firewall/ipt-server
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Add support for MNDP and mDNS traffic.

Browse Source
This commit is contained in:
Christoph 2025-02-16 18:48:22 +01:00
parent 24d91d38c6
commit 9fd36a8236
2 changed files with 144 additions and 8 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

77
ip6t-firewall-server
View File

@ -719,6 +719,75 @@ else
fi fi
# -------------
# --- Drop Mikrotik RouterOS Neighbor Discovery Protocol (MNDP) Traffic
# --- Drop Tinc VPN Traffic
# -------------
[ "${drop_mndp,,}" == "yes" ] && drop_mndp=true
[ "${drop_mndp,,}" == "no" ] && drop_mndp=false
echononl "\tDrop Tinc VPN / Mikrotik RouterOS Neighbor Discovery Traffic"
if [[ -n "$drop_mndp" ]] && $drop_mndp ; then
for _dev in ${ext_if_arr[@]} ; do
if $log_mndp || $log_all ; then
$ip6t -A OUTPUT -o $_dev -p udp --dport $standard_mndp_port -j $LOG_TARGET $tag_log_prefix "$log_prefix MNDP Out: "
$ip6t -A INPUT -i $_dev -p udp --dport $standard_mndp_port -j $LOG_TARGET $tag_log_prefix "$log_prefix MNDP IN: "
if $kernel_forward_between_interfaces ; then
$ip6t -A FORWARD -o $_dev -p udp --dport $standard_mndp_port -j $LOG_TARGET $tag_log_prefix "$log_prefix MNDP fwd Out: "
$ip6t -A FORWARD -i $_dev -p udp --dport $standard_mndp_port -j $LOG_TARGET $tag_log_prefix "$log_prefix MNDP fwd In: "
fi
fi
$ip6t -A OUTPUT -o $_dev -p udp --dport $standard_mndp_port -j DROP
$ip6t -A INPUT -i $_dev -p udp --dport $standard_mndp_port -j DROP
if $kernel_forward_between_interfaces ; then
$ip6t -A FORWARD -o $_dev -p udp --dport $standard_mndp_port -j DROP
$ip6t -A FORWARD -i $_dev -p udp --dport $standard_mndp_port -j DROP
fi
done
echo_done
else
echo_skipped
fi
# -------------
# --- Drop Multicast DNS Traffic
# -------------
[ "${drop_mdns,,}" == "yes" ] && drop_mdns=true
[ "${drop_mdns,,}" == "no" ] && drop_mdns=false
echononl "\tDrop Multicast DNS Traffic"
if [[ -n "$drop_mdns" ]] && ${drop_mdns} ; then
for _dev in ${ext_if_arr[@]} ; do
if $log_mdns || $log_all ; then
$ip6t -A OUTPUT -o $_dev -p udp --dport $standard_mdns_port -j $LOG_TARGET $tag_log_prefix "$log_prefix MDNS Out: "
$ip6t -A INPUT -i $_dev -p udp --dport $standard_mdns_port -j $LOG_TARGET $tag_log_prefix "$log_prefix MDNS IN: "
if $kernel_forward_between_interfaces ; then
$ip6t -A FORWARD -o $_dev -p udp --dport $standard_mdns_port -j $LOG_TARGET $tag_log_prefix "$log_prefix MDNS fwd Out: "
$ip6t -A FORWARD -i $_dev -p udp --dport $standard_mdns_port -j $LOG_TARGET $tag_log_prefix "$log_prefix MDNS fwd In: "
fi
fi
$ip6t -A OUTPUT -o $_dev -p udp --dport $standard_mdns_port -j DROP
$ip6t -A INPUT -i $_dev -p udp --dport $standard_mdns_port -j DROP
if $kernel_forward_between_interfaces ; then
$ip6t -A FORWARD -o $_dev -p udp --dport $standard_mdns_port -j DROP
$ip6t -A FORWARD -i $_dev -p udp --dport $standard_mdns_port -j DROP
fi
done
echo_done
else
echo_skipped
fi
# --- # ---
# - Don't allow spoofing out from this server # - Don't allow spoofing out from this server
# --- # ---
@ -2666,11 +2735,11 @@ echo
echononl "\tLogging all rejected traffic" echononl "\tLogging all rejected traffic"
if $log_rejected || $log_all ; then if $log_rejected || $log_all ; then
#$ip6t -A OUTPUT -j $LOG_TARGET $tag_log_prefix "$log_prefix Rejected: "
#$ip6t -A INPUT -j $LOG_TARGET $tag_log_prefix "$log_prefix Rejected: " $ip6t -A OUTPUT -m limit --limit-burst 5 -p tcp ! --tcp-flags ACK,FIN ACK,FIN -j $LOG_TARGET $tag_log_prefix "$log_prefix Rejected (end of firewall): "
#$ip6t -A FORWARD -j $LOG_TARGET $tag_log_prefix "$log_prefix Rejected: " $ip6t -A OUTPUT -m limit --limit-burst 5 -p udp -j $LOG_TARGET $tag_log_prefix "$log_prefix Rejected (end of firewall): "
$ip6t -A OUTPUT -m limit --limit-burst 5 -j $LOG_TARGET $tag_log_prefix "$log_prefix Rejected (end of firewall): "
$ip6t -A INPUT -m limit --limit-burst 5 -j $LOG_TARGET $tag_log_prefix "$log_prefix Rejected (end of firewall): " $ip6t -A INPUT -m limit --limit-burst 5 -j $LOG_TARGET $tag_log_prefix "$log_prefix Rejected (end of firewall): "
if $kernel_forward_between_interfaces ; then if $kernel_forward_between_interfaces ; then
#$ip6t -A FORWARD -j $LOG_TARGET $tag_log_prefix "$log_prefix Rejected: " #$ip6t -A FORWARD -j $LOG_TARGET $tag_log_prefix "$log_prefix Rejected: "
$ip6t -A FORWARD -m limit --limit-burst 5 -j $LOG_TARGET $tag_log_prefix "$log_prefix Rejected (end of firewall): " $ip6t -A FORWARD -m limit --limit-burst 5 -j $LOG_TARGET $tag_log_prefix "$log_prefix Rejected (end of firewall): "

75
ipt-firewall-server
View File

@ -863,6 +863,72 @@ else
fi fi
# -------------
# --- Drop Mikrotik RouterOS Neighbor Discovery Protocol (MNDP) Traffic
# --- Drop Tinc VPN Traffic
# -------------
[ "${drop_mndp,,}" == "yes" ] && drop_mndp=true
[ "${drop_mndp,,}" == "no" ] && drop_mndp=false
echononl "\tDrop Tinc VPN / Mikrotik RouterOS Neighbor Discovery Traffic"
if [[ -n "$drop_mndp" ]] && ${drop_mndp} ; then
for _dev in ${ext_if_arr[@]} ; do
if $log_mndp || $log_all ; then
$ipt -A OUTPUT -o $_dev -p udp --dport $standard_mndp_port -j $LOG_TARGET $tag_log_prefix "$log_prefix MNDP Out: "
$ipt -A INPUT -i $_dev -p udp --sport $standard_mndp_port -j $LOG_TARGET $tag_log_prefix "$log_prefix MNDP IN: "
if $kernel_activate_forwarding ; then
$ipt -A FORWARD -o $_dev -p udp --dport $standard_mndp_port -j $LOG_TARGET $tag_log_prefix "$log_prefix MNDP fwd Out: "
$ipt -A FORWARD -i $_dev -p udp --dport $standard_mndp_port -j $LOG_TARGET $tag_log_prefix "$log_prefix MNDP fwd In: "
fi
fi
$ipt -A OUTPUT -o $_dev -p udp --dport $standard_mndp_port -j DROP
$ipt -A INPUT -i $_dev -p udp --sport $standard_mndp_port -j DROP
if $kernel_activate_forwarding ; then
$ipt -A FORWARD -o $_dev -p udp --dport $standard_mndp_port -j DROP
$ipt -A FORWARD -i $_dev -p udp --dport $standard_mndp_port -j DROP
fi
done
echo_done
else
echo_skipped
fi
# -------------
# --- Drop Multicast DNS Traffic
# -------------
[ "${drop_mdns,,}" == "yes" ] && drop_mdns=true
[ "${drop_mdns,,}" == "no" ] && drop_mdns=false
echononl "\tDrop Multicast DNS Traffic"
if [[ -n "$drop_mdns" ]] && ${drop_mdns} ; then
for _dev in ${ext_if_arr[@]} ; do
if $log_mdns || $log_all ; then
$ipt -A OUTPUT -o $_dev -p udp --dport $standard_mdns_port -j $LOG_TARGET $tag_log_prefix "$log_prefix MDNS Out: "
$ipt -A INPUT -i $_dev -p udp --sport $standard_mdns_port -j $LOG_TARGET $tag_log_prefix "$log_prefix MDNS IN: "
if $kernel_activate_forwarding ; then
$ipt -A FORWARD -o $_dev -p udp --dport $standard_mdns_port -j $LOG_TARGET $tag_log_prefix "$log_prefix MDNS fwd Out: "
$ipt -A FORWARD -i $_dev -p udp --dport $standard_mdns_port -j $LOG_TARGET $tag_log_prefix "$log_prefix MDNS fwd In: "
fi
fi
$ipt -A OUTPUT -o $_dev -p udp --dport $standard_mdns_port -j DROP
$ipt -A INPUT -i $_dev -p udp --dport $standard_mdns_port -j DROP
if $kernel_activate_forwarding ; then
$ipt -A FORWARD -o $_dev -p udp --dport $standard_mdns_port -j DROP
$ipt -A FORWARD -i $_dev -p udp --dport $standard_mdns_port -j DROP
fi
done
echo_done
else
echo_skipped
fi
# --- # ---
# - Don't allow spoofing from that server # - Don't allow spoofing from that server
# --- # ---
@ -2827,15 +2893,16 @@ echo
echononl "\tLogging all rejected traffic" echononl "\tLogging all rejected traffic"
if $log_rejected || $log_all ; then if $log_rejected || $log_all ; then
#$ipt -A OUTPUT -j $LOG_TARGET $tag_log_prefix "$log_prefix Rejected:"
#$ipt -A INPUT -j $LOG_TARGET $tag_log_prefix "$log_prefix Rejected:" $ipt -A OUTPUT -m limit --limit-burst 5 -p tcp ! --tcp-flags ACK,FIN ACK,FIN -j $LOG_TARGET $tag_log_prefix "$log_prefix Rejected (end of firewall):"
#$ipt -A FORWARD -j $LOG_TARGET $tag_log_prefix "$log_prefix Rejected:" $ipt -A OUTPUT -m limit --limit-burst 5 -p udp -j $LOG_TARGET $tag_log_prefix "$log_prefix Rejected (end of firewall):"
$ipt -A OUTPUT -m limit --limit-burst 5 -j $LOG_TARGET $tag_log_prefix "$log_prefix Rejected (end of firewall):"
$ipt -A INPUT -m limit --limit-burst 5 -j $LOG_TARGET $tag_log_prefix "$log_prefix Rejected (end of firewall):" $ipt -A INPUT -m limit --limit-burst 5 -j $LOG_TARGET $tag_log_prefix "$log_prefix Rejected (end of firewall):"
if $kernel_activate_forwarding ; then if $kernel_activate_forwarding ; then
#$ipt -A FORWARD -j $LOG_TARGET $tag_log_prefix "$log_prefix Rejected:" #$ipt -A FORWARD -j $LOG_TARGET $tag_log_prefix "$log_prefix Rejected:"
$ipt -A FORWARD -m limit --limit-burst 5 -j $LOG_TARGET $tag_log_prefix "$log_prefix Rejected (end of firewall):" $ipt -A FORWARD -m limit --limit-burst 5 -j $LOG_TARGET $tag_log_prefix "$log_prefix Rejected (end of firewall):"
fi fi
echo_done echo_done
else else
echo_skipped echo_skipped