Mon, 30 Oct 2023 16:24:44 +0100
Version 0.0.27 Fix for igmp protocol, do not use -m option.
0 | 1 | #!/bin/bash |
2 | ||
3 | # --------------------------------------------------------------------------- | |
4 | # Copyright (C) 2013-2023 by Michiel Broek. |
0 | 5 | # Homepage http://www.mbse.eu |
6 | # Email mbse At mbse dOt eu | |
7 | # | |
8 | # This file is part of mbse-firewall. | |
9 | # | |
10 | # This program is free software; you can redistribute it and/or modify it | |
11 | # under the terms of the GNU General Public License as published by the | |
12 | # Free Software Foundation; either version 2, or (at your option) any | |
13 | # later version. | |
14 | # | |
15 | # This program is distributed in the hope that it will be useful, but | |
16 | # WITHOUT ANY WARRANTY; without even the implied warranty of | |
17 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU | |
18 | # General Public License for more details. | |
19 | # | |
20 | # You should have received a copy of the GNU General Public License | |
21 | # along with this program; see the file COPYING. If not, write to the Free | |
22 | # Software Foundation, 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA. | |
23 | # --------------------------------------------------------------------------- | |
24 | ||
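MBSEFW_VERSION="0.0.27"

# Sanity checks: everything below drives iptables/ipset/sysctl, which
# only works as root.
if [ "$(id -u)" != "0" ]; then
  echo "** You must be root to run this program"
  exit 1
fi

# If possible, log events in /var/log/messages:
if [[ -f /var/run/syslogd.pid && -x /usr/bin/logger ]]; then
  LOGGER=/usr/bin/logger
else # output to stdout/stderr:
  LOGGER=/bin/cat
fi


# IPv6 enabled? The kernel knob reads "0" when IPv6 is active.
USE_IPV6="0"
if [ -f /proc/sys/net/ipv6/conf/all/disable_ipv6 ] && [ "$(cat /proc/sys/net/ipv6/conf/all/disable_ipv6)" == "0" ]; then
  USE_IPV6="1"
fi

# Find programs. command -v is a shell builtin and always available;
# a variable stays empty when the tool is not installed.
IPTABLES=$(command -v iptables 2>/dev/null)
IPTABLES_SAVE=$(command -v iptables-save 2>/dev/null)
IPTABLES_RESTORE=$(command -v iptables-restore 2>/dev/null)
LSMOD=$(command -v lsmod 2>/dev/null)
AWK=$(command -v awk 2>/dev/null)
GREP=$(command -v grep 2>/dev/null)
IPSET=$(command -v ipset 2>/dev/null)
SYSCTL=$(command -v sysctl 2>/dev/null)
NFACCT=$(command -v nfacct 2>/dev/null)

if [ "$USE_IPV6" = "1" ]; then
  IP6TABLES=$(command -v ip6tables 2>/dev/null)
  IP6TABLES_SAVE=$(command -v ip6tables-save 2>/dev/null)
  IP6TABLES_RESTORE=$(command -v ip6tables-restore 2>/dev/null)
fi


# Load configuration. The file is sourced, i.e. executed as root, so it
# must only be writable by root.
if [ ! -f /etc/mbse-firewall/firewall.conf ]; then
  echo "** /etc/mbse-firewall/firewall.conf not found, abort"
  exit 1
fi
. /etc/mbse-firewall/firewall.conf

# Some defaults, they are replaced when configured in
# /etc/mbse-firewall/firewall.conf

IF_EXT_AUTO_TO=${IF_EXT_AUTO_TO:-3600}
IF_EXT_AUTO_LIMIT=${IF_EXT_AUTO_LIMIT:-5/hour}
IF_EXT_AUTO_BURST=${IF_EXT_AUTO_BURST:-10}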
79 | # --------------------------------------------------------------------------- | |
80 | # | |
81 | # Functions | |
82 | # | |
83 | # --------------------------------------------------------------------------- | |
84 | ||
85 | ||
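#######################################
# Reset iptables back to Slackware default.
# Flushes and deletes every chain of every loaded table, sets the
# built-in INPUT/OUTPUT/FORWARD policies to $1 (IPv4 and, when enabled,
# IPv6), then destroys the ipset sets that belong to this host.
# Globals:   IPTABLES, IP6TABLES, IPSET, LOGGER, USE_IPV6 (read)
#            HOST (written)
# Arguments: $1 - policy for the built-in chains, e.g. ACCEPT or DROP
# Outputs:   progress messages via $LOGGER
#######################################
reset_iptables() {
  local policy=$1
  local table c chain rest set_name

  if [ -f /proc/net/ip_tables_names ]; then
    while IFS= read -r table; do
      # Every "Chain NAME ..." header line of -L names one chain to flush.
      "$IPTABLES" -t "$table" -L -n | while read -r c chain rest; do
        if [ "X$c" = "XChain" ]; then
          "$IPTABLES" -t "$table" -F "$chain"
        fi
      done
      "$IPTABLES" -t "$table" -X
    done < /proc/net/ip_tables_names

    "$IPTABLES" -P INPUT "$policy"
    "$IPTABLES" -P OUTPUT "$policy"
    "$IPTABLES" -P FORWARD "$policy"
    echo "Reset iptables default policy $policy" | "$LOGGER"
  fi

  if [ "$USE_IPV6" == "1" ] && [ -f /proc/net/ip6_tables_names ]; then
    while IFS= read -r table; do
      "$IP6TABLES" -t "$table" -L -n | while read -r c chain rest; do
        if [ "X$c" = "XChain" ]; then
          "$IP6TABLES" -t "$table" -F "$chain"
        fi
      done
      "$IP6TABLES" -t "$table" -X
    done < /proc/net/ip6_tables_names
    "$IP6TABLES" -P OUTPUT "$policy"
    "$IP6TABLES" -P INPUT "$policy"
    "$IP6TABLES" -P FORWARD "$policy"
    echo "Reset ip6tables default policy $policy" | "$LOGGER"
  fi

  # Remove any ipset tables of this host. The sets are named
  # "<host>-..." so match on that prefix only: an unanchored substring
  # match would also destroy sets of other hosts that share the ipset
  # namespace (e.g. LXC guests) and could hit the global-* sets.
  HOST="$(hostname)"
  while IFS= read -r set_name; do
    [[ "$set_name" == "${HOST}-"* ]] || continue
    "$IPSET" flush "$set_name"
    "$IPSET" destroy "$set_name"
    echo "Destroyed IPSET table $set_name" | "$LOGGER"
  done < <("$IPSET" list -n)
}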
129 | ||
130 | ||
131 | ||
#######################################
# Tell whether $1 is NOT the external IPv4 interface.
# Inverted convention: returns 1 (false) when $1 equals IF_EXT and
# 0 (true) for any other interface; callers test it accordingly.
# Globals:   IF_EXT (read)
# Arguments: $1 - interface name
#######################################
is_external_if4() {
  if [[ "x${IF_EXT}" == "x$1" ]]; then
    return 1
  fi
  return 0
}
137 | ||
138 | ||
139 | ||
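#######################################
# Tell whether $1 is NOT the external IPv6 interface.
# Inverted convention (same as is_external_if4): returns 1 when $1 is
# the external IPv6 interface, 0 otherwise. With IPv6 disabled no
# interface is considered external.
# Globals:   USE_IPV6, IF_EXT, IF_EXT6 (read)
# Arguments: $1 - interface name
#######################################
is_external_if6() {
  if [ "$USE_IPV6" == "1" ]; then
    [[ "x${IF_EXT6}" == "x$1" ]] && return 1
    # No dedicated IPv6 interface configured: IPv6 rides on IF_EXT.
    # [[ ... && ... ]] replaces the deprecated, ambiguous "-a" of test(1).
    [[ "x${IF_EXT}" == "x$1" && -z "${IF_EXT6}" ]] && return 1
  fi

  return 0
}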
148 | ||
149 | ||
150 | ||
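#######################################
# Rebuild the per-host IPv4 blocklist ipsets from blocklist4.conf.
# Entries are loaded into "<host>-new-mbsefw-blk4ip" / "-blk4net" and
# then swapped with the live "<host>-mbsefw-blk4ip" / "-blk4net" sets,
# so the live sets are never empty while reloading. Entries containing
# "/" go to the hash:net set, all others to the hash:ip set. Lines
# starting with '#' or ';' and blank lines are ignored; only the first
# word of a line is used.
# Globals:   IPSET, GREP, LOGGER (read); BLOCKLIST, HOST (written)
# Arguments: $1 - optional path of the blocklist file
#            (default /etc/mbse-firewall/conf.d/blocklist4.conf)
# Returns:   0; the live sets must already exist for the swap to work
#######################################
reload_blocklist4() {
  local entry _rest
  BLOCKLIST="${1:-/etc/mbse-firewall/conf.d/blocklist4.conf}"
  HOST="$(hostname)"

  if [ -f "$BLOCKLIST" ]; then
    echo "Reload $BLOCKLIST" | "$LOGGER"
    "$IPSET" create "${HOST}-new-mbsefw-blk4ip" hash:ip counters -exist
    "$IPSET" create "${HOST}-new-mbsefw-blk4net" hash:net counters -exist
    # read(1) splits off the first word itself; the former "set $L"
    # would have interpreted a line starting with "-" as shell options.
    while read -r entry _rest || [[ -n "$entry" ]]; do
      [[ -n "$entry" ]] || continue
      if [[ "$entry" == */* ]]; then
        "$IPSET" add "${HOST}-new-mbsefw-blk4net" "$entry" -exist
      else
        "$IPSET" add "${HOST}-new-mbsefw-blk4ip" "$entry" -exist
      fi
    done < <("$GREP" -Ev '^#|^;|^\s*$' "$BLOCKLIST")
    "$IPSET" swap "${HOST}-mbsefw-blk4net" "${HOST}-new-mbsefw-blk4net"
    "$IPSET" flush "${HOST}-new-mbsefw-blk4net"
    "$IPSET" destroy "${HOST}-new-mbsefw-blk4net"
    "$IPSET" swap "${HOST}-mbsefw-blk4ip" "${HOST}-new-mbsefw-blk4ip"
    "$IPSET" flush "${HOST}-new-mbsefw-blk4ip"
    "$IPSET" destroy "${HOST}-new-mbsefw-blk4ip"
  fi
}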
176 | ||
177 | ||
178 | ||
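#######################################
# Rebuild the per-host IPv6 blocklist ipset from blocklist6.conf.
# Entries are loaded into "<host>-new-mbsefw-blk6" (hash:net, inet6)
# and then swapped with the live "<host>-mbsefw-blk6" set, so the live
# set is never empty while reloading. Lines starting with '#' or ';'
# and blank lines are ignored; only the first word of a line is used.
# Globals:   IPSET, GREP, LOGGER (read); BLOCKLIST, HOST (written)
# Arguments: $1 - optional path of the blocklist file
#            (default /etc/mbse-firewall/conf.d/blocklist6.conf)
# Returns:   0; the live set must already exist for the swap to work
#######################################
reload_blocklist6() {
  local entry _rest
  BLOCKLIST="${1:-/etc/mbse-firewall/conf.d/blocklist6.conf}"
  HOST="$(hostname)"

  if [ -f "$BLOCKLIST" ]; then
    echo "Reload $BLOCKLIST" | "$LOGGER"
    "$IPSET" create "${HOST}-new-mbsefw-blk6" hash:net family inet6 counters -exist
    # read(1) splits off the first word itself; the former "set $L"
    # would have interpreted a line starting with "-" as shell options.
    while read -r entry _rest || [[ -n "$entry" ]]; do
      [[ -n "$entry" ]] || continue
      "$IPSET" add "${HOST}-new-mbsefw-blk6" "$entry" -exist
    done < <("$GREP" -Ev '^#|^;|^\s*$' "$BLOCKLIST")
    "$IPSET" swap "${HOST}-mbsefw-blk6" "${HOST}-new-mbsefw-blk6"
    "$IPSET" flush "${HOST}-new-mbsefw-blk6"
    "$IPSET" destroy "${HOST}-new-mbsefw-blk6"
  fi
}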
195 | ||
196 | ||
197 | ||
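#######################################
# Create the netfilter accounting objects listed in nfacct.conf that do
# not exist yet. One object name per line (first word only); lines
# starting with '#' or ';' and blank lines are ignored.
# Globals:   NFACCT, GREP, LOGGER (read); NFACCTCONF (written)
# Arguments: $1 - optional path of the config file
#            (default /etc/mbse-firewall/conf.d/nfacct.conf)
#######################################
fw_init_nfacct() {
  local name _rest
  NFACCTCONF="${1:-/etc/mbse-firewall/conf.d/nfacct.conf}"
  if [ -f "$NFACCTCONF" ]; then
    echo "Init netfilter accounting" | "$LOGGER"
    # read(1) splits off the first word itself; the former "set $L"
    # would have interpreted a line starting with "-" as shell options.
    while read -r name _rest || [[ -n "$name" ]]; do
      [[ -n "$name" ]] || continue
      # Fixed-string match against the "nfacct list" output (the name
      # is no longer treated as a regex). As before this is a substring
      # test: a name contained in another object's name counts as present.
      if ! "$NFACCT" list | "$GREP" -q -F -- "$name"; then
        "$NFACCT" add "$name"
      fi
    done < <("$GREP" -Ev '^#|^;|^\s*$' "$NFACCTCONF")
  fi
}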
210 | |
211 | |
212 | |
#######################################
# Apply the kernel settings the firewall needs before rules are loaded.
# Globals:   SYSCTL, FW_NO_BRIDGE_NF_CALL, IF_EXT_IS_BORDER_GW, IF_EXT (read)
#######################################
fw_init_sysctl() {
  # Bridges: when iptables must not filter traffic between the physical
  # ports of a bridge, switch the bridge-nf hooks off.
  if [[ "$FW_NO_BRIDGE_NF_CALL" = "1" ]]; then
    local hook
    for hook in arptables ip6tables iptables; do
      $SYSCTL -e -q -w "net.bridge.bridge-nf-call-${hook}=0"
    done
  fi

  # Border gateway: do not answer or announce ARP for the internal
  # interfaces on the external side.
  if [[ "$IF_EXT_IS_BORDER_GW" = "1" ]]; then
    $SYSCTL -q -w "net.ipv4.conf.${IF_EXT}.arp_ignore=1"
    $SYSCTL -q -w "net.ipv4.conf.${IF_EXT}.arp_announce=1"
  fi
}
228 | ||
229 | ||
230 | ||
231 | fw_start_init() { | |
232 | ||
233 | echo "Init new firewall" | $LOGGER | |
234 | ||
235 | BLOCKLIST="/etc/mbse-firewall/conf.d/blocklist4.conf" | |
236 | HOST="$(hostname)" |
237 | |
0 | 238 | if [ -f $BLOCKLIST -a -n "$IF_EXT" ]; then |
239 | echo " Install $BLOCKLIST" | $LOGGER | |
240 | $IPSET create ${HOST}-mbsefw-blk4ip hash:ip counters -exist |
241 | $IPSET create ${HOST}-mbsefw-blk4net hash:net counters -exist |
242 | $IPTABLES -A INPUT -i $IF_EXT -m state --state NEW -m set --match-set ${HOST}-mbsefw-blk4ip src -j DROP |
243 | $IPTABLES -A INPUT -i $IF_EXT -m state --state NEW -m set --match-set ${HOST}-mbsefw-blk4net src -j DROP |
0 | 244 | if [ "$FW_FORWARD" = "1" ]; then |
245 | $IPTABLES -A FORWARD -i $IF_EXT -m state --state NEW -m set --match-set ${HOST}-mbsefw-blk4ip src -j DROP |
246 | $IPTABLES -A FORWARD -i $IF_EXT -m state --state NEW -m set --match-set ${HOST}-mbsefw-blk4net src -j DROP |
0 | 247 | fi |
248 | $GREP -Ev '^#|^;|^\s*$' $BLOCKLIST | while read L ; do | |
249 | set $L | |
250 | if echo $1 | $GREP -q "/" ; then | |
251 | $IPSET add ${HOST}-mbsefw-blk4net $1 -exist |
0 | 252 | else |
253 | $IPSET add ${HOST}-mbsefw-blk4ip $1 -exist |
0 | 254 | fi |
255 | done | |
256 | echo -n "." | |
257 | fi | |
258 | ||
259 | BLOCKLIST="/etc/mbse-firewall/conf.d/blocklist6.conf" | |
260 | if [ -f $BLOCKLIST ]; then | |
261 | echo " Install $BLOCKLIST" | $LOGGER | |
262 | $IPSET create ${HOST}-mbsefw-blk6 hash:net family inet6 counters -exist |
0 | 263 | if [ -n "$IF_EXT6" ]; then |
264 | IF6=$IF_EXT6 | |
265 | else | |
266 | IF6=$IF_EXT | |
267 | fi | |
268 | $IP6TABLES -A INPUT -i $IF6 -m state --state NEW -m set --match-set ${HOST}-mbsefw-blk6 src -j DROP |
0 | 269 | if [ "$FW_FORWARD" = "1" ]; then |
270 | $IP6TABLES -A FORWARD -i $IF6 -m state --state NEW -m set --match-set ${HOST}-mbsefw-blk6 src -j DROP |
0 | 271 | fi |
272 | $GREP -Ev '^#|^;|^\s*$' $BLOCKLIST | while read L ; do | |
273 | set $L | |
274 | $IPSET add ${HOST}-mbsefw-blk6 $1 -exist |
0 | 275 | done |
276 | echo -n "." | |
277 | fi | |
278 | ||
279 | # If we use the global blocktables. |
280 | if [ "$IF_EXT_GLOBAL_BLOCK" == "1" ]; then |
281 | $IPSET create global-blk4 hash:ip counters -exist |
282 | $IPTABLES -A INPUT -i $IF_EXT -m set --match-set global-blk4 src -j DROP |
283 | if [ "$FW_FORWARD" = "1" ]; then |
284 | $IPTABLES -A FORWARD -i $IF_EXT -m set --match-set global-blk4 src -j DROP |
285 | fi |
286 | if [ "$USE_IPV6" == "1" ]; then |
287 | if [ -n "$IF_EXT6" ]; then |
288 | IF6=$IF_EXT6 |
289 | else |
290 | IF6=$IF_EXT |
291 | fi |
292 | $IPSET create global-blk6 hash:net family inet6 counters -exist |
293 | $IP6TABLES -A INPUT -i $IF6 -m set --match-set global-blk6 src -j DROP |
294 | if [ "$FW_FORWARD" = "1" ]; then |
295 | $IP6TABLES -A FORWARD -i $IF6 -m set --match-set global-blk6 src -j DROP |
296 | fi |
297 | fi |
298 | echo -n "." |
299 | fi |
300 | |
301 | fw_init_nfacct |
302 | echo -n "." |
303 | |
0 | 304 | # accept established and related connections |
305 | $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT | |
306 | $IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT | |
307 | [ "$FW_FORWARD" = "1" ] && $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT | |
308 | if [ "$USE_IPV6" == "1" ]; then | |
309 | $IP6TABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT | |
310 | $IP6TABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT | |
311 | [ "$FW_FORWARD" = "1" ] && $IP6TABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT | |
312 | fi | |
313 | ||
314 | # drop packets that do not match any valid state. This also blocks invalid | |
315 | # flag combinations that are used by portscans. | |
316 | $IPTABLES -A OUTPUT -m state --state INVALID -j DROP |
0 | 317 | $IPTABLES -A INPUT -m state --state INVALID -j DROP |
318 | [ "$FW_FORWARD" = "1" ] && $IPTABLES -A FORWARD -m state --state INVALID -j DROP | |
319 | if [ "$USE_IPV6" == "1" ]; then | |
320 | $IP6TABLES -A OUTPUT -m state --state INVALID -j DROP | |
321 | $IP6TABLES -A INPUT -m state --state INVALID -j DROP | |
322 | [ "$FW_FORWARD" = "1" ] && $IP6TABLES -A FORWARD -m state --state INVALID -j DROP | |
323 | fi | |
324 | ||
325 | # Allow everything on the loopback interface | |
326 | $IPTABLES -A INPUT -i lo -j ACCEPT | |
327 | $IPTABLES -A OUTPUT -o lo -j ACCEPT | |
328 | if [ "$USE_IPV6" == "1" ]; then | |
329 | $IP6TABLES -A INPUT -i lo -j ACCEPT | |
330 | $IP6TABLES -A OUTPUT -o lo -j ACCEPT | |
331 | fi | |
332 | ||
333 | # Anti spoofing on the external interface. Methods since the 3.3 kernel! | |
334 | if [ -n "$IF_EXT" ]; then | |
335 | # was 1, now 2 for IPTV. |
0 | 336 | for f in $(ls /proc/sys/net/ipv4/conf/*/rp_filter); do |
337 | echo 2 > $f |
0 | 338 | done |
339 | $IPTABLES -A PREROUTING -t raw -i $IF_EXT -m rpfilter --invert -j DROP | |
340 | if [ "$USE_IPV6" == "1" ]; then | |
341 | if [ -n "$IF_EXT6" ]; then | |
342 | $IP6TABLES -A PREROUTING -t raw -i $IF_EXT6 -m rpfilter --invert -j DROP | |
343 | else | |
344 | $IP6TABLES -A PREROUTING -t raw -i $IF_EXT -m rpfilter --invert -j DROP | |
345 | fi | |
346 | fi | |
347 | # Manual anti spoofing on the interfaces is configured using the | |
348 | # interfaces configuration and only if the system is a router. | |
349 | fi | |
350 | ||
351 | # IPv4 ssh backdoor | |
352 | if [ -n "$IPV4_BACKDOOR_SSH" ]; then | |
353 | $IPTABLES -A INPUT -p tcp -m tcp -s $IPV4_BACKDOOR_SSH --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT | |
354 | $IPTABLES -A OUTPUT -p tcp -m tcp -d $IPV4_BACKDOOR_SSH --sport 22 -m state --state ESTABLISHED,RELATED -j ACCEPT | |
355 | fi | |
356 | # IPv6 ssh backdoor | |
357 | if [ "$USE_IPV6" == "1" ] && [ -n "$IPV6_BACKDOOR_SSH" ]; then | |
358 | $IP6TABLES -A INPUT -p tcp -m tcp -s $IPV6_BACKDOOR_SSH --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT | |
359 | $IP6TABLES -A OUTPUT -p tcp -m tcp -d $IPV6_BACKDOOR_SSH --sport 22 -m state --state ESTABLISHED,RELATED -j ACCEPT | |
360 | fi | |
361 | ||
362 | # Usefull ICMPv4 | |
363 | $IPTABLES -A INPUT -p icmp -m icmp --icmp-type 3 -m hashlimit --hashlimit 15/second --hashlimit-mode srcip --hashlimit-name icmp -j ACCEPT | |
364 | $IPTABLES -A INPUT -p icmp -m icmp --icmp-type 0/0 -m hashlimit --hashlimit 15/second --hashlimit-mode srcip --hashlimit-name icmp -j ACCEPT | |
365 | $IPTABLES -A INPUT -p icmp -m icmp --icmp-type 8/0 -m hashlimit --hashlimit 15/second --hashlimit-mode srcip --hashlimit-name icmp -j ACCEPT | |
366 | $IPTABLES -A INPUT -p icmp -m icmp --icmp-type 11/0 -m hashlimit --hashlimit 15/second --hashlimit-mode srcip --hashlimit-name icmp -j ACCEPT | |
367 | $IPTABLES -A INPUT -p icmp -m icmp --icmp-type 11/1 -m hashlimit --hashlimit 15/second --hashlimit-mode srcip --hashlimit-name icmp -j ACCEPT | |
368 | $IPTABLES -A INPUT -p icmp -m limit --limit 10/minute -j "${FW_LOGDEST[@]}" "DENY=ICMPv4_INPUT " |
0 | 369 | $IPTABLES -A INPUT -p icmp -j DROP |
370 | $IPTABLES -A OUTPUT -p icmp -m icmp --icmp-type 3 -j ACCEPT | |
371 | $IPTABLES -A OUTPUT -p icmp -m icmp --icmp-type 0/0 -j ACCEPT | |
372 | $IPTABLES -A OUTPUT -p icmp -m icmp --icmp-type 8/0 -j ACCEPT | |
373 | $IPTABLES -A OUTPUT -p icmp -m icmp --icmp-type 11/0 -j ACCEPT | |
374 | $IPTABLES -A OUTPUT -p icmp -m icmp --icmp-type 11/1 -j ACCEPT | |
375 | $IPTABLES -A OUTPUT -p icmp -m limit --limit 10/minute -j "${FW_LOGDEST[@]}" "DENY=ICMPv4_OUTPUT " |
0 | 376 | $IPTABLES -A OUTPUT -p icmp -j DROP |
377 | if [ "$FW_FORWARD" = "1" ]; then | |
378 | $IPTABLES -A FORWARD -p icmp -m icmp --icmp-type 3 -m hashlimit --hashlimit 15/second --hashlimit-mode srcip --hashlimit-name icmp -j ACCEPT | |
379 | $IPTABLES -A FORWARD -p icmp -m icmp --icmp-type 0/0 -m hashlimit --hashlimit 15/second --hashlimit-mode srcip --hashlimit-name icmp -j ACCEPT | |
380 | $IPTABLES -A FORWARD -p icmp -m icmp --icmp-type 8/0 -m hashlimit --hashlimit 15/second --hashlimit-mode srcip --hashlimit-name icmp -j ACCEPT | |
381 | $IPTABLES -A FORWARD -p icmp -m icmp --icmp-type 11/0 -m hashlimit --hashlimit 15/second --hashlimit-mode srcip --hashlimit-name icmp -j ACCEPT | |
382 | $IPTABLES -A FORWARD -p icmp -m icmp --icmp-type 11/1 -m hashlimit --hashlimit 15/second --hashlimit-mode srcip --hashlimit-name icmp -j ACCEPT | |
383 | $IPTABLES -A FORWARD -p icmp -m limit --limit 10/minute -j "${FW_LOGDEST[@]}" "DENY=ICMPv4_FORWARD " |
0 | 384 | $IPTABLES -A FORWARD -p icmp -j DROP |
385 | fi | |
386 | ||
387 | # If this system has enabled IPv6 ... | |
388 | if [ "$USE_IPV6" == "1" ]; then | |
389 | # ICMPv6 | |
390 | $IP6TABLES -A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type destination-unreachable -j ACCEPT | |
391 | $IP6TABLES -A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type packet-too-big -j ACCEPT | |
392 | $IP6TABLES -A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type time-exceeded -j ACCEPT | |
393 | $IP6TABLES -A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type parameter-problem -j ACCEPT | |
394 | $IP6TABLES -A OUTPUT -p ipv6-icmp -m icmp6 --icmpv6-type destination-unreachable -j ACCEPT | |
395 | $IP6TABLES -A OUTPUT -p ipv6-icmp -m icmp6 --icmpv6-type packet-too-big -j ACCEPT | |
396 | $IP6TABLES -A OUTPUT -p ipv6-icmp -m icmp6 --icmpv6-type time-exceeded -j ACCEPT | |
397 | $IP6TABLES -A OUTPUT -p ipv6-icmp -m icmp6 --icmpv6-type parameter-problem -j ACCEPT | |
398 | if [ "$FW_FORWARD" = "1" ]; then | |
399 | $IP6TABLES -A FORWARD -p ipv6-icmp -m icmp6 --icmpv6-type destination-unreachable -j ACCEPT | |
400 | $IP6TABLES -A FORWARD -p ipv6-icmp -m icmp6 --icmpv6-type packet-too-big -j ACCEPT | |
401 | $IP6TABLES -A FORWARD -p ipv6-icmp -m icmp6 --icmpv6-type time-exceeded -j ACCEPT | |
402 | $IP6TABLES -A FORWARD -p ipv6-icmp -m icmp6 --icmpv6-type parameter-problem -j ACCEPT | |
403 | fi | |
404 | ||
405 | # Rate limited icmpv6 | |
406 | $IP6TABLES -A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type echo-request -m limit --limit 15/second -j ACCEPT | |
407 | $IP6TABLES -A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type echo-reply -m limit --limit 15/second -j ACCEPT | |
408 | $IP6TABLES -A OUTPUT -p ipv6-icmp -m icmp6 --icmpv6-type echo-request -j ACCEPT | |
409 | $IP6TABLES -A OUTPUT -p ipv6-icmp -m icmp6 --icmpv6-type echo-reply -j ACCEPT | |
410 | if [ "$FW_FORWARD" = "1" ]; then | |
411 | $IP6TABLES -A FORWARD -p ipv6-icmp -m icmp6 --icmpv6-type echo-request -m limit --limit 15/second -j ACCEPT | |
412 | $IP6TABLES -A FORWARD -p ipv6-icmp -m icmp6 --icmpv6-type echo-reply -m limit --limit 15/second -j ACCEPT | |
413 | fi | |
414 | ||
415 | if [ -n "$IF_EXT6" -a "$IF_EXT_IS_BORDER_GW" = "1" ]; then |
416 | $IP6TABLES -A INPUT -o $IF_EXT6 -p ipv6-icmp -d ff00::/8 -m icmp6 --icmpv6-type 132 -j DROP |
417 | $IP6TABLES -A OUTPUT -o $IF_EXT6 -p ipv6-icmp -d ff00::/8 -m icmp6 --icmpv6-type 132 -j DROP |
418 | elif [ -n "$IF_EXT" -a "$IF_EXT_IS_BORDER_GW" = "1" ]; then |
419 | $IP6TABLES -A INPUT -o $IF_EXT -p ipv6-icmp -d ff00::/8 -m icmp6 --icmpv6-type 132 -j DROP |
420 | $IP6TABLES -A OUTPUT -o $IF_EXT -p ipv6-icmp -d ff00::/8 -m icmp6 --icmpv6-type 132 -j DROP |
421 | fi |
422 | $IP6TABLES -A INPUT -p ipv6-icmp -d ff00::/8 -m icmp6 --icmpv6-type 132 -j ACCEPT |
423 | $IP6TABLES -A OUTPUT -p ipv6-icmp -d ff00::/8 -m icmp6 --icmpv6-type 132 -j ACCEPT |
424 | |
0 | 425 | # rules to permit IPv6 Neighbor discovery |
426 | $IP6TABLES -A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type router-solicitation -m hl --hl-eq 255 -j ACCEPT | |
427 | $IP6TABLES -A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type router-solicitation -j DROP # Silent drop HOPLIMIT <> 255 |
0 | 428 | $IP6TABLES -A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type router-advertisement -m hl --hl-eq 255 -j ACCEPT |
429 | $IP6TABLES -A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type neighbour-solicitation -m hl --hl-eq 255 -j ACCEPT | |
430 | $IP6TABLES -A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type neighbour-solicitation -j DROP # Silent drop HOPLIMIT <> 255 |
0 | 431 | $IP6TABLES -A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type neighbour-advertisement -m hl --hl-eq 255 -j ACCEPT |
432 | $IP6TABLES -A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type neighbour-advertisement -j DROP # Silent drop HOPLIMIT <> 255 |
0 | 433 | $IP6TABLES -A OUTPUT -p ipv6-icmp -m icmp6 --icmpv6-type router-solicitation -m hl --hl-eq 255 -j ACCEPT |
434 | $IP6TABLES -A OUTPUT -p ipv6-icmp -m icmp6 --icmpv6-type router-advertisement -m hl --hl-eq 255 -j ACCEPT | |
435 | $IP6TABLES -A OUTPUT -p ipv6-icmp -m icmp6 --icmpv6-type neighbour-solicitation -m hl --hl-eq 255 -j ACCEPT | |
436 | $IP6TABLES -A OUTPUT -p ipv6-icmp -m icmp6 --icmpv6-type neighbour-advertisement -m hl --hl-eq 255 -j ACCEPT | |
437 | # Allow inverse neighbour discovery solicitation (141) / advertisement (142) |
438 | $IP6TABLES -A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 141 -m hl --hl-eq 255 -j ACCEPT |
439 | $IP6TABLES -A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 142 -m hl --hl-eq 255 -j ACCEPT |
440 | $IP6TABLES -A OUTPUT -p ipv6-icmp -m icmp6 --icmpv6-type 141 -m hl --hl-eq 255 -j ACCEPT |
441 | $IP6TABLES -A OUTPUT -p ipv6-icmp -m icmp6 --icmpv6-type 142 -m hl --hl-eq 255 -j ACCEPT |
0 | 442 | |
443 | # MLD messages. DROP on external interface, but ACCEPT on others. | |
444 | if [ -n "$IF_EXT6" -a "$IF_EXT_IS_BORDER_GW" = "1" ]; then | |
445 | $IP6TABLES -A OUTPUT -o $IF_EXT6 -p ipv6-icmp -d ff00::/8 -m icmp6 --icmpv6-type 143 -j DROP | |
446 | elif [ -n "$IF_EXT" -a "$IF_EXT_IS_BORDER_GW" = "1" ]; then | |
447 | $IP6TABLES -A OUTPUT -o $IF_EXT -p ipv6-icmp -d ff00::/8 -m icmp6 --icmpv6-type 143 -j DROP | |
448 | fi | |
449 | $IP6TABLES -A OUTPUT -p ipv6-icmp -d ff00::/8 -m icmp6 --icmpv6-type 143 -j ACCEPT | |
450 | ||
451 | # Drop unmatched icmpv6 but log them so we can debug | |
452 | $IP6TABLES -A INPUT -p ipv6-icmp -m limit --limit 10/minute -j "${FW_LOGDEST[@]}" "DENY=ICMPv6_INPUT " |
0 | 453 | $IP6TABLES -A INPUT -p ipv6-icmp -j DROP |
454 | $IP6TABLES -A OUTPUT -p ipv6-icmp -m limit --limit 10/minute -j "${FW_LOGDEST[@]}" "DENY=ICMPv6_OUTPUT " |
0 | 455 | $IP6TABLES -A OUTPUT -p ipv6-icmp -j DROP |
456 | [ "$FW_FORWARD" = "1" ] && { | |
457 | $IP6TABLES -A FORWARD -p ipv6-icmp -m limit --limit 10/minute -j "${FW_LOGDEST[@]}" "DENY=ICMPv6_FORWARD " |
0 | 458 | $IP6TABLES -A FORWARD -p ipv6-icmp -j DROP |
459 | } | |
460 | fi | |
461 | ||
462 | if [ "$CLAMP_MSS_TO_PMTU" = "1" ]; then | |
463 | # ================ Tables 'filter' and 'mangle', automatic rules |
464 | [ "$FW_FORWARD" = "1" ] && { |
465 | $IPTABLES -t filter -A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu |
466 | $IPTABLES -t mangle -A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu |
467 | if [ "$USE_IPV6" == "1" ]; then |
468 | $IP6TABLES -t filter -A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu |
469 | $IP6TABLES -t mangle -A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu |
470 | fi |
471 | } |
0 | 472 | fi |
473 | ||
474 | # Filter all packets that have RH0 header | |
475 | if [ "$USE_IPV6" == "1" ]; then | |
476 | # Filter all packets that have RH0 header | |
477 | $IP6TABLES -A OUTPUT -m rt --rt-type 0 -j DROP | |
478 | $IP6TABLES -A INPUT -m rt --rt-type 0 -j DROP | |
479 | [ "$FW_FORWARD" = "1" ] && $IP6TABLES -A FORWARD -m rt --rt-type 0 -j DROP | |
480 | ||
481 | # Allow Link-Local sddresses | |
482 | $IP6TABLES -A INPUT -s fe80::/10 -j ACCEPT | |
483 | $IP6TABLES -A OUTPUT -s fe80::/10 -j ACCEPT | |
484 | ||
485 | # Allow Multicast | |
486 | $IP6TABLES -A INPUT -d ff00::/8 -j ACCEPT | |
487 | $IP6TABLES -A OUTPUT -d ff00::/8 -j ACCEPT | |
488 | fi | |
489 | ||
490 | # Traceroute | |
491 | if [ "$FW_TRACEROUTE" = "1" ]; then | |
492 | $IPTABLES -A OUTPUT -p udp -m udp --dport 33434:33524 -m state --state NEW -j ACCEPT | |
493 | $IPTABLES -A INPUT -p udp -m udp --dport 33434:33524 -m state --state NEW -j ACCEPT | |
494 | [ "$FW_FORWARD" = "1" ] && $IPTABLES -A FORWARD -p udp -m udp --dport 33434:33524 -m state --state NEW -j ACCEPT | |
495 | if [ "$USE_IPV6" == "1" ]; then | |
496 | $IP6TABLES -A OUTPUT -p udp -m udp --dport 33434:33524 -m state --state NEW -j ACCEPT | |
497 | $IP6TABLES -A INPUT -p udp -m udp --dport 33434:33524 -m state --state NEW -j ACCEPT | |
498 | [ "$FW_FORWARD" = "1" ] && $IP6TABLES -A FORWARD -p udp -m udp --dport 33434:33524 -m state --state NEW -j ACCEPT | |
499 | fi | |
500 | fi | |
501 | ||
502 | echo -n "." | |
503 | } | |
504 | ||
505 | ||
506 | ||
507 | fw_start_interface_chain() | |
508 | { | |
509 | local multi iodir IFS=\; | |
510 | ||
511 | INTF=$1 | |
512 | FCHAIN=$2 | |
513 | NCHAIN=$3 | |
514 | SCHAIN=$4 | |
515 | CONFFILE="/etc/mbse-firewall/conf.d/${INTF}-${FCHAIN}.conf" | |
516 | is_external_if4 $1 | |
517 | EXTERN4=$? | |
518 | is_external_if6 $1 | |
519 | EXTERN6=$? | |
520 | ||
4
92045b0e8e17
ipset now adds the hostname to the blocklists so that the firewall scripts works on hosts and Linux Container clients without conflicts. The ipset tables are visible on the host and in the lxc clients. Then, silently drop icmpv6 router sollicitaion and neighbour sollicitation messages that come in with the hoplimit field not set to 255. Some Windows systems do this. Version 0.0.16
Michiel Broek <mbroek@mbse.eu>
parents:
3
diff
changeset
|
521 | HOST="$(hostname)" |
92045b0e8e17
ipset now adds the hostname to the blocklists so that the firewall scripts works on hosts and Linux Container clients without conflicts. The ipset tables are visible on the host and in the lxc clients. Then, silently drop icmpv6 router sollicitaion and neighbour sollicitation messages that come in with the hoplimit field not set to 255. Some Windows systems do this. Version 0.0.16
Michiel Broek <mbroek@mbse.eu>
parents:
3
diff
changeset
|
522 | |
0 | 523 | # TODO: use subchains, but we need to do 2 passes on the config |
524 | # files to make it work. | |
525 | ||
526 | # Are there rules for this chain? | |
527 | if [ -f $CONFFILE ]; then | |
528 | echo " Start chain ${NCHAIN} on interface ${INTF} is external ipv4: ${EXTERN4} ipv6: ${EXTERN6}" | $LOGGER | |
529 | ||
530 | # Install auto blacklisting if set for this interface and this is the | |
531 | # INPUT or FORWARD chain. In /etc/mbse-firewall/firewall.conf set then | |
532 | # IF_EXT_AUTO_TO value for the block timeout. Default is 3600 seconds. | |
533 | # See the end of this function for the actual test. | |
534 | if [ "$NCHAIN" = "INPUT" -o "$NCHAIN" = "FORWARD" ]; then | |
535 | if [ "$IF_EXT_AUTO_BLOCK" = "1" ]; then | |
536 | if [ "$EXTERN4" = "1" ]; then | |
537 | echo " Installing IPv4 auto blacklisting on interface ${INTF}" | $LOGGER | |
4
92045b0e8e17
ipset now adds the hostname to the blocklists so that the firewall scripts works on hosts and Linux Container clients without conflicts. The ipset tables are visible on the host and in the lxc clients. Then, silently drop icmpv6 router sollicitaion and neighbour sollicitation messages that come in with the hoplimit field not set to 255. Some Windows systems do this. Version 0.0.16
Michiel Broek <mbroek@mbse.eu>
parents:
3
diff
changeset
|
538 | $IPSET create ${HOST}-mbsefw-auto4 hash:ip timeout $IF_EXT_AUTO_TO counters -exist |
92045b0e8e17
ipset now adds the hostname to the blocklists so that the firewall scripts works on hosts and Linux Container clients without conflicts. The ipset tables are visible on the host and in the lxc clients. Then, silently drop icmpv6 router sollicitaion and neighbour sollicitation messages that come in with the hoplimit field not set to 255. Some Windows systems do this. Version 0.0.16
Michiel Broek <mbroek@mbse.eu>
parents:
3
diff
changeset
|
539 | $IPTABLES -I $NCHAIN -m set --match-set ${HOST}-mbsefw-auto4 src -j DROP |
0 | 540 | fi |
541 | if [ "$EXTERN6" = "1" ]; then | |
542 | echo " Installing IPv6 auto blacklisting on interface ${INTF}" | $LOGGER | |
4
92045b0e8e17
ipset now adds the hostname to the blocklists so that the firewall scripts works on hosts and Linux Container clients without conflicts. The ipset tables are visible on the host and in the lxc clients. Then, silently drop icmpv6 router sollicitaion and neighbour sollicitation messages that come in with the hoplimit field not set to 255. Some Windows systems do this. Version 0.0.16
Michiel Broek <mbroek@mbse.eu>
parents:
3
diff
changeset
|
543 | $IPSET create ${HOST}-mbsefw-auto6 hash:ip family inet6 timeout $IF_EXT_AUTO_TO counters -exist |
92045b0e8e17
ipset now adds the hostname to the blocklists so that the firewall scripts works on hosts and Linux Container clients without conflicts. The ipset tables are visible on the host and in the lxc clients. Then, silently drop icmpv6 router sollicitaion and neighbour sollicitation messages that come in with the hoplimit field not set to 255. Some Windows systems do this. Version 0.0.16
Michiel Broek <mbroek@mbse.eu>
parents:
3
diff
changeset
|
544 | $IP6TABLES -I $NCHAIN -m set --match-set ${HOST}-mbsefw-auto6 src -j DROP |
0 | 545 | fi |
546 | fi | |
547 | fi | |
548 | ||
549 | # Adjust for the direction of the chain | |
550 | if [ "$NCHAIN" = "OUTPUT" -o "$NCHAIN" = "POSTROUTING" ]; then | |
551 | iodir="-o" | |
552 | else | |
553 | iodir="-i" | |
554 | fi | |
555 | ||
556 | # Read the configuration | |
557 | $GREP -Ev '^#|^\s*$' $CONFFILE | while read L ; do | |
558 | set $L | |
559 | # Build command | |
560 | if [ "$1" = "6" ]; then | |
561 | CMD=$IP6TABLES | |
562 | else | |
563 | CMD=$IPTABLES | |
564 | fi | |
565 | ||
566 | if [ -n "$2" ]; then | |
567 | args=("-t" "$2" "-A" "$NCHAIN" "$iodir" "${INTF}") | |
568 | else | |
569 | args=("-A" "$NCHAIN" "$iodir" "${INTF}") | |
570 | fi | |
571 | ||
572 | # Protocol | |
14
654773d80b70
Version 0.0.27 Fix for igmp protocol, do not use -m option.
Michiel Broek <mbroek@mbse.eu>
parents:
13
diff
changeset
|
573 | [ -n "$3" ] && { |
654773d80b70
Version 0.0.27 Fix for igmp protocol, do not use -m option.
Michiel Broek <mbroek@mbse.eu>
parents:
13
diff
changeset
|
574 | if [ "$3" = "igmp" ]; then |
654773d80b70
Version 0.0.27 Fix for igmp protocol, do not use -m option.
Michiel Broek <mbroek@mbse.eu>
parents:
13
diff
changeset
|
575 | args+=("-p" "$3") |
654773d80b70
Version 0.0.27 Fix for igmp protocol, do not use -m option.
Michiel Broek <mbroek@mbse.eu>
parents:
13
diff
changeset
|
576 | else |
654773d80b70
Version 0.0.27 Fix for igmp protocol, do not use -m option.
Michiel Broek <mbroek@mbse.eu>
parents:
13
diff
changeset
|
577 | args+=("-p" "$3" "-m" "$3") |
654773d80b70
Version 0.0.27 Fix for igmp protocol, do not use -m option.
Michiel Broek <mbroek@mbse.eu>
parents:
13
diff
changeset
|
578 | fi |
654773d80b70
Version 0.0.27 Fix for igmp protocol, do not use -m option.
Michiel Broek <mbroek@mbse.eu>
parents:
13
diff
changeset
|
579 | } |
0 | 580 | |
581 | # Test for multiport | |
582 | multi=0 | |
583 | [ -n "$5$7" ] && { | |
584 | [[ $5$7 == *","* ]] && multi=1 | |
585 | [[ $5$7 == *":"* ]] && multi=1 | |
586 | } | |
587 | [ "$multi" = "1" ] && args+=("-m" "multiport") | |
588 | ||
589 | # Source address | |
590 | [ -n "$4" ] && args+=("-s" "$4") | |
591 | ||
592 | # Source port(s) | |
593 | [ -n "$5" ] && { | |
594 | multi=0 | |
595 | [[ $5 == *","* ]] && multi=1 | |
596 | [[ $5 == *":"* ]] && multi=1 | |
597 | if [ "$multi" = "1" ]; then | |
598 | args+=("--sports" "$5") | |
599 | else | |
600 | args+=("--sport" "$5") | |
601 | fi | |
602 | } | |
603 | ||
604 | # Destination address | |
605 | [ -n "$6" ] && args+=("-d" "$6") | |
606 | ||
607 | # Destination port(s) | |
608 | [ -n "$7" ] && { | |
609 | multi=0 | |
610 | [[ $7 == *","* ]] && multi=1 | |
611 | [[ $7 == *":"* ]] && multi=1 | |
612 | if [ "$multi" = "1" ]; then | |
613 | args+=("--dports" "$7") | |
614 | else | |
615 | args+=("--dport" "$7") | |
616 | fi | |
617 | } | |
618 | ||
619 | # Rule options | |
620 | [ -n "$9" ] && { | |
621 | IFS=' ' | |
622 | for arg in $9; do | |
623 | args+=("$arg") | |
624 | done | |
625 | IFS=\; | |
626 | } | |
627 | ||
628 | # Rule action | |
629 | [ -n "$8" ] && { | |
630 | IFS=' ' | |
631 | args+=("-j") | |
632 | for arg in $8; do | |
633 | args+=("$arg") | |
634 | done | |
635 | IFS=\; | |
636 | } | |
637 | ||
638 | $CMD "${args[@]}" | |
639 | rc=$? | |
640 | echo " " $CMD "${args[@]}" | $LOGGER | |
641 | if [ $rc -ne 0 ]; then | |
642 | echo "Error in $CONFFILE" | $LOGGER | |
643 | fi | |
644 | done | |
645 | ||
646 | # In PREROUTING or POSTROUTING chains we are done here. | |
647 | if [ "$NCHAIN" = "PREROUTING" -o "$NCHAIN" = "POSTROUTING" ]; then | |
648 | return | |
649 | fi | |
650 | ||
651 | # Ignore timing problems with old connections | |
652 | $IPTABLES -A $NCHAIN $iodir ${INTF} -p tcp -m tcp --tcp-flags ACK,PSH ACK,PSH -j DROP | |
653 | [ "$USE_IPV6" = "1" ] && $IP6TABLES -A $NCHAIN $iodir ${INTF} -p tcp -m tcp --tcp-flags ACK,PSH ACK,PSH -j DROP | |
654 | ||
655 | # Install the final autoblock rule if this is the INPUT or FORWARD chain. | |
3
6b45cf9df8cf
Upgrades to version 0.0.14 and 0.0.15
Michiel Broek <mbroek@mbse.eu>
parents:
2
diff
changeset
|
656 | # We allow upto 5 probes per minute or a burst of 10 probes. This should be |
0 | 657 | # a good balance to catch the real bad guys. Note that until the IP is |
658 | # blocked these systems are logged using the rule below this one. | |
659 | if [ "$IF_EXT_AUTO_BLOCK" = "1" -a "$NCHAIN" != "OUTPUT" ]; then | |
660 | if [ "${EXTERN4}" = "1" ]; then | |
3
6b45cf9df8cf
Upgrades to version 0.0.14 and 0.0.15
Michiel Broek <mbroek@mbse.eu>
parents:
2
diff
changeset
|
661 | # First, ignore these. Can happen after a temporary network problem. |
6b45cf9df8cf
Upgrades to version 0.0.14 and 0.0.15
Michiel Broek <mbroek@mbse.eu>
parents:
2
diff
changeset
|
662 | $IPTABLES -A $NCHAIN $iodir ${INTF} -p tcp -m tcp --tcp-flags ALL ACK -j DROP |
6b45cf9df8cf
Upgrades to version 0.0.14 and 0.0.15
Michiel Broek <mbroek@mbse.eu>
parents:
2
diff
changeset
|
663 | # Now the real rule. |
0 | 664 | $IPTABLES -A $NCHAIN $iodir ${INTF} \ |
665 | -m hashlimit --hashlimit-above ${IF_EXT_AUTO_LIMIT} --hashlimit-burst ${IF_EXT_AUTO_BURST} --hashlimit-mode srcip --hashlimit-name hash-auto4 \ | |
4
92045b0e8e17
ipset now adds the hostname to the blocklists so that the firewall scripts works on hosts and Linux Container clients without conflicts. The ipset tables are visible on the host and in the lxc clients. Then, silently drop icmpv6 router sollicitaion and neighbour sollicitation messages that come in with the hoplimit field not set to 255. Some Windows systems do this. Version 0.0.16
Michiel Broek <mbroek@mbse.eu>
parents:
3
diff
changeset
|
666 | -j SET --add-set ${HOST}-mbsefw-auto4 src |
0 | 667 | fi |
668 | if [ "${EXTERN6}" = "1" ]; then | |
3
6b45cf9df8cf
Upgrades to version 0.0.14 and 0.0.15
Michiel Broek <mbroek@mbse.eu>
parents:
2
diff
changeset
|
669 | # First, ignore these. Can happen after a temporary network problem. |
6b45cf9df8cf
Upgrades to version 0.0.14 and 0.0.15
Michiel Broek <mbroek@mbse.eu>
parents:
2
diff
changeset
|
670 | $IP6TABLES -A $NCHAIN $iodir ${INTF} -p tcp -m tcp --tcp-flags ALL ACK -j DROP |
671 | # Now the real rule. |
0 | 672 | $IP6TABLES -A $NCHAIN $iodir ${INTF} \ |
673 | -m hashlimit --hashlimit-above ${IF_EXT_AUTO_LIMIT} --hashlimit-burst ${IF_EXT_AUTO_BURST} --hashlimit-mode srcip --hashlimit-name hash-auto6 \ | |
674 | -j SET --add-set ${HOST}-mbsefw-auto6 src |
0 | 675 | fi |
676 | fi | |
677 | # deny and log the rest | |
678 | $IPTABLES -A $NCHAIN $iodir ${INTF} -m limit --limit 10/minute -j "${FW_LOGDEST[@]}" "DENY=$NCHAIN " |
679 | [ "$USE_IPV6" == "1" ] && $IP6TABLES -A $NCHAIN $iodir ${INTF} -m limit --limit 10/minute -j "${FW_LOGDEST[@]}" "DENY=$NCHAIN " |
0 | 680 | $IPTABLES -A $NCHAIN $iodir ${INTF} -j DROP |
681 | [ "$USE_IPV6" == "1" ] && $IP6TABLES -A $NCHAIN $iodir ${INTF} -j DROP | |
682 | echo -n "." | |
683 | fi | |
684 | } | |
685 | ||
686 | ||
687 | ||
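fw_start_interface() {
  # Build the rules for one interface in every chain it can appear in.
  # Arguments: $1 - interface name (external interface or a trunk entry)
  # Each call passes the chain in the three spellings
  # fw_start_interface_chain expects (lower case, netfilter name, short form).
  local intf=$1
  fw_start_interface_chain "$intf" "prerouting" "PREROUTING" "pre"
  fw_start_interface_chain "$intf" "input" "INPUT" "in"
  fw_start_interface_chain "$intf" "output" "OUTPUT" "out"
  fw_start_interface_chain "$intf" "forward" "FORWARD" "fwd"
  fw_start_interface_chain "$intf" "postrouting" "POSTROUTING" "post"
}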
696 | ||
697 | ||
698 | ||
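fw_start_main() {
  # Set up the per-interface rules: the external IPv4 and IPv6 interfaces
  # first, then the trunk interfaces in IF_TRUNK (at most 50; the list
  # ends at the first empty entry).
  # Globals: IF_EXT, IF_EXT6, IF_TRUNK (read).
  local i=0

  [ -n "$IF_EXT" ] && fw_start_interface "$IF_EXT"
  [ -n "$IF_EXT6" ] && fw_start_interface "$IF_EXT6"

  # Walked by index so that a gap in IF_TRUNK terminates the list, as before.
  while [ "$i" -lt 50 ]; do
    [ -z "${IF_TRUNK[$i]}" ] && break
    fw_start_interface "${IF_TRUNK[$i]}"
    i=$((i + 1))
  done
}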
712 | ||
713 | ||
714 | ||
fw_start_final() {
  # Final rules for OUTPUT, INPUT and (when forwarding) FORWARD: whatever
  # reaches this point is logged, rate limited to 10 per minute, and dropped.
  # Globals: IPTABLES, IP6TABLES, LOGGER, FW_LOGDEST, FW_FORWARD, USE_IPV6.
  local -a tools=("$IPTABLES")
  [ "$USE_IPV6" = "1" ] && tools+=("$IP6TABLES")

  local tool
  for tool in "${tools[@]}"; do
    # Deny and log everything else
    $tool -N FINAL_RULE
    $tool -A OUTPUT -j FINAL_RULE
    $tool -A INPUT -j FINAL_RULE
    [ "$FW_FORWARD" = "1" ] && $tool -A FORWARD -j FINAL_RULE
    $tool -A FINAL_RULE -m limit --limit 10/minute -j "${FW_LOGDEST[@]}" "DENY=999 "
    $tool -A FINAL_RULE -j DROP
  done
  echo "Firewall installed" | $LOGGER
}
733 | ||
734 | ||
735 | ||
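fw_install() {
  # Build a fresh firewall from the configuration: reset the tables with a
  # DROP policy, apply the sysctl settings, then the init, per-interface
  # and final rules.
  # Globals: LOGGER, MBSEFW_VERSION. Progress dots go to stdout.
  local banner
  banner="Installing $(basename "$0") $MBSEFW_VERSION"
  echo "$banner" | $LOGGER
  echo -n "${banner}: "
  reset_iptables DROP
  echo -n "."
  fw_init_sysctl
  echo -n "."
  fw_start_init
  fw_start_main
  fw_start_final
  echo " done."
}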
748 | ||
749 | ||
750 | ||
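fw_start() {
  # Bring the firewall up.  A complete saved state (ipv4, ipv6 and ipset
  # data) is restored as-is; otherwise a new firewall is installed and saved.
  # Globals: IPSET, IPTABLES_RESTORE, IP6TABLES_RESTORE, LOGGER, MBSEFW_VERSION.
  local datadir=/etc/mbse-firewall/data
  local banner
  if [ -f "${datadir}/firewall-ipv4.data" ] \
     && [ -f "${datadir}/firewall-ipv6.data" ] \
     && [ -f "${datadir}/firewall-ipset.data" ]; then
    # Do a full restore of all saved data
    banner="Starting $(basename "$0") $MBSEFW_VERSION"
    echo -n "${banner}: "
    echo "$banner" | $LOGGER
    echo "Start new firewall" | $LOGGER
    fw_init_nfacct
    reset_iptables DROP
    echo -n "."
    fw_init_sysctl
    # The sets are restored before the rules that reference them;
    # -exist keeps an already present set from being an error.
    $IPSET restore -exist < "${datadir}/firewall-ipset.data"
    echo " Restored ${datadir}/firewall-ipset.data" | $LOGGER
    echo -n "."
    $IPTABLES_RESTORE < "${datadir}/firewall-ipv4.data"
    echo " Restored ${datadir}/firewall-ipv4.data" | $LOGGER
    echo -n "."
    $IP6TABLES_RESTORE < "${datadir}/firewall-ipv6.data"
    echo " Restored ${datadir}/firewall-ipv6.data" | $LOGGER
    echo " done."
    echo -n "New firewall active" | $LOGGER
  else
    # If there is no saved firewall, install a new one and save it.
    fw_install
    fw_save
  fi
}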
779 | ||
780 | ||
781 | ||
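fw_stop() {
  # Remove the firewall: the tables are reset with an ACCEPT policy.
  # Globals: LOGGER, MBSEFW_VERSION.
  local banner
  banner="Stopping $(basename "$0") $MBSEFW_VERSION"
  echo "$banner" | $LOGGER
  echo -n "${banner}: "
  # Slackware defaults to ACCEPT when no firewall is active.
  reset_iptables ACCEPT
  echo "done."
}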
789 | ||
790 | ||
791 | ||
792 | # If there are blocklist tables, reload them. | |
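fw_reload() {
  # Reload the blocklist sets, IPv4 then IPv6; nothing else is touched.
  # Globals: LOGGER, MBSEFW_VERSION.
  local banner
  banner="Reload $(basename "$0") $MBSEFW_VERSION"
  echo "$banner" | $LOGGER
  echo -n "${banner}: "
  reload_blocklist4
  reload_blocklist6
  echo "done."
}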
800 | ||
801 | ||
802 | ||
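fw_save() {
  # Save the running firewall so that "start" can restore it later without
  # rebuilding: the iptables and ip6tables rules plus the ipset tables.
  # Globals: IPTABLES_SAVE, IP6TABLES_SAVE, IPSET (commands), LOGGER,
  #          IF_EXT_GLOBAL_BLOCK, USE_IPV6, MBSEFW_VERSION; sets HOST.
  local datadir=/etc/mbse-firewall/data
  local ipset_data="${datadir}/firewall-ipset.data"
  local set_name

  echo "Saving $(basename "$0") $MBSEFW_VERSION" | $LOGGER
  echo -n "Saving $(basename "$0") $MBSEFW_VERSION: "
  mkdir -p "$datadir"
  [ -n "$IPTABLES_SAVE" ] && $IPTABLES_SAVE > "${datadir}/firewall-ipv4.data"
  echo -n "."
  [ -n "$IP6TABLES_SAVE" ] && $IP6TABLES_SAVE > "${datadir}/firewall-ipv6.data"
  echo -n "."

  # Rebuild the ipset dump from scratch.
  rm -f "$ipset_data"
  touch "$ipset_data"
  if [ "$IF_EXT_GLOBAL_BLOCK" = "1" ]; then
    # Global blocklists: only the set definition (-t) is saved, not the members.
    $IPSET save global-blk4 -t >> "$ipset_data"
    if [ "$USE_IPV6" = "1" ]; then
      $IPSET save global-blk6 -t >> "$ipset_data"
    fi
  fi
  HOST="$(hostname)"
  # Per-host sets carry the hostname (host and LXC clients see the same
  # sets); -F matches it literally so the dots of an FQDN are not wildcards.
  for set_name in $($IPSET list -n | grep -F -- "${HOST}"); do
    if [ "$set_name" = "${HOST}-mbsefw-auto4" ] || [ "$set_name" = "${HOST}-mbsefw-auto6" ]; then
      # Only save structure for auto blocklists
      $IPSET save "$set_name" -t >> "$ipset_data"
    else
      $IPSET save "$set_name" >> "$ipset_data"
    fi
    echo -n "."
  done
  echo " done."
  echo "Save firewall done in ${datadir}" | $LOGGER
}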
834 | ||
835 | ||
836 | ||
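fw_status() {
  # Report what is active: the loaded netfilter modules, the rules of every
  # table whose module is loaded (IPv4 and IPv6), and this host's ipsets.
  # Globals: LSMOD, AWK, GREP, IPTABLES, IP6TABLES, IPSET (commands),
  #          MBSEFW_VERSION; sets HOST. Everything is written to stdout.
  local ip_modules table heading idx sets my_set
  local -a tables=(filter nat raw mangle security)
  local -a headings=(FILTER NAT RAW MANGLE SECURITY)

  echo -n "$(basename "$0") $MBSEFW_VERSION"

  # First column of lsmod, kept to the netfilter modules (ip*, ip6*).
  ip_modules=$($LSMOD | $AWK '{print $1}' | $GREP '^ip')
  if [ -z "$ip_modules" ]; then
    echo " - You do not have any iptables loaded."
    return
  fi
  echo " - You have the following ip modules loaded:"
  echo -n " "
  # Unquoted on purpose: joins the one-per-line list into a single line.
  echo ${ip_modules}

  # A table is only listed when its module (iptable_<t> / ip6table_<t>) is
  # loaded, presumably so that listing does not make iptables load it.
  for ((idx = 0; idx < ${#tables[@]}; idx++)); do
    table=${tables[idx]}
    heading=${headings[idx]}
    if printf '%s\n' "$ip_modules" | $GREP -q -- "iptable_${table}"; then
      echo
      echo " ${heading} TABLE IPv4"
      echo
      $IPTABLES -t "$table" -L -v -n --line-numbers
    fi
    if printf '%s\n' "$ip_modules" | $GREP -q -- "ip6table_${table}"; then
      echo
      echo " ${heading} TABLE IPv6"
      echo
      $IP6TABLES -t "$table" -L -v -n --line-numbers
    fi
  done

  if [ -n "$IPSET" ]; then
    HOST="$(hostname)"
    # Only this host's sets (names carry the hostname, shared with LXC
    # clients); -F keeps the dots of an FQDN from matching as wildcards.
    sets=$($IPSET list -n | $GREP -F -- "${HOST}")
    if [ -n "$sets" ]; then
      echo
      echo ' IPSET listing'
      for my_set in ${sets}; do
        echo
        ${IPSET} list "${my_set}"
      done
    fi
  fi
}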
932 | ||
933 | ||
934 | ||
935 | # --------------------------------------------------------------------------- | |
936 | # | |
937 | # MAIN program part | |
938 | # | |
939 | # --------------------------------------------------------------------------- | |
940 | ||
941 | ||
942 | # See how we were called | |
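cmd=$1

case "$cmd" in
  start)
    # ulogd, when installed, is started first so nflog output has a consumer.
    [ -x /etc/rc.d/rc.ulogd ] && /etc/rc.d/rc.ulogd start
    fw_start
    ;;

  stop)
    fw_stop
    [ -x /etc/rc.d/rc.ulogd ] && /etc/rc.d/rc.ulogd stop
    ;;

  restart)
    fw_stop
    [ -x /etc/rc.d/rc.ulogd ] && /etc/rc.d/rc.ulogd restart
    fw_start
    ;;

  save)
    fw_save
    ;;
  install)
    fw_install
    ;;
  reload)
    fw_reload
    ;;
  status)
    fw_status
    ;;

  *)
    echo "Usage $0 [start|stop|restart|save|install|reload|status]"
    echo
    echo "start start a saved firewall"
    echo "stop stop firewall and set default ACCEPT state"
    echo "restart stop and start the firewall"
    echo "save save current installed firewall rules"
    echo "install install new firewall from configuration"
    echo "reload reload the blocklists"
    echo "status show the firewall rules and counters"
    # An unknown command is a failure for whoever invoked the script.
    exit 1
    ;;
esac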
987 | ||
988 |