1 #!/bin/bash |
1 #!/bin/bash |
2 |
2 |
3 # --------------------------------------------------------------------------- |
3 # --------------------------------------------------------------------------- |
4 # Copyright (C) 2013-2015 by Michiel Broek. |
4 # Copyright (C) 2013-2016 by Michiel Broek. |
5 # Homepage http://www.mbse.eu |
5 # Homepage http://www.mbse.eu |
6 # Email mbse At mbse dOt eu |
6 # Email mbse At mbse dOt eu |
7 # |
7 # |
8 # This file is part of mbse-firewall. |
8 # This file is part of mbse-firewall. |
9 # |
9 # |
20 # You should have received a copy of the GNU General Public License |
20 # You should have received a copy of the GNU General Public License |
21 # along with this program; see the file COPYING. If not, write to the Free |
21 # along with this program; see the file COPYING. If not, write to the Free |
22 # Software Foundation, 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA. |
22 # Software Foundation, 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA. |
23 # --------------------------------------------------------------------------- |
23 # --------------------------------------------------------------------------- |
24 |
24 |
25 MBSEFW_VERSION="0.0.20" |
25 MBSEFW_VERSION="0.0.22" |
26 |
26 |
27 # Sanity checks |
27 # Sanity checks |
28 if [ "$(id -u)" != "0" ]; then |
28 if [ "$(id -u)" != "0" ]; then |
29 echo "** You must be root to run this program" |
29 echo "** You must be root to run this program" |
30 exit 1 |
30 exit 1 |
406 $IP6TABLES -A OUTPUT -p ipv6-icmp -m icmp6 --icmpv6-type echo-reply -j ACCEPT |
406 $IP6TABLES -A OUTPUT -p ipv6-icmp -m icmp6 --icmpv6-type echo-reply -j ACCEPT |
407 if [ "$FW_FORWARD" = "1" ]; then |
407 if [ "$FW_FORWARD" = "1" ]; then |
408 $IP6TABLES -A FORWARD -p ipv6-icmp -m icmp6 --icmpv6-type echo-request -m limit --limit 15/second -j ACCEPT |
408 $IP6TABLES -A FORWARD -p ipv6-icmp -m icmp6 --icmpv6-type echo-request -m limit --limit 15/second -j ACCEPT |
409 $IP6TABLES -A FORWARD -p ipv6-icmp -m icmp6 --icmpv6-type echo-reply -m limit --limit 15/second -j ACCEPT |
409 $IP6TABLES -A FORWARD -p ipv6-icmp -m icmp6 --icmpv6-type echo-reply -m limit --limit 15/second -j ACCEPT |
410 fi |
410 fi |
|
411 |
|
412 if [ -n "$IF_EXT6" -a "$IF_EXT_IS_BORDER_GW" = "1" ]; then |
|
413 $IP6TABLES -A INPUT -o $IF_EXT6 -p ipv6-icmp -d ff00::/8 -m icmp6 --icmpv6-type 132 -j DROP |
|
414 $IP6TABLES -A OUTPUT -o $IF_EXT6 -p ipv6-icmp -d ff00::/8 -m icmp6 --icmpv6-type 132 -j DROP |
|
415 elif [ -n "$IF_EXT" -a "$IF_EXT_IS_BORDER_GW" = "1" ]; then |
|
416 $IP6TABLES -A INPUT -o $IF_EXT -p ipv6-icmp -d ff00::/8 -m icmp6 --icmpv6-type 132 -j DROP |
|
417 $IP6TABLES -A OUTPUT -o $IF_EXT -p ipv6-icmp -d ff00::/8 -m icmp6 --icmpv6-type 132 -j DROP |
|
418 fi |
|
419 $IP6TABLES -A INPUT -p ipv6-icmp -d ff00::/8 -m icmp6 --icmpv6-type 132 -j ACCEPT |
|
420 $IP6TABLES -A OUTPUT -p ipv6-icmp -d ff00::/8 -m icmp6 --icmpv6-type 132 -j ACCEPT |
411 |
421 |
412 # rules to permit IPv6 Neighbor discovery |
422 # rules to permit IPv6 Neighbor discovery |
413 $IP6TABLES -A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type router-solicitation -m hl --hl-eq 255 -j ACCEPT |
423 $IP6TABLES -A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type router-solicitation -m hl --hl-eq 255 -j ACCEPT |
414 $IP6TABLES -A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type router-solicitation -j DROP # Silent drop HOPLIMIT <> 255 |
424 $IP6TABLES -A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type router-solicitation -j DROP # Silent drop HOPLIMIT <> 255 |
415 $IP6TABLES -A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type router-advertisement -m hl --hl-eq 255 -j ACCEPT |
425 $IP6TABLES -A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type router-advertisement -m hl --hl-eq 255 -j ACCEPT |