RFC 1918 space blocking

master
bbruns 2010-09-29 23:04:48 +00:00
parent 2c331ce024
commit 441deb9023
4 changed files with 50 additions and 4 deletions


@ -1,3 +1,7 @@
0.9.8 - Brielle Bruns <bruns@2mbit.com>
- Almost at v1.0 quality for my tastes
- BLOCK_(INCOMING/OUTGOING)_RFC1918 options to help sure up security of LAN space leakage
0.9.7 - Brielle Bruns <bruns@2mbit.com>
- Support for marking packets, uses new config file and
IPv4_MARK file option


@ -18,7 +18,7 @@
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
FW_VERSION="0.9.7"
FW_VERSION="0.9.8"
# These option is here to help pre-1.0 users easily upgrade, defines critical defaults
# that would otherwise require remaking their options file. I leave this on by default,
@ -145,6 +145,33 @@ if [ $BLOCKEDIP ]; then
echo -ne "\n"
fi
if [ "$BLOCK_OUTGOING_RFC1918" ]; then
display_c YELLOW "Blocking RFC1918 space going out on: " N
for i in $BLOCK_OUTGOING_RFC1918; do
display_c BLUE "$i" N
for x in $RFC1918_SPACE; do
$IPTABLES -A OUTPUT -d $i -s $x -j DROP
$IPTABLES -A FORWARD -d $i -s $x -j DROP
done
done
echo -ne "\n"
unset i x
fi
if [ "$BLOCK_INCOMING_RFC1918" ]; then
display_c YELLOW "Blocking RFC1918 space coming in on: " N
for i in $BLOCK_INCOMING_RFC1918; do
display_c BLUE "$i" N
for x in $RFC1918_SPACE; do
$IPTABLES -A OUTPUT -s $i -s $x -j DROP
$IPTABLES -A FORWARD -s $i -s $x -j DROP
done
done
echo -ne "\n"
unset i x
fi
if [ "$STRIPECN" ]; then
display_c YELLOW "Stripping ECN off of TCP packets to " N
for i in $STRIPECN; do
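Review bot: The incoming rules on the `$IPTABLES -A OUTPUT -s $i -s $x -j DROP` and `$IPTABLES -A FORWARD -s $i -s $x -j DROP` lines pass the interface name held in `$i` (the options file in this commit documents values like `ppp0`) as a source address and repeat `-s`, which iptables rejects as multiple -s flags, so the BLOCK_INCOMING_RFC1918 rules never load; traffic arriving on an interface also belongs on INPUT, not OUTPUT. The outgoing block has the same mismatch with `-d $i`, where `-o $i` is the intended match. The options-file comment added in this commit also spells the variable `BLOCK_INCOMING_RFC1981`, which does not match the name read here. The enclosing script body continues outside the hunk.
```shell
  for x in $RFC1918_SPACE; do
    $IPTABLES -A OUTPUT -o "$i" -s "$x" -j DROP
    $IPTABLES -A FORWARD -o "$i" -s "$x" -j DROP
  done
# … unchanged: echo/unset, BLOCK_INCOMING_RFC1918 header and outer loop …
  for x in $RFC1918_SPACE; do
    $IPTABLES -A INPUT -i "$i" -s "$x" -j DROP
    $IPTABLES -A FORWARD -i "$i" -s "$x" -j DROP
  done
```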


@ -51,4 +51,7 @@ PROC_NET_IPV4="/proc/sys/net/ipv4/conf"
# Multiport options - override in options
NF_MULTIPORT="xt_multiport"
NF_MULTIPORT_MAX_PORTS="7"
NF_MULTIPORT_MAX_PORTS="7"
# RFC 1918 Space
RFC1918_SPACE="192.168.0.0/16 172.16.0.0/12 10.0.0.0/8"


@ -82,7 +82,6 @@ IPv4_MARK=$BASEDIR/ipv4-marks
#
HACK_IPV4="NS-IN-DDOS"
#==============
# Obsolete - DO NOT USE ANYMORE. Will be removed in 1.0
# IP ranges(s) to NAT using SNAT.
@ -97,7 +96,6 @@ HACK_IPV4="NS-IN-DDOS"
# MASQ:<INT IF>:<INT IP>:<EXT IF>
#NAT_RANGE=
# IP Ranges to block all traffic incoming/outgoing
BLOCKEDIP=$BASEDIR/blocked
@ -109,6 +107,20 @@ BLOCKEDIP=$BASEDIR/blocked
# Either individual IPs or 0.0.0.0/0
STRIPECN="0.0.0.0/0"
# Block private LAN traffic (RFC reserved space) going OUT on these interfaces
# for security reasons. This has the potential to cause issues if your
# provider uses private IP space for uplinks in PPPoE/PPPoA, so don't use it
# and use BLOCK_INCOMING_RFC1981 instead.
#BLOCK_OUTGOING_RFC1918="ppp0"
# Block private LAN traffic (RFC reserved space) coming IN on these interfaces
# for security reasons. This is a bit more safer to use if your provider uses
# private IP space for the other end of PPP links.
#BLOCK_INCOMING_RFC1918="ppp0"
# RFC1918 Space override, don't change or uncomment this unless you absolutely need to
#RFC1918_SPACE="192.168.0.0/16 172.16.0.0/12 10.0.0.0/8"
# IPv6 related features. Commenting out IPV6 variable disables ALL
# IPv6 related items