IPv6 blocking test
bbruns
parent
8c61205744
commit
8f7763e4af
|
|
@ -135,7 +135,7 @@ if [ -s "$BASEDIR/include/ipv4_custom_blockip" ]; then
|
|||
. "$BASEDIR/include/ipv4_custom_blockip"
|
||||
fi
|
||||
|
||||
if [ $BLOCKEDIP ]; then
|
||||
if [ "$BLOCKEDIP" ]; then
|
||||
display_c YELLOW "Adding blocked IPs... "
|
||||
for i in `grep -v "\#" $BLOCKEDIP`; do
|
||||
#echo -n "$i "
|
||||
|
|
@ -562,6 +562,65 @@ if [ $IPV6 ]; then
|
|||
$IP6TABLES -A OUTPUT -d $i -j ACCEPT
|
||||
done
|
||||
reset_color
|
||||
|
||||
if [ -s "$BASEDIR/include/ipv4_custom_blockip" ]; then
|
||||
display_c YELLOW "Loading custom ip block rules..."
|
||||
. "$BASEDIR/include/ipv4_custom_blockip"
|
||||
fi
|
||||
|
||||
if [ "$BLOCKEDIPV6" ]; then
|
||||
display_c YELLOW "Adding blocked IPv6 addresses... "
|
||||
for i in `grep -v "\#" $BLOCKEDIPV6`; do
|
||||
if [[ "$i" =~ "|" ]]; then
|
||||
IFS_OLD=${IFS};IFS=\|
|
||||
ADVBLKIP=($i)
|
||||
IFS=${IFS_OLD}
|
||||
SRCIF=${ADVBLKIP[0]}
|
||||
SRCIP=${ADVBLKIP[1]}
|
||||
SRCPORT=${ADVBLKIP[2]}
|
||||
DSTIF=${ADVBLKIP[3]}
|
||||
DSTIP=${ADVBLKIP[4]}
|
||||
DSTPORT=${ADVBLKIP[5]}
|
||||
DIRECTION=${ADVBLKIP[6]}
|
||||
PROTO=${ADVBLKIP[7]}
|
||||
if [ "$SRCIF" ]; then
|
||||
SRCIF="-i ${SRCIF} "
|
||||
fi
|
||||
if [ "$SRCIP" ]; then
|
||||
SRCIP="-s ${SRCIP} "
|
||||
fi
|
||||
if [ "$SRCPORT" ]; then
|
||||
SRCPORT="--sport ${SRCPORT/-/:} "
|
||||
fi
|
||||
if [ "$DSTIF" ]; then
|
||||
DSTIF="-o ${DSTIF} "
|
||||
fi
|
||||
if [ "$DSTIP" ]; then
|
||||
DSTIP="-d ${DSTIP} "
|
||||
fi
|
||||
if [ "$DSTPORT" ]; then
|
||||
DSTPORT="--dport ${DSTPORT/-/:} "
|
||||
fi
|
||||
if [ "$PROTO" ]; then
|
||||
case $PROTO in
|
||||
TCP|tcp) PROTO="-p tcp";;
|
||||
UDP|udp) PROTO="-p udp";;
|
||||
*) PROTO="-p ${PROTO}";;
|
||||
esac
|
||||
fi
|
||||
case $DIRECTION in
|
||||
IN) DIRECTION="INPUT" ;;
|
||||
OUT) DIRECTION="OUTPUT" ;;
|
||||
FWD) DIRECTION="FORWARD" ;;
|
||||
*) DIRECTION="INPUT" ;;
|
||||
esac
|
||||
${IP6TABLES} -A ${DIRECTION} ${PROTO} ${SRCIF} ${SRCIP} ${SRCPORT} ${DSTIF} ${DSTIP} ${DSTPORT} -j DROP
|
||||
else
|
||||
$IP6TABLES -A INPUT -s $i -j DROP
|
||||
$IP6TABLES -A OUTPUT -d $i -j DROP
|
||||
fi
|
||||
done
|
||||
fi
|
||||
|
||||
if [ -s "$BASEDIR/include/ipv6_custom_mssclamp" ]; then
|
||||
display_c YELLOW "Loading custom IPv6 MSS Clamp rules..."
|
||||
|
|
|
|||
|
|
@ -0,0 +1,12 @@
|
|||
# List of IPs to block outright
|
||||
# Two formats:
|
||||
# 1) One IP or range per line
|
||||
# 2) One ip or range per line with added specific IN/OUT/FWD and TCP/UDP port (added in 0.9.8)
|
||||
# <SRC IF>|<SRC IP>|<SRC PORT RNG>|<DST IF>|<DST IP>|<DST PORT RNG>|<IN/OUT/FWD>|<PROTO>
|
||||
# One can leave out <SRC IF> <SRC IP> <SRC PORT RNG> <DST IF> <DST IP> <DST PORT RNG>
|
||||
# if you want to apply to all ports/interfaces/etc
|
||||
# Example:
|
||||
# - Block SRC of eth1 192.168.0.5:80 from contacting DST eth0 192.168.1.10:20 through 21, TCP
|
||||
# eth1|::1|80|eth0|2001::1|20-21|IN|TCP
|
||||
# Useful ones that I use at home are|
|
||||
#||6881-6999|||OUT|TCP
|
||||
|
|
@ -130,6 +130,9 @@ IPV6BLOCKINCOMING=1
|
|||
# Useful if clients do not have proper ipv6 firewalls.
|
||||
#IPV6ROUTEDCLIENTBLOCK=1
|
||||
|
||||
# IPv6 Ranges to block all traffic incoming/outgoing
|
||||
#BLOCKEDIPV6=$BASEDIR/ipv6-blocked
|
||||
|
||||
# Clamp MSS, useful on DSL/VPN links
|
||||
# Space separated list of interfaces to apply this on
|
||||
# it may be used eventually.
|
||||
|
|
|
|||
Loading…
Reference in New Issue