diff --git a/ChangeLog b/ChangeLog
index 52dee30..7b61c0a 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,6 +1,9 @@
 0.9.9 - Brielle Bruns
 - Loadable module support during firewall loading
 - More init script fixes.
+ - Non-conntracked DNS reply packets allow options
+ - Slightly improved IPv6 support to start to bring
+ it up to par with IPv4 support.Ã
 0.9.8a - Brielle Bruns
 - Fixing executable file permission issues
diff --git a/bin/firewall-sosdg b/bin/firewall-sosdg
index 73a4d95..f825a1f 100755
--- a/bin/firewall-sosdg
+++ b/bin/firewall-sosdg
@@ -143,7 +143,6 @@ if [ "$DNS_REQUESTS_OUT" ]; then
 display_c YELLOW "Adding DNS reply allows for trusted DNS servers.."
 for i in $DNS_REQUESTS_OUT; do
 if [[ "$i" =~ "|" ]]; then
- echo "Original variable: ${DNS_REQUESTS_OUT}"
 IFS_OLD=${IFS};IFS=\|
 DNSREQ=($i)
 IFS=${IFS_OLD}
@@ -599,6 +598,27 @@ if [ $IPV6 ]; then
 . "$BASEDIR/include/ipv4_custom_blockip"
 fi
+if [ "$IPV6_DNS_REQUESTS_OUT" ]; then
+ display_c YELLOW "Adding IPv6 DNS reply allows for trusted DNS servers.."
+ for i in $DNS_REQUESTS_OUT; do
+ if [[ "$i" =~ "|" ]]; then
+ IFS_OLD=${IFS};IFS=\|
+ DNSREQ=($i)
+ IFS=${IFS_OLD}
+ SRCIF=${DNSREQ[0]}
+ DNSIP_NUM=${#DNSREQ[@]}
+ DNSIP_COUNT_CURR=1
+ for ((i=$DNSIP_COUNT_CURR; i <= $DNSIP_NUM; i++)); do
+ if [ ${DNSREQ[$i]} ]; then
+ ${IP6TABLES} -A INPUT -i ${SRCIF} -p udp --sport 53 -s ${DNSREQ[$i]} --destination-port 1024:65535 -j ACCEPT
+ fi
+ done
+ else
+ ${IP6TABLES} -A INPUT -i $i -p udp --sport 53 --destination-port 1024:65535 -j ACCEPT
+ fi
+ done
+fi
+
 if [ "$BLOCKEDIPV6" ]; then
 display_c YELLOW "Adding blocked IPv6 addresses... "
 for i in `grep -v "\#" $BLOCKEDIPV6`; do
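Review bot: The new IPv6 DNS block is gated on `IPV6_DNS_REQUESTS_OUT` but its loop iterates `for i in $DNS_REQUESTS_OUT; do`, the IPv4 variable, so the IPv4 resolver list is handed to ip6tables as `-s` addresses (which ip6tables rejects for v4 literals) and a host that sets only the IPv6 option gets no reply rules at all. The loop line should read `for i in $IPV6_DNS_REQUESTS_OUT; do`. The inner `for ((i=...))` also reuses the outer loop variable `i`, and `-s ${DNSREQ[$i]}` is unquoted; a separate counter name and `-s "${DNSREQ[$i]}"` would make the block less fragile. Note that the bare-interface form `-i $i -p udp --sport 53 --destination-port 1024:65535 -j ACCEPT` lets any host that sends from source port 53 reach every unprivileged UDP port, so the per-server form is the one worth recommending in the option's documentation.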
@@ -747,7 +767,12 @@ fi
 . "$BASEDIR/include/ipv6_custom_conntrack"
 fi
- if [ $IPV6ROUTEDCLIENTBLOCK ]; then
+ if [ -s "$BASEDIR/include/ipv6_custom_conntrack" ]; then
+ display_c YELLOW "Loading custom IPv6 conntrack rules..."
+ . "$BASEDIR/include/ipv6_custom_conntrack"
+ fi
+
+ if [ "$IPV6CONNTRACK" ]; then
 $IP6TABLES -A INPUT -m state --state NEW -j ACCEPT
 $IP6TABLES -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
 $IP6TABLES -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
@@ -757,6 +782,9 @@ fi
 $IP6TABLES -A INPUT -m state --state INVALID -j DROP
 $IP6TABLES -A OUTPUT -m state --state INVALID -j DROP
 $IP6TABLES -A FORWARD -m state --state INVALID -j DROP
+ fi
+
+ if [ $IPV6ROUTEDCLIENTBLOCK ]; then
 $IP6TABLES -A FORWARD -i $IPV6INT -o $IPV6LAN -p tcp --syn -j DROP
 $IP6TABLES -A INPUT -i $IPV6INT -p tcp --syn -j DROP
 $IP6TABLES -A INPUT -i $IPV6INT -p udp ! --dport 32768:65535 -j DROP
diff --git a/include/README b/include/README
index bb889cc..928e1d2 100644
--- a/include/README
+++ b/include/README
@@ -9,4 +9,4 @@ ipv4_custom_blockip ipv4_custom_mark ipv6_custom_flush ipv6_custom_trust ipv6_custom_mssclamp ipv6_custom_blockoutports ipv6_custom_allowedports ipv6_custom_conntrack
-ipv6_custom_routing ipv6_custom_blockincoming
+ipv6_custom_routing ipv6_custom_blockincoming ipv6_custom_conntrack
diff --git a/options.default b/options.default
index 03b4c6c..b69df76 100755
--- a/options.default
+++ b/options.default
@@ -54,7 +54,7 @@ IPTABLES_MULTIPORT=auto
 # Allow outgoing DNS requests - important if you did not activate connection
 # tracking. Set this to the interfaces you wish to use for outgoing requests
-# plus the IP addresses of your upstream servers (up to 3) if you need to.
+# plus the IP addresses of your upstream servers (recommended up to 3) if you need to.
 #DNS_REQUESTS_OUT="eth0|4.2.2.1|4.2.2.2|4.2.2.3 eth1"
 # TCP/UDP/Protocol to allow
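Review bot: `ipv6_custom_conntrack` is now sourced twice: the context lines directly above the change already run `. "$BASEDIR/include/ipv6_custom_conntrack"` (inside a conditional that opens before this hunk), and the added `if [ -s "$BASEDIR/include/ipv6_custom_conntrack" ]` block sources the same file again, so any rules that include appends are loaded in duplicate. Either the pre-existing include or the new block should be removed; the README hunk in this commit also lists `ipv6_custom_conntrack` a second time, which suggests the earlier include was overlooked rather than intended. The `if [ "$IPV6CONNTRACK" ]; then` opened here is closed in the next hunk.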
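Review bot: With both options enabled, the `IPV6ROUTEDCLIENTBLOCK` INPUT drops are appended after the `$IP6TABLES -A INPUT -m state --state NEW -j ACCEPT` rule the `IPV6CONNTRACK` block installs, so an inbound SYN on `$IPV6INT` is accepted as NEW before `-p tcp --syn -j DROP` is ever evaluated, and the same shadowing applies to the `-p udp ! --dport 32768:65535 -j DROP` line (the FORWARD drop is unaffected, since FORWARD only accepts RELATED,ESTABLISHED). Emitting the routed-client drops before the conntrack accepts, or adding them with `-I INPUT` instead of `-A INPUT`, would make them effective; rules added earlier in the chain are outside this hunk. Separately, splitting the two gates means a configuration that sets `IPV6ROUTEDCLIENTBLOCK` but not the new, commented-out `IPV6CONNTRACK` silently loses the RELATED,ESTABLISHED accepts and INVALID drops it got before this change; `if [ "$IPV6CONNTRACK" ] || [ "$IPV6ROUTEDCLIENTBLOCK" ]; then` would keep the old behaviour. The added test should also be quoted like its sibling: `if [ "$IPV6ROUTEDCLIENTBLOCK" ]; then`.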
@@ -129,6 +129,14 @@ IPV6=1
 # IPv6 Forwarding
 #IPV6FORWARD=1
+# Do IPv6 connection tracking?
+#IPV6CONNTRACK=1
+
+# Allow outgoing DNS requests - important if you did not activate connection
+# tracking. Set this to the interfaces you wish to use for outgoing requests
+# plus the IP addresses of your upstream servers (recommended up to 3) if you need to.
+#IPV6_DNS_REQUESTS_OUT="eth0|2001::1|2001::2|2001::3 eth1"
+
 # Default block all incoming ipv6 connections?
 IPV6BLOCKINCOMING=1
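Review bot: The example `2001::1|2001::2|2001::3` uses addresses inside the globally routed 2001::/32 (Teredo) prefix rather than the documentation range reserved by RFC 3849; since users uncomment and edit this line, a value under 2001:db8::/32 avoids a stray copy-paste pointing at real hosts, e.g. `#IPV6_DNS_REQUESTS_OUT="eth0|2001:db8::1|2001:db8::2|2001:db8::3 eth1"`. The one-line comment on `IPV6CONNTRACK` should also state what is at stake when it stays commented out, since the firewall script in this commit only loads the IPv6 RELATED,ESTABLISHED accepts and INVALID drops when it is set: `# Do IPv6 connection tracking? Recommended; the stateful RELATED,ESTABLISHED/INVALID rules are only loaded when this is set.`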