From 7b50a75f09240d3185aa08b37005e65f534d23f9 Mon Sep 17 00:00:00 2001
From: bbruns
Date: Sat, 12 Apr 2014 23:55:11 +0000
Subject: [PATCH] icmpv6 is evil.
---
 bin/srfirewall | 1 +
 etc/chains.conf | 3 ++-
 lib/iptables.inc | 27 +++++++++++++++++++++++++++
 3 files changed, 30 insertions(+), 1 deletion(-)
diff --git a/bin/srfirewall b/bin/srfirewall
index c30bc41..a07545d 100755
--- a/bin/srfirewall
+++ b/bin/srfirewall
@@ -209,6 +209,7 @@ if [ "${EnableIPv6}" == "yes" ]; then
 [[ ${AllowAllv6Loopback} == "yes" ]] && allow_all_loopback ipv6
 [[ ${EnableTrustedv6Hosts} == "yes" ]] && allow_trusted_hosts ipv6
+ enable_v6_critical_icmp
 Defaultv6InPolicy=${Defaultv6InPolicy=ACCEPT}
 Defaultv6OutPolicy=${Defaultv6OutPolicy=ACCEPT}
 Defaultv6FwdPolicy=${Defaultv6FwdPolicy=ACCEPT}
diff --git a/etc/chains.conf b/etc/chains.conf
index e4b800b..93621dc 100644
--- a/etc/chains.conf
+++ b/etc/chains.conf
@@ -12,4 +12,5 @@ FwdFilter="Fwd-Filter"
 NAT="NAT"
 PortForward="PortForward"
 InPostRules="In-PostRules"
-OutPostRules="Out-PostRules"
\ No newline at end of file
+OutPostRules="Out-PostRules"
+v6ICMP="IPv6-ICMP"
\ No newline at end of file
diff --git a/lib/iptables.inc b/lib/iptables.inc
index 5d7a89d..d067761 100644
--- a/lib/iptables.inc
+++ b/lib/iptables.inc
@@ -89,6 +89,7 @@ function setup_iptables_chains {
 ([[ ${IPVER} == "6" ]] && [[ ${Enablev6NAT} == "yes" ]]) && ${VER_IPTABLES} -N ${NAT} -t nat
 ([[ ${IPVER} == "4" ]] && [[ ${Enablev4NAT} == "yes" ]]) && ${VER_IPTABLES} -N ${PortForward} -t nat
 ([[ ${IPVER} == "6" ]] && [[ ${Enablev6NAT} == "yes" ]]) && ${VER_IPTABLES} -N ${PortForward} -t nat
+ [[ ${IPVER} == "6" ]] && ${VER_IPTABLES} -N ${v6ICMP}
 ${VER_IPTABLES} -N ${InPostRules}
 ${VER_IPTABLES} -N ${OutPostRules}
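Review bot: The new `enable_v6_critical_icmp` call in bin/srfirewall appends rules to the `${v6ICMP}` chain, which only exists after setup_iptables_chains has run for IPv6; whether that has happened by line 209 is not visible in this hunk, so please confirm the call order, because an `-A` into a chain that does not exist yet fails and silently leaves the ICMPv6 accepts out. It is also the only line in the block that is not gated by a `== "yes"` switch, unlike both neighbours. If that is intentional, a comment such as `# critical ICMPv6 is always allowed on purpose; not configurable` would keep a later reader from "fixing" it. The enclosing `if [ "${EnableIPv6}" == "yes" ]` block opens before and closes after this hunk.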
@@ -120,6 +121,7 @@ function setup_iptables_chains {
 ([[ ${IPVER} == "4" ]] && [[ ${Enablev4NAT} == "yes" ]]) && ${VER_IPTABLES} -A PREROUTING -t nat -j ${PortForward}
 ([[ ${IPVER} == "6" ]] && [[ ${Enablev6NAT} == "yes" ]]) && ${VER_IPTABLES} -A PREROUTING -t nat -j ${PortForward}
 if [ -x ${FWCONFIGDIR}/ipv${IPVER}/custom/postrun.sh ]; then . ${FWCONFIGDIR}/ipv${IPVER}/custom/postrun.sh; fi
+ [[ ${IPVER} == "6" ]] && ${VER_IPTABLES} -A INPUT -j ${v6ICMP}
 ${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} Setting up InPostRules"
 ${VER_IPTABLES} -A INPUT -j ${InPostRules}
 ${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} Setting up OutPostRules"
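Review bot: The jump to `${v6ICMP}` is appended to INPUT only after the custom `postrun.sh` hook has been sourced, so any rule that hook appends to INPUT is evaluated before the critical-ICMPv6 accepts; if the purpose of the chain is that these types survive whatever else is configured, the jump belongs before the `if [ -x ... postrun.sh ]` line. The jump is also INPUT-only: if `Defaultv6FwdPolicy` is set to something other than the ACCEPT default seen in bin/srfirewall, forwarded flows get no exemption for Packet Too Big (type 2) or NDP, which breaks path-MTU discovery through the box, so consider `[[ ${IPVER} == "6" ]] && ${VER_IPTABLES} -A FORWARD -j ${v6ICMP}` as well. setup_iptables_chains starts before this hunk and continues after it.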
@@ -611,4 +613,29 @@ function enable_portfw {
 done < "${FWCONFIGDIR}/ipv${IPVER}/portfw.conf"
 ${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} done"
 fi
+}
+
+function enable_v6_critical_icmp {
+ VER_IPTABLES=${IP6TABLES}
+ ${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} loading"
+ ${VER_IPTABLES} -A ${v6ICMP} -p ipv6-icmp --icmpv6-type 1 -j ACCEPT
+ ${VER_IPTABLES} -A ${v6ICMP} -p ipv6-icmp --icmpv6-type 2 -j ACCEPT
+ ${VER_IPTABLES} -A ${v6ICMP} -p ipv6-icmp --icmpv6-type 3 -j ACCEPT
+ ${VER_IPTABLES} -A ${v6ICMP} -p ipv6-icmp --icmpv6-type 4 -j ACCEPT
+ ${VER_IPTABLES} -A ${v6ICMP} -p ipv6-icmp --icmpv6-type 133 -j ACCEPT
+ ${VER_IPTABLES} -A ${v6ICMP} -p ipv6-icmp --icmpv6-type 134-j ACCEPT
+ ${VER_IPTABLES} -A ${v6ICMP} -p ipv6-icmp --icmpv6-type 135-j ACCEPT
+ ${VER_IPTABLES} -A ${v6ICMP} -p ipv6-icmp --icmpv6-type 136 -j ACCEPT
+ ${VER_IPTABLES} -A ${v6ICMP} -p ipv6-icmp --icmpv6-type 137 -j ACCEPT
+ ${VER_IPTABLES} -A ${v6ICMP} -p ipv6-icmp --icmpv6-type 141 -j ACCEPT
+ ${VER_IPTABLES} -A ${v6ICMP} -p ipv6-icmp --icmpv6-type 142 -j ACCEPT
+ ${VER_IPTABLES} -A ${v6ICMP} -s fe80::/10 -p ipv6-icmp --icmpv6-type 130 -j ACCEPT
+ ${VER_IPTABLES} -A ${v6ICMP} -s fe80::/10 -p ipv6-icmp --icmpv6-type 131 -j ACCEPT
+ ${VER_IPTABLES} -A ${v6ICMP} -s fe80::/10 -p ipv6-icmp --icmpv6-type 132 -j ACCEPT
+ ${VER_IPTABLES} -A ${v6ICMP} -s fe80::/10 -p ipv6-icmp --icmpv6-type 143 -j ACCEPT
+ ${VER_IPTABLES} -A ${v6ICMP} -p ipv6-icmp --icmpv6-type 148 -j ACCEPT
+ ${VER_IPTABLES} -A ${v6ICMP} -p ipv6-icmp --icmpv6-type 149 -j ACCEPT
+ ${VER_IPTABLES} -A ${v6ICMP} -s fe80::/10 -p ipv6-icmp --icmpv6-type 151 -j ACCEPT
+ ${VER_IPTABLES} -A ${v6ICMP} -s fe80::/10 -p ipv6-icmp --icmpv6-type 152 -j ACCEPT
+ ${VER_IPTABLES} -A ${v6ICMP} -s fe80::/10 -p ipv6-icmp --icmpv6-type 153 -j ACCEPT
 }
\ No newline at end of file
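Review bot: The rules for types 134 and 135 are written `--icmpv6-type 134-j ACCEPT` and `--icmpv6-type 135-j ACCEPT` with no space before `-j`, so ip6tables rejects `134-j` as an ICMPv6 type and neither rule is installed — Router Advertisement and Neighbor Solicitation are exactly the types a host needs for SLAAC and address resolution, so under a DROP input policy the chain does not do its job and the only symptom is an error on stderr at load time. The minimal fix is `--icmpv6-type 134 -j ACCEPT` and `--icmpv6-type 135 -j ACCEPT`; the rewrite below drives the twenty near-identical lines from two type lists so the same slip cannot recur. Separately, 130–132, 143 and 151–153 are restricted to `-s fe80::/10` while 134 and 137 are not, although RFC 4861 requires Router Advertisements and Redirects to carry a link-local source and hop limit 255, so `-s fe80::/10 -m hl --hl-eq 255` on those two would tighten the chain; do not put the fe80 restriction on 135, whose duplicate-address-detection probes use the unspecified source `::`. The new function's closing `}` is the hunk's last context line.
```shell
function enable_v6_critical_icmp {
    # … unchanged: VER_IPTABLES assignment and the "loading" debug line …
    # Types accepted from any source (the list the hunk accepts without -s).
    for icmptype in 1 2 3 4 133 134 135 136 137 141 142 148 149; do
        ${VER_IPTABLES} -A ${v6ICMP} -p ipv6-icmp --icmpv6-type ${icmptype} -j ACCEPT
    done
    # Types accepted only from link-local sources (the list the hunk limits to fe80::/10).
    for icmptype in 130 131 132 143 151 152 153; do
        ${VER_IPTABLES} -A ${v6ICMP} -s fe80::/10 -p ipv6-icmp --icmpv6-type ${icmptype} -j ACCEPT
    done
}
```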