
icmpv6 is evil.

tags/v2.01a1
bbruns 6 年之前
父節點
當前提交
7b50a75f09
共有 3 個檔案被更改,包括 30 行新增1 行删除
  1. +1
    -0
      bin/srfirewall
  2. +2
    -1
      etc/chains.conf
  3. +27
    -0
      lib/iptables.inc

+ 1
- 0
bin/srfirewall 查看文件

@@ -209,6 +209,7 @@ if [ "${EnableIPv6}" == "yes" ]; then
[[ ${AllowAllv6Loopback} == "yes" ]] && allow_all_loopback ipv6
[[ ${EnableTrustedv6Hosts} == "yes" ]] && allow_trusted_hosts ipv6
enable_v6_critical_icmp
Defaultv6InPolicy=${Defaultv6InPolicy=ACCEPT}
Defaultv6OutPolicy=${Defaultv6OutPolicy=ACCEPT}
Defaultv6FwdPolicy=${Defaultv6FwdPolicy=ACCEPT}
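Review bot: The new `enable_v6_critical_icmp` call is the only line in this block that is not gated by a config flag, and unlike its neighbours (`allow_all_loopback ipv6`, `allow_trusted_hosts ipv6`) it takes no `ipv6` argument and instead assigns `VER_IPTABLES=${IP6TABLES}` itself as a global, so any later code in this block that relies on `VER_IPTABLES` inherits that value. Consider giving the call the same shape as its neighbours, `enable_v6_critical_icmp ipv6`, or at least a comment above it: `# always on under EnableIPv6: the v6ICMP chain only holds ACCEPTs for ND/MLD/error messages IPv6 cannot work without`. The enclosing `if [ "${EnableIPv6}" == "yes" ]` block continues past the hunk, so I cannot see whether `setup_iptables_chains` (which creates the `v6ICMP` chain) has already run for IPv6 at this point; if it has not, the `-A ${v6ICMP}` rules will fail.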


+ 2
- 1
etc/chains.conf 查看文件

@@ -12,4 +12,5 @@ FwdFilter="Fwd-Filter"
NAT="NAT"
PortForward="PortForward"
InPostRules="In-PostRules"
OutPostRules="Out-PostRules"
OutPostRules="Out-PostRules"
v6ICMP="IPv6-ICMP"

+ 27
- 0
lib/iptables.inc 查看文件

@@ -89,6 +89,7 @@ function setup_iptables_chains {
([[ ${IPVER} == "6" ]] && [[ ${Enablev6NAT} == "yes" ]]) && ${VER_IPTABLES} -N ${NAT} -t nat
([[ ${IPVER} == "4" ]] && [[ ${Enablev4NAT} == "yes" ]]) && ${VER_IPTABLES} -N ${PortForward} -t nat
([[ ${IPVER} == "6" ]] && [[ ${Enablev6NAT} == "yes" ]]) && ${VER_IPTABLES} -N ${PortForward} -t nat
[[ ${IPVER} == "6" ]] && ${VER_IPTABLES} -N ${v6ICMP}
${VER_IPTABLES} -N ${InPostRules}
${VER_IPTABLES} -N ${OutPostRules}
@@ -120,6 +121,7 @@ function setup_iptables_chains {
([[ ${IPVER} == "4" ]] && [[ ${Enablev4NAT} == "yes" ]]) && ${VER_IPTABLES} -A PREROUTING -t nat -j ${PortForward}
([[ ${IPVER} == "6" ]] && [[ ${Enablev6NAT} == "yes" ]]) && ${VER_IPTABLES} -A PREROUTING -t nat -j ${PortForward}
if [ -x ${FWCONFIGDIR}/ipv${IPVER}/custom/postrun.sh ]; then . ${FWCONFIGDIR}/ipv${IPVER}/custom/postrun.sh; fi
[[ ${IPVER} == "6" ]] && ${VER_IPTABLES} -A INPUT -j ${v6ICMP}
${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} Setting up InPostRules"
${VER_IPTABLES} -A INPUT -j ${InPostRules}
${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} Setting up OutPostRules"
@@ -611,4 +613,29 @@ function enable_portfw {
done < "${FWCONFIGDIR}/ipv${IPVER}/portfw.conf"
${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} done"
fi
}

function enable_v6_critical_icmp {
VER_IPTABLES=${IP6TABLES}
${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} loading"
${VER_IPTABLES} -A ${v6ICMP} -p ipv6-icmp --icmpv6-type 1 -j ACCEPT
${VER_IPTABLES} -A ${v6ICMP} -p ipv6-icmp --icmpv6-type 2 -j ACCEPT
${VER_IPTABLES} -A ${v6ICMP} -p ipv6-icmp --icmpv6-type 3 -j ACCEPT
${VER_IPTABLES} -A ${v6ICMP} -p ipv6-icmp --icmpv6-type 4 -j ACCEPT
${VER_IPTABLES} -A ${v6ICMP} -p ipv6-icmp --icmpv6-type 133 -j ACCEPT
${VER_IPTABLES} -A ${v6ICMP} -p ipv6-icmp --icmpv6-type 134-j ACCEPT
${VER_IPTABLES} -A ${v6ICMP} -p ipv6-icmp --icmpv6-type 135-j ACCEPT
${VER_IPTABLES} -A ${v6ICMP} -p ipv6-icmp --icmpv6-type 136 -j ACCEPT
${VER_IPTABLES} -A ${v6ICMP} -p ipv6-icmp --icmpv6-type 137 -j ACCEPT
${VER_IPTABLES} -A ${v6ICMP} -p ipv6-icmp --icmpv6-type 141 -j ACCEPT
${VER_IPTABLES} -A ${v6ICMP} -p ipv6-icmp --icmpv6-type 142 -j ACCEPT
${VER_IPTABLES} -A ${v6ICMP} -s fe80::/10 -p ipv6-icmp --icmpv6-type 130 -j ACCEPT
${VER_IPTABLES} -A ${v6ICMP} -s fe80::/10 -p ipv6-icmp --icmpv6-type 131 -j ACCEPT
${VER_IPTABLES} -A ${v6ICMP} -s fe80::/10 -p ipv6-icmp --icmpv6-type 132 -j ACCEPT
${VER_IPTABLES} -A ${v6ICMP} -s fe80::/10 -p ipv6-icmp --icmpv6-type 143 -j ACCEPT
${VER_IPTABLES} -A ${v6ICMP} -p ipv6-icmp --icmpv6-type 148 -j ACCEPT
${VER_IPTABLES} -A ${v6ICMP} -p ipv6-icmp --icmpv6-type 149 -j ACCEPT
${VER_IPTABLES} -A ${v6ICMP} -s fe80::/10 -p ipv6-icmp --icmpv6-type 151 -j ACCEPT
${VER_IPTABLES} -A ${v6ICMP} -s fe80::/10 -p ipv6-icmp --icmpv6-type 152 -j ACCEPT
${VER_IPTABLES} -A ${v6ICMP} -s fe80::/10 -p ipv6-icmp --icmpv6-type 153 -j ACCEPT
}
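Review bot: Two rules in `enable_v6_critical_icmp` are malformed: the lines for types 134 and 135 read `--icmpv6-type 134-j ACCEPT` and `--icmpv6-type 135-j ACCEPT` with no space before `-j`, so ip6tables receives `134-j` as the type argument and rejects the rule; they should be `${VER_IPTABLES} -A ${v6ICMP} -p ipv6-icmp --icmpv6-type 134 -j ACCEPT` and `${VER_IPTABLES} -A ${v6ICMP} -p ipv6-icmp --icmpv6-type 135 -j ACCEPT`. Because the script does not appear to stop on a failed rule, the effect is silent: Router Advertisement (134) and Neighbor Solicitation (135) are left out of the chain, and with a DROP policy on INPUT IPv6 address resolution breaks — exactly the outcome this chain exists to prevent. Since the chain is only jumped from INPUT (second hunk), a host that forwards IPv6 would still drop the error types 1–4 in FORWARD; whether that matters depends on `Defaultv6FwdPolicy`, which I cannot see here. A short header comment would help the next reader, e.g. `# Accept the ICMPv6 messages IPv6 cannot function without (RFC 4890): errors 1-4, ND 133-137/141-142, SEND 148-149, and link-local-only MLD/MRD 130-132/143/151-153`; for the ND types a hop-limit match (`-m hl --hl-eq 255`) is the usual hardening, as valid ND messages are never forwarded.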
