icmpv6 is evil.

master
bbruns 2014-04-12 23:55:11 +00:00
parent 10a5e966c7
commit 7b50a75f09
3 changed files with 30 additions and 1 deletions


@ -209,6 +209,7 @@ if [ "${EnableIPv6}" == "yes" ]; then
[[ ${AllowAllv6Loopback} == "yes" ]] && allow_all_loopback ipv6
[[ ${EnableTrustedv6Hosts} == "yes" ]] && allow_trusted_hosts ipv6
enable_v6_critical_icmp
Defaultv6InPolicy=${Defaultv6InPolicy=ACCEPT}
Defaultv6OutPolicy=${Defaultv6OutPolicy=ACCEPT}
Defaultv6FwdPolicy=${Defaultv6FwdPolicy=ACCEPT}


@ -13,3 +13,4 @@ NAT="NAT"
PortForward="PortForward"
InPostRules="In-PostRules"
OutPostRules="Out-PostRules"
v6ICMP="IPv6-ICMP"


@ -89,6 +89,7 @@ function setup_iptables_chains {
([[ ${IPVER} == "6" ]] && [[ ${Enablev6NAT} == "yes" ]]) && ${VER_IPTABLES} -N ${NAT} -t nat
([[ ${IPVER} == "4" ]] && [[ ${Enablev4NAT} == "yes" ]]) && ${VER_IPTABLES} -N ${PortForward} -t nat
([[ ${IPVER} == "6" ]] && [[ ${Enablev6NAT} == "yes" ]]) && ${VER_IPTABLES} -N ${PortForward} -t nat
[[ ${IPVER} == "6" ]] && ${VER_IPTABLES} -N ${v6ICMP}
${VER_IPTABLES} -N ${InPostRules}
${VER_IPTABLES} -N ${OutPostRules}
@ -120,6 +121,7 @@ function setup_iptables_chains {
([[ ${IPVER} == "4" ]] && [[ ${Enablev4NAT} == "yes" ]]) && ${VER_IPTABLES} -A PREROUTING -t nat -j ${PortForward}
([[ ${IPVER} == "6" ]] && [[ ${Enablev6NAT} == "yes" ]]) && ${VER_IPTABLES} -A PREROUTING -t nat -j ${PortForward}
if [ -x ${FWCONFIGDIR}/ipv${IPVER}/custom/postrun.sh ]; then . ${FWCONFIGDIR}/ipv${IPVER}/custom/postrun.sh; fi
[[ ${IPVER} == "6" ]] && ${VER_IPTABLES} -A INPUT -j ${v6ICMP}
${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} Setting up InPostRules"
${VER_IPTABLES} -A INPUT -j ${InPostRules}
${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} Setting up OutPostRules"
@ -612,3 +614,28 @@ function enable_portfw {
${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} done"
fi
}
function enable_v6_critical_icmp {
VER_IPTABLES=${IP6TABLES}
${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} loading"
${VER_IPTABLES} -A ${v6ICMP} -p ipv6-icmp --icmpv6-type 1 -j ACCEPT
${VER_IPTABLES} -A ${v6ICMP} -p ipv6-icmp --icmpv6-type 2 -j ACCEPT
${VER_IPTABLES} -A ${v6ICMP} -p ipv6-icmp --icmpv6-type 3 -j ACCEPT
${VER_IPTABLES} -A ${v6ICMP} -p ipv6-icmp --icmpv6-type 4 -j ACCEPT
${VER_IPTABLES} -A ${v6ICMP} -p ipv6-icmp --icmpv6-type 133 -j ACCEPT
${VER_IPTABLES} -A ${v6ICMP} -p ipv6-icmp --icmpv6-type 134-j ACCEPT
${VER_IPTABLES} -A ${v6ICMP} -p ipv6-icmp --icmpv6-type 135-j ACCEPT
${VER_IPTABLES} -A ${v6ICMP} -p ipv6-icmp --icmpv6-type 136 -j ACCEPT
${VER_IPTABLES} -A ${v6ICMP} -p ipv6-icmp --icmpv6-type 137 -j ACCEPT
${VER_IPTABLES} -A ${v6ICMP} -p ipv6-icmp --icmpv6-type 141 -j ACCEPT
${VER_IPTABLES} -A ${v6ICMP} -p ipv6-icmp --icmpv6-type 142 -j ACCEPT
${VER_IPTABLES} -A ${v6ICMP} -s fe80::/10 -p ipv6-icmp --icmpv6-type 130 -j ACCEPT
${VER_IPTABLES} -A ${v6ICMP} -s fe80::/10 -p ipv6-icmp --icmpv6-type 131 -j ACCEPT
${VER_IPTABLES} -A ${v6ICMP} -s fe80::/10 -p ipv6-icmp --icmpv6-type 132 -j ACCEPT
${VER_IPTABLES} -A ${v6ICMP} -s fe80::/10 -p ipv6-icmp --icmpv6-type 143 -j ACCEPT
${VER_IPTABLES} -A ${v6ICMP} -p ipv6-icmp --icmpv6-type 148 -j ACCEPT
${VER_IPTABLES} -A ${v6ICMP} -p ipv6-icmp --icmpv6-type 149 -j ACCEPT
${VER_IPTABLES} -A ${v6ICMP} -s fe80::/10 -p ipv6-icmp --icmpv6-type 151 -j ACCEPT
${VER_IPTABLES} -A ${v6ICMP} -s fe80::/10 -p ipv6-icmp --icmpv6-type 152 -j ACCEPT
${VER_IPTABLES} -A ${v6ICMP} -s fe80::/10 -p ipv6-icmp --icmpv6-type 153 -j ACCEPT
}
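Review bot: In the new `enable_v6_critical_icmp`, the rules for types 134 and 135 are missing the space before `-j` (`--icmpv6-type 134-j ACCEPT`, `--icmpv6-type 135-j ACCEPT`), so ip6tables is handed `134-j` as the type plus a stray `ACCEPT` argument. Those two commands will most likely be rejected, leaving Router Advertisement and Neighbor Solicitation out of the chain; they should read `--icmpv6-type 134 -j ACCEPT` and `--icmpv6-type 135 -j ACCEPT`. The failure is easy to miss because no `${VER_IPTABLES}` exit status is checked here, and the IPv6 policies shown in the first file fall back to ACCEPT, so the gap would only surface once the input policy is set to DROP. Separately, the neighbour-discovery and redirect types (133-137) are accepted from any source; as defence in depth, consider adding `-m hl --hl-eq 255` to those rules so only on-link packets match.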