Commit e79331a3 authored by root's avatar root

~ The 'Makefile' has been renamed to 'Makefile.example' so that working copies...

~ The 'Makefile' has been renamed to 'Makefile.example' so that working copies can tweak in their local 'Makefile' file without commit such configurations to the repo.
~ The default make targets and respectively their output files 'IPv4.rules' and 'IPv6.rules' aren't handy for completion on the console. The default base configs are now called '4.rules' and '6.rules'
~ A new 'reset' make target was added which just uses ip(6)tables-restore on the default configs to reset the firewall without the necessity to process '4.rules' and '6.rules' targets again. A convenient way to just reset the firewall.
~ iptables-save isn't called implicitly when running ipturntables.sh anymore, that cluttered the output too much when using small additional calls. Instead the keywords VERBOSE, LIST_RULES or SHOW_RULES can be used to output the rules tables to stdout. In default these aren't printed anymore but in a full make run this is explicitly set to have a full output there only.
~ ICMP route & neighbor discovery has been revised. The ICMP subtype 143 was added to the output chain to allow "multicast listener report V2" and some additional comments about the ICMP subtypes were added.
~ An INVALID chain has been added and is called in the BLOCK chain, which usually logs just '[BLOCKED]'; when a packet is invalid the log-prefix now adds '(Invalid)'. Invalid packets are a good indication that someone is trying something suspicious, and they can now be told apart from ordinary packets that get blocked.
parent c6cce47a
...@@ -20,9 +20,9 @@ ...@@ -20,9 +20,9 @@
# or if you operate a non-routing host which has several IP addresses on different # or if you operate a non-routing host which has several IP addresses on different
# interfaces. (Note - If you turn on IP forwarding, you will also get this). # interfaces. (Note - If you turn on IP forwarding, you will also get this).
all: IPv4.rules IPv6.rules all: 4.rules 6.rules
IPv4.rules: 4.rules:
./ipturntables.sh -4 \ ./ipturntables.sh -4 \
KERNEL_PARAMS accept_source_route,accept_redirects,rp_filter,ip_forward \ KERNEL_PARAMS accept_source_route,accept_redirects,rp_filter,ip_forward \
PROBE_KERNEL_MODS ip_tables,nf_conntrack \ PROBE_KERNEL_MODS ip_tables,nf_conntrack \
...@@ -30,10 +30,10 @@ IPv4.rules: ...@@ -30,10 +30,10 @@ IPv4.rules:
BASE_RULE_SET \ BASE_RULE_SET \
ALLOW_SUBNETS eth0 \ ALLOW_SUBNETS eth0 \
ALLOW_SERVICE_DISCOVERY eth0 \ ALLOW_SERVICE_DISCOVERY eth0 \
>IPv4.rules LIST_RULES >4.rules
cat IPv4.rules cat 4.rules
IPv6.rules: 6.rules:
./ipturntables.sh -6 \ ./ipturntables.sh -6 \
KERNEL_PARAMS accept_source_route,accept_redirects,accept_ra,forwarding \ KERNEL_PARAMS accept_source_route,accept_redirects,accept_ra,forwarding \
PROBE_KERNEL_MODS ip6_tables,nf_conntrack \ PROBE_KERNEL_MODS ip6_tables,nf_conntrack \
...@@ -41,10 +41,14 @@ IPv6.rules: ...@@ -41,10 +41,14 @@ IPv6.rules:
BASE_RULE_SET \ BASE_RULE_SET \
ALLOW_SUBNETS eth0 \ ALLOW_SUBNETS eth0 \
ALLOW_SERVICE_DISCOVERY eth0 \ ALLOW_SERVICE_DISCOVERY eth0 \
>IPv6.rules LIST_RULES >6.rules
cat IPv6.rules cat 6.rules
debug.rules: reset: 4.rules 6.rules
iptables-restore <4.rules
ip6tables-restore <6.rules
debug:
./ipturntables.sh -4 \ ./ipturntables.sh -4 \
DEBUG_CHAIN INPUT DEBUG_CHAIN INPUT
DEBUG_CHAIN OUTPUT DEBUG_CHAIN OUTPUT
......
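Review bot: `4.rules` and `6.rules` are file targets with no prerequisites, and their recipes redirect to the literal names (`LIST_RULES >4.rules`), so if `./ipturntables.sh` exits non-zero after the shell has already truncated the file, an empty or partial ruleset is left behind that make treats as up to date and that `make reset` will then hand to `iptables-restore`; an edited `ipturntables.sh` likewise never triggers a regeneration. Add `.DELETE_ON_ERROR:` at the top of the Makefile, declare the generator as a prerequisite (`4.rules: ipturntables.sh` and `6.rules: ipturntables.sh`), and redirect to `>$@` rather than the hard-coded name. `reset` and `debug` are commands rather than files; if no `.PHONY` line exists outside these hunks, add `.PHONY: all reset debug` so a stray file called `reset` cannot silently turn the target into a no-op. The `debug` recipe continues past the collapsed part of the last hunk.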
...@@ -479,8 +479,14 @@ formatSubnetAsHexID() { ...@@ -479,8 +479,14 @@ formatSubnetAsHexID() {
$IPTABLES -P FORWARD DROP $IPTABLES -P FORWARD DROP
$IPTABLES -P OUTPUT DROP $IPTABLES -P OUTPUT DROP
# same as block but logs invalid pakets explicitly
$IPTABLES -N INVALID
$IPTABLES -A INVALID -m limit --limit 4/min --limit-burst 8 -j LOG --log-prefix "[BLOCK] (INVALID) "
$IPTABLES -A INVALID -j DROP
# create a LOG & DROP chain # create a LOG & DROP chain
$IPTABLES -N BLOCK $IPTABLES -N BLOCK
$IPTABLES -A BLOCK -m state --state INVALID -j INVALID
$IPTABLES -A BLOCK -m limit --limit 4/min --limit-burst 8 -j LOG --log-prefix "[BLOCK] " $IPTABLES -A BLOCK -m limit --limit 4/min --limit-burst 8 -j LOG --log-prefix "[BLOCK] "
$IPTABLES -A BLOCK -j DROP $IPTABLES -A BLOCK -j DROP
...@@ -531,8 +537,6 @@ formatSubnetAsHexID() { ...@@ -531,8 +537,6 @@ formatSubnetAsHexID() {
$IPTABLES -A INPUT -p icmp -j ICMP $IPTABLES -A INPUT -p icmp -j ICMP
$IPTABLES -A INPUT -m state --state INVALID -j BLOCK $IPTABLES -A INPUT -m state --state INVALID -j BLOCK
# $IPTABLES -A INPUT -m state --state INVALID -m limit --limit 4/min --limit-burst 8 -j LOG --log-prefix "[BLOCK] (INVALID) "
# $IPTABLES -A INPUT -m state --state INVALID -j DROP
# syn-flood protection # syn-flood protection
$IPTABLES -A INPUT -p tcp --syn -j ANTI-FLOOD $IPTABLES -A INPUT -p tcp --syn -j ANTI-FLOOD
...@@ -574,11 +578,11 @@ formatSubnetAsHexID() { ...@@ -574,11 +578,11 @@ formatSubnetAsHexID() {
# ~~~ INPUT # ~~~ INPUT
# ICMP: special handling on router|neighbor solicitation|advertisments hop limits # ICMP: handling of router|neighbor solicitation|advertisments (with special hop limits)
$IPTABLES -A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 133 -m hl --hl-eq 255 -j ACCEPT $IPTABLES -A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 133 -m hl --hl-eq 255 -j ACCEPT -m comment --comment "multicast listener done"
$IPTABLES -A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 134 -m hl --hl-eq 255 -j ACCEPT $IPTABLES -A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 134 -m hl --hl-eq 255 -j ACCEPT -m comment --comment "router advertisement"
$IPTABLES -A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 135 -m hl --hl-eq 255 -j ACCEPT $IPTABLES -A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 135 -m hl --hl-eq 255 -j ACCEPT -m comment --comment "neighbor solicitation"
$IPTABLES -A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 136 -m hl --hl-eq 255 -j ACCEPT $IPTABLES -A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 136 -m hl --hl-eq 255 -j ACCEPT -m comment --comment "neighbor advertisement"
# stateful packets intiated by ourself coming back # stateful packets intiated by ourself coming back
$IPTABLES -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT $IPTABLES -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
...@@ -602,8 +606,11 @@ formatSubnetAsHexID() { ...@@ -602,8 +606,11 @@ formatSubnetAsHexID() {
# ~~~ OUTPUT # ~~~ OUTPUT
$IPTABLES -A OUTPUT -p ipv6-icmp -m icmp6 --icmpv6-type 135 -m hl --hl-eq 255 -j ACCEPT # ICMP: handling of router|neighbor solicitation|advertisments (with special hop limits)
$IPTABLES -A OUTPUT -p ipv6-icmp -m icmp6 --icmpv6-type 136 -m hl --hl-eq 255 -j ACCEPT $IPTABLES -A OUTPUT -p ipv6-icmp -m icmp6 --icmpv6-type 133 -m hl --hl-eq 255 -j ACCEPT -m comment --comment "multicast listener done"
$IPTABLES -A OUTPUT -p ipv6-icmp -m icmp6 --icmpv6-type 135 -m hl --hl-eq 255 -j ACCEPT -m comment --comment "neighbor solicitation"
$IPTABLES -A OUTPUT -p ipv6-icmp -m icmp6 --icmpv6-type 136 -m hl --hl-eq 255 -j ACCEPT -m comment --comment "neighbor advertisement"
$IPTABLES -A OUTPUT -p ipv6-icmp -m icmp6 --icmpv6-type 143 -m hl --hl-eq 1 -j ACCEPT -m comment --comment "V2 multicast listener report"
fi fi
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ for both IPv(4|6) # ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ for both IPv(4|6)
...@@ -905,6 +912,10 @@ formatSubnetAsHexID() { ...@@ -905,6 +912,10 @@ formatSubnetAsHexID() {
shift; shift;
;; ;;
VERBOSE|LIST_RULES|SHOW_RULES)
$IPTABLES-save
;;
# MARK_PACKET) # MARK_PACKET)
# # mark a packet with a value of 1 # # mark a packet with a value of 1
# $IPTABLES -A INPUT -m state --state INVALID -j MARK --set-mark 1 # $IPTABLES -A INPUT -m state --state INVALID -j MARK --set-mark 1
...@@ -920,6 +931,5 @@ formatSubnetAsHexID() { ...@@ -920,6 +931,5 @@ formatSubnetAsHexID() {
esac esac
done done
$IPTABLES-save
echo "#~~~ created by ${0##*/}" echo "#~~~ created by ${0##*/}"
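Review bot: The comment attached to ICMPv6 type 133 on the INPUT rule and again on the new OUTPUT rule is wrong: type 133 is Router Solicitation (RFC 4861), while Multicast Listener Done is type 132 (RFC 2710), so whoever tunes this filter next will misread what the rule admits. Change both to `-m comment --comment "router solicitation"`; the labels on 134/135/136 and the hop-limit 1 on the new type 143 (MLDv2 report) rule are correct. The new `VERBOSE|LIST_RULES|SHOW_RULES)` case runs `$IPTABLES-save` without the `shift;` the neighbouring cases use; unless the loop advances `$1` somewhere outside the hunk (its head is not visible), the same keyword is matched on every iteration and the ruleset is printed in an endless loop, so add `shift;` before the `;;`. The INVALID chain carries its own `-m limit` bucket, so BLOCK and INVALID together can now log up to 8/min instead of 4/min; if that is intended, say so in the `# same as block but logs invalid pakets explicitly` comment (and fix the "pakets" typo while there).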