1. 28 Mar, 2022 1 commit
      ALLOW_STATIC_SUBNETS revised. · f13d983d
      Branko Mikić authored
      ~ Wrong comment appended as ID to rule fixed.
      ~ Text output changed to show only subnets status text for rules successfully run.
  2. 27 Mar, 2022 1 commit
      Icon and Manual revised. · cc038185
      Branko Mikić authored
      ~ 'SVGs/icon.svg' file size was unusually big. Redundant data not visible in the icon at all was removed. This shrunk the size below 1 MB.
      ~ Text for 'ALLOW_DHCP' command in man page revised to be more precise and less confusing.
  3. 15 Dec, 2021 1 commit
      Path MTU bug fixed. ANTIFLOOD order fixed. ALLOW_MULTICAST_ADDRS revised. Subnet mapping added. · a7387e81
      Branko Mikić authored
      ~ Itched me a long time. 'ANTI-FLOOD' renamed to 'ANTIFLOOD'.
      ~ BugFix! In the ANTIFLOOD chain the shortest limit was executed first, resulting in other rules below that rule never getting called. This has been fixed by moving the rules concerned to be the last 'return' rule in that chain.
      ~ BugFix! ALLOW_MULTICAST_ADDRS can be used to allow any multicast traffic by omitting port numbers. Unfortunately the rules still set UDP as protocol parameter, limiting all multicast traffic to UDP only. Although multicast can't be used with TCP anyway, it can use ICMP, which would be filtered too. This is not always intended and has been fixed by omitting the '-p udp' argument to iptables when no specific ports are given.
      ~ BugFix! Path MTU discovery failed for IPv6 protocols only. This has been fixed by allowing ICMP in both directions in and outbound.
      ~ New! NPTv6 or NAT_NETMAP functionality added. It allows mapping whole subnets; especially for IPv6 this is extremely useful when you want to replace a 'private' ULA prefix with a 'public' global one.
      ~ NAT_MASQUERADE added as an alias for POSTROUTING_MASQUERADE calls.
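The multicast, NETMAP and ANTIFLOOD changes in this commit, as an added example that is not ipturntables code and not part of the commit: a small POSIX shell dry-run generator that prints the iptables/ip6tables commands it would run (in the spirit of the script's later -d option), so the argument building and the rule order can be checked without root. The function names, chain names, the rate limits and the fd00:1::/64 and 2001:db8:1::/64 prefixes are this example's own assumptions.

```sh
#!/bin/sh
# Added example, not ipturntables code. Emits the iptables/ip6tables commands
# instead of executing them, so rule order and argument building can be
# inspected unprivileged. Names, chains, limits and prefixes are assumptions.

# run: print the command that would be executed (dry run).
run() { printf '%s\n' "$*"; }

# allow_multicast_addrs IPT IFACE [PORTS]
# Without PORTS: accept all inbound multicast on IFACE regardless of protocol,
# so non-UDP multicast (IGMP, MLD carried in ICMPv6, ...) is not cut off by
# an implicit '-p udp'. With PORTS (comma-separated): UDP on those ports only,
# via the multiport match, which needs '-p udp' in front of it.
allow_multicast_addrs() {
    local ipt=$1 iface=$2 ports=${3:-}
    if [ -z "$ports" ]; then
        run "$ipt -A INPUT -i $iface -m addrtype --dst-type MULTICAST -j ACCEPT"
    else
        run "$ipt -A INPUT -i $iface -m addrtype --dst-type MULTICAST -p udp -m multiport --dports $ports -j ACCEPT"
    fi
}

# nat_netmap INTERNAL_PREFIX EXTERNAL_PREFIX WAN_IFACE
# 1:1 prefix translation with the NETMAP target: outbound packets from the
# ULA prefix get the global prefix, inbound packets for the global prefix are
# mapped back. Both prefixes must have the same length or the mapping is bogus.
nat_netmap() {
    local internal=$1 external=$2 wan=$3
    local ilen=${internal#*/} elen=${external#*/}
    if [ "$ilen" != "$elen" ]; then
        printf 'nat_netmap: prefix lengths differ (/%s vs /%s)\n' "$ilen" "$elen" >&2
        return 1
    fi
    run "ip6tables -t nat -A POSTROUTING -s $internal -o $wan -j NETMAP --to $external"
    run "ip6tables -t nat -A PREROUTING -d $external -i $wan -j NETMAP --to $internal"
}

# antiflood_chain IPT
# Order is the whole point: a general 'limit ... -j RETURN' placed first would
# hand almost every packet back before the SYN and echo-request budgets below
# are ever consulted. Per-class budgets come first (within budget: RETURN,
# over budget: DROP); the general budget is the LAST RETURN; then log and drop.
antiflood_chain() {
    local ipt=$1 icmp
    case $ipt in
    ip6tables) icmp='-p icmpv6 --icmpv6-type echo-request' ;;
    *)         icmp='-p icmp --icmp-type echo-request' ;;
    esac
    run "$ipt -N ANTIFLOOD"
    run "$ipt -A ANTIFLOOD -p tcp --syn -m limit --limit 25/s --limit-burst 50 -j RETURN"
    run "$ipt -A ANTIFLOOD -p tcp --syn -j DROP"
    run "$ipt -A ANTIFLOOD $icmp -m limit --limit 5/s -j RETURN"
    run "$ipt -A ANTIFLOOD $icmp -j DROP"
    run "$ipt -A ANTIFLOOD -m limit --limit 200/s --limit-burst 400 -j RETURN"
    run "$ipt -A ANTIFLOOD -m limit --limit 3/min -j LOG --log-prefix \"[ANTIFLOOD] drop \""
    run "$ipt -A ANTIFLOOD -j DROP"
}
```

Compare `allow_multicast_addrs ip6tables eth0` (no '-p udp' at all) with `allow_multicast_addrs ip6tables eth0 5353,5355`, and pipe `antiflood_chain iptables` through `grep RETURN` to confirm that the general budget is the last RETURN before the log/drop tail. Replacing run() with a real call to "$@" turns the dry run into the live ruleset.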
  4. 04 Dec, 2021 1 commit
      Outgoing ICMP traffic and ICMP 'echo-reply' packets fixed for IPv6 protocol · 8b14d0e7
      Branko Mikić authored
      ~ The ICMP chain was missing the 'echo-reply' ICMP packet type, which was only allowed on 'localhost' but no other host. This has been fixed by allowing any 'echo-reply' as long as it's destined to a local address on the server.
      ~ BugFix! There was no rule explicitly configured for leaving ICMP traffic on the OUTPUT chain. This has been fixed by calling the ICMP chain in the OUTPUT chain as well.
  5. 07 Nov, 2021 1 commit
      QUASH chain revised · fdb5ba9a
      Branko Mikić authored
      ~ Address type changed to UNICAST instead of complex non-LOCAL to LOCAL traffic. The term LOCAL is somewhat undifferentiated here.
      ~ BugFix! QUASH now returns http(s) RST packets from outside even when invalid. This is intended as omitting those packets causes more trouble to services depending on it than filtering 'any' invalid packet.
  6. 09 Sep, 2021 1 commit
      Bug fixes in DHCP chain · 72dcf1f9
      Branko Mikić authored
      ~ BugFix! In the DHCP chain the reply from the server still isn't handled correctly. It gets filtered although it's intended to pass. This is due to the addrtype module and its dst-type LOCAL filter value. Although the addrtype is considered to be a local address, it seems that netfilter filters it anyway. Although other rules with comparison of marked packets work, this one differs in one aspect: it uses an inverted mark value via exclamation mark. Anyway, the only way to fix this properly for now is to just filter for the DHCP client port without any addrtype comparison.
      ~ Argument order of iptables matters, so all mark comparisons in the DHCP chain have been moved to the first place.
  7. 02 Sep, 2021 1 commit
      BugFixes and various changes · 34cbc9d6
      Branko Mikić authored
      ~ BugFix! getLinkMAC() accidentally checked the hardwired 'eth2' interface regardless of the argument. This has been fixed by using the argument instead.
      ~ obtainLinkOfIP() and is_local_IP() functions added.
      ~ BugFix! On RESET the raw table rulesets were never emptied and flushed. This has been fixed.
      ~ DHCP negotiation can now differentiate between initial broadcast requests and follow up requests to extend the lease.
      For everyone wondering why a DHCP request via broadcast like > BOOTP/DHCP ... is never seen by netfilter on any outgoing chain on any table that's because most dhcp daemons are using PF_PACKET sockets for the _first_, _initial_ request which bypasses the whole netfilter.
      To keep things more confusing this doesn't apply for any 'ordinary' follow up dhcp packet (only the first one!)
      See https://unix.stackexchange.com/questions/447440/ufw-iptables-not-blocking-dhcp-udp-port-67 for details.
      ~ BugFix! In DHCP chain any returning follow-up reply packet was filtered by source port set to DHCP server port (68) which is obviously wrong here. This has been fixed by accepting reply packets with any source port number.
      For such DHCP follow-up packets additionally the destination address type now filters to LOCAL and limits its IP address only to be received on the configured, corresponding interface.
      ~ BugFix! Limiter is too aggressive. This has been fixed by mitigating the limiter's filter for common http(s) and email traffic.
      Additionally the hashlimit has been set to a tighter setting of >8/day for every other traffic which is explicitly configured to use the LIMITER chain.
      ~ Attention! BLOCK chain has been renamed to QUASH. All packets which were sent to BLOCK are now sent to QUASH (!)
      A lot of iptables log messages in the format "[BLOCK] (...)" have been changed for the QUASH, ANTI-FLOOD, LIMITER, ... chains to avoid confusion whether blocking is intended or just notifying a packet loss. Some are now in the format: "[CHAIN_NAME] ACTION", e.g.: "[LIMITER] drop" or "[DHCP] packet loss".
      ~ ALLOW_STATEFUL_PACKETS now checks IP address arguments to be an IP address on a local interface of the host.
      ~ BugFix! The USER_OUT chain of ALLOW_STATEFUL_PACKETS now allows NEW, RELATED and ESTABLISHED packets to leave for interfaces with a local IP address only (!)
      This doesn't apply when using ALLOW_STATEFUL_PACKETS with an interface arg (!)
      ~ LIST now shows iptables dumps for both protocols IPv(4|6)
  8. 14 Sep, 2020 2 commits
      No update in a long time now they come all at once. · fab0e69a
      Branko Mikić authored
      ~ Warnings, errors and about are now printed to stderr instead of stdout to keep
        the rules files clean.
      ~ Dry-run added via argument -d which will print all iptables commands instead
        of executing them.
      ~ RESET function can now reset the firewall with an optional default policy
        argument like ACCEPT, DROP and REJECT.
      ~ ALLOW_DHCP_CLIENT function and its rules were completely revised. Since the
        new code can handle client and server modes the function has been renamed to
        ALLOW_DHCP. DHCP is hard to track in the filter chains therefore it's now
        handled in the mangle table marking packets on interfaces configured by the
        ALLOW_DHCP function. The marked packets are then finally accepted in the
        filter chains. Further it allows implicit IPv6 link local addresses for the
        dhcp ports only. If you want full link local access you still need the
        ALLOW_LINK_LOCAL function.
      ~ The REMOVE_RULES function has been renamed to REMOVE.
      ~ NEW! Now the log facility used can be selected with LOG and NFLOG argument.
        Be aware that log modes can't be mixed when additional parts of the ruleset
        are executed at later time.
      ~ setupEnv() function removed and its code now resides in the main code. It's
        only used once.
      ~ getLinkID() function revised to avoid fails under strange bash conditions.
      ~ obtainNetPrefix() reimplemented. The old version had different problems. Some
        minor bash errors fixed which could occur in different scenarios.
      ~ NEW! probeChains() can now handle chains from different tables. When the first
        argument starts with -t TABLENAME followed by chain names to probe.
      ~ Limiter chain revised into two stages. The first is the usual rate limiting
        e.g. for people bashing on the ssh port. The second stage is triggered when
        there are IP addresses intensifying attacks, which now get blocked for longer
      ~ BLOCK chain removed and block rules placed directly into the corresponding
      ~ LOCAL chain heavily revised and is now the main chain for internal interfaces.
      ~ ALLOW_SERVICE_DISCOVERY is still available but considered obsolete. It was too
        tedious to handle any multicast traffic like mDNS, LLMNR, ... etc.
      ~ NEW! It has been replaced by ALLOW_MULTICAST_ADDRS which uses the 'addrtype'
        feature. Without any optional ports argument it allows any multicast traffic
        but to achieve the same behavior as ALLOW_SERVICE_DISCOVERY it's possible to
        give a list of port arguments.
      ~ NEW! ALLOW_STATEFUL_PACKETS added to allow fine grained control of the
        stateful firewall mechanism to allow NEW packets out in only RELATED,
        ESTABLISHED packets in. Instead of allowing this for any interface this chain
        can be set for an interface explicitly which is very useful when you have
        multiple WAN interfaces.
      ~ ALLOW_LINK_LOCAL revised to limit link local traffic only on the interface it
        has been configured for. This is similar to the behavior before but now the
        addrtype is additionally checked which ensures that the interface the link
        local traffic is going through is a routable address on an interface of the
      ~ Simple LIST function added. Same like 'iptables --line-numbers -nvL'
      ~ Some error conditions were replaced by warnings and aren't stopping execution
        anymore. Especially when it's desired to place rules for interfaces which
        aren't available at the time the rule is invoked. Some functions like
        ALLOW_SUBNETS or FORWARD_SUBNET, which read IP addresses from the
        interfaces, can therefore only be used when the interface is already active,
        but this may change in the future.
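The mangle-table marking approach for DHCP described in this commit, together with the later fixes on this page (replies accepted from any source port, mark comparisons placed first, the initial broadcast bypassing netfilter via PF_PACKET), as an added example that is not ipturntables code: a POSIX shell dry-run generator printing the iptables commands for one interface in client or server mode. IPv4 only; the mark value 0x44 and the function name are this example's own choices, not the project's.

```sh
#!/bin/sh
# Added example, not ipturntables code. Prints the rules instead of running
# them. IPv4 DHCP only (ports 67/68); mark 0x44 is an arbitrary choice.

run() { printf '%s\n' "$*"; }

DHCP_MARK=0x44

# allow_dhcp IFACE MODE    (MODE: client | server)
# mangle table: mark DHCP packets seen on IFACE.
# filter table: accept packets carrying the mark, with the mark match written
# first in the rule, following the ordering the changelog settles on.
# Client mode: renewals leave as sport 68 -> dport 67, replies arrive for
# dport 68 from ANY source port (a relay or a non-standard server port would
# otherwise be dropped). The very first broadcast DISCOVER is sent by most
# clients over a PF_PACKET socket and never traverses netfilter at all, so no
# OUTPUT rule can see it; only the follow-up packets are matched here.
# Server mode: the mirror image (requests to 67, offers/acks from 67 to 68).
allow_dhcp() {
    local iface=$1 mode=$2
    case $mode in
    client)
        run "iptables -t mangle -A OUTPUT -o $iface -p udp --sport 68 --dport 67 -j MARK --set-mark $DHCP_MARK"
        run "iptables -t mangle -A PREROUTING -i $iface -p udp --dport 68 -j MARK --set-mark $DHCP_MARK"
        ;;
    server)
        run "iptables -t mangle -A PREROUTING -i $iface -p udp --sport 68 --dport 67 -j MARK --set-mark $DHCP_MARK"
        run "iptables -t mangle -A OUTPUT -o $iface -p udp --sport 67 --dport 68 -j MARK --set-mark $DHCP_MARK"
        ;;
    *)
        printf 'allow_dhcp: mode must be client or server, got %s\n' "$mode" >&2
        return 1
        ;;
    esac
    # marks set in mangle PREROUTING are visible in filter INPUT,
    # marks set in mangle OUTPUT are visible in filter OUTPUT
    run "iptables -A INPUT -m mark --mark $DHCP_MARK -i $iface -j ACCEPT"
    run "iptables -A OUTPUT -m mark --mark $DHCP_MARK -o $iface -j ACCEPT"
}
```

`allow_dhcp eth0 client` prints four rules; note that the PREROUTING rule for replies carries no --sport at all, which is the fix the later commit describes. Tightening the accept rules to `--mark 0x44/0x44` keeps them working if other mark bits are used on the same packets.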
  9. 07 Feb, 2019 2 commits
      Update README. URL fixed. · e03c86cb
      Branko Mikić authored
      LIMITER implemented, BLOCK chain revised. · a8ea0dcb
      Branko Mikić authored
      ~ BLOCK chain extended to use a specific log prefix depending on mark byte set.
      ~ ANTI-FLOOD and INVALID chain now marking packets before dropping them to BLOCK chain.
      ~ LIMITER implemented using the hashlimit table feature. Can be used e.g. to avoid bashing (brute force attacks) on the ssh port.
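The hashlimit-based LIMITER introduced here, extended into the two-stage form the later commit on this page describes (rate limit first, longer block for sources that keep hammering), as an added example that is not ipturntables code: a POSIX shell dry-run generator for the chain. Chain name, the 'recent' list name, limits, ban time and log prefix are this example's own assumptions.

```sh
#!/bin/sh
# Added example, not ipturntables code. Prints iptables commands instead of
# executing them. Stage 1: per-source token bucket via hashlimit. Stage 2: a
# source that exhausts its bucket is recorded with the 'recent' module and
# dropped for BAN_SECONDS. All names and numbers here are assumptions.

run() { printf '%s\n' "$*"; }

# limiter_chain IPT NAME RATE BURST BAN_SECONDS
# Rule order makes it two-stage: the ban check must sit BEFORE the hashlimit
# rule, otherwise a banned source would keep refilling its bucket and fall
# back to stage 1 as soon as the rate allows.
limiter_chain() {
    local ipt=$1 name=$2 rate=$3 burst=$4 ban=$5
    run "$ipt -N LIMITER"
    # stage 2: already flagged sources stay dropped until the ban expires
    # (--rcheck keeps the ban fixed; --update would extend it on every hit)
    run "$ipt -A LIMITER -m recent --name ${name}_ban --rcheck --seconds $ban -j DROP"
    # stage 1: within budget -> hand the packet back to the calling chain
    run "$ipt -A LIMITER -m hashlimit --hashlimit-name $name --hashlimit-mode srcip --hashlimit-upto $rate --hashlimit-burst $burst -j RETURN"
    # over budget: flag the source; LOG is non-terminating, so DROP follows.
    # Only the first over-budget packet per ban period reaches this rule,
    # later ones are caught by the stage 2 rule above, so the log cannot flood.
    run "$ipt -A LIMITER -m recent --name ${name}_ban --set -j LOG --log-prefix \"[LIMITER] drop \""
    run "$ipt -A LIMITER -j DROP"
}

# limit_port IPT PORT: send only NEW connections through the limiter;
# packets of established flows must not count against the budget.
limit_port() {
    local ipt=$1 port=$2
    run "$ipt -A INPUT -p tcp --dport $port -m conntrack --ctstate NEW -j LIMITER"
}
```

`limiter_chain iptables ssh 3/min 5 3600; limit_port iptables 22` allows five quick connection attempts per source, then three per minute, and a source that exceeds that is dropped for an hour. The same chain can be reused for other ports by calling limit_port again; the hashlimit name keeps the buckets separate from other limiters on the host.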
  10. 28 Apr, 2018 2 commits
      minor bugs fixed! · 240d462e
      Branko Mikić authored
      ~ printKernelParams() function revised to accept nic interface names as argument instead of config options from '/proc/sys/net/ipv4/*' only. When a nic is specified as an argument all available options will be shown.
      Bug! MAC_FILTER ID generates a non-unique ID depending on wether the mac... · 0d22199b
      Branko Mikić authored
      Bug! MAC_FILTER ID generates a non-unique ID depending on whether the mac address was provided in upper- or lower case. This can lead to multiple MAC_FILTER rules for the same mac address instead of removing an already existing rule since the ID couldn't be found. This has been fixed!
  11. 10 Apr, 2018 1 commit
  12. 09 Apr, 2018 2 commits
      ~ BugFix! The FORWARD_PORT target host argument didn't handle the optional... · b64ca400
      Branko Mikić authored
      ~ BugFix! The FORWARD_PORT target host argument didn't handle the optional port correctly when omitted. This has been fixed.
      ~ ALLOW_PORT and FORWARD_PORT now have an optional protocol argument. When omitted ALLOW_PORT creates rules for both protocols (tcp|udp) while FORWARD_PORT defaults to tcp only.
      ~ checkProtocol() function added for argument check.
      ~ formatSubnetAsHexID() function renamed to formatAsHexID() as the function can be used on either an IP address or a subnet mask.
      ~ SVG project logo added. · fc9a37d3
      Branko Mikić authored
      ~ OpenOffice slide added.
  13. 20 Jul, 2017 1 commit
      ~ BugFix! In checkIPArgFormat() and obtainNetPrefix() the regex expressions were revised. · 2e2bf5a2
      Branko Mikić authored
      ~ obtainRuleIndices() didn't force hostnames of iptables output to be numeric only but could also be a FQDN entry, which led the regex expression to fail.
      ~ BugFix! In FORWARD_SUBNET_PROTECTIVE chain the ID could easily exceed the maximum length when used with IPv6 as they can naturally grow very large if short (::) notation is omitted. Especially when such an ID is used eg. as a chain name!
      Therefore the chain name for forwarded IPv6 subnets now uses 'cksum' instead of the ID returned by formatSubnetAsHexID() function.
      The new ID format is now a shorter version to fit them into chain names as well as comment fields of iptables.
      ~ In the BASE_RULE_SET command using the ANTI-FLOOD chain on anything regardless of being internal or external traffic wasn't a good idea at all. So the new LOCAL chain now allows internal traffic before ANTI-FLOOD protection is applied while any external traffic still needs to pass the ANTI-FLOOD and INVALID chains without creating wild, complex exceptions in the BLOCK chain to distinguish invalid, internal traffic from invalid, external traffic.
      ~ By reordering the rules in the BASE_RULE_SET a lot of stuff was simplified to be used on both (IPv4|6) protocols in the same manner.
      ~ EXPERIMENTAL! A new command called 6TO4 implemented for tunneling IPv6 traffic over IPv4 links. This code is heavily experimental not meant to be used in production environments.
      ~ NEW! ALLOW_PORT (or ALLOW_SERVICE) command implemented. This is a simple version of allowing traffic for specific ports on the router to reach local daemons.
      It would be possible to do that manually by adding a rule to the USER-IN chain but this one uses iptables' 'multiport' feature so that one rule can allow multiple ports at once. Anyway ALLOW_PORT can also be used to only allow a single port per rule.
      There can be reasons to _not_ do that and have implicitly one rule for allowing one port especially when the firewall rules are tweaked at runtime and removing all ports at once isn't desired.
      ~ For IPv6 the filter for RH0 headers was removed (!) as nearly any new kernel version does that on its own even without any netfilter.
      ~ Outbound traffic on safe ports (eg: 80,443) is now allowed by default for forwarded subnets only.
  14. 17 Nov, 2016 3 commits
  15. 25 Oct, 2016 1 commit
      ~ some helpers added for checking numbers like isNaturalNumber(), isInteger(),... · caf9aa22
      Branko Mikić authored
      ~ some helpers added for checking numbers like isNaturalNumber(), isInteger(), isFloat() and isNumber() functions.
      ~ ALLOW_DHCPV6_CLIENT revised to work with both IPv(4|6) therefore the function was renamed to ALLOW_DHCP_CLIENT.
      ~ obtainRouteToIP() renamed to obtainNetPrefix() and revised to work with both IPv(4|6)
      ~ obtainNetPrefix() renamed to checkSubnetArgFormat()
      ~ NEW! checkMACArgFormat(), checkIPArgFormat() and checkSubnetArgFormat() implemented to check passed arguments.
      ~ deleteRules() revised to return the number of rules deleted. Useful when giving a feedback to the user about deletions.
      ~ The LOG target now includes the ENVID to distinguish between logs from iptables and ip6tables. Instead of [IN|OUT|FWD-DROP] prefix the logs are now prefixed like [IN4-DROP], [OU6-DROP] or [FW4-DROP], ...
      ~ When creating chain names usually the formatSubnetAsHexID() function was used, but for IPv6 subnets this can lead to chain names longer than 28 chars, which iptables will not accept. Therefore chain names now use the shorter ID created from cksum with '-IN' or '-OUT' suffixes (eg: A273DBBD-OUT or A0C182C8-IN)
      ~ FORWARD_MAC_FILTER renamed to MAC_FILTER and revised to accept a chain name on which the mac filter is placed.
      ~ FORWARD_PORT|FORWARD_ROUTING implemented to allow pre- & postrouting forwards in the nat table. This function can forward through a WAN into a private subnet but can also be used to forward between hosts inside a private subnet.
      ~ REMOVE_RULES revised to show only chains on which entries were deleted instead of chains processed regardless of deletions. This way the user gets a better feedback about deletions when removing rules by regex expression.
      ~ ALLOW_TUNNEL implemented. Allows a router to receive ipip, gre or sit tunnels on the given node from a specified address. At the moment sit tunnels are working, ipip and gre still need some work. A hacky script added to includes/sit_tunnel.sh which is not exactly a part of ipturntables but may be useful anyway.
  16. 15 Apr, 2016 3 commits
  17. 09 Apr, 2016 3 commits
      ~ The reset target of 'Makefile.example' has been renamed to avoid confusion... · edca0ffa
      Branko Mikić authored
      ~ The reset target of 'Makefile.example' has been renamed to avoid confusion with the RESET function of ipturntables which rather resets (clears) all rules instead of restoring a preset file.
      ~ The 'Makefile' has been renamed to 'Makefile.example' so that working copies... · e79331a3
      root authored
      ~ The 'Makefile' has been renamed to 'Makefile.example' so that working copies can tweak in their local 'Makefile' file without committing such configurations to the repo.
      ~ The default make targets and respectively their output files 'IPv4.rules' and 'IPv6.rules' aren't handy for completion on the console. The default base configs are now called '4.rules' and '6.rules'
      ~ A new 'reset' make target was added which just uses ip(6)tables-restore on the default configs to reset the firewall without the necessity to process '4.rules' and '6.rules' targets again. A convenient way to just reset the firewall.
      ~ iptables-save isn't called implicitly when running ipturntables.sh anymore, that cluttered the output too much when using small additional calls. Instead the keywords VERBOSE, LIST_RULES or SHOW_RULES can be used to output the rules tables to stdout. By default these aren't printed anymore but in a full make run this is explicitly set to have a full output there only.
      ~ ICMP route & neighbor discovery has been revised. The ICMP subtype 143 was added to the output chain to allow "multicast listener report V2" and some additional comments about the ICMP subtypes were added.
      ~ An INVALID chain has been added and is called in the BLOCK chain which usually logs just '[BLOCKED]' but when a packet is invalid the log-prefix now adds '(Invalid)'. Invalid packets give a good indication if someone's trying something suspicious and can be differentiated from usual packets getting blocked.
  18. 28 Mar, 2016 2 commits
  19. 24 Mar, 2016 1 commit
      ~ FORWARD_SUBNET_PROTECTIVE call now uses an ID string better suited for grep'ing. · 9498bb11
      Branko Mikić authored
      ~ Also the ID string of MASQUERADE has been changed to POSTROUTING_MASQUERADE and it uses the same format for device and subnet (INPUTDEV_SUBNET_OUTPUTDEV) as the FORWARD_SUBNET_PROTECTIVE call. This way it's possible to grep both and delete FORWARD_SUBNET_PROTECTIVE rules for a specific subnet config along with its POSTROUTING_MASQUERADE rule entries in one step.
      ~ REMOVE_RULES call implemented. It deletes all rules matching the given ID string. Any possible orphaned chain is deallocated (removed) too. This keeps the rules table clean.
  20. 23 Mar, 2016 1 commit
      ~ getLinkID() implemented which extends getLinkMAC() function. In case of... · 3eb05a9f
      Branko Mikić authored
      ~ getLinkID() implemented which extends getLinkMAC() function. In case of virtual network interfaces no appropriate ID was returned. getLinkID() returns a hash of the interface name instead of an empty MAC identifier when no MAC address is available. Further the MAC address is now obtained from the /sys/class/net/* path instead of calling ip command plus expensive grep'ing.
      ~ getLinkMac() was revised to just return the MAC address. Additionally it provides a return code for successful retrieval of a MAC address.
      ~ The ALLOW_DHCPV6_CLIENT call was revised to handle IPv4 protocol too and has been renamed to ALLOW_DHCP_CLIENT accordingly.
  21. 31 Jan, 2016 1 commit