1. 14 Sep, 2020 2 commits
    • 19a91a97
    • No update in a long time now they come all at once. · fab0e69a
      Branko Mikić authored
      ~ Warnings, errors and about are now printed to stderr instead of stdout to keep
        the rules files clean.
      ~ Dry-run added via argument -d which will print all iptables commands instead
        of executing them.
      ~ RESET function can now reset the firewall with an optional default policy
        argument like ACCEPT, DROP and REJECT.
      ~ ALLOW_DHCP_CLIENT function and its rules were completely revised. Since the
        new code can handle client and server modes the function has been renamed to
        ALLOW_DHCP. DHCP is hard to track in the filter chains, therefore it's now
        handled in the mangle table, marking packets on interfaces configured by the
        ALLOW_DHCP function. The marked packets are then finally accepted in the
        filter chains. Further, it allows implicit IPv6 link local addresses for the
        DHCP ports only. If you want full link local access you still need the
        ALLOW_LINK_LOCAL function.
      ~ The REMOVE_RULES function has been renamed to REMOVE.
      ~ NEW! Now the log facility used can be selected with the LOG and NFLOG argument.
        Be aware that log modes can't be mixed when additional parts of the ruleset
        are executed at a later time.
      ~ setupEnv() function removed and its code now resides in the main code. It's
        only used once.
      ~ getLinkID() function revised to avoid failures under strange bash conditions.
      ~ obtainNetPrefix() reimplemented. The old version had different problems. Some
        minor bash errors fixed which could occur in different scenarios.
      ~ NEW! probeChains() can now handle chains from different tables when the first
        argument starts with -t TABLENAME followed by chain names to probe.
      ~ Limiter chain revised into two stages. The first is the usual rate limiting,
        e.g. for people bashing on the ssh port. The second stage is triggered when
        there are IP addresses intensifying attacks, which now get blocked for longer
        periods.
      ~ BLOCK chain removed and block rules placed directly into the corresponding
        chains.
      ~ LOCAL chain heavily revised and is now the main chain for internal interfaces.
      ~ ALLOW_SERVICE_DISCOVERY is still available but considered obsolete. It was too
        tedious to handle any multicast traffic like mDNS, LLMNR, ... etc.
      ~ NEW! It has been replaced by ALLOW_MULTICAST_ADDRS which uses the 'addrtype'
        feature. Without any optional ports argument it allows any multicast traffic,
        but to achieve the same behavior as ALLOW_SERVICE_DISCOVERY it's possible to
        give a list of port arguments.
      ~ NEW! ALLOW_STATEFUL_PACKETS added to allow fine grained control of the
        stateful firewall mechanism to allow NEW packets out and only RELATED,
        ESTABLISHED packets in. Instead of allowing this for any interface this chain
        can be set for an interface explicitly, which is very useful when you have
        multiple WAN interfaces.
      ~ ALLOW_LINK_LOCAL revised to limit link local traffic only on the interface it
        has been configured for. This is similar to the behavior before, but now the
        addrtype is additionally checked, which ensures that the interface the link
        local traffic is going through is a routable address on an interface of the
        host.
      ~ Simple LIST function added. Same as 'iptables --line-numbers -nvL'.
      ~ Some error conditions were replaced by warnings and aren't stopping execution
        anymore, especially when it's desired to place rules for interfaces which
        aren't available at the time the rule is invoked. There may be some functions
        like ALLOW_SUBNETS or FORWARD_SUBNET which read IP addresses from the
        interfaces and therefore can only be used when the interface is already active,
        but this may change in the future.
  2. 07 Feb, 2019 2 commits
    • Update README. URL fixed. · e03c86cb
      Branko Mikić authored
    • LIMITER implemented, BLOCK chain revised. · a8ea0dcb
      Branko Mikić authored
      ~ BLOCK chain extended to use a specific log prefix depending on the mark byte set.
      ~ ANTI-FLOOD and INVALID chains now mark packets before dropping them to the BLOCK chain.
      ~ LIMITER implemented using the hashlimit table feature. Can be used e.g. to avoid bashing (brute force attacks) on the ssh port.
  3. 28 Apr, 2018 2 commits
    • minor bugs fixed! · 240d462e
      Branko Mikić authored
      ~ printKernelParams() function revised to accept nic interface names as argument instead of config options from '/proc/sys/net/ipv4/*' only. When a nic is specified as an argument all available options will be shown.
    • Bug! MAC_FILTER ID generates a non-unique ID depending on wether the mac... · 0d22199b
      Branko Mikić authored
      Bug! MAC_FILTER ID generates a non-unique ID depending on whether the mac address was provided in upper- or lower case. This can lead to multiple MAC_FILTER rules for the same mac address instead of removing an already existing rule since the ID couldn't be found. This has been fixed!
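The case-sensitivity bug described in this commit, as an added shell example that is not ipturntables' own code: an ID derived from the MAC address as typed differs between "AA:..." and "aa:...", so the existing rule is never found and a duplicate is added. The MAC_FILTER_<hex> ID format, the comment-based rule lookup and the sample `iptables -S` listing are assumptions constructed here.

```shell
#!/bin/sh
# Added example, not ipturntables' own code. Shows why a rule ID built from the
# MAC address as typed is not unique across upper/lower case, and the fix of
# normalizing case before deriving the ID. ID format and lookup are assumptions.

# Buggy variant: the MAC is used exactly as the caller typed it.
mac_filter_id_buggy() {
  printf 'MAC_FILTER_%s' "$(printf '%s' "$1" | tr -d ':')"
}

# Fixed variant: lower-case and validate the MAC, then build the ID from it.
# Returns 1 for anything that is not a colon-separated 48-bit MAC address.
mac_filter_id() {
  mac=$(printf '%s' "$1" | tr 'A-F' 'a-f')
  printf '%s' "$mac" | grep -Eq '^([0-9a-f]{2}:){5}[0-9a-f]{2}$' || return 1
  printf 'MAC_FILTER_%s' "$(printf '%s' "$mac" | tr -d ':')"
}

# Constructed sample of 'iptables -S' output holding one MAC_FILTER rule whose
# ID lives in the rule's comment field.
SAMPLE_RULES='-A INPUT -i eth0 -m mac --mac-source 00:11:22:33:44:55 -m comment --comment MAC_FILTER_001122334455 -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT'

# Count the rules in a listing (read from stdin) that carry the given ID.
count_rules_with_id() {
  grep -c -- "--comment $1 " || true
}

# Returns 0 when a rule for this MAC already exists (so it should be removed
# rather than added a second time), 1 when it does not, 2 for a malformed MAC.
rule_exists() {
  id=$(mac_filter_id "$1") || return 2
  n=$(printf '%s\n' "$SAMPLE_RULES" | count_rules_with_id "$id")
  [ "$n" -gt 0 ]
}
```

With the buggy variant, `mac_filter_id_buggy AA:BB:CC:DD:EE:FF` and `mac_filter_id_buggy aa:bb:cc:dd:ee:ff` give two different IDs; with the fixed variant both resolve to the same ID and the lookup finds the existing rule.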
  4. 10 Apr, 2018 1 commit
  5. 09 Apr, 2018 2 commits
    • ~ BugFix! The FORWARD_PORT target host argument didn't handle the optional... · b64ca400
      Branko Mikić authored
      ~ BugFix! The FORWARD_PORT target host argument didn't handle the optional port correctly when omitted. This has been fixed.
      ~ ALLOW_PORT and FORWARD_PORT now have an optional protocol argument. When omitted ALLOW_PORT creates rules for both protocols (tcp|udp) while FORWARD_PORT defaults to tcp only.
      ~ checkProtocol() function added for argument check.
      ~ formatSubnetAsHexID() function renamed to formatAsHexID() as the function can be used on either an IP address or a subnet mask.
    • ~ SVG project logo added. · fc9a37d3
      Branko Mikić authored
      ~ OpenOffice slide added.
  6. 20 Jul, 2017 1 commit
    • ~ BugFix! In checkIPArgFormat() and obtainNetPrefix() the regex expressions were revised. · 2e2bf5a2
      Branko Mikić authored
      ~ obtainRuleIndices() didn't force hostnames of iptables output to be numeric only, but they could also be a FQDN entry, which led the regex expression to fail.
      ~ BugFix! In FORWARD_SUBNET_PROTECTIVE chain the ID could easily exceed the maximum length when used with IPv6 as they can naturally grow very large if short (::) notation is omitted. Especially when such an ID is used eg. as a chain name!
      Therefore the chain name for forwarded IPv6 subnets now uses 'cksum' instead of the ID returned by formatSubnetAsHexID() function.
      The new ID format is now a shorter version to fit them into chain names as well as comment fields of iptables.
      ~ In the BASE_RULE_SET command using the ANTI-FLOOD chain on anything regardless of being internal or external traffic wasn't a good idea at all. So the new LOCAL chain now allows internal traffic before ANTI-FLOOD protection is applied while any external traffic still needs to pass the ANTI-FLOOD and INVALID chains without creating wild, complex exceptions in the BLOCK chain to distinguish invalid, internal traffic from invalid, external traffic.
      ~ By reordering the rules in the BASE_RULE_SET a lot of stuff was simplified to be used on both (IPv4|6) protocols in the same manner.
      ~ EXPERIMENTAL! A new command called 6TO4 implemented for tunneling IPv6 traffic over IPv4 links. This code is heavily experimental not meant to be used in production environments.
      ~ NEW! ALLOW_PORT (or ALLOW_SERVICE) command implemented. This is a simple version of allowing traffic for specific ports on the router to reach local daemons.
      It would be possible to do that manually by adding a rule to the USER-IN chain but this one uses iptables' 'multiport' feature so that one rule can allow multiple ports at once. Anyway ALLOW_PORT can also be used to only allow a single port per rule.
      Attention!
      There can be reasons to _not_ do that and have implicitly one rule for allowing one port especially when the firewall rules are tweaked at runtime and removing all ports at once isn't desired.
      ~ For IPv6 the filter for RH0 headers was removed (!) as nearly any new kernel version does that on its own even without any netfilter.
      ~ Outbound traffic on safe ports (eg: 80,443) is now allowed by default for forwarded subnets only.
  7. 17 Nov, 2016 3 commits
  8. 25 Oct, 2016 1 commit
    • ~ some helpers added for checking numbers like isNaturalNumber(), isInteger(),... · caf9aa22
      Branko Mikić authored
      ~ some helpers added for checking numbers like isNaturalNumber(), isInteger(), isFloat() and isNumber() functions.
      ~ ALLOW_DHCPV6_CLIENT revised to work with both IPv(4|6) therefore the function was renamed to ALLOW_DHCP_CLIENT.
      ~ obtainRouteToIP() renamed to obtainNetPrefix() and revised to work with both IPv(4|6)
      ~ obtainNetPrefix() renamed to checkSubnetArgFormat()
      ~ NEW! checkMACArgFormat(), checkIPArgFormat() and checkSubnetArgFormat() implemented to check passed arguments.
      ~ deleteRules() revised to return the number of rules deleted. Useful when giving feedback to the user about deletions.
      ~ The LOG target now includes the ENVID to distinguish between logs from iptables and ip6tables. Instead of [IN|OUT|FWD-DROP] prefix the logs are now prefixed like [IN4-DROP], [OU6-DROP] or [FW4-DROP], ...
      ~ When creating chain names usually the formatSubnetAsHexID() function was used, but for IPv6 subnets this can lead to chain names longer than 28 chars which iptables will not accept, therefore chain names now use t...
  9. 15 Apr, 2016 3 commits
  10. 09 Apr, 2016 3 commits
    • ~ The reset target of 'Makefile.example' has been renamed to avoid confusion... · edca0ffa
      Branko Mikić authored
      ~ The reset target of 'Makefile.example' has been renamed to avoid confusion with the RESET function of ipturntables which rather resets (clears) all rules instead of restoring a preset file.
    • ~ The 'Makefile' has been renamed to 'Makefile.example' so that working copies... · e79331a3
      root authored
      ~ The 'Makefile' has been renamed to 'Makefile.example' so that working copies can tweak their local 'Makefile' file without committing such configurations to the repo.
      ~ The default make targets and respectively their output files 'IPv4.rules' and 'IPv6.rules' aren't handy for completion on the console. The default base configs are now called '4.rules' and '6.rules'
      ~ A new 'reset' make target was added which just uses ip(6)tables-restore on the default configs to reset the firewall without the necessity to process '4.rules' and '6.rules' targets again. A convenient way to just reset the firewall.
      ~ iptables-save isn't called implicitly when running ipturntables.sh anymore; that cluttered the output too much when using small additional calls. Instead the keywords VERBOSE, LIST_RULES or SHOW_RULES can be used to output the rules tables to stdout. By default these aren't printed anymore, but in a full make run this is explicitly set to have a full output there only.
      ~ ICMP route & neighbor discovery has been revised. The ICMP subtype 143 was added to the output chain to allow "multicast listener report V2" and some additional comments about the ICMP subtypes were added.
      ~ An INVALID chain has been added and is called in the BLOCK chain, which usually logs just '[BLOCKED]', but when a packet is invalid the log-prefix now adds '(Invalid)'. Invalid packets give a good indication if someone's trying something suspicious and can be differentiated from usual packets getting blocked.
  11. 28 Mar, 2016 2 commits
  12. 24 Mar, 2016 1 commit
    • ~ FORWARD_SUBNET_PROTECTIVE call now uses an ID string better suitable for grep'ing. · 9498bb11
      Branko Mikić authored
      ~ Also the ID string of MASQUERADE has been changed to POSTROUTING_MASQUERADE and it uses the same format for device and subnet (INPUTDEV_SUBNET_OUTPUTDEV) as the FORWARD_SUBNET_PROTECTIVE call. This way it's possible to grep both and delete FORWARD_SUBNET_PROTECTIVE rules for a specific subnet config along with its POSTROUTING_MASQUERADE rule entries in one step.
      ~ REMOVE_RULES call implemented. It deletes all rules matching the given ID string. Any possible orphaned chain is deallocated (removed) too. This keeps the rules table clean.
  13. 23 Mar, 2016 1 commit
    • ~ getLinkID() implemented which extends getLinkMAC() function. In case of... · 3eb05a9f
      Branko Mikić authored
      ~ getLinkID() implemented which extends the getLinkMAC() function. In case of virtual network interfaces no appropriate ID was returned. getLinkID() returns a hash of the interface name instead of an empty MAC identifier when no MAC address is available. Further, the MAC address is now obtained from the /sys/class/net/* path instead of calling the ip command plus expensive grep'ing.
      ~ getLinkMac() was revised to just return the MAC address. Additionally it provides a return code for successful retrieval of a MAC address.
      ~ The ALLOW_DHCPV6_CLIENT call was revised to handle IPv4 protocol too and has been renamed to ALLOW_DHCP_CLIENT accordingly.
  14. 31 Jan, 2016 1 commit