#!/bin/sh
#------------------------------------------------------------------------------
# /etc/rc.d/rc360.fwrules - configure firewall                     __FLI4LVER__
#
# Builds the IPv6 netfilter rule set at boot: flushes and re-populates the
# filter, nat (only if the kernel offers an IPv6 nat table) and raw tables,
# installs the default accept rules of each chain, appends the user-configured
# PF6_* rules, sources package hook scripts and finally enables IPv6 forwarding.
#
# The add_rule6 / add_chain6 / ins_rule6 / close_chain6 / set_count6 /
# get_defaults6 / setup_logging6 helpers come from /etc/rc.d/fwrules-helper.ipv6
# (sourced below).  The rule strings passed to them ("prot:...", "state:...",
# "if:...", "tmpl:...", BIDIRECTIONAL, ...) are only arguments here; their
# meaning is defined by those helpers, not by this script.
#
# Creation:    jw5
# Last Update: $Id$
#------------------------------------------------------------------------------

# Registries of additional default rules, one per chain.  Each registry is a
# whitespace-separated list of command words; when the matching *_ACCEPT_DEF
# block below runs, every word is executed as a command (`for i in $...; do $i;
# done`).  An entry must therefore be a single word (normally a function name):
# whitespace inside an entry would be split into separate commands.
#
# Nothing in this file calls the pf6_*_add_default functions.  They are consumed
# before the post hooks run, so the only code that can register entries is what
# is sourced earlier: fwrules-helper.ipv6, $ipv6_tunnel_dev_file and the
# /etc/rc.d/fwrules.ipv6.pre* hooks.
pf6_in_default_rules=
pf6_in_add_default ()
{
    pf6_in_default_rules="$pf6_in_default_rules $1"
}

pf6_fwd_default_rules=
pf6_fwd_add_default ()
{
    pf6_fwd_default_rules="$pf6_fwd_default_rules $1"
}

pf6_out_default_rules=
pf6_out_add_default ()
{
    pf6_out_default_rules="$pf6_out_default_rules $1"
}

pf6_prect_default_rules=
pf6_prect_add_default ()
{
    pf6_prect_default_rules="$pf6_prect_default_rules $1"
}

pf6_outct_default_rules=
pf6_outct_add_default ()
{
    pf6_outct_default_rules="$pf6_outct_default_rules $1"
}

# pf6_iterate TABLE CHAIN NAME [POSTFIX [METHOD]]
#
# Appends the numbered user rules NAME${POSTFIX}_1 .. NAME${POSTFIX}_N to CHAIN
# of TABLE via add_rule6.  NAME${POSTFIX}_N holds the count; an unset or empty
# count is treated as zero (the leading 0 in `0$val` keeps the test well-formed
# when the variable is unset).  NAME${POSTFIX}_<i>_COMMENT, if set, becomes the
# rule comment, otherwise the comment is the assignment itself
# (NAME_<i>='<rule>').  METHOD is passed to add_rule6 unchanged; it is empty
# for plain rules and exec_prerouting_rule6 for the PORTFW call below.
#
# NAME and POSTFIX are spliced into variable names under eval and must be plain
# identifiers; every call site in this file passes literals.  The rule *values*
# are only expanded by eval, never re-parsed as shell code.  Note that POSIX sh
# has no `local`: pfi_*, val, idx, rule and comment remain set after the call.
pf6_iterate ()
{
    pfi_table=$1
    pfi_chain=$2
    pfi_name=$3
    pfi_postfix=$4
    pfi_method=$5
    eval val=\$${pfi_name}${pfi_postfix}_N
    [ 0$val -eq 0 ] || for idx in `seq 1 $val`
    do
        eval rule=\$${pfi_name}${pfi_postfix}_$idx
        eval comment=\$${pfi_name}${pfi_postfix}_${idx}_COMMENT
        if [ -z "$comment" ]
        then
            comment="${pfi_name}${pfi_postfix}_$idx='$rule'"
        else
            comment="${pfi_name}${pfi_postfix}_$idx: $comment"
        fi
        # table and chain are deliberately unquoted as in the rest of the file;
        # the user chain names expanded into pfi_chain must not contain spaces
        add_rule6 $pfi_table $pfi_chain "$rule" "$comment" "$pfi_method"
    done
}

begin_script FWRULES6 "configuring firewall (IPv6) ..."

# kristov: disable file name globbing as IPv6 addresses may occur in square
# brackets [...] which are interpreted as character classes otherwise.
# Globbing stays off for the whole script except where hook scripts are looked
# up, and is restored at the very end.
set -f

# get helper functions; presumably also the only place that defines $IP6TABLES
# and the $ip6tables_* paths used below (nothing in this file sets them)
. /etc/rc.d/fwrules-helper.ipv6

# reset the dynamic-rule store and its index (unquoted: the helper is expected
# to provide paths without whitespace)
mkdir -p $ip6tables_dynrules
echo 1 > $ip6tables_dynrules_idx
mkdir -p $ip6tables_rules

# tunnel device description is *sourced*, i.e. it runs as shell code in this
# process if the file exists
[ -f "$ipv6_tunnel_dev_file" ] && . "$ipv6_tunnel_dev_file"

# flush the built-in chains; user-defined chains are not flushed or deleted here
$IP6TABLES -F FORWARD
$IP6TABLES -F INPUT
$IP6TABLES -F OUTPUT

# IPv6 NAT is optional: load the module if the kernel ships it and probe the nat
# table.  The probe uses the plain ip6tables binary rather than $IP6TABLES, so
# it is independent of whatever $IP6TABLES wraps (presumably intentional).
do_modprobe_if_exists kernel/net/ipv6/netfilter nf_nat_ipv6
if ip6tables -t nat -L >/dev/null 2>&1
then
    $IP6TABLES -t nat -F POSTROUTING
    $IP6TABLES -t nat -F PREROUTING
fi

$IP6TABLES -t raw -F OUTPUT
$IP6TABLES -t raw -F PREROUTING

# Kernel chain policies: fail closed for INPUT/FORWARD while the rule set is
# being rebuilt.  A kernel policy can only be ACCEPT or DROP, so a configured
# REJECT (PF6_*_POLICY) is presumably realised by close_chain6 at the end.
$IP6TABLES -P FORWARD DROP      # forward policy is drop
$IP6TABLES -P INPUT   DROP      # REJECT is not possible here :-(
$IP6TABLES -P OUTPUT  ACCEPT    # output policy is accept

# setup logging: `:` with ${VAR:=default} assigns the default only if the
# variable is unset or empty
: ${PF6_INPUT_REJ_LIMIT:="1/second:5"}
: ${PF6_INPUT_UDP_REJ_LIMIT:="1/second:5"}
: ${PF6_FORWARD_REJ_LIMIT:="1/second:5"}
: ${PF6_FORWARD_UDP_REJ_LIMIT:="1/second:5"}
: ${PF6_OUTPUT_REJ_LIMIT:="1/second:5"}
: ${PF6_OUTPUT_UDP_REJ_LIMIT:="1/second:5"}

setup_logging6 "$PF6_INPUT_LOG" INPUT fw-input "$PF6_INPUT_LOG_LIMIT" "$PF6_INPUT_REJ_LIMIT" "$PF6_INPUT_UDP_REJ_LIMIT" $PF6_LOG_LEVEL
setup_logging6 "$PF6_FORWARD_LOG" FORWARD fw-forward "$PF6_FORWARD_LOG_LIMIT" "$PF6_FORWARD_REJ_LIMIT" "$PF6_FORWARD_UDP_REJ_LIMIT" $PF6_LOG_LEVEL
setup_logging6 "$PF6_OUTPUT_LOG" OUTPUT fw-output "$PF6_OUTPUT_LOG_LIMIT" "$PF6_OUTPUT_REJ_LIMIT" "$PF6_OUTPUT_UDP_REJ_LIMIT" $PF6_LOG_LEVEL

# create ipset list.  `>>` creates the file if missing but does NOT truncate an
# existing one, so content left by a previous run (or another writer) survives
# and makes the `-s` test for DNS redirection below succeed.
# NOTE(review): confirm this carry-over is intended.
>> /var/run/ipset.list

#----------------------------------------------------------------------------
# running chain commands from additional packages
# these rules come first in the chain - so beware of bloated rulesets which
# are used uncommonly
#
# Hooks are *sourced* with globbing re-enabled only for the lookup; they run in
# this shell with full access to everything defined above and may register
# extra default rules via pf6_*_add_default.  The numbered pre### hooks are
# expanded before the unnumbered ones; `-f` skips an unmatched literal pattern.
#----------------------------------------------------------------------------
set +f
for ext in /etc/rc.d/fwrules.ipv6.pre[0-9][0-9][0-9].* /etc/rc.d/fwrules.ipv6.pre.*
do
    if [ -f "$ext" ]
    then
        set -f
        . $ext
        set +f
    fi
done
set -f

# create user defined chains: two passes, first create every chain, then fill
# them (presumably so that a rule in one user chain may jump to a chain that is
# defined later in the list).  Rules for chain <i> live in PF6_USR_CHAIN_<i>_RULE_x.
if [ 0$PF6_USR_CHAIN_N -ne 0 ]; then
    for idx in `seq 1 $PF6_USR_CHAIN_N`
    do
        eval add_chain6 \$PF6_USR_CHAIN_${idx}_NAME
    done
    for idx in `seq 1 $PF6_USR_CHAIN_N`
    do
        eval pf6_iterate filter \$PF6_USR_CHAIN_${idx}_NAME PF6_USR_CHAIN_${idx} _RULE
    done
fi

# input chain
get_defaults6 INPUT
if [ "$PF6_INPUT_ACCEPT_DEF" = 'yes' ]
then
    # echo-request rate limit: "none" disables it, empty means 1/second burst 5,
    # anything else is passed through as given
    case x$PF6_INPUT_ICMP_ECHO_REQ_LIMIT in
    xnone) limit= ;;
    x) limit="limit:1/second:5" ;;
    *) limit="limit:$PF6_INPUT_ICMP_ECHO_REQ_LIMIT"
    esac

    # Default ICMPv6 handling lives in its own chain.  Accepted are the error
    # messages (1 destination unreachable, 2 packet too big, 3 time exceeded,
    # 4 parameter problem), size- and rate-limited echo requests, and the
    # neighbor discovery messages 133 (router solicitation), 135 (neighbor
    # solicitation) and 136 (neighbor advertisement).  Not in this list: 134
    # (router advertisement), 137 (redirect) and MLD (130-132) - they return
    # from in-icmp unmatched and need a user rule if a deployment wants them.
    add_chain6 in-icmp
    add_rule6 filter in-icmp "prot:icmpv6:1 ACCEPT" PF6_INPUT_ACCEPT_DEF
    add_rule6 filter in-icmp "prot:icmpv6:2 ACCEPT" PF6_INPUT_ACCEPT_DEF
    add_rule6 filter in-icmp "prot:icmpv6:3 ACCEPT" PF6_INPUT_ACCEPT_DEF
    add_rule6 filter in-icmp "prot:icmpv6:4 ACCEPT" PF6_INPUT_ACCEPT_DEF
    add_rule6 filter in-icmp "prot:icmpv6:echo-request length:0-$PF6_INPUT_ICMP_ECHO_REQ_SIZE $limit ACCEPT" PF6_INPUT_ACCEPT_DEF
    add_rule6 filter in-icmp "prot:icmpv6:133 ACCEPT" PF6_INPUT_ACCEPT_DEF
    add_rule6 filter in-icmp "prot:icmpv6:135 ACCEPT" PF6_INPUT_ACCEPT_DEF
    add_rule6 filter in-icmp "prot:icmpv6:136 ACCEPT" PF6_INPUT_ACCEPT_DEF

    # Order matters: established/related first, then all ICMPv6 via in-icmp,
    # then loopback.  The ::1 rule comes after the loopback accept, so it only
    # hits NEW connections involving ::1 on a non-loopback interface (spoofed
    # loopback addresses); BIDIRECTIONAL presumably matches ::1 as source or
    # destination - see the helper.  Unlike FORWARD, INPUT has no explicit
    # state:INVALID DROP rule here.
    add_rule6 filter INPUT "state:ESTABLISHED,RELATED ACCEPT" PF6_INPUT_ACCEPT_DEF
    add_rule6 filter INPUT "prot:icmpv6 in-icmp" PF6_INPUT_ACCEPT_DEF
    add_rule6 filter INPUT "if:lo:any ACCEPT" PF6_INPUT_ACCEPT_DEF
    add_rule6 filter INPUT "state:NEW ::1 DROP BIDIRECTIONAL" PF6_INPUT_ACCEPT_DEF

    # extra defaults registered by sourced code (see pf6_in_add_default)
    for i in $pf6_in_default_rules; do
        $i
    done
fi
# set_count6 presumably records where the default rules end before the
# user rules PF6_INPUT_1..N are appended - confirm in fwrules-helper.ipv6
set_count6 INPUT
pf6_iterate filter INPUT PF6_INPUT

# forward chain
get_defaults6 FORWARD
if [ "$PF6_FORWARD_ACCEPT_DEF" = 'yes' ]
then
    add_rule6 filter FORWARD "state:ESTABLISHED,RELATED ACCEPT" PF6_FORWARD_ACCEPT_DEF
    add_rule6 filter FORWARD "state:INVALID DROP" PF6_FORWARD_ACCEPT_DEF
    add_rule6 filter FORWARD "state:NEW ::1 DROP BIDIRECTIONAL" PF6_FORWARD_ACCEPT_DEF
    for i in $pf6_fwd_default_rules; do
        $i
    done
fi
set_count6 FORWARD
# consider dropping outgoing invalid packets.  If this is ever enabled it
# belongs in the OUTPUT block below and should be guarded by
# PF6_OUTPUT_ACCEPT_DEF, not PF6_FORWARD_ACCEPT_DEF as written here:
# add_rule6 filter OUTPUT "state:INVALID DROP" PF6_FORWARD_ACCEPT_DEF
pf6_iterate filter FORWARD PF6_FORWARD

# postrouting chain (user rules PF6_POSTROUTING_x; only with nat support)
if ip6tables -t nat -L >/dev/null 2>&1
then
    pf6_iterate nat POSTROUTING PF6_POSTROUTING
fi

# output chain
get_defaults6 OUTPUT
if [ "$PF6_OUTPUT_ACCEPT_DEF" = 'yes' ]
then
    add_rule6 filter OUTPUT "state:ESTABLISHED,RELATED ACCEPT" PF6_OUTPUT_ACCEPT_DEF
    for i in $pf6_out_default_rules; do
        $i
    done
fi
set_count6 OUTPUT
pf6_iterate filter OUTPUT PF6_OUTPUT

if ip6tables -t nat -L >/dev/null 2>&1
then
    # prerouting chain: PF6_PREROUTING_x rules go into the PORTFW chain (not
    # created in this file) with exec_prerouting_rule6 as the add_rule6 method
    pf6_iterate nat PORTFW PF6_PREROUTING "" exec_prerouting_rule6
fi

# conntrack prerouting chain (raw table).  Note the order is the reverse of the
# filter chains: user rules PF6_PREROUTING_CT_x are appended first, the
# registered default rules afterwards.
pf6_iterate raw PREROUTING PF6_PREROUTING_CT
if [ "$PF6_PREROUTING_CT_ACCEPT_DEF" = 'yes' ]
then
    for i in $pf6_prect_default_rules; do
        $i
    done
fi

# conntrack output chain (raw table), same ordering as above
pf6_iterate raw OUTPUT PF6_OUTPUT_CT
if [ "$PF6_OUTPUT_CT_ACCEPT_DEF" = 'yes' ]
then
    for i in $pf6_outct_default_rules; do
        $i
    done
fi

# redirect DNS if necessary and possible: only when something was written to
# the ipset list (see the `>>` caveat above) and the nat table exists.  Every
# insert goes to position 1 and `pos` is never incremented, so the exception
# rules end up *before* the REDIRECT rule, each server once as destination and
# once as source.  tmpl:dns presumably expands to the DNS port match.
if [ -s /var/run/ipset.list ] && ip6tables -t nat -L >/dev/null 2>&1
then
    log_info "activating transparent DNS redirection..."
    ins_rule6 nat PREROUTING "tmpl:dns REDIRECT" 1 "DNS query redirection"
    pos=1
    for server in $PF6_DNS_EXCEPTIONS
    do
        ins_rule6 nat PREROUTING "tmpl:dns any $server ACCEPT" $pos "DNS redirection exception"
        ins_rule6 nat PREROUTING "tmpl:dns $server any ACCEPT" $pos "DNS redirection exception"
    done
fi

#----------------------------------------------------------------------------
# running chain commands from additional packages
# these rules are added at the end of the ACCEPT rules
# put uncommon rulesets here
#
# Same sourcing semantics as the pre hooks: the hook code runs in this shell.
#----------------------------------------------------------------------------
set +f
for ext in /etc/rc.d/fwrules.ipv6.post.*
do
    if [ -f "$ext" ]
    then
        set -f
        . $ext
        set +f
    fi
done
set -f

# close input chain and forward chain
# default policy of input and forward is DROP, for output it is ACCEPT;
# the configured PF6_*_POLICY is handed to close_chain6, which presumably
# appends the final rule (and logging) implementing it
close_chain6 INPUT $PF6_INPUT_POLICY
close_chain6 FORWARD $PF6_FORWARD_POLICY
close_chain6 OUTPUT $PF6_OUTPUT_POLICY

#----------------------------------------------------------------------------
# enable forwarding
# Done only now, after all chains are closed, so forwarding never runs against
# a half-built rule set.  Unconditional: nothing in this file ties it to a
# configuration switch.
#----------------------------------------------------------------------------
echo "1" > /proc/sys/net/ipv6/conf/all/forwarding

# export the IPV6_NET*/IPV6_ROUTE* shell variables for other scripts.  `set`
# prints name='value' pairs; a value containing newlines would only be captured
# up to its first line by grep.
set | grep -e "^IPV6_NET" -e "^IPV6_ROUTE" > /var/run/ip6_net.conf

# kristov: re-enable file name globbing as other scripts depend on it
set +f

end_script