fff-firewall: new package
- moves the node<-->client ra rules to package fff-uradvd Signed-off-by: Tim Niemeyer <tim@tn-x.org> Reviewed-by: Tobias Klaus <tk+ff@meskal.net> Reviewed-by: Jan Kraus <mayosemmel@gmail.com>
This commit is contained in:
parent
7f42d5c4ec
commit
b61830c304
@ -1,103 +0,0 @@
|
|||
config defaults
|
||||
option syn_flood 1
|
||||
option input ACCEPT
|
||||
option output ACCEPT
|
||||
option forward REJECT
|
||||
|
||||
config zone
|
||||
option name lan
|
||||
option input ACCEPT
|
||||
option output ACCEPT
|
||||
option forward REJECT
|
||||
|
||||
config zone
|
||||
option name wan
|
||||
option input REJECT
|
||||
option output ACCEPT
|
||||
option forward REJECT
|
||||
option masq 1
|
||||
option mtu_fix 1
|
||||
|
||||
config forwarding
|
||||
option src lan
|
||||
option dest wan
|
||||
|
||||
# We need to accept udp packets on port 68,
|
||||
# see https://dev.openwrt.org/ticket/4108
|
||||
config rule
|
||||
option src wan
|
||||
option proto udp
|
||||
option dest_port 68
|
||||
option target ACCEPT
|
||||
|
||||
#Allow ping
|
||||
config rule
|
||||
option src wan
|
||||
option proto icmp
|
||||
option icmp_type echo-request
|
||||
option target ACCEPT
|
||||
|
||||
#Allow SSH on WAN
|
||||
config rule
|
||||
option src wan
|
||||
option dest_port 22
|
||||
option target ACCEPT
|
||||
option proto tcp
|
||||
|
||||
# include a file with users custom iptables rules
|
||||
config include
|
||||
option path /etc/firewall.user
|
||||
|
||||
|
||||
### EXAMPLE CONFIG SECTIONS
|
||||
# do not allow a specific ip to access wan
|
||||
#config rule
|
||||
# option src lan
|
||||
# option src_ip 192.168.45.2
|
||||
# option dest wan
|
||||
# option proto tcp
|
||||
# option target REJECT
|
||||
|
||||
# block a specific mac on wan
|
||||
#config rule
|
||||
# option dest wan
|
||||
# option src_mac 00:11:22:33:44:66
|
||||
# option target REJECT
|
||||
|
||||
# block incoming ICMP traffic on a zone
|
||||
#config rule
|
||||
# option src lan
|
||||
# option proto ICMP
|
||||
# option target DROP
|
||||
|
||||
# port redirect port coming in on wan to lan
|
||||
#config redirect
|
||||
# option src wan
|
||||
# option src_dport 80
|
||||
# option dest lan
|
||||
# option dest_ip 192.168.16.235
|
||||
# option dest_port 80
|
||||
# option proto tcp
|
||||
|
||||
|
||||
### FULL CONFIG SECTIONS
|
||||
#config rule
|
||||
# option src lan
|
||||
# option src_ip 192.168.45.2
|
||||
# option src_mac 00:11:22:33:44:55
|
||||
# option src_port 80
|
||||
# option dest wan
|
||||
# option dest_ip 194.25.2.129
|
||||
# option dest_port 120
|
||||
# option proto tcp
|
||||
# option target REJECT
|
||||
|
||||
#config redirect
|
||||
# option src lan
|
||||
# option src_ip 192.168.45.2
|
||||
# option src_mac 00:11:22:33:44:55
|
||||
# option src_port 1024
|
||||
# option src_dport 80
|
||||
# option dest_ip 194.25.2.129
|
||||
# option dest_port 120
|
||||
# option proto tcp
|
@ -1,120 +0,0 @@
|
|||
#!/bin/sh
|
||||
|
||||
#solves MTU problem with bad ISPs
|
||||
iptables -A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
|
||||
|
||||
# Wenn ein router direkt am Netz hängt, ist er auch ssh Angriffen ausgesetzt.
|
||||
# Das wirkt bei kleinen Geräten wie ein DOS
|
||||
WAN=$(uci get network.wan.ifname)
|
||||
iptables -A INPUT -i $WAN -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
|
||||
iptables -A INPUT -i $WAN -j REJECT
|
||||
|
||||
# Limit ssh to 3 new connections per 60 seconds
|
||||
/usr/sbin/ip6tables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set --name dropbear
|
||||
/usr/sbin/ip6tables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 3 --rttl --name dropbear -j DROP
|
||||
|
||||
|
||||
# Im folgenden ebtables rules, die unnötigen Broadcast-Overhead reduzieren sollen:
|
||||
|
||||
######## CLEAN UP ############
|
||||
ebtables -F
|
||||
ebtables -X
|
||||
|
||||
######## IN_ONLY ############
|
||||
ebtables -N IN_ONLY -P RETURN
|
||||
|
||||
# Daten aus dem BATMAN werden erlaubt
|
||||
# Alles außer Daten von BATMAN werden DROP'ed
|
||||
ebtables -A IN_ONLY -i ! bat0 --logical-in br-mesh -j DROP
|
||||
|
||||
######## OUT_ONLY ############
|
||||
ebtables -N OUT_ONLY -P RETURN
|
||||
|
||||
# Daten ins BATMAN werden erlaubt
|
||||
# Alles außer Daten ins BATMAN werden DROP'ed
|
||||
ebtables -A OUT_ONLY --logical-out br-mesh -o ! bat0 -j DROP
|
||||
|
||||
######## MULTICAST_OUT ############
|
||||
ebtables -N MULTICAST_OUT -P DROP
|
||||
|
||||
# Verbiete ARP Antworten an alle
|
||||
ebtables -A MULTICAST_OUT -p ARP --arp-op Reply --arp-ip-src 0.0.0.0 -j DROP
|
||||
# Verbiete ARP Requests an alle
|
||||
ebtables -A MULTICAST_OUT -p ARP --arp-op Request --arp-ip-dst 0.0.0.0 -j DROP
|
||||
# Erlaube alle anderen ARP's
|
||||
ebtables -A MULTICAST_OUT -p ARP -j RETURN
|
||||
# Erlaube DHCP Requests
|
||||
ebtables -A MULTICAST_OUT -p IPv4 --ip-proto udp --ip-dport 67 -j RETURN
|
||||
# Erlaube DHCPv6 Requests
|
||||
ebtables -A MULTICAST_OUT -p IPv6 --ip6-proto udp --ip6-dport 547 -j RETURN
|
||||
# Erlaube PING
|
||||
ebtables -A MULTICAST_OUT -p IPv4 --ip-proto icmp -j RETURN
|
||||
# Erlaube alles was nicht IP ?? ist " hop-by-hop " ??
|
||||
ebtables -A MULTICAST_OUT -p IPv6 --ip6-proto 0 -j RETURN
|
||||
# Erlaube PINGv6
|
||||
ebtables -A MULTICAST_OUT -p IPv6 --ip6-proto ipv6-icmp -j RETURN
|
||||
# Erlaube Organisation der Multicast Gruppen
|
||||
ebtables -A MULTICAST_OUT -p IPv4 --ip-proto igmp -j RETURN
|
||||
|
||||
######## INPUT ############
|
||||
ebtables -P INPUT ACCEPT
|
||||
|
||||
# Erlaube router solicitation von client zu knoten
|
||||
ebtables -A INPUT -p IPv6 -i ! bat0 --ip6-proto ipv6-icmp --ip6-icmp-type router-solicitation -j ACCEPT
|
||||
ebtables -A INPUT -d Multicast --logical-in br-mesh -i ! bat0 -j ACCEPT
|
||||
|
||||
# No input from/to local node ip from batman
|
||||
ebtables -A INPUT --logical-in br-mesh -i bat0 -p IPv6 --ip6-source fdff::1/128 -j DROP
|
||||
ebtables -A INPUT --logical-in br-mesh -i bat0 -p IPv6 --ip6-destination fdff::1/128 -j DROP
|
||||
|
||||
# Erlaube nur DHCP Antworten von BATMAN -> KNOTEN
|
||||
ebtables -A INPUT -p IPv4 --ip-proto udp --ip-dport 68 -j IN_ONLY
|
||||
# Erlaube nur DHCPv6 Antworten von BATMAN -> KNOTEN
|
||||
ebtables -A INPUT -p IPv6 --ip6-proto udp --ip6-dport 546 -j IN_ONLY
|
||||
# Erlaube nur Router-Advertisment von BATMAN -> KNOTEN
|
||||
ebtables -A INPUT -p IPv6 --ip6-proto ipv6-icmp --ip6-icmp-type router-advertisement -j IN_ONLY
|
||||
# Verbiete Router-Solicitation von BATMAN -> KNOTEN
|
||||
ebtables -A INPUT -p IPv6 -i bat0 --ip6-proto ipv6-icmp --ip6-icmp-type router-solicitation -j DROP
|
||||
|
||||
######## FORWARD ############
|
||||
ebtables -P FORWARD ACCEPT
|
||||
|
||||
# Do not forward local node ip
|
||||
ebtables -A FORWARD --logical-out br-mesh -o bat0 -p IPv6 --ip6-destination fdff::1/128 -j DROP
|
||||
ebtables -A FORWARD --logical-out br-mesh -o bat0 -p IPv6 --ip6-source fdff::1/128 -j DROP
|
||||
|
||||
# Erlaube nur DHCP Request von CLIENT -> BATMAN
|
||||
ebtables -A FORWARD -p IPv4 --ip-proto udp --ip-dport 67 -j OUT_ONLY
|
||||
# Erlaube nur DHCP Antworten von BATMAN -> CLIENT
|
||||
ebtables -A FORWARD -p IPv4 --ip-proto udp --ip-dport 68 -j IN_ONLY
|
||||
# Erlaube nur DHCPv6 Request von CLIENT -> BATMAN
|
||||
ebtables -A FORWARD -p IPv6 --ip6-proto udp --ip6-dport 547 -j OUT_ONLY
|
||||
# Erlaube nur DHCPv6 Antworten von BATMAN -> CLIENT
|
||||
ebtables -A FORWARD -p IPv6 --ip6-proto udp --ip6-dport 546 -j IN_ONLY
|
||||
# Erlaube nur Router-Solicitation von CLIENT -> BATMAN
|
||||
ebtables -A FORWARD -p IPv6 --ip6-proto ipv6-icmp --ip6-icmp-type router-solicitation -j OUT_ONLY
|
||||
# Erlaube nur Router-Advertisment von BATMAN -> CLIENT
|
||||
ebtables -A FORWARD -p IPv6 --ip6-proto ipv6-icmp --ip6-icmp-type router-advertisement -j IN_ONLY
|
||||
# Regelt alles was an Multicast/Broadcast von CLIENT -> BATMAN geht bei MULTICAST_OUT
|
||||
ebtables -A FORWARD -d Multicast --logical-out br-mesh -o bat0 -j MULTICAST_OUT
|
||||
|
||||
######## OUTPUT ############
|
||||
ebtables -P OUTPUT ACCEPT
|
||||
|
||||
# Erlaube router advertisment von knoten zu client
|
||||
ebtables -A OUTPUT -p IPv6 -o ! bat0 --ip6-proto ipv6-icmp --ip6-icmp-type router-advertisement -j ACCEPT
|
||||
|
||||
# Do not output local node ip to batman
|
||||
ebtables -A OUTPUT --logical-out br-mesh -o bat0 -p IPv6 --ip6-destination fdff::1/128 -j DROP
|
||||
ebtables -A OUTPUT --logical-out br-mesh -o bat0 -p IPv6 --ip6-source fdff::1/128 -j DROP
|
||||
|
||||
# Erlaube nur DHCP Request von KNOTEN -> BATMAN
|
||||
ebtables -A OUTPUT -p IPv4 --ip-proto udp --ip-dport 67 -j OUT_ONLY
|
||||
# Erlaube nur DHCPv6 Request von KNOTEN -> BATMAN
|
||||
ebtables -A OUTPUT -p IPv6 --ip6-proto udp --ip6-dport 547 -j OUT_ONLY
|
||||
# Erlaube nur Router-Solicitation von KNOTEN -> BATMAN
|
||||
ebtables -A OUTPUT -p IPv6 --ip6-proto ipv6-icmp --ip6-icmp-type router-solicitation -j OUT_ONLY
|
||||
# Verbiete Router-Advertisment von KNOTEN -> BATMAN
|
||||
ebtables -A OUTPUT -p IPv6 -o bat0 --ip6-proto ipv6-icmp --ip6-icmp-type router-advertisement -j DROP
|
||||
# Regelt alles was an Multicast/Broadcast von KNOTEN -> BATMAN geht bei MULTICAST_OUT
|
||||
ebtables -A OUTPUT -d Multicast --logical-out br-mesh -o bat0 -j MULTICAST_OUT
|
@ -56,8 +56,6 @@ fi
|
|||
# Starting NTP-Client Daemon after 30s to ensure that the interface is up
|
||||
( sleep 30 ; ntpd -p ${NTPD_IP} ) &
|
||||
|
||||
. /etc/firewall.user
|
||||
|
||||
/etc/init.d/qos disable
|
||||
/etc/init.d/qos stop
|
||||
|
||||
@ -0,0 +1,43 @@
|
|||
include $(TOPDIR)/rules.mk
|
||||
|
||||
PKG_NAME:=fff-firewall
|
||||
PKG_VERSION:=1
|
||||
PKG_RELEASE:=1
|
||||
|
||||
PKG_BUILD_DIR:=$(BUILD_DIR)/fff-firewall
|
||||
|
||||
include $(INCLUDE_DIR)/package.mk
|
||||
|
||||
define Package/fff-firewall
|
||||
SECTION:=base
|
||||
CATEGORY:=Freifunk
|
||||
TITLE:=Freifunk-Franken firewall
|
||||
URL:=http://www.freifunk-franken.de
|
||||
DEPENDS:=+arptables \
|
||||
+ebtables +ebtables-utils \
|
||||
+kmod-ebtables-ipv4 +kmod-ebtables-ipv6 \
|
||||
+iptables-mod-filter +iptables-mod-ipopt +iptables-mod-conntrack-extra
|
||||
endef
|
||||
|
||||
define Package/fff-firewall/description
|
||||
This is the firewall for the Freifunk Franken Firmware
|
||||
It is used to configure firewall.
|
||||
endef
|
||||
|
||||
define Build/Prepare
|
||||
echo "all: " > $(PKG_BUILD_DIR)/Makefile
|
||||
endef
|
||||
|
||||
define Build/Configure
|
||||
# nothing
|
||||
endef
|
||||
|
||||
define Build/Compile
|
||||
# nothing
|
||||
endef
|
||||
|
||||
define Package/fff-firewall/install
|
||||
$(CP) ./files/* $(1)/
|
||||
endef
|
||||
|
||||
$(eval $(call BuildPackage,fff-firewall))
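Review bot: `DEPENDS` does not pull in `ip6tables`, although the WAN fragment added in this commit runs `/usr/sbin/ip6tables` for the dropbear rate limit; on an image where nothing else selects ip6tables those two rules fail at start and the limiter is silently absent, so add `+ip6tables` next to `+iptables-mod-conntrack-extra` (the `recent` match those rules need comes, as far as I recall, with the conntrack-extra kmod that package already depends on). `+arptables` is listed but no fragment in this commit issues an arptables command; if no other package needs it, it can be dropped. The description `It is used to configure firewall.` would be more useful as `It installs rule fragments under /usr/lib/firewall.d which the fff-firewall init script sources in order at start.`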
|
@ -0,0 +1,28 @@
|
|||
#!/bin/sh /etc/rc.common
|
||||
|
||||
START=50
|
||||
|
||||
USE_PROCD=1
|
||||
|
||||
SERVICE_WRITE_PID=1
|
||||
SERVICE_DAEMONIZE=1
|
||||
|
||||
FIREWALL_DIR=/usr/lib/firewall.d
|
||||
|
||||
service_triggers()
|
||||
{
|
||||
procd_add_reload_trigger "fff-firewall"
|
||||
}
|
||||
|
||||
start_service()
|
||||
{
|
||||
local file
|
||||
|
||||
IF_WAN=$(uci get network.wan.ifname)
|
||||
|
||||
for file in ${FIREWALL_DIR}/*; do
|
||||
if [ -f "$file" ]; then
|
||||
. "$file"
|
||||
fi
|
||||
done
|
||||
}
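Review bot: `IF_WAN=$(uci get network.wan.ifname)` is assigned without any check, and the WAN fragment uses it unquoted in `iptables -A INPUT -i $IF_WAN …`; when `network.wan.ifname` is unset the variable is empty, iptables rejects the command and the WAN REJECT rule is simply never installed. Use `IF_WAN=$(uci -q get network.wan.ifname)` here and have the fragment test `[ -n "$IF_WAN" ]` before using it. The loop sources `${FIREWALL_DIR}/*` in glob (lexicographic) order and the fragments rely on that order — the flush must run first and `IN_ONLY`/`OUT_ONLY`/`MULTICAST_OUT` must exist before any fragment jumps to them — but the fragment file names are not visible on this page, so a comment such as `# Fragments are applied in glob order; prefix them so that cleanup and chain creation come first` would make the contract explicit. `SERVICE_WRITE_PID` and `SERVICE_DAEMONIZE` are, as far as I know, variables of the pre-procd init API and are ignored under `USE_PROCD=1`, and without a `stop_service` a `stop` leaves all rules in place; if that is intended, a one-line comment saying so avoids a later "fix".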
|
@ -0,0 +1,6 @@
|
|||
######## CLEAN UP ############
|
||||
ebtables -F
|
||||
ebtables -X
|
||||
|
||||
iptables -F
|
||||
iptables -X
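Review bot: Only the IPv4 filter table is flushed, but the WAN fragment appends two `ip6tables -A INPUT … --name dropbear` rules on every start, so each restart or reload of fff-firewall stacks another copy of them; add `ip6tables -F` and `ip6tables -X` beside the iptables lines. `-F`/`-X` do not reset chain policies either, and this commit deletes the UCI firewall config whose defaults carried `option forward REJECT` and `option masq 1` on the wan zone while none of the new fragments sets an iptables policy or a NAT rule; if the node ever routes client traffic out of its WAN interface that traffic is now forwarded unfiltered and unmasqueraded. Whether that path exists is not visible here, so either set the policy explicitly (`iptables -P FORWARD DROP` plus the needed accepts) or add a comment stating that the node does not route to WAN and the policy is intentionally left at ACCEPT.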
|
@ -0,0 +1,34 @@
|
|||
######## IN_ONLY ############
|
||||
ebtables -N IN_ONLY -P RETURN
|
||||
|
||||
# Daten aus dem BATMAN werden erlaubt
|
||||
# Alles ausser Daten von BATMAN werden DROP'ed
|
||||
ebtables -A IN_ONLY -i ! bat0 --logical-in br-mesh -j DROP
|
||||
|
||||
######## OUT_ONLY ############
|
||||
ebtables -N OUT_ONLY -P RETURN
|
||||
|
||||
# Daten ins BATMAN werden erlaubt
|
||||
# Alles ausser Daten ins BATMAN werden DROP'ed
|
||||
ebtables -A OUT_ONLY --logical-out br-mesh -o ! bat0 -j DROP
|
||||
|
||||
######## MULTICAST_OUT ############
|
||||
ebtables -N MULTICAST_OUT -P DROP
|
||||
|
||||
######## INPUT ############
|
||||
ebtables -P INPUT ACCEPT
|
||||
|
||||
# Regelt alles was an Multicast/Broadcast von CLIENT -> KNOTEN geht bei MULTICAST_OUT
|
||||
ebtables -A INPUT -d Multicast --logical-in br-mesh -i ! bat0 -j ACCEPT
|
||||
|
||||
######## FORWARD ############
|
||||
ebtables -P FORWARD ACCEPT
|
||||
|
||||
# Regelt alles was an Multicast/Broadcast von CLIENT -> BATMAN geht bei MULTICAST_OUT
|
||||
ebtables -A FORWARD -d Multicast --logical-out br-mesh -o bat0 -j MULTICAST_OUT
|
||||
|
||||
######## OUTPUT ############
|
||||
ebtables -P OUTPUT ACCEPT
|
||||
|
||||
# Regelt alles was an Multicast/Broadcast von KNOTEN -> BATMAN geht bei MULTICAST_OUT
|
||||
ebtables -A OUTPUT -d Multicast --logical-out br-mesh -o bat0 -j MULTICAST_OUT
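Review bot: The comment above `ebtables -A INPUT -d Multicast --logical-in br-mesh -i ! bat0 -j ACCEPT` says the traffic is "regelt … bei MULTICAST_OUT", but the rule is a terminal ACCEPT that never enters that chain; every multicast or broadcast frame from a client port is accepted at this point, so the `IN_ONLY` checks for DHCP replies (dport 68/546) and router advertisements that later fragments append to INPUT never see a broadcast DHCP offer or a multicast RA sent by a client. The old firewall.user had the same order, so this is not a regression, but it should be documented rather than contradicted: `# Multicast/broadcast from CLIENT -> NODE is accepted unconditionally here; the IN_ONLY checks appended to INPUT later only apply to unicast frames`. If the intent is to have those checks cover the node itself, this rule has to be appended after them. `MULTICAST_OUT` is created with policy DROP and only populated by other fragments, which is the right fail-closed default; a short comment saying so would stop someone from "fixing" it to RETURN.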
|
@ -0,0 +1,2 @@
|
|||
#solves MTU problem with bad ISPs
|
||||
iptables -A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
|
@ -0,0 +1,7 @@
|
|||
# If an router has a direct internet connection simple attack act as DOS attack
|
||||
iptables -A INPUT -i $IF_WAN -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
|
||||
iptables -A INPUT -i $IF_WAN -j REJECT
|
||||
|
||||
# Limit ssh to 3 new connections per 60 seconds
|
||||
/usr/sbin/ip6tables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set --name dropbear
|
||||
/usr/sbin/ip6tables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 3 --rttl --name dropbear -j DROP
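Review bot: `$IF_WAN` is unquoted and unchecked in `iptables -A INPUT -i $IF_WAN -j REJECT`; if it is empty, iptables rejects the command and the WAN-side INPUT stays wide open, i.e. the failure mode is fail-open, so wrap the two rules in `if [ -n "$IF_WAN" ]; then … fi` and write `"$IF_WAN"`. The lockdown is IPv4 only: nothing here restricts IPv6 input on the WAN interface, so if the uplink carries IPv6 every listening service on the node is reachable from it; an `ip6tables` counterpart that still admits ICMPv6 (NDP, RA from the ISP) would restore the parity the removed `input REJECT` wan zone provided. The dropbear limiter uses `-m state`, the deprecated alias of the `-m conntrack` used two lines above; `-m conntrack --ctstate NEW` keeps the fragment on one module. The English comment is hard to read; suggest `# A node with a direct uplink is exposed to SSH brute force; on small devices that alone acts as a DoS.`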
|
@ -0,0 +1,8 @@
|
|||
# Erlaube DHCP Requests
|
||||
ebtables -A MULTICAST_OUT -p IPv4 --ip-proto udp --ip-dport 67 -j RETURN
|
||||
|
||||
# Erlaube nur DHCP Request von CLIENT -> BATMAN
|
||||
ebtables -A FORWARD -p IPv4 --ip-proto udp --ip-dport 67 -j OUT_ONLY
|
||||
|
||||
# Erlaube nur DHCP Antworten von BATMAN -> CLIENT
|
||||
ebtables -A FORWARD -p IPv4 --ip-proto udp --ip-dport 68 -j IN_ONLY
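Review bot: The comment `# Erlaube nur DHCP Antworten von BATMAN -> CLIENT` understates what this rule achieves: `IN_ONLY` drops frames that entered `br-mesh` on any port other than `bat0`, so a DHCP server run by a client on the local side can never answer other clients through this node — that is the rogue-DHCP protection and it deserves to be named. Suggest `# DHCP replies (dport 68) are forwarded only if they came in via bat0: a rogue DHCP server on a client port cannot answer other clients`, and for the dport 67 rule `# DHCP requests may only leave towards bat0`. The new fragments keep the German comments while the Makefile and init script are in English; since the rules are being moved anyway, translating them now is cheap.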
|
@ -0,0 +1,8 @@
|
|||
# Erlaube DHCPv6 Requests
|
||||
ebtables -A MULTICAST_OUT -p IPv6 --ip6-proto udp --ip6-dport 547 -j RETURN
|
||||
|
||||
# Erlaube nur DHCPv6 Request von CLIENT -> BATMAN
|
||||
ebtables -A FORWARD -p IPv6 --ip6-proto udp --ip6-dport 547 -j OUT_ONLY
|
||||
|
||||
# Erlaube nur DHCPv6 Antworten von BATMAN -> CLIENT
|
||||
ebtables -A FORWARD -p IPv6 --ip6-proto udp --ip6-dport 546 -j IN_ONLY
|
@ -0,0 +1,5 @@
|
|||
# Erlaube nur Router-Solicitation von CLIENT -> BATMAN
|
||||
ebtables -A FORWARD -p IPv6 --ip6-proto ipv6-icmp --ip6-icmp-type router-solicitation -j OUT_ONLY
|
||||
|
||||
# Erlaube nur Router-Advertisment von BATMAN -> CLIENT
|
||||
ebtables -A FORWARD -p IPv6 --ip6-proto ipv6-icmp --ip6-icmp-type router-advertisement -j IN_ONLY
|
@ -0,0 +1,5 @@
|
|||
# Erlaube nur DHCP Antworten von BATMAN -> KNOTEN
|
||||
ebtables -A INPUT -p IPv4 --ip-proto udp --ip-dport 68 -j IN_ONLY
|
||||
|
||||
# Erlaube nur DHCP Request von KNOTEN -> BATMAN
|
||||
ebtables -A OUTPUT -p IPv4 --ip-proto udp --ip-dport 67 -j OUT_ONLY
|
@ -0,0 +1,5 @@
|
|||
# Erlaube nur DHCPv6 Antworten von BATMAN -> KNOTEN
|
||||
ebtables -A INPUT -p IPv6 --ip6-proto udp --ip6-dport 546 -j IN_ONLY
|
||||
|
||||
# Erlaube nur DHCPv6 Request von KNOTEN -> BATMAN
|
||||
ebtables -A OUTPUT -p IPv6 --ip6-proto udp --ip6-dport 547 -j OUT_ONLY
|
@ -0,0 +1,11 @@
|
|||
# Erlaube nur Router-Advertisment von BATMAN -> KNOTEN
|
||||
ebtables -A INPUT -p IPv6 --ip6-proto ipv6-icmp --ip6-icmp-type router-advertisement -j IN_ONLY
|
||||
|
||||
# Verbiete Router-Solicitation von BATMAN -> KNOTEN
|
||||
ebtables -A INPUT -p IPv6 -i bat0 --ip6-proto ipv6-icmp --ip6-icmp-type router-solicitation -j DROP
|
||||
|
||||
# Erlaube nur Router-Solicitation von KNOTEN -> BATMAN
|
||||
ebtables -A OUTPUT -p IPv6 --ip6-proto ipv6-icmp --ip6-icmp-type router-solicitation -j OUT_ONLY
|
||||
|
||||
# Verbiete Router-Advertisment von KNOTEN -> BATMAN
|
||||
ebtables -A OUTPUT -p IPv6 -o bat0 --ip6-proto ipv6-icmp --ip6-icmp-type router-advertisement -j DROP
|
@ -0,0 +1,6 @@
|
|||
# Erlaube alles was nicht IP ?? ist " hop-by-hop " ??
|
||||
ebtables -A MULTICAST_OUT -p IPv6 --ip6-proto 0 -j RETURN
|
||||
|
||||
# Erlaube Organisation der Multicast Gruppen
|
||||
ebtables -A MULTICAST_OUT -p IPv4 --ip-proto igmp -j RETURN
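Review bot: The comment `# Erlaube alles was nicht IP ?? ist " hop-by-hop " ??` records that nobody knew why `--ip6-proto 0` is allowed, and the move is a good moment to settle it: ebtables compares the Next Header field of the fixed IPv6 header, and 0 is the Hop-by-Hop Options header, which MLD listener reports carry (router alert), so this is presumably the IPv6 twin of the IGMP rule below it. Because the match does not look past the extension header, any multicast IPv6 frame that starts with a Hop-by-Hop header is let into the mesh regardless of its real upper-layer protocol; if that is acceptable it should be stated. Suggest `# Allow IPv6 with a Hop-by-Hop header (next header 0): needed for MLD, the IPv6 counterpart of the IGMP rule below. Note this also admits any other payload carried behind a hop-by-hop header.`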
|
||||
|
|
@ -0,0 +1,8 @@
|
|||
# Verbiete ARP Antworten an alle
|
||||
ebtables -A MULTICAST_OUT -p ARP --arp-op Reply --arp-ip-src 0.0.0.0 -j DROP
|
||||
|
||||
# Verbiete ARP Requests an alle
|
||||
ebtables -A MULTICAST_OUT -p ARP --arp-op Request --arp-ip-dst 0.0.0.0 -j DROP
|
||||
|
||||
# Erlaube alle anderen ARP's
|
||||
ebtables -A MULTICAST_OUT -p ARP -j RETURN
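Review bot: The comments do not describe the matches: `# Verbiete ARP Antworten an alle` reads as "no ARP replies to everyone", but the rule drops replies whose sender protocol address is 0.0.0.0, and the request rule drops requests whose target is 0.0.0.0; neither looks at the destination, and everything reaching this chain is already multicast/broadcast. I cannot tell from here which traffic these were tuned for (RFC 5227 address probes, for instance, carry 0.0.0.0 as the sender of a Request, which neither rule matches), so please document the intent instead of the German one-liners, e.g. `# drop ARP with an all-zero protocol address (malformed / unconfigured sender or target); all other ARP passes`. Since the chain policy is DROP, the final `-p ARP -j RETURN` is what lets ordinary ARP into the mesh; worth one comment saying so.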
|
@ -0,0 +1,6 @@
|
|||
# Erlaube PING
|
||||
ebtables -A MULTICAST_OUT -p IPv4 --ip-proto icmp -j RETURN
|
||||
|
||||
# Erlaube PINGv6
|
||||
ebtables -A MULTICAST_OUT -p IPv6 --ip6-proto ipv6-icmp -j RETURN
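Review bot: `--ip-proto icmp -j RETURN` admits every ICMP type sent to a broadcast/multicast MAC from the client side into the mesh, not only echo-request as `# Erlaube PING` suggests; directed-broadcast pings are the kind of amplification this chain exists to curb, so if the ebtables build supports `--ip-icmp-type` (the ip6 match's `--ip6-icmp-type` is already used elsewhere in this commit) consider restricting it to `echo-request`. The ICMPv6 rule must stay broad: neighbour solicitation/advertisement to solicited-node multicast and MLD go through here, so a comment such as `# All ICMPv6 to multicast must pass: NDP and MLD need it; rogue RAs are caught by the FORWARD router-advertisement rule after this chain returns` would stop a later reader from tightening it and breaking IPv6 on the mesh. That last claim depends on the RA rule being appended to FORWARD, which it is in another fragment, but it holds regardless of fragment order because RETURN is non-terminal.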
|
||||
|
|
@ -0,0 +1,11 @@
|
|||
# No input from/to local node ip from batman
|
||||
ebtables -A INPUT --logical-in br-mesh -i bat0 -p IPv6 --ip6-source fdff::1/128 -j DROP
|
||||
ebtables -A INPUT --logical-in br-mesh -i bat0 -p IPv6 --ip6-destination fdff::1/128 -j DROP
|
||||
|
||||
# Do not forward local node ip
|
||||
ebtables -A FORWARD --logical-out br-mesh -o bat0 -p IPv6 --ip6-destination fdff::1/128 -j DROP
|
||||
ebtables -A FORWARD --logical-out br-mesh -o bat0 -p IPv6 --ip6-source fdff::1/128 -j DROP
|
||||
|
||||
# Do not output local node ip to batman
|
||||
ebtables -A OUTPUT --logical-out br-mesh -o bat0 -p IPv6 --ip6-destination fdff::1/128 -j DROP
|
||||
ebtables -A OUTPUT --logical-out br-mesh -o bat0 -p IPv6 --ip6-source fdff::1/128 -j DROP
|
@ -0,0 +1,5 @@
|
|||
# Erlaube router solicitation von client zu knoten
|
||||
ebtables -A INPUT -p IPv6 -i ! bat0 --ip6-proto ipv6-icmp --ip6-icmp-type router-solicitation -j ACCEPT
|
||||
|
||||
# Erlaube router advertisment von knoten zu client
|
||||
ebtables -A OUTPUT -p IPv6 -o ! bat0 --ip6-proto ipv6-icmp --ip6-icmp-type router-advertisement -j ACCEPT
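Review bot: Both rules are appended with `-A`, so whether they ever match anything that would otherwise be dropped depends on the order in which `/usr/lib/firewall.d/*` is sourced, which this page does not show. Against the other fragments in this commit they are disjoint from every DROP (the RS drop is `-i bat0`, the RA drop is `-o bat0`, and INPUT/OUTPUT policies are ACCEPT), so as things stand they document intent rather than change behaviour; the commit message moves them to fff-uradvd, which is a sensible home, but the file should say that. Suggest a header comment: `# Keep router solicitation (client -> node) and router advertisement (node -> client) open for uradvd. These only matter if another fragment later restricts INPUT/OUTPUT on client ports.`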
|