fff-firewall: new package
- moves the node<-->client RA rules to the fff-uradvd package Signed-off-by: Tim Niemeyer <tim@tn-x.org> Reviewed-by: Tobias Klaus <tk+ff@meskal.net> Reviewed-by: Jan Kraus <mayosemmel@gmail.com>
parent
7f42d5c4ec
commit
b61830c304
|
@ -1,103 +0,0 @@
|
||||||
config defaults
|
|
||||||
option syn_flood 1
|
|
||||||
option input ACCEPT
|
|
||||||
option output ACCEPT
|
|
||||||
option forward REJECT
|
|
||||||
|
|
||||||
config zone
|
|
||||||
option name lan
|
|
||||||
option input ACCEPT
|
|
||||||
option output ACCEPT
|
|
||||||
option forward REJECT
|
|
||||||
|
|
||||||
config zone
|
|
||||||
option name wan
|
|
||||||
option input REJECT
|
|
||||||
option output ACCEPT
|
|
||||||
option forward REJECT
|
|
||||||
option masq 1
|
|
||||||
option mtu_fix 1
|
|
||||||
|
|
||||||
config forwarding
|
|
||||||
option src lan
|
|
||||||
option dest wan
|
|
||||||
|
|
||||||
# We need to accept udp packets on port 68,
|
|
||||||
# see https://dev.openwrt.org/ticket/4108
|
|
||||||
config rule
|
|
||||||
option src wan
|
|
||||||
option proto udp
|
|
||||||
option dest_port 68
|
|
||||||
option target ACCEPT
|
|
||||||
|
|
||||||
#Allow ping
|
|
||||||
config rule
|
|
||||||
option src wan
|
|
||||||
option proto icmp
|
|
||||||
option icmp_type echo-request
|
|
||||||
option target ACCEPT
|
|
||||||
|
|
||||||
#Allow SSH on WAN
|
|
||||||
config rule
|
|
||||||
option src wan
|
|
||||||
option dest_port 22
|
|
||||||
option target ACCEPT
|
|
||||||
option proto tcp
|
|
||||||
|
|
||||||
# include a file with users custom iptables rules
|
|
||||||
config include
|
|
||||||
option path /etc/firewall.user
|
|
||||||
|
|
||||||
|
|
||||||
### EXAMPLE CONFIG SECTIONS
|
|
||||||
# do not allow a specific ip to access wan
|
|
||||||
#config rule
|
|
||||||
# option src lan
|
|
||||||
# option src_ip 192.168.45.2
|
|
||||||
# option dest wan
|
|
||||||
# option proto tcp
|
|
||||||
# option target REJECT
|
|
||||||
|
|
||||||
# block a specific mac on wan
|
|
||||||
#config rule
|
|
||||||
# option dest wan
|
|
||||||
# option src_mac 00:11:22:33:44:66
|
|
||||||
# option target REJECT
|
|
||||||
|
|
||||||
# block incoming ICMP traffic on a zone
|
|
||||||
#config rule
|
|
||||||
# option src lan
|
|
||||||
# option proto ICMP
|
|
||||||
# option target DROP
|
|
||||||
|
|
||||||
# port redirect port coming in on wan to lan
|
|
||||||
#config redirect
|
|
||||||
# option src wan
|
|
||||||
# option src_dport 80
|
|
||||||
# option dest lan
|
|
||||||
# option dest_ip 192.168.16.235
|
|
||||||
# option dest_port 80
|
|
||||||
# option proto tcp
|
|
||||||
|
|
||||||
|
|
||||||
### FULL CONFIG SECTIONS
|
|
||||||
#config rule
|
|
||||||
# option src lan
|
|
||||||
# option src_ip 192.168.45.2
|
|
||||||
# option src_mac 00:11:22:33:44:55
|
|
||||||
# option src_port 80
|
|
||||||
# option dest wan
|
|
||||||
# option dest_ip 194.25.2.129
|
|
||||||
# option dest_port 120
|
|
||||||
# option proto tcp
|
|
||||||
# option target REJECT
|
|
||||||
|
|
||||||
#config redirect
|
|
||||||
# option src lan
|
|
||||||
# option src_ip 192.168.45.2
|
|
||||||
# option src_mac 00:11:22:33:44:55
|
|
||||||
# option src_port 1024
|
|
||||||
# option src_dport 80
|
|
||||||
# option dest_ip 194.25.2.129
|
|
||||||
# option dest_port 120
|
|
||||||
# option proto tcp
|
|
|
@ -1,120 +0,0 @@
|
||||||
#!/bin/sh
|
|
||||||
|
|
||||||
#solves MTU problem with bad ISPs
|
|
||||||
iptables -A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
|
|
||||||
|
|
||||||
# Wenn ein router direkt am Netz hängt, ist er auch ssh Angriffen ausgesetzt.
|
|
||||||
# Das wirkt bei kleinen Geräten wie ein DOS
|
|
||||||
WAN=$(uci get network.wan.ifname)
|
|
||||||
iptables -A INPUT -i $WAN -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
|
|
||||||
iptables -A INPUT -i $WAN -j REJECT
|
|
||||||
|
|
||||||
# Limit ssh to 3 new connections per 60 seconds
|
|
||||||
/usr/sbin/ip6tables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set --name dropbear
|
|
||||||
/usr/sbin/ip6tables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 3 --rttl --name dropbear -j DROP
|
|
||||||
|
|
||||||
|
|
||||||
# Im folgenden ebtables rules, die unnötigen Broadcast-Overhead reduzieren sollen:
|
|
||||||
|
|
||||||
######## CLEAN UP ############
|
|
||||||
ebtables -F
|
|
||||||
ebtables -X
|
|
||||||
|
|
||||||
######## IN_ONLY ############
|
|
||||||
ebtables -N IN_ONLY -P RETURN
|
|
||||||
|
|
||||||
# Daten aus dem BATMAN werden erlaubt
|
|
||||||
# Alles außer Daten von BATMAN werden DROP'ed
|
|
||||||
ebtables -A IN_ONLY -i ! bat0 --logical-in br-mesh -j DROP
|
|
||||||
|
|
||||||
######## OUT_ONLY ############
|
|
||||||
ebtables -N OUT_ONLY -P RETURN
|
|
||||||
|
|
||||||
# Daten ins BATMAN werden erlaubt
|
|
||||||
# Alles außer Daten ins BATMAN werden DROP'ed
|
|
||||||
ebtables -A OUT_ONLY --logical-out br-mesh -o ! bat0 -j DROP
|
|
||||||
|
|
||||||
######## MULTICAST_OUT ############
|
|
||||||
ebtables -N MULTICAST_OUT -P DROP
|
|
||||||
|
|
||||||
# Verbiete ARP Antworten an alle
|
|
||||||
ebtables -A MULTICAST_OUT -p ARP --arp-op Reply --arp-ip-src 0.0.0.0 -j DROP
|
|
||||||
# Verbiete ARP Requests an alle
|
|
||||||
ebtables -A MULTICAST_OUT -p ARP --arp-op Request --arp-ip-dst 0.0.0.0 -j DROP
|
|
||||||
# Erlaube alle anderen ARP's
|
|
||||||
ebtables -A MULTICAST_OUT -p ARP -j RETURN
|
|
||||||
# Erlaube DHCP Requests
|
|
||||||
ebtables -A MULTICAST_OUT -p IPv4 --ip-proto udp --ip-dport 67 -j RETURN
|
|
||||||
# Erlaube DHCPv6 Requests
|
|
||||||
ebtables -A MULTICAST_OUT -p IPv6 --ip6-proto udp --ip6-dport 547 -j RETURN
|
|
||||||
# Erlaube PING
|
|
||||||
ebtables -A MULTICAST_OUT -p IPv4 --ip-proto icmp -j RETURN
|
|
||||||
# Erlaube alles was nicht IP ?? ist " hop-by-hop " ??
|
|
||||||
ebtables -A MULTICAST_OUT -p IPv6 --ip6-proto 0 -j RETURN
|
|
||||||
# Erlaube PINGv6
|
|
||||||
ebtables -A MULTICAST_OUT -p IPv6 --ip6-proto ipv6-icmp -j RETURN
|
|
||||||
# Erlaube Organisation der Multicast Gruppen
|
|
||||||
ebtables -A MULTICAST_OUT -p IPv4 --ip-proto igmp -j RETURN
|
|
||||||
|
|
||||||
######## INPUT ############
|
|
||||||
ebtables -P INPUT ACCEPT
|
|
||||||
|
|
||||||
# Erlaube router solicitation von client zu knoten
|
|
||||||
ebtables -A INPUT -p IPv6 -i ! bat0 --ip6-proto ipv6-icmp --ip6-icmp-type router-solicitation -j ACCEPT
|
|
||||||
ebtables -A INPUT -d Multicast --logical-in br-mesh -i ! bat0 -j ACCEPT
|
|
||||||
|
|
||||||
# No input from/to local node ip from batman
|
|
||||||
ebtables -A INPUT --logical-in br-mesh -i bat0 -p IPv6 --ip6-source fdff::1/128 -j DROP
|
|
||||||
ebtables -A INPUT --logical-in br-mesh -i bat0 -p IPv6 --ip6-destination fdff::1/128 -j DROP
|
|
||||||
|
|
||||||
# Erlaube nur DHCP Antworten von BATMAN -> KNOTEN
|
|
||||||
ebtables -A INPUT -p IPv4 --ip-proto udp --ip-dport 68 -j IN_ONLY
|
|
||||||
# Erlaube nur DHCPv6 Antworten von BATMAN -> KNOTEN
|
|
||||||
ebtables -A INPUT -p IPv6 --ip6-proto udp --ip6-dport 546 -j IN_ONLY
|
|
||||||
# Erlaube nur Router-Advertisment von BATMAN -> KNOTEN
|
|
||||||
ebtables -A INPUT -p IPv6 --ip6-proto ipv6-icmp --ip6-icmp-type router-advertisement -j IN_ONLY
|
|
||||||
# Verbiete Router-Solicitation von BATMAN -> KNOTEN
|
|
||||||
ebtables -A INPUT -p IPv6 -i bat0 --ip6-proto ipv6-icmp --ip6-icmp-type router-solicitation -j DROP
|
|
||||||
|
|
||||||
######## FORWARD ############
|
|
||||||
ebtables -P FORWARD ACCEPT
|
|
||||||
|
|
||||||
# Do not forward local node ip
|
|
||||||
ebtables -A FORWARD --logical-out br-mesh -o bat0 -p IPv6 --ip6-destination fdff::1/128 -j DROP
|
|
||||||
ebtables -A FORWARD --logical-out br-mesh -o bat0 -p IPv6 --ip6-source fdff::1/128 -j DROP
|
|
||||||
|
|
||||||
# Erlaube nur DHCP Request von CLIENT -> BATMAN
|
|
||||||
ebtables -A FORWARD -p IPv4 --ip-proto udp --ip-dport 67 -j OUT_ONLY
|
|
||||||
# Erlaube nur DHCP Antworten von BATMAN -> CLIENT
|
|
||||||
ebtables -A FORWARD -p IPv4 --ip-proto udp --ip-dport 68 -j IN_ONLY
|
|
||||||
# Erlaube nur DHCPv6 Request von CLIENT -> BATMAN
|
|
||||||
ebtables -A FORWARD -p IPv6 --ip6-proto udp --ip6-dport 547 -j OUT_ONLY
|
|
||||||
# Erlaube nur DHCPv6 Antworten von BATMAN -> CLIENT
|
|
||||||
ebtables -A FORWARD -p IPv6 --ip6-proto udp --ip6-dport 546 -j IN_ONLY
|
|
||||||
# Erlaube nur Router-Solicitation von CLIENT -> BATMAN
|
|
||||||
ebtables -A FORWARD -p IPv6 --ip6-proto ipv6-icmp --ip6-icmp-type router-solicitation -j OUT_ONLY
|
|
||||||
# Erlaube nur Router-Advertisment von BATMAN -> CLIENT
|
|
||||||
ebtables -A FORWARD -p IPv6 --ip6-proto ipv6-icmp --ip6-icmp-type router-advertisement -j IN_ONLY
|
|
||||||
# Regelt alles was an Multicast/Broadcast von CLIENT -> BATMAN geht bei MULTICAST_OUT
|
|
||||||
ebtables -A FORWARD -d Multicast --logical-out br-mesh -o bat0 -j MULTICAST_OUT
|
|
||||||
|
|
||||||
######## OUTPUT ############
|
|
||||||
ebtables -P OUTPUT ACCEPT
|
|
||||||
|
|
||||||
# Erlaube router advertisment von knoten zu client
|
|
||||||
ebtables -A OUTPUT -p IPv6 -o ! bat0 --ip6-proto ipv6-icmp --ip6-icmp-type router-advertisement -j ACCEPT
|
|
||||||
|
|
||||||
# Do not output local node ip to batman
|
|
||||||
ebtables -A OUTPUT --logical-out br-mesh -o bat0 -p IPv6 --ip6-destination fdff::1/128 -j DROP
|
|
||||||
ebtables -A OUTPUT --logical-out br-mesh -o bat0 -p IPv6 --ip6-source fdff::1/128 -j DROP
|
|
||||||
|
|
||||||
# Erlaube nur DHCP Request von KNOTEN -> BATMAN
|
|
||||||
ebtables -A OUTPUT -p IPv4 --ip-proto udp --ip-dport 67 -j OUT_ONLY
|
|
||||||
# Erlaube nur DHCPv6 Request von KNOTEN -> BATMAN
|
|
||||||
ebtables -A OUTPUT -p IPv6 --ip6-proto udp --ip6-dport 547 -j OUT_ONLY
|
|
||||||
# Erlaube nur Router-Solicitation von KNOTEN -> BATMAN
|
|
||||||
ebtables -A OUTPUT -p IPv6 --ip6-proto ipv6-icmp --ip6-icmp-type router-solicitation -j OUT_ONLY
|
|
||||||
# Verbiete Router-Advertisment von KNOTEN -> BATMAN
|
|
||||||
ebtables -A OUTPUT -p IPv6 -o bat0 --ip6-proto ipv6-icmp --ip6-icmp-type router-advertisement -j DROP
|
|
||||||
# Regelt alles was an Multicast/Broadcast von KNOTEN -> BATMAN geht bei MULTICAST_OUT
|
|
||||||
ebtables -A OUTPUT -d Multicast --logical-out br-mesh -o bat0 -j MULTICAST_OUT
|
|
|
@ -56,8 +56,6 @@ fi
|
||||||
# Starting NTP-Client Daemon after 30s to ensure that the interface is up
|
# Starting NTP-Client Daemon after 30s to ensure that the interface is up
|
||||||
( sleep 30 ; ntpd -p ${NTPD_IP} ) &
|
( sleep 30 ; ntpd -p ${NTPD_IP} ) &
|
||||||
|
|
||||||
. /etc/firewall.user
|
|
||||||
|
|
||||||
/etc/init.d/qos disable
|
/etc/init.d/qos disable
|
||||||
/etc/init.d/qos stop
|
/etc/init.d/qos stop
|
||||||
|
|
||||||
|
|
|
@ -0,0 +1,43 @@
|
||||||
|
include $(TOPDIR)/rules.mk
|
||||||
|
|
||||||
|
PKG_NAME:=fff-firewall
|
||||||
|
PKG_VERSION:=1
|
||||||
|
PKG_RELEASE:=1
|
||||||
|
|
||||||
|
PKG_BUILD_DIR:=$(BUILD_DIR)/fff-firewall
|
||||||
|
|
||||||
|
include $(INCLUDE_DIR)/package.mk
|
||||||
|
|
||||||
|
define Package/fff-firewall
|
||||||
|
SECTION:=base
|
||||||
|
CATEGORY:=Freifunk
|
||||||
|
TITLE:=Freifunk-Franken firewall
|
||||||
|
URL:=http://www.freifunk-franken.de
|
||||||
|
DEPENDS:=+arptables \
|
||||||
|
+ebtables +ebtables-utils \
|
||||||
|
+kmod-ebtables-ipv4 +kmod-ebtables-ipv6 \
|
||||||
|
+iptables-mod-filter +iptables-mod-ipopt +iptables-mod-conntrack-extra
|
||||||
|
endef
|
||||||
|
|
||||||
|
define Package/fff-firewall/description
|
||||||
|
This is the firewall for the Freifunk Franken Firmware
|
||||||
|
It is used to configure firewall.
|
||||||
|
endef
|
||||||
|
|
||||||
|
define Build/Prepare
|
||||||
|
echo "all: " > $(PKG_BUILD_DIR)/Makefile
|
||||||
|
endef
|
||||||
|
|
||||||
|
define Build/Configure
|
||||||
|
# nothing
|
||||||
|
endef
|
||||||
|
|
||||||
|
define Build/Compile
|
||||||
|
# nothing
|
||||||
|
endef
|
||||||
|
|
||||||
|
define Package/fff-firewall/install
|
||||||
|
$(CP) ./files/* $(1)/
|
||||||
|
endef
|
||||||
|
|
||||||
|
$(eval $(call BuildPackage,fff-firewall))
|
|
@ -0,0 +1,28 @@
|
||||||
|
#!/bin/sh /etc/rc.common
|
||||||
|
|
||||||
|
START=50
|
||||||
|
|
||||||
|
USE_PROCD=1
|
||||||
|
|
||||||
|
SERVICE_WRITE_PID=1
|
||||||
|
SERVICE_DAEMONIZE=1
|
||||||
|
|
||||||
|
FIREWALL_DIR=/usr/lib/firewall.d
|
||||||
|
|
||||||
|
service_triggers()
|
||||||
|
{
|
||||||
|
procd_add_reload_trigger "fff-firewall"
|
||||||
|
}
|
||||||
|
|
||||||
|
start_service()
|
||||||
|
{
|
||||||
|
local file
|
||||||
|
|
||||||
|
IF_WAN=$(uci get network.wan.ifname)
|
||||||
|
|
||||||
|
for file in ${FIREWALL_DIR}/*; do
|
||||||
|
if [ -f "$file" ]; then
|
||||||
|
. "$file"
|
||||||
|
fi
|
||||||
|
done
|
||||||
|
}
|
|
@ -0,0 +1,6 @@
|
||||||
|
######## CLEAN UP ############
|
||||||
|
ebtables -F
|
||||||
|
ebtables -X
|
||||||
|
|
||||||
|
iptables -F
|
||||||
|
iptables -X
|
|
@ -0,0 +1,34 @@
|
||||||
|
######## IN_ONLY ############
|
||||||
|
ebtables -N IN_ONLY -P RETURN
|
||||||
|
|
||||||
|
# Daten aus dem BATMAN werden erlaubt
|
||||||
|
# Alles ausser Daten von BATMAN werden DROP'ed
|
||||||
|
ebtables -A IN_ONLY -i ! bat0 --logical-in br-mesh -j DROP
|
||||||
|
|
||||||
|
######## OUT_ONLY ############
|
||||||
|
ebtables -N OUT_ONLY -P RETURN
|
||||||
|
|
||||||
|
# Daten ins BATMAN werden erlaubt
|
||||||
|
# Alles ausser Daten ins BATMAN werden DROP'ed
|
||||||
|
ebtables -A OUT_ONLY --logical-out br-mesh -o ! bat0 -j DROP
|
||||||
|
|
||||||
|
######## MULTICAST_OUT ############
|
||||||
|
ebtables -N MULTICAST_OUT -P DROP
|
||||||
|
|
||||||
|
######## INPUT ############
|
||||||
|
ebtables -P INPUT ACCEPT
|
||||||
|
|
||||||
|
# Regelt alles was an Multicast/Broadcast von CLIENT -> KNOTEN geht bei MULTICAST_OUT
|
||||||
|
ebtables -A INPUT -d Multicast --logical-in br-mesh -i ! bat0 -j ACCEPT
|
||||||
|
|
||||||
|
######## FORWARD ############
|
||||||
|
ebtables -P FORWARD ACCEPT
|
||||||
|
|
||||||
|
# Regelt alles was an Multicast/Broadcast von CLIENT -> BATMAN geht bei MULTICAST_OUT
|
||||||
|
ebtables -A FORWARD -d Multicast --logical-out br-mesh -o bat0 -j MULTICAST_OUT
|
||||||
|
|
||||||
|
######## OUTPUT ############
|
||||||
|
ebtables -P OUTPUT ACCEPT
|
||||||
|
|
||||||
|
# Regelt alles was an Multicast/Broadcast von KNOTEN -> BATMAN geht bei MULTICAST_OUT
|
||||||
|
ebtables -A OUTPUT -d Multicast --logical-out br-mesh -o bat0 -j MULTICAST_OUT
|
|
@ -0,0 +1,2 @@
|
||||||
|
#solves MTU problem with bad ISPs
|
||||||
|
iptables -A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
|
|
@ -0,0 +1,7 @@
|
||||||
|
# If an router has a direct internet connection simple attack act as DOS attack
|
||||||
|
iptables -A INPUT -i $IF_WAN -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
|
||||||
|
iptables -A INPUT -i $IF_WAN -j REJECT
|
||||||
|
|
||||||
|
# Limit ssh to 3 new connections per 60 seconds
|
||||||
|
/usr/sbin/ip6tables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set --name dropbear
|
||||||
|
/usr/sbin/ip6tables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 3 --rttl --name dropbear -j DROP
|
|
@ -0,0 +1,8 @@
|
||||||
|
# Erlaube DHCP Requests
|
||||||
|
ebtables -A MULTICAST_OUT -p IPv4 --ip-proto udp --ip-dport 67 -j RETURN
|
||||||
|
|
||||||
|
# Erlaube nur DHCP Request von CLIENT -> BATMAN
|
||||||
|
ebtables -A FORWARD -p IPv4 --ip-proto udp --ip-dport 67 -j OUT_ONLY
|
||||||
|
|
||||||
|
# Erlaube nur DHCP Antworten von BATMAN -> CLIENT
|
||||||
|
ebtables -A FORWARD -p IPv4 --ip-proto udp --ip-dport 68 -j IN_ONLY
|
|
@ -0,0 +1,8 @@
|
||||||
|
# Erlaube DHCPv6 Requests
|
||||||
|
ebtables -A MULTICAST_OUT -p IPv6 --ip6-proto udp --ip6-dport 547 -j RETURN
|
||||||
|
|
||||||
|
# Erlaube nur DHCPv6 Request von CLIENT -> BATMAN
|
||||||
|
ebtables -A FORWARD -p IPv6 --ip6-proto udp --ip6-dport 547 -j OUT_ONLY
|
||||||
|
|
||||||
|
# Erlaube nur DHCPv6 Antworten von BATMAN -> CLIENT
|
||||||
|
ebtables -A FORWARD -p IPv6 --ip6-proto udp --ip6-dport 546 -j IN_ONLY
|
|
@ -0,0 +1,5 @@
|
||||||
|
# Erlaube nur Router-Solicitation von CLIENT -> BATMAN
|
||||||
|
ebtables -A FORWARD -p IPv6 --ip6-proto ipv6-icmp --ip6-icmp-type router-solicitation -j OUT_ONLY
|
||||||
|
|
||||||
|
# Erlaube nur Router-Advertisment von BATMAN -> CLIENT
|
||||||
|
ebtables -A FORWARD -p IPv6 --ip6-proto ipv6-icmp --ip6-icmp-type router-advertisement -j IN_ONLY
|
|
@ -0,0 +1,5 @@
|
||||||
|
# Erlaube nur DHCP Antworten von BATMAN -> KNOTEN
|
||||||
|
ebtables -A INPUT -p IPv4 --ip-proto udp --ip-dport 68 -j IN_ONLY
|
||||||
|
|
||||||
|
# Erlaube nur DHCP Request von KNOTEN -> BATMAN
|
||||||
|
ebtables -A OUTPUT -p IPv4 --ip-proto udp --ip-dport 67 -j OUT_ONLY
|
|
@ -0,0 +1,5 @@
|
||||||
|
# Erlaube nur DHCPv6 Antworten von BATMAN -> KNOTEN
|
||||||
|
ebtables -A INPUT -p IPv6 --ip6-proto udp --ip6-dport 546 -j IN_ONLY
|
||||||
|
|
||||||
|
# Erlaube nur DHCPv6 Request von KNOTEN -> BATMAN
|
||||||
|
ebtables -A OUTPUT -p IPv6 --ip6-proto udp --ip6-dport 547 -j OUT_ONLY
|
|
@ -0,0 +1,11 @@
|
||||||
|
# Erlaube nur Router-Advertisment von BATMAN -> KNOTEN
|
||||||
|
ebtables -A INPUT -p IPv6 --ip6-proto ipv6-icmp --ip6-icmp-type router-advertisement -j IN_ONLY
|
||||||
|
|
||||||
|
# Verbiete Router-Solicitation von BATMAN -> KNOTEN
|
||||||
|
ebtables -A INPUT -p IPv6 -i bat0 --ip6-proto ipv6-icmp --ip6-icmp-type router-solicitation -j DROP
|
||||||
|
|
||||||
|
# Erlaube nur Router-Solicitation von KNOTEN -> BATMAN
|
||||||
|
ebtables -A OUTPUT -p IPv6 --ip6-proto ipv6-icmp --ip6-icmp-type router-solicitation -j OUT_ONLY
|
||||||
|
|
||||||
|
# Verbiete Router-Advertisment von KNOTEN -> BATMAN
|
||||||
|
ebtables -A OUTPUT -p IPv6 -o bat0 --ip6-proto ipv6-icmp --ip6-icmp-type router-advertisement -j DROP
|
|
@ -0,0 +1,6 @@
|
||||||
|
# Erlaube alles was nicht IP ?? ist " hop-by-hop " ??
|
||||||
|
ebtables -A MULTICAST_OUT -p IPv6 --ip6-proto 0 -j RETURN
|
||||||
|
|
||||||
|
# Erlaube Organisation der Multicast Gruppen
|
||||||
|
ebtables -A MULTICAST_OUT -p IPv4 --ip-proto igmp -j RETURN
|
||||||
|
|
|
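Review bot: The comment on L1557 is a question to the reader rather than documentation; `--ip6-proto 0` matches packets whose next header is the IPv6 Hop-by-Hop Options header, which MLD (multicast listener) reports carry, so this rule is the IPv6 counterpart of the IGMP rule on L1572. It is broader than MLD, though: any IPv6 multicast frame carrying a Hop-by-Hop header passes the MULTICAST_OUT filter. Suggested comment: `# Pass IPv6 packets with a Hop-by-Hop header (next header 0): MLD reports use it; note this admits any HBH-bearing multicast`.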
@ -0,0 +1,8 @@
|
||||||
|
# Verbiete ARP Antworten an alle
|
||||||
|
ebtables -A MULTICAST_OUT -p ARP --arp-op Reply --arp-ip-src 0.0.0.0 -j DROP
|
||||||
|
|
||||||
|
# Verbiete ARP Requests an alle
|
||||||
|
ebtables -A MULTICAST_OUT -p ARP --arp-op Request --arp-ip-dst 0.0.0.0 -j DROP
|
||||||
|
|
||||||
|
# Erlaube alle anderen ARP's
|
||||||
|
ebtables -A MULTICAST_OUT -p ARP -j RETURN
|
|
@ -0,0 +1,6 @@
|
||||||
|
# Erlaube PING
|
||||||
|
ebtables -A MULTICAST_OUT -p IPv4 --ip-proto icmp -j RETURN
|
||||||
|
|
||||||
|
# Erlaube PINGv6
|
||||||
|
ebtables -A MULTICAST_OUT -p IPv6 --ip6-proto ipv6-icmp -j RETURN
|
||||||
|
|
|
@ -0,0 +1,11 @@
|
||||||
|
# No input from/to local node ip from batman
|
||||||
|
ebtables -A INPUT --logical-in br-mesh -i bat0 -p IPv6 --ip6-source fdff::1/128 -j DROP
|
||||||
|
ebtables -A INPUT --logical-in br-mesh -i bat0 -p IPv6 --ip6-destination fdff::1/128 -j DROP
|
||||||
|
|
||||||
|
# Do not forward local node ip
|
||||||
|
ebtables -A FORWARD --logical-out br-mesh -o bat0 -p IPv6 --ip6-destination fdff::1/128 -j DROP
|
||||||
|
ebtables -A FORWARD --logical-out br-mesh -o bat0 -p IPv6 --ip6-source fdff::1/128 -j DROP
|
||||||
|
|
||||||
|
# Do not output local node ip to batman
|
||||||
|
ebtables -A OUTPUT --logical-out br-mesh -o bat0 -p IPv6 --ip6-destination fdff::1/128 -j DROP
|
||||||
|
ebtables -A OUTPUT --logical-out br-mesh -o bat0 -p IPv6 --ip6-source fdff::1/128 -j DROP
|
|
@ -0,0 +1,5 @@
|
||||||
|
# Erlaube router solicitation von client zu knoten
|
||||||
|
ebtables -A INPUT -p IPv6 -i ! bat0 --ip6-proto ipv6-icmp --ip6-icmp-type router-solicitation -j ACCEPT
|
||||||
|
|
||||||
|
# Erlaube router advertisment von knoten zu client
|
||||||
|
ebtables -A OUTPUT -p IPv6 -o ! bat0 --ip6-proto ipv6-icmp --ip6-icmp-type router-advertisement -j ACCEPT
|