From e7a7f269516bf0f35ff97df3f09415d3fe028ce0 Mon Sep 17 00:00:00 2001
From: Gregory Colpart
Date: Fri, 11 Nov 2011 15:47:37 +0100
Subject: [PATCH 1/5] Patch to have compatibility with poor non-IPv6 server

---
 firewall.rc | 2 ++
 minifirewall | 14 ++++++--------
 2 files changed, 8 insertions(+), 8 deletions(-)

diff --git a/firewall.rc b/firewall.rc
index d46e72d..e167d2b 100644
--- a/firewall.rc
+++ b/firewall.rc
@@ -6,6 +6,8 @@
 # Interface concernee
 INT='eth0'
 
+IPV6=on
+
 # IP associee (plus utilisee dans les scripts)
 # INTIP='192.168.0.2'
 # reseau beneficiant d'acces privilegies
diff --git a/minifirewall b/minifirewall
index 6408661..d37a4b3 100755
--- a/minifirewall
+++ b/minifirewall
@@ -152,7 +152,7 @@ $IPT -N NEEDRESTRICT
 
 # On autorise tout sur l'interface loopback
 $IPT -A INPUT -i lo -j ACCEPT
-$IPT6 -A INPUT -i lo -j ACCEPT
+[ $IPV6 != 'off' ] && $IPT6 -A INPUT -i lo -j ACCEPT
 # if OUTPUTDROP
 #$IPT -A OUTPUT -o lo -j ACCEPT
 
@@ -185,13 +185,13 @@ for x in $SERVICESUDP1p
 for x in $SERVICESTCP1
 do
  $IPT -A INPUT -p tcp --dport $x -j ACCEPT
- $IPT6 -A INPUT -p tcp --dport $x -j ACCEPT
+ [ $IPV6 != 'off' ] && $IPT6 -A INPUT -p tcp --dport $x -j ACCEPT
 done
 
 for x in $SERVICESUDP1
 do
  $IPT -A INPUT -p udp --dport $x -j ACCEPT
- $IPT6 -A INPUT -p udp --dport $x -j ACCEPT
+ [ $IPV6 != 'off' ] && $IPT6 -A INPUT -p udp --dport $x -j ACCEPT
 done
 
 # Services semi-publics
@@ -282,13 +282,13 @@ for x in $NTPOK
 
 # ICMP
 $IPT -A INPUT -p icmp -j ACCEPT
-$IPT6 -A INPUT -p icmpv6 -j ACCEPT
+[ $IPV6 != 'off' ] && $IPT6 -A INPUT -p icmpv6 -j ACCEPT
 
 
 # politique
 # par defaut rien ne rentre
 $IPT -P INPUT DROP
-$IPT6 -P INPUT DROP
+[ $IPV6 != 'off' ] && $IPT6 -P INPUT DROP
 
 # par defaut rien ne transite (obsolete, notamment pour les VM)
 #echo 0 > /proc/sys/net/ipv4/ip_forward
@@ -297,7 +297,7 @@ $IPT6 -P INPUT DROP
 
 # par defaut tout peut sortir (sinon voir OUTPUTDROP)
 $IPT -P OUTPUT ACCEPT
-$IPT6 -P OUTPUT ACCEPT
+[ $IPV6 != 'off' ] && $IPT6 -P OUTPUT ACCEPT
 
 trap - INT TERM EXIT
 
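Review bot: `IPV6=on` is a new knob whose only meaningful value is the literal `off` (minifirewall tests `[ $IPV6 != 'off' ]` at every site), but nothing in firewall.rc says so, and a reader who writes `IPV6=no` or `IPV6=0` gets IPv6 filtering enabled anyway. Document the contract next to the assignment: `# IPv6 filtering: set to 'off' only on hosts without an IPv6 stack; any other value keeps the ip6tables rules` and `# 'off' also skips the ip6tables INPUT DROP policy, so never use it where IPv6 is actually up`.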
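Review bot: `[ $IPV6 != 'off' ]` leaves `$IPV6` unquoted, so on a host whose firewall.rc predates this patch and does not define IPV6 the test expands to `[ != off ]`, which is a syntax error (bash reports "unary operator expected", exit 2), and every gated ip6tables command — including the `$IPT6 -P INPUT DROP` added later in this patch — is silently skipped. Quote it and default to on, e.g. `[ "${IPV6:-on}" != 'off' ] && $IPT6 -A INPUT -i lo -j ACCEPT`, or set `IPV6=${IPV6:-on}` once right after firewall.rc is sourced so the short test stays valid at all five sites. The same unquoted test is repeated in the other hunks of this file.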
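Review bot: gating `$IPT6 -P INPUT DROP` on the knob means `IPV6=off` does not merely skip the IPv6 rules, it leaves the ip6tables INPUT chain at its built-in ACCEPT policy, so a host that does have an IPv6 stack but is marked off is fully reachable over v6 while the admin believes the firewall is active — the knob fails open. If the goal is only to survive hosts where ip6tables cannot load, attempt the policy anyway and let the knob decide whether a failure is fatal: `$IPT6 -P INPUT DROP 2>/dev/null || [ "$IPV6" = 'off' ]`. At minimum warn when the two disagree: `[ "$IPV6" = 'off' ] && [ -e /proc/net/if_inet6 ] && echo 'IPV6=off but an IPv6 stack is present: ip6tables policy left at ACCEPT' >&2`.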
@@ -346,7 +346,6 @@ trap - INT TERM EXIT
  $IPT -t nat -L -n -v --line-numbers
  $IPT -t mangle -L -n -v --line-numbers
  $IPT6 -L -n -v --line-numbers
- $IPT6 -t nat -L -n -v --line-numbers
  $IPT6 -t mangle -L -n -v --line-numbers
 ;;
 
@@ -358,7 +357,6 @@ trap - INT TERM EXIT
  $IPT -t nat -Z
  $IPT -t mangle -Z
  $IPT6 -Z
- $IPT6 -t nat -Z
  $IPT6 -t mangle -Z
 ;;
 

From b5412ce98ae17424e3b5bb9a98204c362e6313a2 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Beno=C3=AEt=20S=C3=89RIE?=
Date: Wed, 22 Aug 2012 16:21:28 +0200
Subject: [PATCH 2/5] Adding rules to block outgoing UDP trafic except for DNS and NTP.

---
 firewall.rc | 23 ++++++++++++++++-------
 1 file changed, 16 insertions(+), 7 deletions(-)

diff --git a/firewall.rc b/firewall.rc
index e167d2b..0c230b9 100644
--- a/firewall.rc
+++ b/firewall.rc
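Review bot: the `$IPT6 -L` and `$IPT6 -t mangle -L` calls kept in this hunk (and the `-Z` counterparts in the next one) still run unconditionally, so on the non-IPv6 server this patch targets the status and zero subcommands keep failing even though every rule-loading call was gated on `$IPV6`. Wrap them the same way, `[ $IPV6 != 'off' ] && $IPT6 -L -n -v --line-numbers`, or put the IPv6 listing under one `if`. Dropping the ip6tables `-t nat` listing is consistent with kernels that have no IPv6 NAT table, but it also means any IPv6 nat rule a future firewall.rc adds will not show up here; a one-line `# no ip6tables nat table on older kernels` would record the reason. The enclosing case arm starts and ends outside this hunk.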
@@ -74,13 +74,22 @@ SMTPSECUREOK=''
 # NTP
 NTPOK='0.0.0.0/0'
 
+################### IPv6 Specific rules
+# /sbin/ip6tables ...
 
-################### Specific rules
-# /sbin/iptables ....
-# /sbin/iptables ....
-# /sbin/iptables ....
+# allow HTTP/HTTPS traffic
+/sbin/ip6tables -A INPUT -i $INT -p tcp --sport 80 --match state --state ESTABLISHED,RELATED -j ACCEPT
+/sbin/ip6tables -A INPUT -i $INT -p tcp --sport 443 --match state --state ESTABLISHED,RELATED -j ACCEPT
 
-# allow HTTP/HTTPS IPv6 traffic
-/sbin/ip6tables -A INPUT -i eth0 -p tcp --sport 80 --match state --state ESTABLISHED,RELATED -j ACCEPT
-/sbin/ip6tables -A INPUT -i eth0 -p tcp --sport 443 --match state --state ESTABLISHED,RELATED -j ACCEPT
+# Drop outgoing UDP traffic but not for DNS and NTP
+/sbin/ip6tables -A OUTPUT -d ::/0 -p udp --dport 53 -j ACCEPT
+/sbin/ip6tables -A OUTPUT -d ::/0 -p udp --dport 123 -j ACCEPT
+/sbin/ip6tables -A OUTPUT -d ::/0 -p udp -j DROP
 
+################### IPv4 Specific rules
+# /sbin/iptables ...
+
+# Drop outgoing UDP traffic but not for DNS and NTP
+/sbin/iptables -A OUTPUT -d 0.0.0.0/0 -p udp --dport 53 -j ACCEPT
+/sbin/iptables -A OUTPUT -d 0.0.0.0/0 -p udp --dport 123 -j ACCEPT
+/sbin/iptables -A OUTPUT -d 0.0.0.0/0 -p udp -j DROP

From 44bb5925ebcefa9d820c0d285ab01f5a6fe57b6b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Beno=C3=AEt=20S=C3=89RIE?=
Date: Wed, 3 Oct 2012 14:21:04 +0200
Subject: [PATCH 3/5] Amelioration added for blocking output UDP.

---
 firewall.rc | 16 +++++++---------
 minifirewall | 6 ++++--
 2 files changed, 11 insertions(+), 11 deletions(-)

diff --git a/firewall.rc b/firewall.rc
index 0c230b9..d349e75 100644
--- a/firewall.rc
+++ b/firewall.rc
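Review bot: the `/sbin/ip6tables` commands added in the IPv6 section run unconditionally every time firewall.rc is sourced, ignoring the `IPV6` knob that this same file defines near the top and that minifirewall honours for every `$IPT6` call — on the non-IPv6 host patch 1/5 was written for, these lines fail. Guard them the same way, `[ $IPV6 != 'off' ] && /sbin/ip6tables -A OUTPUT ...`, or put the whole IPv6 section under `if [ "$IPV6" != 'off' ]` (the `$INT` reference is fine, it is assigned earlier in this file). Separately, the `--dport 53` and `--dport 123` ACCEPTs match any destination, so the new egress block still lets any local process send arbitrary UDP to port 53 or 123 of any host, which is exactly the DNS-tunnelling and reflection path an egress filter is meant to close; mirroring the existing `NTPOK` list with a `DNSOK` list of resolvers, e.g. `for x in $DNSOK; do /sbin/iptables -A OUTPUT -d $x -p udp --dport 53 -j ACCEPT; done`, would pin the destinations. `-d ::/0` and `-d 0.0.0.0/0` match everything and can simply be dropped.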
@@ -77,19 +77,17 @@ NTPOK='0.0.0.0/0'
 ################### IPv6 Specific rules
 # /sbin/ip6tables ...
 
-# allow HTTP/HTTPS traffic
+# Allow HTTP/HTTPS traffic
 /sbin/ip6tables -A INPUT -i $INT -p tcp --sport 80 --match state --state ESTABLISHED,RELATED -j ACCEPT
 /sbin/ip6tables -A INPUT -i $INT -p tcp --sport 443 --match state --state ESTABLISHED,RELATED -j ACCEPT
 
-# Drop outgoing UDP traffic but not for DNS and NTP
-/sbin/ip6tables -A OUTPUT -d ::/0 -p udp --dport 53 -j ACCEPT
-/sbin/ip6tables -A OUTPUT -d ::/0 -p udp --dport 123 -j ACCEPT
-/sbin/ip6tables -A OUTPUT -d ::/0 -p udp -j DROP
+# Allow DNS and NTP traffic
+/sbin/ip6tables -A OUTPUT -p udp --dport 53 --match state --state NEW -j ACCEPT
+/sbin/ip6tables -A OUTPUT -p udp --dport 123 --match state --state NEW -j ACCEPT
 
 ################### IPv4 Specific rules
 # /sbin/iptables ...
 
-# Drop outgoing UDP traffic but not for DNS and NTP
-/sbin/iptables -A OUTPUT -d 0.0.0.0/0 -p udp --dport 53 -j ACCEPT
-/sbin/iptables -A OUTPUT -d 0.0.0.0/0 -p udp --dport 123 -j ACCEPT
-/sbin/iptables -A OUTPUT -d 0.0.0.0/0 -p udp -j DROP
+# Allow DNS and NTP
+/sbin/iptables -A OUTPUT -p udp --dport 53 --match state --state NEW -j ACCEPT
+/sbin/iptables -A OUTPUT -p udp --dport 123 --match state --state NEW -j ACCEPT
\ No newline at end of file
diff --git a/minifirewall b/minifirewall
index d37a4b3..4363658 100755
--- a/minifirewall
+++ b/minifirewall
@@ -75,7 +75,7 @@ echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
 # Ignorer les mauvais messages d'erreurs ICMP
 echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
 
-# effacer la source des paquets routés
+# effacer la source des paquets routes
 for i in /proc/sys/net/ipv4/conf/*/accept_source_route; do
 echo 0 > $i
 done
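Review bot: adding `--match state --state NEW` to the OUTPUT ACCEPTs means only the first datagram of each conntrack flow is allowed; once a reply has been seen, further datagrams from the same socket to the same server are ESTABLISHED, match no ACCEPT here, and fall through to the `-p udp -j DROP` this same patch appends in minifirewall. A daemon that keeps one socket open — ntpd polling its server from port 123 is the obvious case — can therefore stop working after its first exchange, until the conntrack entry expires. Either drop the state qualifier, or add one accept ahead of the DROP so the qualifier is harmless: `/sbin/iptables -A OUTPUT -p udp --match state --state ESTABLISHED,RELATED -j ACCEPT` (and the ip6tables twin). These rules are also appended at source time, so they only precede the DROP if firewall.rc is sourced after the chains are flushed; a comment stating that ordering assumption belongs above the section header.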
@@ -295,9 +295,11 @@ $IPT -P INPUT DROP
 #$IPT -P FORWARD DROP
 #$IPT6 -P FORWARD DROP
 
-# par defaut tout peut sortir (sinon voir OUTPUTDROP)
+# par defaut tout peut sortir sauf l'UDP (sinon voir OUTPUTDROP)
 $IPT -P OUTPUT ACCEPT
 [ $IPV6 != 'off' ] && $IPT6 -P OUTPUT ACCEPT
+$IPT -A OUTPUT -p udp -j DROP
+[ $IPV6 != 'off' ] && $IPT6 -A OUTPUT -p udp -j DROP
 
 trap - INT TERM EXIT
 

From b57dddf91707b3fcec65146bb2865aaf05212bcd Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Beno=C3=AEt=20S=C3=89RIE?=
Date: Mon, 8 Oct 2012 16:19:22 +0200
Subject: [PATCH 4/5] By default allow outgoing packets on loopback.

This is needed since the new policy of dropping all outgoing UDP packets, especially when there is a local bind.

---
 minifirewall | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/minifirewall b/minifirewall
index 4363658..4420080 100755
--- a/minifirewall
+++ b/minifirewall
@@ -154,7 +154,7 @@ $IPT -N NEEDRESTRICT
 $IPT -A INPUT -i lo -j ACCEPT
 [ $IPV6 != 'off' ] && $IPT6 -A INPUT -i lo -j ACCEPT
 # if OUTPUTDROP
-#$IPT -A OUTPUT -o lo -j ACCEPT
+$IPT -A OUTPUT -o lo -j ACCEPT
 
 # on evite pas mal de paquets "martiens" effet de bord de virus
 # notamment W32/Blaster qui attaquait windowsupdate.com

From 7795b715e6e138d90fdbd1ff5835af5f6ef770b5 Mon Sep 17 00:00:00 2001
From: Romain Dessort
Date: Wed, 24 Oct 2012 10:32:05 +0200
Subject: [PATCH 5/5] Add rules to open traceroute UDP port.

---
 firewall.rc | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/firewall.rc b/firewall.rc
index d349e75..49cde30 100644
--- a/firewall.rc
+++ b/firewall.rc
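Review bot: `$IPT -A OUTPUT -p udp -j DROP` is appended with no ESTABLISHED,RELATED accept in front of it, so every inbound UDP service this script admits through `$SERVICESUDP1` on the INPUT side can receive queries but has its replies dropped on the way out — a DNS or NTP server running on this host goes silent. Insert before the two DROP lines: `$IPT -A OUTPUT -p udp --match state --state ESTABLISHED,RELATED -j ACCEPT` and `[ $IPV6 != 'off' ] && $IPT6 -A OUTPUT -p udp --match state --state ESTABLISHED,RELATED -j ACCEPT`. Because `-A` appends, the allow rules firewall.rc adds only win over this DROP if firewall.rc is sourced after the chains are flushed and before this point; the updated comment should say so rather than just "sauf l'UDP". A `-j LOG --log-prefix 'udp-out-drop: '` line ahead of the DROP would also make the new policy debuggable when something stops resolving.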
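Review bot: only the IPv4 loopback accept is enabled; there is no `[ $IPV6 != 'off' ] && $IPT6 -A OUTPUT -o lo -j ACCEPT` twin, yet the same series appends `$IPT6 -A OUTPUT -p udp -j DROP`, so a local service bound to `::1` (a resolver listening on both `127.0.0.1` and `::1` is typical) still cannot be reached over UDP on the IPv6 loopback. Add the ip6tables line directly after the iptables one. The `# if OUTPUTDROP` comment above the rule is now stale because the rule is unconditional; replace it with `# loopback is always allowed out: outgoing UDP is dropped further down`.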
@@ -81,13 +81,15 @@ NTPOK='0.0.0.0/0'
 /sbin/ip6tables -A INPUT -i $INT -p tcp --sport 80 --match state --state ESTABLISHED,RELATED -j ACCEPT
 /sbin/ip6tables -A INPUT -i $INT -p tcp --sport 443 --match state --state ESTABLISHED,RELATED -j ACCEPT
 
-# Allow DNS and NTP traffic
+# Allow DNS, NTP and traceroute traffic
 /sbin/ip6tables -A OUTPUT -p udp --dport 53 --match state --state NEW -j ACCEPT
 /sbin/ip6tables -A OUTPUT -p udp --dport 123 --match state --state NEW -j ACCEPT
+/sbin/ip6tables -A OUTPUT -p udp --dport 33434:33523 --match state --state NEW -j ACCEPT
 
 ################### IPv4 Specific rules
 # /sbin/iptables ...
 
-# Allow DNS and NTP
+# Allow DNS, NTP and traceroute traffic
 /sbin/iptables -A OUTPUT -p udp --dport 53 --match state --state NEW -j ACCEPT
-/sbin/iptables -A OUTPUT -p udp --dport 123 --match state --state NEW -j ACCEPT
\ No newline at end of file
+/sbin/iptables -A OUTPUT -p udp --dport 123 --match state --state NEW -j ACCEPT
+/sbin/iptables -A OUTPUT -p udp --dport 33434:33523 --match state --state NEW -j ACCEPT
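Review bot: `33434:33523` is exactly traceroute's default UDP probe range (base port 33434, 30 hops x 3 probes = 90 ports), but nothing in the file says so and the number will look arbitrary to the next reader; record it above the rule: `# traceroute: default base port 33434, max 30 hops x 3 probes = 33434-33523`. Note that this punches 90 UDP ports to any destination through the egress block, usable by any process and not just traceroute; if that matters, `traceroute -I` (ICMP) or `-T` (TCP) needs no UDP hole at all, or the rule can be narrowed with `-m owner --uid-owner root` where traceroute is only run by root. The ip6tables rule carries the same caveats.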