Re: Request for comments: iptables script for use on laptops.
Uwe Hermann wrote:
>>> for i in /proc/sys/net/ipv4/conf/*/rp_filter; do echo 1 > $i; done
>>
>> That's what the Debian networking startup script does when
>> /etc/network/options (now deprecated) contains rp_filter=1.
>
> Yeah, but that's not an option for me.

Of course not. As I wrote, it's deprecated. It was just a remark.
> I want the script to be usable
> anywhere (i.e. it should not depend on the distribution, configuration,
> kernel version, as much as possible)...

This is a Debian list, so I assumed you targeted a Debian system...
If you look for generic iptables support, there is a Netfilter user list
which has more traffic than this one.
[...]
> Hm, ok, I'll have to put more thought (and time) into this for further
> restricting ICMP. For now, I'll allow ESTABLISHED,RELATED, and
> an additional Parameter Problem.

You don't need extra processing for Parameter Problem. It's just another
RELATED ICMP type.

> Later, I'll split out ICMP and handle that extra, I think.

Here's what I use:

iptables -N related_icmp
iptables -A related_icmp -p icmp --icmp-type destination-unreachable \
    -j ACCEPT
iptables -A related_icmp -p icmp --icmp-type time-exceeded -j ACCEPT
iptables -A related_icmp -p icmp --icmp-type parameter-problem -j ACCEPT
iptables -A related_icmp -j DROP

related_icmp is a user-defined chain called when a packet matches ICMP
protocol and RELATED state.
[...]
> (IPv6 doesn't have NAT, right?)

AFAIK Linux has no NAT support for IPv6 yet.

> The intention is to block any IPv6 traffic (if there's IPv6 support in
> the kernel), otherwise do nothing as there's no IPv6, hence no such traffic
> is possible. Does that look reasonable and complete?

Well, no ip6tables does not mean no IPv6 support. IPv6 support is in the
kernel, and ip6tables is just a part of the iptables package.

> An "rmmod ip6tables" etc. sounds nice, too, but that would
> only work if it's compiled as a module, so I think the above is better.

I guess you mean "rmmod ipv6"? Well, it's not as nice as it sounds,
because once loaded the ipv6 module cannot or at least should not be
unloaded.
But if you want to disable IPv6 on an interface, I know a trick. IPv6
minimum MTU is 1280. So, if you set an interface MTU to a value lower
than 1280 before activating it, it won't be bound to IPv6. Then you can
restore its default MTU.
>> If you want to be complete, you should also set the default policy of
>> built-in chains in tables nat and mangle to ACCEPT, or unload these
>> tables if built as modules (iptable_nat and iptable_mangle) and not
>> needed at all.
>
> Will this suffice?
>
> $IPTABLES -t nat -P PREROUTING ACCEPT
> $IPTABLES -t nat -P OUTPUT ACCEPT
> $IPTABLES -t nat -P POSTROUTING ACCEPT
> $IPTABLES -t mangle -P PREROUTING ACCEPT
> $IPTABLES -t mangle -P INPUT ACCEPT
> $IPTABLES -t mangle -P FORWARD ACCEPT
> $IPTABLES -t mangle -P OUTPUT ACCEPT
> $IPTABLES -t mangle -P POSTROUTING ACCEPT
> $IPTABLES -t raw -P PREROUTING ACCEPT
> $IPTABLES -t raw -P OUTPUT ACCEPT

I guess so. Not sure about the raw table though, I don't use it.
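The pieces discussed in this exchange (the rp_filter loop, the related_icmp chain, ACCEPT policies on the nat/mangle/raw tables, and the MTU trick for keeping an interface off IPv6) put together as one added example; this is not the script under review nor code posted by anyone in the thread. It assumes the `-m state` match for ESTABLISHED/RELATED, reads the list of loaded tables from /proc/net/ip_tables_names so that it never loads a table module just to set its policy, treats `eth0` and the restored MTU of 1500 as placeholders, and routes every external command through a variable so the whole thing can be dry-run with `IPTABLES=echo IP=echo` before it touches a live machine. The `RP_ROOT` and `TABLES_FILE` overrides exist only so the functions can be exercised against scratch files without root. Because whether the MTU trick still holds after the MTU is restored depends on the kernel, the `iface_has_no_ipv6` check is there to confirm the result rather than trust it; current kernels also expose a `net.ipv6.conf.<iface>.disable_ipv6` sysctl for the same purpose.

```shell
#!/bin/sh
# Added example (not the thread's script): rp_filter, the related_icmp chain,
# ACCEPT policies on unused tables, and the sub-1280 MTU trick for IPv6.
# Externals go through variables so the script can be dry-run first.
set -eu

IPTABLES=${IPTABLES:-iptables}
IP=${IP:-ip}
# Kernel knob locations, overridable to exercise the functions without root.
RP_ROOT=${RP_ROOT:-/proc/sys/net/ipv4/conf}
TABLES_FILE=${TABLES_FILE:-/proc/net/ip_tables_names}

# Strict reverse-path filtering on every interface: what the deprecated
# rp_filter=1 line in /etc/network/options used to arrange.
enable_rp_filter() {
    for f in "$RP_ROOT"/*/rp_filter; do
        [ -e "$f" ] || continue
        echo 1 > "$f"
    done
}

# The filter table carries the actual policy: drop inbound by default, accept
# loopback and ESTABLISHED, and send RELATED ICMP through related_icmp so only
# the error types a host legitimately receives get in.
setup_filter() {
    $IPTABLES -F            # flushes the filter table only
    $IPTABLES -X            # drops user chains left from an earlier run
    $IPTABLES -P INPUT DROP
    $IPTABLES -P FORWARD DROP
    $IPTABLES -P OUTPUT ACCEPT
    $IPTABLES -A INPUT -i lo -j ACCEPT
    $IPTABLES -A INPUT -m state --state ESTABLISHED -j ACCEPT
    $IPTABLES -N related_icmp
    $IPTABLES -A related_icmp -p icmp --icmp-type destination-unreachable -j ACCEPT
    $IPTABLES -A related_icmp -p icmp --icmp-type time-exceeded -j ACCEPT
    $IPTABLES -A related_icmp -p icmp --icmp-type parameter-problem -j ACCEPT
    $IPTABLES -A related_icmp -j DROP
    # ICMP tied by conntrack to a flow is vetted by the chain above; any other
    # RELATED traffic (e.g. FTP data) is accepted outright.
    $IPTABLES -A INPUT -p icmp -m state --state RELATED -j related_icmp
    $IPTABLES -A INPUT -m state --state RELATED -j ACCEPT
}

# Only loaded tables are touched: setting a policy on an absent table would
# pull its module in on a modular kernel, the opposite of leaving it unloaded.
table_loaded() {
    grep -qx "$1" "$TABLES_FILE" 2>/dev/null
}

# Open the built-in chains of the tables this script does not use.
open_other_tables() {
    if table_loaded nat; then
        for chain in PREROUTING OUTPUT POSTROUTING; do
            $IPTABLES -t nat -P "$chain" ACCEPT
        done
    fi
    if table_loaded mangle; then
        for chain in PREROUTING INPUT FORWARD OUTPUT POSTROUTING; do
            $IPTABLES -t mangle -P "$chain" ACCEPT
        done
    fi
    if table_loaded raw; then
        for chain in PREROUTING OUTPUT; do
            $IPTABLES -t raw -P "$chain" ACCEPT
        done
    fi
}

# The thread's trick: bring the interface up with an MTU below the IPv6
# minimum (1280) so the kernel does not bind IPv6 to it, then restore the
# normal MTU. The 1500 default for the restored MTU is an assumption.
disable_ipv6_on_iface() {
    dev=$1
    restore=${2:-1500}
    $IP link set dev "$dev" down
    $IP link set dev "$dev" mtu 1279
    $IP link set dev "$dev" up
    $IP link set dev "$dev" mtu "$restore"
}

# Verification: succeeds only if the interface carries no IPv6 address.
# Whether the trick survives the MTU restore depends on the kernel, so check.
iface_has_no_ipv6() {
    [ -z "$($IP -6 addr show dev "$1" 2>/dev/null)" ]
}

main() {
    enable_rp_filter
    setup_filter
    open_other_tables
}

case "${1:-}" in
    apply)   main ;;
    dry-run) IPTABLES=echo; IP=echo; main ;;
esac
```

Run it as `sh laptop-fw.sh dry-run` to review the exact iptables invocations it would issue, then `sh laptop-fw.sh apply` as root; `disable_ipv6_on_iface eth0 1500; iface_has_no_ipv6 eth0 && echo "no IPv6 on eth0"` exercises the MTU trick on one interface and reports whether it actually took effect.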