
Re: Request for comments: iptables script for use on laptops.



Uwe Hermann a écrit :
for i in /proc/sys/net/ipv4/conf/*/rp_filter; do echo 1 > $i; done

That's what the Debian networking startup script does when /etc/network/options (now deprecated) contains rp_filter=1.

Yeah, but that's not an option for me.

Of course not. As I wrote, it's deprecated. It was just a remark.

I want the script to be usable
anywhere (i.e. it should not depend on the distribution, configuration,
kernel version, as much as possible)...

This is a Debian list, so I assumed you targeted a Debian system...
If you look for generic iptables support, there is a Netfilter user list which has more traffic than this one.

[...]
Hm, ok, I'll have to put more thought (and time) into this for further
restricting ICMP. For now, I'll allow ESTABLISHED,RELATED, and
an additional Parameter Problem.

You don't need extra processing for Parameter Problem. It's just another RELATED ICMP type.

Later, I'll split out ICMP and handle that extra, I think.

Here's what I use:

iptables -N related_icmp
iptables -A related_icmp -p icmp --icmp-type destination-unreachable \
  -j ACCEPT
iptables -A related_icmp -p icmp --icmp-type time-exceeded -j ACCEPT
iptables -A related_icmp -p icmp --icmp-type parameter-problem -j ACCEPT
iptables -A related_icmp -j DROP

related_icmp is a user-defined chain called when a packet matches ICMP protocol and RELATED state.

[...]
(IPv6 doesn't have NAT, right?)

AFAIK Linux has no NAT support for IPv6 yet.

The intention is to block any IPv6 traffic (if there's IPv6 support in
the kernel), otherwise do nothing as there's no IPv6, hence no such traffic
is possible. Does that look reasonable and complete?

Well, no ip6tables does not mean no IPv6 support. IPv6 support is in the kernel, and ip6tables is just a part of the iptables package.

An "rmmod ip6tables" etc. sounds nice, too, but that would
only work if it's compiled as a module, so I think the above is better.

I guess you mean "rmmod ipv6"? Well, it's not as nice as it sounds, because once loaded the ipv6 module cannot, or at least should not, be unloaded.

But if you want to disable IPv6 on an interface, I know a trick. The IPv6 minimum MTU is 1280. So, if you set an interface's MTU to a value lower than 1280 before activating it, it won't be bound to IPv6. Then you can restore its default MTU.

If you want to be complete, you should also set the default policy of the built-in chains in the nat and mangle tables to ACCEPT, or unload these tables if they are built as modules (iptable_nat and iptable_mangle) and not needed at all.

Will this suffice?

$IPTABLES -t nat -P PREROUTING ACCEPT
$IPTABLES -t nat -P OUTPUT ACCEPT
$IPTABLES -t nat -P POSTROUTING ACCEPT

$IPTABLES -t mangle -P PREROUTING ACCEPT
$IPTABLES -t mangle -P INPUT ACCEPT
$IPTABLES -t mangle -P FORWARD ACCEPT
$IPTABLES -t mangle -P OUTPUT ACCEPT
$IPTABLES -t mangle -P POSTROUTING ACCEPT

$IPTABLES -t raw -P PREROUTING ACCEPT
$IPTABLES -t raw -P OUTPUT ACCEPT

I guess so. Not sure about the raw table though, I don't use it.
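As an added example, not the script under review in this thread nor either poster's code: the pieces discussed above (the related_icmp chain and how it is hooked into INPUT, ACCEPT policies on the nat, mangle and raw tables, the per-interface rp_filter loop, and the MTU trick for keeping IPv6 off an interface) assembled into one POSIX sh script. It assumes the variable names IPTABLES and IP, which default to "echo ..." so that running it unprivileged only prints the commands it would issue; the raw table's built-in chains really are just PREROUTING and OUTPUT, so the list in the question is complete. The "ip link set dev ... mtu" and "up" syntax is iproute2's.

```sh
#!/bin/sh
# Added example, not code from the thread. IPTABLES and IP default to
# "echo ..." (dry run); set IPTABLES=iptables IP=ip and run as root with
# the argument "apply" to actually load the rules.
IPTABLES="${IPTABLES:-echo iptables}"
IP="${IP:-echo ip}"

# Policies of the non-filter tables. The raw table has only PREROUTING and
# OUTPUT. A table the kernel does not provide makes the command fail; that
# is ignored, since an absent table cannot drop anything either.
reset_policies() {
    for chain in PREROUTING OUTPUT POSTROUTING; do
        $IPTABLES -t nat -P "$chain" ACCEPT 2>/dev/null || true
    done
    for chain in PREROUTING INPUT FORWARD OUTPUT POSTROUTING; do
        $IPTABLES -t mangle -P "$chain" ACCEPT 2>/dev/null || true
    done
    for chain in PREROUTING OUTPUT; do
        $IPTABLES -t raw -P "$chain" ACCEPT 2>/dev/null || true
    done
}

# The related_icmp chain from the thread, plus the INPUT rules that send
# RELATED ICMP through it. Parameter Problem needs no separate handling:
# it is just one more RELATED ICMP error type.
related_icmp() {
    $IPTABLES -N related_icmp
    for type in destination-unreachable time-exceeded parameter-problem; do
        $IPTABLES -A related_icmp -p icmp --icmp-type "$type" -j ACCEPT
    done
    $IPTABLES -A related_icmp -j DROP
    $IPTABLES -A INPUT -m state --state ESTABLISHED -j ACCEPT
    $IPTABLES -A INPUT -m state --state RELATED -p icmp -j related_icmp
    $IPTABLES -A INPUT -m state --state RELATED -j ACCEPT
}

# Per-interface rp_filter loop. The sysctl directory is a parameter so the
# function can be exercised against a fake tree without root.
set_rp_filter() {
    dir="${1:-/proc/sys/net/ipv4/conf}"
    for f in "$dir"/*/rp_filter; do
        if [ -e "$f" ]; then
            echo 1 > "$f"
        fi
    done
}

# The MTU trick: an interface activated with an MTU below 1280 (the IPv6
# minimum) is not bound to IPv6; the MTU is restored afterwards.
# Assumption: iproute2's "ip link" is available.
up_without_ipv6() {
    dev="$1"
    mtu="${2:-1500}"
    $IP link set dev "$dev" mtu 1000
    $IP link set dev "$dev" up
    $IP link set dev "$dev" mtu "$mtu"
}

if [ "${1:-}" = apply ]; then
    reset_policies
    related_icmp
    set_rp_filter
fi
```

Run it as "sh laptop-fw.sh apply" without setting IPTABLES to see the full rule list it would load; with "IPTABLES=iptables" as root it applies them. up_without_ipv6 is deliberately not called from the top level, since it must run before the interface comes up (for example from the pre-up hook of the interface), with the interface name and its normal MTU as arguments.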


