Re: arno-iptable-firewall: bugfix backport or new upstream service release for squeeze?
Hi Mehdi,
On Fri, Aug 27, 2010 at 05:46:47PM +0200, Mehdi Dogguy wrote:
> In general, a backported bugfix is preferred. However, a diff between
> the two versions would help us to decide on whether it is worth
> including the new release. Could you please provide such a diff?
The diff between the version currently in testing and the latest upstream
version is attached. For the sake of clarity I stripped all hunks that
contained only changes in comments or indentation.
I'd like to reiterate that this diff contains more bugfixes than the
BTS currently has patches for.
Thanks,
Michael
--
GPG key: 1024D/3144BE0F Michael Hanke
http://mih.voxindeserto.de
diff --git a/bin/arno-iptables-firewall b/bin/arno-iptables-firewall
index 04fb045..65d1d58 100755
--- a/bin/arno-iptables-firewall
+++ b/bin/arno-iptables-firewall
@@ -421,7 +421,7 @@ setup_kernel_settings()
# Disable ICMP send_redirect
############################
- sysctl -w net.ipv4.conf.all.send_redirects=0
+ sysctl_set_all "net.ipv4.conf" "send_redirects" 0
# Don't accept source routed packets.
# Attackers can use source routing to generate
@@ -431,10 +431,10 @@ setup_kernel_settings()
###################################################################################
if [ "$SOURCE_ROUTE_PROTECTION" = "0" ]; then
echo " DISABLING protection against source routed packets"
- sysctl -w net.ipv4.conf.all.accept_source_route=1
+ sysctl_set_all "net.ipv4.conf" "accept_source_route" 1
else
echo " Enabling protection against source routed packets"
- sysctl -w net.ipv4.conf.all.accept_source_route=0
+ sysctl_set_all "net.ipv4.conf" "accept_source_route" 0
fi
# ICMP Broadcasting protection (smurf amplifier protection)
@@ -511,20 +511,19 @@ setup_kernel_settings()
######################################################################
if [ "$RP_FILTER" = "1" ]; then
echo " Enabling anti-spoof with rp_filter"
- sysctl -w net.ipv4.conf.all.rp_filter=1
+ sysctl_set_all "net.ipv4.conf" "rp_filter" 1
else
echo " Disabling anti-spoof with rp_filter"
- sysctl -w net.ipv4.conf.all.rp_filter=0
+ sysctl_set_all "net.ipv4.conf" "rp_filter" 0
fi
-
# Block ALL ICMP echo requests?
###############################
if [ "$ECHO_IGNORE" = "1" ]; then
echo " Blocking all ICMP echo-requests"
- sysctl -w net.ipv4.icmp_echo_ignore_all=1
+ sysctl_set_all "net.ipv4" "icmp_echo_ignore_all" 1
else
- sysctl -w net.ipv4.icmp_echo_ignore_all=0
+ sysctl_set_all "net.ipv4" "icmp_echo_ignore_all" 0
fi
# Add synflood protection?
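Review bot: The two `sysctl_set_all "net.ipv4" "icmp_echo_ignore_all" …` calls in this hunk cannot match any key: the helper's grep pattern `^$PREFIX\..*\.$VARIABLE$` (see sysctl_set_all in the environment diff) requires at least one further dot-separated component between prefix and variable, and `net.ipv4.icmp_echo_ignore_all` has none, so the ECHO_IGNORE setting silently becomes a no-op and nothing is reported. Only wildcard keys of the form `net.ipv4.conf.<if>.<var>` fit the helper; keep the plain wrapper for this key, i.e. `sysctl -w net.ipv4.icmp_echo_ignore_all=1` and `sysctl -w net.ipv4.icmp_echo_ignore_all=0`, or relax the helper's pattern. The enclosing setup_kernel_settings body extends beyond this hunk.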
@@ -541,20 +540,20 @@ setup_kernel_settings()
###############
if [ "$LOG_MARTIANS" = "1" ]; then
echo " Enabling the logging of martians"
- sysctl -w net.ipv4.conf.all.log_martians=1
+ sysctl_set_all "net.ipv4.conf" "log_martians" 1
else
echo " Disabling the logging of martians"
- sysctl -w net.ipv4.conf.all.log_martians=0
+ sysctl_set_all "net.ipv4.conf" "log_martians" 0
fi
# Accept ICMP redirect messages?
################################
if [ "$ICMP_REDIRECT" = "1" ]; then
echo " Enabling the acception of ICMP-redirect messages"
- sysctl -w net.ipv4.conf.all.accept_redirects=1
+ sysctl_set_all "net.ipv4.conf" "accept_redirects" 1
else
echo " Disabling the acception of ICMP-redirect messages"
- sysctl -w net.ipv4.conf.all.accept_redirects=0
+ sysctl_set_all "net.ipv4.conf" "accept_redirects" 0
fi
# Time To Live (TTL) is the term for a data field in the internet protocol.
@@ -614,7 +613,7 @@ setup_kernel_settings()
# Disable ICMP send_redirect
############################
- sysctl -w net.ipv6.conf.all.send_redirects=0
+ sysctl_set_all "net.ipv6.conf" "send_redirects" 0
# Don't accept source routed packets.
# Attackers can use source routing to generate
@@ -624,28 +623,28 @@ setup_kernel_settings()
###################################################################################
if [ "$SOURCE_ROUTE_PROTECTION" = "0" ]; then
echo " DISABLING protection against source routed packets"
- sysctl -w net.ipv6.conf.all.accept_source_route=1
+ sysctl_set_all "net.ipv6.conf" "accept_source_route" 1
else
echo " Enabling protection against source routed packets"
- sysctl -w net.ipv6.conf.all.accept_source_route=0
+ sysctl_set_all "net.ipv6.conf" "accept_source_route" 0
fi
# Accept ICMP redirect messages?
################################
if [ "$ICMP_REDIRECT" = "1" ]; then
echo " Enabling the acception of ICMP-redirect messages"
- sysctl -w net.ipv6.conf.all.accept_redirects=1
+ sysctl_set_all "net.ipv6.conf" "accept_redirects" 1
else
echo " Disabling the acception of ICMP-redirect messages"
- sysctl -w net.ipv6.conf.all.accept_redirects=0
+ sysctl_set_all "net.ipv6.conf" "accept_redirects" 0
fi
- # IP forwarding (need it to perform for example NAT)
- ####################################################
+ # Enable IP forwarding?
+ #######################
if [ "$IP_FORWARDING" != "0" ]; then
- sysctl -w -e net.ipv6.conf.all.forwarding=1
+ sysctl_set_all "net.ipv6.conf" "forwarding" 1
else
- sysctl -w -e net.ipv6.conf.all.forwarding=0 2>/dev/null
+ sysctl_set_all "net.ipv6.conf" "forwarding" 0 2>/dev/null
fi
echo " Flushing route table"
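Review bot: The `2>/dev/null` on `sysctl_set_all "net.ipv6.conf" "forwarding" 0` no longer does what it was written for: it came from the old `sysctl -w -e` call and hid a missing-key error, but the helper only iterates over keys that `$SYSCTL -a` actually lists and writes its own diagnostics to stderr, so the redirect now only hides the red failure message the helper prints on a write error. Drop it so the line reads `sysctl_set_all "net.ipv6.conf" "forwarding" 0`, matching the `=1` branch two lines above. setup_kernel_settings continues past this hunk.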
@@ -980,35 +979,43 @@ setup_reserved_net_chk_chain()
setup_spoof_chk_chain()
{
# Anti-spoof protection for the internal net
- if [ -n "$INT_IF" ]; then
- printf "Setting up (antispoof) INTERNAL net(s): "
- IFS=' ,'
- for net in $INTERNAL_NET; do
- printf "$net "
- for interface in $INT_IF; do
- # Any internal net is valid
- iptables -A SPOOF_CHK -i $interface -s $net -j RETURN
+ if [ -n "$INT_IF" ] && [ -n "$INTERNAL_NET" ]; then
+ if [ "$INTERNAL_NET_ANTISPOOF" != "0" ]; then
+ printf "Setting up antispoof for INTERNAL net(s): "
+ IFS=' ,'
+ for net in $INTERNAL_NET; do
+ printf "$net "
+ for interface in $INT_IF; do
+ # Any internal net is valid
+ iptables -A SPOOF_CHK -i $interface -s $net -j RETURN
+ done
+ iptables -A SPOOF_CHK -s $net -m limit --limit 3/m -j LOG --log-level $LOGLEVEL --log-prefix "AIF:Spoofed packet: "
+ iptables -A SPOOF_CHK -s $net -j POST_INPUT_DROP_CHAIN
done
- iptables -A SPOOF_CHK -s $net -m limit --limit 3/m -j LOG --log-level $LOGLEVEL --log-prefix "AIF:Spoofed packet: "
- iptables -A SPOOF_CHK -s $net -j POST_INPUT_DROP_CHAIN
- done
- echo ""
+ echo ""
+ else
+ echo "Antispoof for INTERNAL net(s) DISABLED!"
+ fi
fi
# Anti-spoof protection for the DMZ net
- if [ -n "$DMZ_IF" ]; then
- printf "Setting up (antispoof) DMZ net(s): "
- IFS=' ,'
- for net in $DMZ_NET; do
- printf "$net "
- for interface in $DMZ_IF; do
- # Any dmz net is valid
- iptables -A SPOOF_CHK -i $interface -s $net -j RETURN
+ if [ -n "$DMZ_IF" ] && [ -n "$DMZ_NET" ]; then
+ if [ "$DMZ_NET_ANTISPOOF" != "0" ]; then
+ printf "Setting up antispoof for DMZ net(s): "
+ IFS=' ,'
+ for net in $DMZ_NET; do
+ printf "$net "
+ for interface in $DMZ_IF; do
+ # Any dmz net is valid
+ iptables -A SPOOF_CHK -i $interface -s $net -j RETURN
+ done
+ iptables -A SPOOF_CHK -s $net -m limit --limit 3/m -j LOG --log-level $LOGLEVEL --log-prefix "AIF:Spoofed packet: "
+ iptables -A SPOOF_CHK -s $net -j POST_INPUT_DROP_CHAIN
done
- iptables -A SPOOF_CHK -s $net -m limit --limit 3/m -j LOG --log-level $LOGLEVEL --log-prefix "AIF:Spoofed packet: "
- iptables -A SPOOF_CHK -s $net -j POST_INPUT_DROP_CHAIN
- done
- echo ""
+ echo ""
+ else
+ echo "Antispoof for DMZ net(s) DISABLED!"
+ fi
fi
# Everything else is valid
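Review bot: The INTERNAL and DMZ branches of setup_spoof_chk_chain are now line-for-line duplicates that differ only in the label, the interface list and the net list, which makes the two sets of antispoof rules easy to let drift apart; a small helper taking those three values keeps them in sync. It would also be the occasion to stop passing the net value as the printf format string (`printf "$net "`, kept on both sides of the hunk) and use `printf '%s ' "$net"`. The function's tail (from `# Everything else is valid`) continues beyond the hunk.
```shell
# Antispoof rules for one zone: $1 = label, $2 = interface list, $3 = net list
setup_spoof_chk_nets()
{
  local label="$1" zone_ifs="$2" zone_nets="$3"
  printf 'Setting up antispoof for %s net(s): ' "$label"
  IFS=' ,'
  for net in $zone_nets; do
    printf '%s ' "$net"
    for interface in $zone_ifs; do
      # Any net of this zone is valid on its own interface(s)
      iptables -A SPOOF_CHK -i $interface -s $net -j RETURN
    done
    iptables -A SPOOF_CHK -s $net -m limit --limit 3/m -j LOG --log-level $LOGLEVEL --log-prefix "AIF:Spoofed packet: "
    iptables -A SPOOF_CHK -s $net -j POST_INPUT_DROP_CHAIN
  done
  echo ""
}

# … unchanged: setup_spoof_chk_chain header and the INTERNAL_NET_ANTISPOOF check …
      setup_spoof_chk_nets "INTERNAL" "$INT_IF" "$INTERNAL_NET"
# … unchanged: DMZ_NET_ANTISPOOF check, calling setup_spoof_chk_nets "DMZ" "$DMZ_IF" "$DMZ_NET" …
```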
@@ -1076,7 +1083,7 @@ setup_dmz_input_chain()
#######################################
if [ -n "$DMZ_OPEN_TCP" ]; then
echo " Allowing TCP port(s): $DMZ_OPEN_TCP"
- unset IFS
+ IFS=' ,'
for port in $DMZ_OPEN_TCP; do
iptables -A DMZ_INPUT_CHAIN -p tcp --dport $port -j ACCEPT
done
@@ -1086,7 +1093,7 @@ setup_dmz_input_chain()
#######################################
if [ -n "$DMZ_OPEN_UDP" ]; then
echo " Allowing UDP port(s): $DMZ_OPEN_UDP"
- unset IFS
+ IFS=' ,'
for port in $DMZ_OPEN_UDP; do
iptables -A DMZ_INPUT_CHAIN -p udp --dport $port -j ACCEPT
done
@@ -1096,7 +1103,7 @@ setup_dmz_input_chain()
##########################################
if [ -n "$DMZ_OPEN_IP" ]; then
echo " Allowing IP protocol(s): $DMZ_OPEN_IP"
- unset IFS
+ IFS=' ,'
for proto in $DMZ_OPEN_IP; do
iptables -A DMZ_INPUT_CHAIN -p $proto -j ACCEPT
done
@@ -2061,7 +2068,7 @@ setup_int_input_chain()
#######################################################
if [ -n "$LAN_OPEN_TCP" ]; then
echo " Allowing TCP port(s): $LAN_OPEN_TCP"
- unset IFS
+ IFS=' ,'
for port in $LAN_OPEN_TCP; do
iptables -A INT_INPUT_CHAIN -p tcp --dport $port -j ACCEPT
done
@@ -2071,7 +2078,7 @@ setup_int_input_chain()
#######################################################
if [ -n "$LAN_OPEN_UDP" ]; then
echo " Allowing UDP port(s): $LAN_OPEN_UDP"
- unset IFS
+ IFS=' ,'
for port in $LAN_OPEN_UDP; do
iptables -A INT_INPUT_CHAIN -p udp --dport $port -j ACCEPT
done
@@ -2081,7 +2088,7 @@ setup_int_input_chain()
##########################################################
if [ -n "$LAN_OPEN_IP" ]; then
echo " Allowing IP protocol(s): $LAN_OPEN_IP"
- unset IFS
+ IFS=' ,'
for proto in $LAN_OPEN_IP; do
iptables -A INT_INPUT_CHAIN -p $proto -j ACCEPT
done
@@ -2098,7 +2105,7 @@ setup_int_input_chain()
#################################
if [ -n "$LAN_DENY_TCP" ]; then
echo " Denying TCP port(s): $LAN_DENY_TCP"
- unset IFS
+ IFS=' ,'
for port in $LAN_DENY_TCP; do
if [ "$LAN_INPUT_DENY_LOG" != "0" ]; then
iptables -A INT_INPUT_CHAIN -p tcp --dport $port -m limit \
@@ -2112,7 +2119,7 @@ setup_int_input_chain()
#################################
if [ -n "$LAN_DENY_UDP" ]; then
echo " Denying UDP port(s): $LAN_DENY_UDP"
- unset IFS
+ IFS=' ,'
for port in $LAN_DENY_UDP; do
if [ "$LAN_INPUT_DENY_LOG" != "0" ]; then
iptables -A INT_INPUT_CHAIN -p udp --dport $port -m limit \
@@ -2126,7 +2133,7 @@ setup_int_input_chain()
####################################
if [ -n "$LAN_DENY_IP" ]; then
echo " Denying IP protocol(s): $LAN_DENY_IP"
- unset IFS
+ IFS=' ,'
for proto in $LAN_DENY_IP; do
if [ "$LAN_INPUT_DENY_LOG" != "0" ]; then
iptables -A INT_INPUT_CHAIN -p $proto -m limit \
@@ -2510,8 +2517,6 @@ setup_lan_inet_forward_chain()
######################################################################################################################
setup_ext_input_chain()
{
- echo "Setting up external(INET) INPUT policy"
-
## Log scanning of port 0 fingerprinting
########################################
if [ "$SCAN_LOG" != "0" ]; then
@@ -2548,12 +2553,11 @@ setup_ext_input_chain()
iptables -A EXT_INPUT_CHAIN -p udp --sport 67 --dport 68 -j ACCEPT
fi
-
# Here we add support for a DHCP/BootP service on the EXTERNAL interface
########################################################################
if [ "$EXTERNAL_DHCP_SERVER" = "1" ]; then
echo " Enabling support for DHCP/BOOTP (DHCP server) for subnet(s): $EXTERNAL_NET"
- unset IFS
+ IFS=' ,'
for net in $EXTERNAL_NET; do
# Allow this host to be a DHCP/BOOTP-server:
iptables -A EXT_INPUT_CHAIN -d 255.255.255.255 -p udp --dport 67 -j ACCEPT
@@ -2570,7 +2574,7 @@ setup_ext_input_chain()
###################################################################
if [ "$NMB_BROADCAST_FIX" = "1" ]; then
echo " Enabling support for NMB-broadcasts(Samba) for subnet(s): $EXTERNAL_NET"
- unset IFS
+ IFS=' ,'
for net in $EXTERNAL_NET; do
iptables -A EXT_INPUT_CHAIN -s $net -p udp --sport 137 --dport "$LOCAL_PORT_RANGE" -j ACCEPT
done
@@ -3326,130 +3330,92 @@ setup_ext_input_chain()
###########################
iptables -A EXT_INPUT_CHAIN -p tcp ! --syn -j POST_INPUT_DROP_CHAIN
- # Check whether IPv4 or IPv6 is used
+ # Setup IPv4 chain to handle broadcast traffic
if [ "$IPV6_SUPPORT" != "1" ]; then
- # Disable logging of certain TCP broadcasts on the external interface
- #####################################################################
- unset IFS
- for rule in $BROADCAST_TCP_NOLOG; do
- interfaces=`get_ifs "$rule"`
- destips=`get_ips "$rule"`
- ports=`get_ports_ip "$rule"`
-
- echo " $(show_if_ip "$interfaces" "$destips")Logging of external subnet broadcasts disabled for TCP port(s): $ports"
+ iptables -A EXT_INPUT_CHAIN -d 255.255.255.255 -j EXT_BROADCAST_CHAIN
+ iptables -A EXT_INPUT_CHAIN -d 224.0.0.0/24 -j EXT_BROADCAST_CHAIN
+ #iptables -A EXT_INPUT_CHAIN -m pkttype --pkt-type broadcast -j EXT_BROADCAST_CHAIN
+ #iptables -A EXT_INPUT_CHAIN -m addrtype --dst-type BROADCAST -j EXT_BROADCAST_CHAIN
+ if [ -n "$EXT_NET_BCAST_ADDRESS" ]; then
IFS=' ,'
- for port in $ports; do
- for interface in $interfaces; do
- iptables -A EXT_INPUT_CHAIN -i $interface -d 255.255.255.255 -p tcp --dport $port -j DROP
- iptables -A EXT_INPUT_CHAIN -i $interface -d 224.0.0.0/24 -p tcp --dport $port -j DROP
-
- #iptables -A EXT_INPUT_CHAIN -i $interface -p tcp --dport $port -m pkttype --pkt-type broadcast -j DROP
- #iptables -A EXT_INPUT_CHAIN -i $interface -p tcp --dport $port -m addrtype --dst-type BROADCAST -j DROP
- if [ -n "$EXT_NET_BCAST_ADDRESS" ]; then
- for address in $EXT_NET_BCAST_ADDRESS; do
- iptables -A EXT_INPUT_CHAIN -i $interface -d $address -p tcp --dport $port -j DROP
- done
- else
- for net in $EXTERNAL_NET; do
- # Class C net
- iptables -A EXT_INPUT_CHAIN -i $interface -d $(echo $net |awk -F. '{ print $1"."$2"."$3".255" }') \
- -p tcp --dport $port -j DROP
-
- # Class B net
- iptables -A EXT_INPUT_CHAIN -i $interface -d $(echo $net |awk -F. '{ print $1"."$2".255.255" }') \
- -p tcp --dport $port -j DROP
-
- # Class A net
- iptables -A EXT_INPUT_CHAIN -i $interface -d $(echo $net |awk -F. '{ print $1".255.255.255" }') \
- -p tcp --dport $port -j DROP
- done
- fi
- done
+ for address in $EXT_NET_BCAST_ADDRESS; do
+ iptables -A EXT_INPUT_CHAIN -d $address -j EXT_BROADCAST_CHAIN
done
- done
-
- # Disable logging of certain UDP broadcasts on the external interface
- ##########################################################################################
- unset IFS
- for rule in $BROADCAST_UDP_NOLOG; do
- interfaces=`get_ifs "$rule"`
- destips=`get_ips "$rule"`
- ports=`get_ports_ip "$rule"`
-
- echo " $(show_if_ip "$interfaces" "$destips")Logging of external subnet broadcasts disabled for UDP port(s): $ports"
-
+ else
IFS=' ,'
- for port in $ports; do
- for interface in $interfaces; do
- iptables -A EXT_INPUT_CHAIN -i $interface -d 255.255.255.255 -p udp --dport $port -j DROP
- iptables -A EXT_INPUT_CHAIN -i $interface -d 224.0.0.0/24 -p udp --dport $port -j DROP
-
- #iptables -A EXT_INPUT_CHAIN -i $interface -p udp --dport $port -m pkttype --pkt-type broadcast -j DROP
- #iptables -A EXT_INPUT_CHAIN -i $interface -p udp --dport $port -m addrtype --dst-type BROADCAST -j DROP
- if [ -n "$EXT_NET_BCAST_ADDRESS" ]; then
- for address in $EXT_NET_BCAST_ADDRESS; do
- iptables -A EXT_INPUT_CHAIN -i $interface -d $address -p udp --dport $port -j DROP
- done
- else
- for net in $EXTERNAL_NET; do
- # Class C net
- iptables -A EXT_INPUT_CHAIN -i $interface -d $(echo $net |awk -F. '{ print $1"."$2"."$3".255" }') \
- -p udp --dport $port -j DROP
-
- # Class B net
- iptables -A EXT_INPUT_CHAIN -i $interface -d $(echo $net |awk -F. '{ print $1"."$2".255.255" }') \
- -p udp --dport $port -j DROP
-
- # Class A net
- iptables -A EXT_INPUT_CHAIN -i $interface -d $(echo $net |awk -F. '{ print $1".255.255.255" }') \
- -p udp --dport $port -j DROP
- done
- fi
- done
+ for net in $EXTERNAL_NET; do
+ # Class C net
+ iptables -A EXT_INPUT_CHAIN -d $(echo $net |awk -F. '{ print $1"."$2"."$3".255" }') \
+ -j EXT_BROADCAST_CHAIN
+
+ # Class B net
+ iptables -A EXT_INPUT_CHAIN -d $(echo $net |awk -F. '{ print $1"."$2".255.255" }') \
+ -j EXT_BROADCAST_CHAIN
+
+ # Class A net
+ iptables -A EXT_INPUT_CHAIN -d $(echo $net |awk -F. '{ print $1".255.255.255" }') \
+ -j EXT_BROADCAST_CHAIN
done
- done
+ fi
fi
-
-
- # Log connection attempts to privileged TCP ports?
+
+ # Log packets to privileged TCP ports?
##################################################
if [ "$PRIV_TCP_LOG" != "0" ]; then
- echo " Logging of (other) connection attempts to PRIVILEGED TCP ports enabled"
+ echo " Logging of (other) packets to PRIVILEGED TCP ports enabled"
iptables -A EXT_INPUT_CHAIN -p tcp --dport :1023 \
- -m limit --limit 6/m --limit-burst 2 -j LOG --log-level $LOGLEVEL --log-prefix "AIF:PRIV connect attempt: "
+ -m limit --limit 6/m --limit-burst 2 -j LOG --log-level $LOGLEVEL --log-prefix "AIF:PRIV TCP packet: "
+ iptables -A EXT_BROADCAST_CHAIN -p tcp --dport :1023 \
+ -m limit --limit 6/m --limit-burst 2 -j LOG --log-level $LOGLEVEL --log-prefix "AIF:PRIV TCP broadcast: "
else
- echo " Logging of (other) connection attempts to PRIVILEGED TCP ports disabled"
+ echo " Logging of (other) packets to PRIVILEGED TCP ports disabled"
fi
- # Log connection attempts to privileged UDP ports?
+ # Log packets to privileged UDP ports?
##################################################
if [ "$PRIV_UDP_LOG" != "0" ]; then
- echo " Logging of (other) connection attempts to PRIVILEGED UDP ports enabled"
+ echo " Logging of (other) packets to PRIVILEGED UDP ports enabled"
iptables -A EXT_INPUT_CHAIN -p udp --dport :1023 \
- -m limit --limit 6/m --limit-burst 2 -j LOG --log-level $LOGLEVEL --log-prefix "AIF:PRIV connect attempt: "
+ -m limit --limit 6/m --limit-burst 2 -j LOG --log-level $LOGLEVEL --log-prefix "AIF:PRIV UDP packet: "
+ iptables -A EXT_BROADCAST_CHAIN -p udp --dport :1023 \
+ -m limit --limit 6/m --limit-burst 2 -j LOG --log-level $LOGLEVEL --log-prefix "AIF:PRIV UDP broadcast: "
else
- echo " Logging of (other) connection attempts to PRIVILEGED UDP ports disabled"
+ echo " Logging of (other) packets to PRIVILEGED UDP ports disabled"
fi
- # Log connection attempts to unprivileged TCP ports?
+ # Log packets to unprivileged TCP ports?
####################################################
if [ "$UNPRIV_TCP_LOG" != "0" ]; then
- echo " Logging of (other) connection attempts to UNPRIVILEGED TCP ports enabled"
+ echo " Logging of (other) packets to UNPRIVILEGED TCP ports enabled"
iptables -A EXT_INPUT_CHAIN -p tcp --dport 1024: \
- -m limit --limit 6/m --limit-burst 2 -j LOG --log-level $LOGLEVEL --log-prefix "AIF:UNPRIV connect attempt: "
+ -m limit --limit 6/m --limit-burst 2 -j LOG --log-level $LOGLEVEL --log-prefix "AIF:UNPRIV TCP packet: "
+ iptables -A EXT_BROADCAST_CHAIN -p tcp --dport 1024: \
+ -m limit --limit 6/m --limit-burst 2 -j LOG --log-level $LOGLEVEL --log-prefix "AIF:UNPRIV TCP broadcast: "
else
- echo " Logging of (other) connection attempts to UNPRIVILEGED TCP ports disabled"
+ echo " Logging of (other) packets to UNPRIVILEGED TCP ports disabled"
fi
- # Log connection attempts to unprivileged UDP ports?
+ # Log packets to unprivileged UDP ports?
####################################################
if [ "$UNPRIV_UDP_LOG" != "0" ]; then
- echo " Logging of (other) connection attempts to UNPRIVILEGED UDP ports enabled"
+ echo " Logging of (other) packets to UNPRIVILEGED UDP ports enabled"
iptables -A EXT_INPUT_CHAIN -p udp --dport 1024: \
- -m limit --limit 6/m --limit-burst 2 -j LOG --log-level $LOGLEVEL --log-prefix "AIF:UNPRIV connect attempt: "
+ -m limit --limit 6/m --limit-burst 2 -j LOG --log-level $LOGLEVEL --log-prefix "AIF:UNPRIV UDP packet: "
+ iptables -A EXT_BROADCAST_CHAIN -p udp --dport 1024 \
+ -m limit --limit 6/m --limit-burst 2 -j LOG --log-level $LOGLEVEL --log-prefix "AIF:UNPRIV UDP broadcast: "
+ else
+ echo "Logging of (other) packets to UNPRIVILEGED UDP ports disabled"
+ fi
+
+ # Do we want to log igmp packets?
+ #############################################
+ if [ "$IGMP_LOG" != "0" -a -n "$IGMP_PROTO" ]; then
+ echo " Logging of IGMP packets enabled"
+ iptables -A EXT_INPUT_CHAIN -p $IGMP_PROTO \
+ -m limit --limit 1/m --limit-burst 5 -j LOG --log-level $LOGLEVEL --log-prefix "AIF:IGMP packet: "
else
- echo "Logging of (other) connection attempts to UNPRIVILEGED UDP ports disabled"
+ echo " Logging of IGMP packets disabled"
fi
# Allow all packets that have been locally redirected
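Review bot: `iptables -A EXT_BROADCAST_CHAIN -p udp --dport 1024 \` in the UNPRIV_UDP_LOG branch lacks the trailing colon, so the new broadcast log rule matches only port 1024 instead of the unprivileged range that the sibling `--dport 1024:` rules cover; it should read `iptables -A EXT_BROADCAST_CHAIN -p udp --dport 1024: \`. In the IGMP block, `[ "$IGMP_LOG" != "0" -a -n "$IGMP_PROTO" ]` uses the `-a` test operator where the rest of the diff writes `[ … ] && [ … ]`, and its else branch prints "Logging of IGMP packets disabled" even with IGMP_LOG=1 under IPv6 (where the environment sets IGMP_PROTO empty), which reads as a misconfiguration rather than a platform limitation. setup_ext_input_chain continues outside this hunk.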
@@ -3459,6 +3425,9 @@ setup_ext_input_chain()
iptables -A EXT_INPUT_CHAIN -m conntrack --ctstate DNAT -j ACCEPT
fi
+ # Finally drop all in the broadcast chain
+ iptables -A EXT_BROADCAST_CHAIN -j DROP
+
# Jump into the POST_INPUT_CHAIN before we start to DROP
iptables -A EXT_INPUT_CHAIN -j POST_INPUT_CHAIN
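Review bot: The comment `# Finally drop all in the broadcast chain` understates a behaviour change: packets to 255.255.255.255, 224.0.0.0/24 and the derived net broadcasts now jump into EXT_BROADCAST_CHAIN earlier in setup_ext_input_chain and terminate on this DROP, so they never reach the POST_INPUT_CHAIN jump on the next line or anything appended after it, whereas before they fell through the inline rules. If POST_INPUT_CHAIN is meant to be extensible by users or plugins (not visible here), that is worth stating, e.g. `# Finally drop all in the broadcast chain; broadcast traffic never reaches POST_INPUT_CHAIN`. The function continues on both sides of the hunk.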
@@ -3466,16 +3435,19 @@ setup_ext_input_chain()
##################################
iptables -A EXT_INPUT_CHAIN -p tcp -j POST_INPUT_DROP_CHAIN
iptables -A EXT_INPUT_CHAIN -p udp -j POST_INPUT_DROP_CHAIN
+ if [ -n "$IGMP_PROTO" ]; then
+ iptables -A EXT_INPUT_CHAIN -p $IGMP_PROTO -j POST_INPUT_DROP_CHAIN
+ fi
iptables -A EXT_INPUT_CHAIN -p $ICMP_PROTO -j POST_INPUT_DROP_CHAIN
# Do we want to log non udp/tcp/icmp packets?
#############################################
if [ "$OTHER_IP_LOG" != "0" ]; then
- echo " Logging of other IP protocols (non TCP/UDP/ICMP) connection attempts enabled"
+ echo " Logging of other IP protocols (non TCP/UDP/ICMP/IGMP) packets enabled"
iptables -A EXT_INPUT_CHAIN \
- -m limit --limit 1/m --limit-burst 5 -j LOG --log-level $LOGLEVEL --log-prefix "AIF:Connect attempt: "
+ -m limit --limit 1/m --limit-burst 5 -j LOG --log-level $LOGLEVEL --log-prefix "AIF:Other connect: "
else
- echo " Logging of other IP protocols (non TCP/UDP/ICMP) connection attempts disabled"
+ echo " Logging of other IP protocols (non TCP/UDP/ICMP/IGMP) packets disabled"
fi
# Drop all remaining packets
@@ -3541,8 +3513,6 @@ setup_ext_icmp_flood_chain()
######################################################################################################################
setup_ext_output_chain()
{
- echo "Setting up external(INET) OUTPUT policy"
-
# This rule is for hostwise OUTPUT TCP blocking
###############################################
unset IFS
@@ -3718,6 +3688,47 @@ setup_ext_output_chain()
}
+# Helper chain to catch broadcast traffic
+setup_ext_broadcast_chain()
+{
+ # Disable logging of certain TCP broadcasts on the external interface
+ #####################################################################
+ unset IFS
+ for rule in $BROADCAST_TCP_NOLOG; do
+ interfaces=`get_ifs "$rule"`
+ destips=`get_ips "$rule"`
+ ports=`get_ports_ip "$rule"`
+
+ echo " $(show_if_ip "$interfaces" "$destips")Logging of external subnet broadcasts disabled for TCP port(s): $ports"
+
+ IFS=' ,'
+ for port in $ports; do
+ for interface in $interfaces; do
+ iptables -A EXT_BROADCAST_CHAIN -i $interface -p tcp --dport $port -j DROP
+ done
+ done
+ done
+
+ # Disable logging of certain UDP broadcasts on the external interface
+ ##########################################################################################
+ unset IFS
+ for rule in $BROADCAST_UDP_NOLOG; do
+ interfaces=`get_ifs "$rule"`
+ destips=`get_ips "$rule"`
+ ports=`get_ports_ip "$rule"`
+
+ echo " $(show_if_ip "$interfaces" "$destips")Logging of external subnet broadcasts disabled for UDP port(s): $ports"
+
+ IFS=' ,'
+ for port in $ports; do
+ for interface in $interfaces; do
+ iptables -A EXT_BROADCAST_CHAIN -i $interface -p udp --dport $port -j DROP
+ done
+ done
+ done
+}
+
+
# This creates the input logging rules
##########################################################
setup_input_log()
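Review bot: The header `# Helper chain to catch broadcast traffic` does not say that setup_ext_broadcast_chain only adds the BROADCAST_TCP_NOLOG/BROADCAST_UDP_NOLOG exceptions to EXT_BROADCAST_CHAIN, while the chain is created in create_user_chains, jumped to from setup_ext_input_chain and terminated by the DROP that setup_ext_input_chain appends, so it must run before setup_ext_input_chain as setup_firewall_rules now does; a header along the lines of `# Populate EXT_BROADCAST_CHAIN with the BROADCAST_*_NOLOG exceptions; setup_ext_input_chain adds the jumps to it and its final DROP, so call this first` would record that ordering. `destips` is computed and shown but, as in the code this replaces, not used in any rule, so the display may promise a destination restriction the rules do not enforce. The TCP and UDP halves differ only in the protocol and the variable name and could share one loop.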
@@ -4071,6 +4082,12 @@ setup_hostblock_chain()
return
fi
+ if [ "$BLOCK_HOSTS_BIDIRECTIONAL" != "0" ]; then
+ echo "Blocking (blackhole) direction: Inbound and Outbound"
+ else
+ echo "Blocking (blackhole) direction: Inbound Only"
+ fi
+
# Set default to DROP all while rules are added
iptables -A HOST_BLOCK_SRC -j DROP
iptables -A HOST_BLOCK_DST -j DROP
@@ -4088,7 +4105,9 @@ setup_hostblock_chain()
for host in `ip_range "$hosts"`; do
iptables_batch -A HOST_BLOCK_SRC -s $host -j HOST_BLOCK_DROP
- iptables_batch -A HOST_BLOCK_DST -d $host -j HOST_BLOCK_DROP
+ if [ "$BLOCK_HOSTS_BIDIRECTIONAL" != "0" ]; then
+ iptables_batch -A HOST_BLOCK_DST -d $host -j HOST_BLOCK_DROP
+ fi
done
done
echo ""
@@ -4106,7 +4125,7 @@ setup_hostblock_chain()
# Support both a '#' and a ';' as a comment delimiter in BLOCK_HOSTS_FILE file
unset IFS
- cat "$BLOCK_HOSTS_FILE" |sed -e 's|[#;].*||' -e 's| *$||' | while read hosts; do
+ cat "$BLOCK_HOSTS_FILE" |sed -e 's|[#;].*||' -e 's| *$||' |while read hosts; do
cur_cnt=$(($cur_cnt + 100))
progress_bar $cur_cnt $total_cnt
@@ -4114,7 +4133,9 @@ setup_hostblock_chain()
IFS=','
for host in `ip_range "$hosts"`; do
iptables_batch -A HOST_BLOCK_SRC -s $host -j HOST_BLOCK_DROP
- iptables_batch -A HOST_BLOCK_DST -d $host -j HOST_BLOCK_DROP
+ if [ "$BLOCK_HOSTS_BIDIRECTIONAL" != "0" ]; then
+ iptables_batch -A HOST_BLOCK_DST -d $host -j HOST_BLOCK_DROP
+ fi
done
unset IFS
fi
@@ -4328,12 +4349,13 @@ plugins_status()
{
# Load/insert user plugins
if [ -e "$PLUGIN_LOAD_FILE" ]; then
- printf "\nShowing status of (user) plugins...\n"
+ printf "\nShowing status of (user) plugins:\n"
+ echo "---------------------------------"
IFS=$EOL
for plugin in `cat "$PLUGIN_LOAD_FILE"`; do
# Only issue the status command for plugins that support the PLUGIN_CMD-variable:
- if grep -q "^plugin_status\(\)" $plugin; then
+ if grep -q "^plugin_status\(\)" "$plugin"; then
# Preset ENABLED=0 to make sure the plugin only
# gets loaded if the config has an explicit ENABLED=1:
ENABLED=0
@@ -4341,7 +4363,9 @@ plugins_status()
PLUGIN_CMD=status
# Source the plugin:
+ printf "=>"
. "$plugin"
+ echo ""
fi
done
fi
@@ -4366,16 +4390,14 @@ setup_firewall_rules()
ip4tables -P OUTPUT DROP
else
# IPv6 support available on the system?
- if sysctl -a 2>/dev/null |grep -q "^net.ipv6.conf"; then
- if [ -x "$IP6TABLES" ]; then
- echo "NOTE: IPv4 support enabled, setting default policy for IPv6 to DROP"
- ip6tables -P INPUT DROP
- ip6tables -P FORWARD DROP
- ip6tables -P OUTPUT DROP
- else
- printf "\033[40m\033[1;31mWARNING: IPv4 support enabled, but unable to set the default policy\033[0m\n" >&2
- printf "\033[40m\033[1;31m for IPv6 to DROP as the ip6tables-binary is not available!\033[0m\n" >&2
- fi
+ if [ -x "$IP6TABLES" ]; then
+ echo "NOTE: IPv4 support enabled, setting default policy for IPv6 to DROP"
+ ip6tables -P INPUT DROP
+ ip6tables -P FORWARD DROP
+ ip6tables -P OUTPUT DROP
+ elif sysctl -a 2>/dev/null |grep -q "^net.ipv6.conf"; then
+ printf "\033[40m\033[1;31mWARNING: IPv4 support enabled, but unable to set the default policy\033[0m\n" >&2
+ printf "\033[40m\033[1;31m for IPv6 to DROP as the ip6tables-binary is not available!\033[0m\n" >&2
fi
fi
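Review bot: The comment `# IPv6 support available on the system?` at the top of the else branch now describes only the `elif sysctl -a 2>/dev/null |grep -q "^net.ipv6.conf"` arm; the first arm sets the IPv6 DROP policies whenever `$IP6TABLES` is executable, whether or not the kernel has IPv6. Reword it to `# Set default DROP policy for IPv6 whenever ip6tables is present; warn only if the kernel has IPv6 but no ip6tables`. On a kernel without IPv6 the ip6tables calls will presumably fail and be reported by the wrapper — worth confirming that noise is intended. setup_firewall_rules continues outside the hunk.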
@@ -4445,9 +4467,14 @@ setup_firewall_rules()
iptables -A OUTPUT -f -j DROP
fi
- # Setup helper chains for EXTERNAL traffic:
- setup_ext_input_chain;
+ # Setup helper chains for EXTERNAL input traffic:
+ echo "Setting up external(INET) INPUT policy"
+ setup_ext_broadcast_chain;
setup_ext_icmp_flood_chain;
+ setup_ext_input_chain;
+
+ # Setup helper chains for EXTERNAL output traffic:
+ echo "Setting up external(INET) OUTPUT policy"
setup_ext_output_chain;
# This is used for your external (untrusted) interfaces
@@ -4726,8 +4753,9 @@ setup_firewall_rules()
printf "$net "
for interface in $EXT_IF; do
- # the "! -d $net" is to avoid problems with Freeswan etc.
- iptables -t nat -A POSTROUTING -o $interface -s $net ! -d $net -j MASQUERADE
+ # NOTE 1: The "! -d $net" is to avoid problems with Freeswan etc.
+ # NOTE 2: The "! --proto 41" is prevent IPv6 from being masqueraded
+ iptables -t nat -A POSTROUTING ! --proto 41 -o $interface -s $net ! -d $net -j MASQUERADE
done
done
echo ""
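Review bot: The comment `# NOTE 2: The "! --proto 41" is prevent IPv6 from being masqueraded` drops a word and does not say what protocol 41 is; `# NOTE 2: The "! --proto 41" is to prevent IPv6-in-IPv4 (6in4, IP protocol 41) tunnel traffic from being masqueraded` states the same thing precisely. The loop that contains these lines begins before the hunk.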
@@ -4905,6 +4933,7 @@ create_user_chains()
iptables -N LAN_INET_FORWARD_CHAIN
# Chains for the external interface
+ iptables -N EXT_BROADCAST_CHAIN
iptables -N EXT_ICMP_FLOOD_CHAIN
iptables -N EXT_INPUT_CHAIN
iptables -N EXT_FORWARD_IN_CHAIN
@@ -4954,6 +4983,7 @@ flush_user_chains()
iptables -F LAN_INET_FORWARD_CHAIN
# Chains for the external interface
+ iptables -F EXT_BROADCAST_CHAIN
iptables -F EXT_ICMP_FLOOD_CHAIN
iptables -F EXT_INPUT_CHAIN
iptables -F EXT_FORWARD_IN_CHAIN
@@ -5081,13 +5111,13 @@ show_status()
if [ "$MANGLE_TOS" = "1" ]; then
iptables -t mangle -nvL
fi
+
+ # Show plugin status
+ plugins_status;
else
#iptables -nvL $2 $3 $4 $5
iptables -xnvL $@
fi
-
- # Show plugin status
- plugins_status;
}
diff --git a/etc/arno-iptables-firewall/firewall.conf b/etc/arno-iptables-firewall/firewall.conf
index 330abdb..c238fd2 100644
--- a/etc/arno-iptables-firewall/firewall.conf
+++ b/etc/arno-iptables-firewall/firewall.conf
@@ -86,6 +86,11 @@ INT_IF=""
# -----------------------------------------------------------------------------
#INTERNAL_NET="192.168.0.0/24"
+# Set this variable to 0 to disable antispoof checking for the internal nets
+# (EXPERT SETTING!)
+# -----------------------------------------------------------------------------
+INTERNAL_NET_ANTISPOOF=1
+
# (EXPERT SETTING!) Here you can specify the IP address used for broadcasts
# on your internal subnet. You only need to set this option if you want to use
# the MAC filter AND you use a non-standard broadcast address
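Review bot: The new INTERNAL_NET_ANTISPOOF text says only that 0 "disables antispoof checking" without saying what is lost: with it set to 0 the SPOOF_CHK rules that log and drop packets carrying an INTERNAL_NET source address on a non-internal interface are not installed. Spell that out, e.g. `# Set this variable to 0 to disable antispoof checking for the internal nets:` / `# packets claiming an INTERNAL_NET source address are then no longer logged and` / `# dropped on other interfaces (EXPERT SETTING!)`. The DMZ_NET_ANTISPOOF entry in the next hunk has the same gap.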
@@ -112,6 +117,10 @@ DMZ_IF=""
# -----------------------------------------------------------------------------
DMZ_NET=""
+# Set this variable to 0 to disable antispoof checking for the dmz nets
+# (EXPERT SETTING!)
+# -----------------------------------------------------------------------------
+DMZ_NET_ANTISPOOF=1
###############################################################################
# NAT (Masquerade, SNAT, DNAT) settings #
@@ -407,8 +416,12 @@ UNPRIV_TCP_LOG=1
# -----------------------------------------------------------------------------
UNPRIV_UDP_LOG=1
+# Enable logging of IGMP packets
+# -----------------------------------------------------------------------------
+IGMP_LOG=1
+
# Enable logging of normal connection attempts to "other-IP"-protocols (non
-# TCP/UDP/ICMP).
+# TCP/UDP/ICMP/IGMP).
# -----------------------------------------------------------------------------
OTHER_IP_LOG=1
@@ -1105,6 +1118,11 @@ REJECT_UDP_NOLOG=""
# -----------------------------------------------------------------------------
BLOCK_HOSTS=""
+# Blocked Hosts are by default blocked in both Inbound and Outbound directions.
+# If only Inbound blocking is desired, set to 0 to disable bidirectional blocking.
+# -----------------------------------------------------------------------------
+BLOCK_HOSTS_BIDIRECTIONAL=1
+
# Uncomment & specify here the location of the file that contains a list of
# hosts(IPs) that should be BLOCKED. IP ranges can (only) be specified as
# w.x.y.z1-z2 (eg. 192.168.1.10-15). Note that the last line of this file
diff --git a/share/arno-iptables-firewall/environment b/share/arno-iptables-firewall/environment
index a225bce..4445ce8 100644
--- a/share/arno-iptables-firewall/environment
+++ b/share/arno-iptables-firewall/environment
@@ -68,7 +68,7 @@ check_command()
{
local path
- IFS=' '
+ local IFS=' '
for cmd in $*; do
case "$cmd" in
/*) path="" ;;
@@ -170,7 +170,7 @@ lc()
note_iptables_error()
{
- unset IFS
+ local IFS=' '
for arg in $*; do
if [ "$arg" = "-A" ] || [ "$arg" = "-I" ]; then
return 0
@@ -283,7 +283,7 @@ modprobe()
retval=$?
if [ "$retval" != "0" ]; then
- if ! echo "$result" |grep -q -e '^FATAL: Module .* not found'; then
+ if ! echo "$result" |grep -q -e "Module .* not found" -e "Can't locate module"; then
# Show any (error) messages in red
printf "\033[40m\033[1;31m${MODPROBE} $@: ($retval) $result\033[0m\n" >&2
elif [ "$COMPILED_IN_KERNEL_MESSAGES" != "0" ]; then
@@ -330,7 +330,7 @@ modprobe_multi()
local retval
local result
- IFS=' '
+ local IFS=' '
for module in $MODULES; do
local modprobe_commandline="$MODPROBE"
if [ -n "$OPTIONS" ]; then
@@ -342,7 +342,7 @@ modprobe_multi()
retval=$?
if [ "$retval" != "0" ]; then
- if ! echo "$result" |grep -q -e '^FATAL: Module .* not found'; then
+ if ! echo "$result" |grep -q -e "Module .* not found" -e "Can't locate module"; then
# Show any (error) messages in red
printf "\033[40m\033[1;31m${modprobe_commandline}: ($retval) $result\033[0m\n" >&2
fi
@@ -388,10 +388,14 @@ sysctl()
if [ "$retval" != "0" ]; then
# Show any (error) messages in red
- printf "\033[40m\033[1;31msysctl $@: ($retval) $result\033[0m\n" >&2
+ printf "\033[40m\033[1;31m$SYSCTL $@: ($retval) $result\033[0m\n" >&2
return $retval
fi
- echo "${INDENT}sysctl $@"
+
+ if [ -n "$result" ]; then
+ echo "${INDENT}$result"
+ fi
+
return 0
}
@@ -411,7 +415,7 @@ sysctl_multi()
shift
done
- IFS=' '
+ local IFS=' '
for variable in $VARIABLES; do
if $SYSCTL "$(echo "$variable" |cut -d'=' -f1)" >/dev/null 2>&1; then
local sysctl_commandline="$SYSCTL"
@@ -424,7 +428,9 @@ sysctl_multi()
retval=$?
if [ "$retval" = "0" ]; then
- echo "${INDENT}${sysctl_commandline}"
+ if [ -n "$result" ]; then
+ echo "${INDENT}$result"
+ fi
return 0
else
printf "\033[40m\033[1;31m${sysctl_commandline}: ($retval) $result\033[0m\n" >&2
@@ -436,6 +442,34 @@ sysctl_multi()
}
+# Set a value for sysctl wildcard variables (like "net.ipv4.conf.*.rp_filter")
+# $1 = prefix (eg. net.ipv4.conf)
+# $2 = variable (eg. rp_filter)
+# $3 = value to set
+sysctl_set_all()
+{
+ local PREFIX="$1"
+ local VARIABLE="$2"
+ local VALUE="$3"
+
+ unset IFS
+ $SYSCTL -a 2>/dev/null |cut -d' ' -f1 |grep "^$PREFIX\..*\.$VARIABLE$" |while read ITEM; do
+ local sysctl_commandline="$SYSCTL -w $ITEM=$VALUE"
+ local result=`trace $sysctl_commandline 2>&1`
+ local retval=$?
+
+ if [ "$retval" = "0" ]; then
+ if [ -n "$result" ]; then
+ echo "${INDENT}$result"
+ fi
+ else
+ # Show any (error) messages in red
+ printf "\033[40m\033[1;31m${sysctl_commandline}: ($retval) $result\033[0m\n" >&2
+ fi
+ done
+}
+
+
# tc binary wrapper
###################
tc()
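Review bot: `local retval=$?` in sysctl_set_all captures the exit status of the `local` builtin, not of the traced sysctl command on the preceding line, so retval is effectively always 0 and a failed write is printed as a success with sysctl's error text as the result. Declare first and assign separately: `local result retval`, then `result=$(trace $sysctl_commandline 2>&1)` and `retval=$?`. Note also that the grep pattern `^$PREFIX\..*\.$VARIABLE$` only matches keys with a component between prefix and variable, so a non-wildcard key passed by a caller silently matches nothing, and that the `while read` body runs in a pipeline subshell, so unlike sysctl() this function never returns a failure status to its caller.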
@@ -456,7 +490,7 @@ ip()
####################
dig()
{
- local cnt=0 x=0 addr name line lines IFS retval
+ local cnt=0 x=0 addr name line lines retval IFS
if [ -n "$DIG" ]; then
if [ "$DNS_FAST_FAIL" = "1" ]; then
@@ -473,6 +507,7 @@ dig()
fi
shift
done
+
IFS=$EOL
for line in $lines; do
case "$line" in
@@ -504,6 +539,7 @@ dig()
done
if [ -n "$1" ]; then
lines="$($NSLOOKUP "$1" 2>/dev/null)"
+
IFS=$EOL
for line in $lines; do
cnt=$((cnt + 1))
@@ -543,11 +579,11 @@ dig()
# Helper function to expand out wildcards in interface name list
wildcard_ifs()
{
- local expnd if0 if1 IFS
+ local expnd if0 if1
expnd=""
- IFS=', '
+ local IFS=', '
for if0 in $*; do
if1="$if0"
case $if1 in
@@ -830,7 +866,7 @@ show_hostname()
local hostname=""
local FIRST=0
- IFS=' ,'
+ local IFS=' ,'
# Argument(s) contains IP(s)
for host in $1; do
if [ "$RESOLV_IPS" = "1" ]; then
@@ -886,6 +922,8 @@ show_hosts_ports()
# Helper function to translate host ranges from variable
ip_range()
{
+ local IFS
+
# Return the args if there is no '-' for improved execution speed
case "$@" in
*-*) ;;
@@ -903,7 +941,7 @@ ip_range()
stop="$(echo "$item" |cut -s -d'-' -f2 |grep -e '[0-9]')"
if [ -n "$stop" ] && [ -n "$start" ]; then
- unset IFS
+ IFS=' '
for x in `seq -s' ' $start $stop`; do
if [ "$FIRST" = "1" ]; then
FIRST=0
@@ -1010,10 +1048,12 @@ progress_bar()
# Check existance of an interface
check_interface()
{
- local interface IFS
+ local interface IFS=' '
+
+ local interfaces=$(ip -o link show | cut -d':' -f2)
unset IFS
- for interface in $(ip -o link show | cut -d':' -f2); do
+ for interface in $interfaces; do
case "$1" in
# Wildcard interface?
*+) if [ "${1%+}" = "${interface%%[0-9]*}" ]; then
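Review bot: `local interface IFS=' '` is followed two lines later by `unset IFS`, so the `=' '` assignment is dead and the pair reads as contradictory; the loop needs default (space/tab/newline) splitting of the `ip -o link show` lines, which the `unset` provides. Write `local interface interfaces IFS` on the first line and keep the `unset IFS`; if the intent is to restore the caller's IFS on return, how `unset` interacts with a variable declared `local` differs between shells and deserves a comment. The function body continues beyond the hunk.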
@@ -1137,6 +1177,7 @@ if [ "$IPV6_SUPPORT" = "1" ]; then
IPTABLES="$IP6TABLES"
ICMP_PROTO="icmpv6"
ICMP_TYPE="--icmpv6-type"
+ IGMP_PROTO=""
# If IPv6 support is enabled some options should be forced off as they
# are simply not supported (yet) by ip6tables
@@ -1145,6 +1186,7 @@ else
IPTABLES="$IP4TABLES"
ICMP_PROTO="icmp"
ICMP_TYPE="--icmp-type"
+ IGMP_PROTO="2"
fi
IPTABLES_SAVE="$(find_command "$IPTABLES"-save)"
diff --git a/share/arno-iptables-firewall/plugins/traffic-accounting-helper b/share/arno-iptables-firewall/plugins/traffic-accounting-helper
index 21b9c74..1e2849f 100755
--- a/share/arno-iptables-firewall/plugins/traffic-accounting-helper
+++ b/share/arno-iptables-firewall/plugins/traffic-accounting-helper
@@ -199,7 +199,7 @@ traffic_accounting_setup_rules()
IFS=' ,'
# Also add catch all rule (0.0.0.0/0)
- for host in 0.0.0.0/0 $TRAFFIC_ACCOUNTING_HOSTS; do
+ for host in $TRAFFIC_ACCOUNTING_HOSTS 0.0.0.0/0; do
if [ "$VERBOSE" = "1" ]; then
printf "Host=$host "
fi