From 7cd1a731e53a75f55b7d0daba60d3127c7f2a8fd Mon Sep 17 00:00:00 2001
From: Darren 'Tadgy' Austin
Date: Sun, 14 Feb 2021 20:51:01 +0000
Subject: [PATCH] Add extra icmp6 notifications to firewall.
---
 sample-rc.d/rc.firewall-float | 6 ++++--
 sample-rc.d/rc.firewall-guests | 12 +++++++-----
 sample-rc.d/rc.firewall-hosts | 2 ++
 3 files changed, 13 insertions(+), 7 deletions(-)
diff --git a/sample-rc.d/rc.firewall-float b/sample-rc.d/rc.firewall-float
index f6f9129..97a5213 100755
--- a/sample-rc.d/rc.firewall-float
+++ b/sample-rc.d/rc.firewall-float
@@ -2,7 +2,7 @@
 # The name of the main external interface.
 EX_IF="eth0"
-# The name of the VM-Private network interface.
+# The name of the Private network interface.
 PRI_IF="eth1"
 # IP addresses
@@ -49,7 +49,7 @@ iptables -A INPUT -i "$EX_IF" -s 192.168.0.0/16 -j DROP
 iptables -A INPUT -i lo -j ACCEPT
 ip6tables -A INPUT -i lo -j ACCEPT
-# Allow all VM-Private network traffic.
+# Allow all Private network traffic.
 iptables -A INPUT -i "$PRI_IF" -j ACCEPT
 ip6tables -A INPUT -i "$PRI_IF" -j ACCEPT
@@ -79,6 +79,8 @@ ip6tables -A INPUT -i "$EX_IF" -p icmpv6 --icmpv6-type time-exceeded -j ACCEPT
 iptables -A INPUT -i "$EX_IF" -p icmp --icmp-type parameter-problem -j ACCEPT
 ip6tables -A INPUT -i "$EX_IF" -p icmpv6 --icmpv6-type parameter-problem -j ACCEPT
 ip6tables -A INPUT -i "$EX_IF" -p icmpv6 --icmpv6-type packet-too-big -j ACCEPT
+#ip6tables -A INPUT -i "$EX_IF" -p icmpv6 --icmpv6-type neighbour-solicitation -j ACCEPT
+#ip6tables -A INPUT -i "$EX_IF" -p icmpv6 --icmpv6-type neighbour-advertisement -j ACCEPT
 # Always allow SSH.
 # Note: We never want to be locked out of the system, so also accept on the standard ssh port, just in case things accidently get
diff --git a/sample-rc.d/rc.firewall-guests b/sample-rc.d/rc.firewall-guests
index 45bb749..231e245 100755
--- a/sample-rc.d/rc.firewall-guests
+++ b/sample-rc.d/rc.firewall-guests
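Review bot: The two neighbour-solicitation/neighbour-advertisement rules appended to the ICMPv6 block of rc.firewall-float are commented out, so the commit changes no runtime behaviour despite its title, and a reader cannot tell whether NDP on "$EX_IF" is meant to be accepted or deliberately blocked. If the INPUT chain ends in a DROP policy (not visible in this hunk) and no earlier rule accepts these types, neighbours on the external link cannot resolve this machine's link-layer address and IPv6 on eth0 effectively stops working. If the rules are to be enabled, bind them to the link as RFC 4861 requires by adding a hop-limit match, e.g. `ip6tables -A INPUT -i "$EX_IF" -p icmpv6 --icmpv6-type neighbour-solicitation -m hl --hl-eq 255 -j ACCEPT` and the same for neighbour-advertisement, so NDP that was routed in from off-link is not accepted by the firewall (the kernel's ND code also rejects such packets, so this is defence in depth). If they are meant to stay disabled, replace the dead rules with a comment stating the reason, e.g. `# NDP (NS/NA) is intentionally not accepted on $EX_IF: <reason>`.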
@@ -2,8 +2,8 @@
 # The name of the main external interface.
 EX_IF="eth0"
-# The name of the VM-Private network interface.
-VM_IF="eth1"
+# The name of the Private network interface.
+PRI_IF="eth1"
 # Disable ICMP redirects.
 # Note: Redirects are used when a router believes a packet is being routed sub optimally and it would like to inform
@@ -43,9 +43,9 @@ iptables -A INPUT -i "$EX_IF" -s 192.168.0.0/16 -j DROP
 iptables -A INPUT -i lo -j ACCEPT
 ip6tables -A INPUT -i lo -j ACCEPT
-# Allow all VM-Private network traffic.
-iptables -A INPUT -i "$VM_IF" -j ACCEPT
-ip6tables -A INPUT -i "$VM_IF" -j ACCEPT
+# Allow all Private network traffic.
+iptables -A INPUT -i "$PRI_IF" -j ACCEPT
+ip6tables -A INPUT -i "$PRI_IF" -j ACCEPT
 # Allow unrestricted access from our IPs.
 iptables -A INPUT -i "$EX_IF" -m iprange --src-range 91.109.244.7-91.109.244.11 -j ACCEPT
@@ -73,6 +73,8 @@ ip6tables -A INPUT -i "$EX_IF" -p icmpv6 --icmpv6-type time-exceeded -j ACCEPT
 iptables -A INPUT -i "$EX_IF" -p icmp --icmp-type parameter-problem -j ACCEPT
 ip6tables -A INPUT -i "$EX_IF" -p icmpv6 --icmpv6-type parameter-problem -j ACCEPT
 ip6tables -A INPUT -i "$EX_IF" -p icmpv6 --icmpv6-type packet-too-big -j ACCEPT
+#ip6tables -A INPUT -i "$EX_IF" -p icmpv6 --icmpv6-type neighbour-solicitation -j ACCEPT
+#ip6tables -A INPUT -i "$EX_IF" -p icmpv6 --icmpv6-type neighbour-advertisement -j ACCEPT
 # Always allow SSH.
 # Note: We never want to be locked out of the system, so also accept on the standard ssh port, just in case things accidently get
diff --git a/sample-rc.d/rc.firewall-hosts b/sample-rc.d/rc.firewall-hosts
index 905629b..2bb8aad 100755
--- a/sample-rc.d/rc.firewall-hosts
+++ b/sample-rc.d/rc.firewall-hosts
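Review bot: In rc.firewall-guests the neighbour-solicitation/neighbour-advertisement lines are added with a leading `#`, identical to the other two scripts, with nothing saying whether they are a pending TODO or a deliberate decision to block NDP on "$EX_IF"; dead rules in a firewall script tend to be either uncommented blindly or left to rot, so the intent should be written down. Should they be enabled, they are the only new ICMPv6 accepts in this block that do not need to come from off-link, so they deserve a tighter match than the existing ones: `-m hl --hl-eq 255` on both rules rejects NS/NA that crossed a router (RFC 4861 mandates a hop limit of 255 for these messages) without affecting legitimate on-link discovery. Whether their absence currently breaks IPv6 reachability depends on the INPUT chain policy and any later rules, which this hunk does not show. A one-line comment such as `# NDP accepts below are disabled on purpose: <reason>` (or `# TODO: enable once ... is confirmed`) would settle it.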
@@ -67,6 +67,8 @@ ip6tables -A INPUT -i "$EX_IF" -p icmpv6 --icmpv6-type time-exceeded -j ACCEPT
 iptables -A INPUT -i "$EX_IF" -p icmp --icmp-type parameter-problem -j ACCEPT
 ip6tables -A INPUT -i "$EX_IF" -p icmpv6 --icmpv6-type parameter-problem -j ACCEPT
 ip6tables -A INPUT -i "$EX_IF" -p icmpv6 --icmpv6-type packet-too-big -j ACCEPT
+#ip6tables -A INPUT -i "$EX_IF" -p icmpv6 --icmpv6-type neighbour-solicitation -j ACCEPT
+#ip6tables -A INPUT -i "$EX_IF" -p icmpv6 --icmpv6-type neighbour-advertisement -j ACCEPT
 # Always allow SSH.
 # Note: We never want to be locked out of the system, so also accept on the standard ssh port, just in case things accidently get
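Review bot: The rc.firewall-hosts hunk adds the same two disabled neighbour-solicitation/neighbour-advertisement rules, so this file also gains no new ICMPv6 handling at runtime and leaves the NDP policy on "$EX_IF" undocumented. If the intent is to enable them later, the rules as written accept NS/NA from any source on the external interface; adding `-m hl --hl-eq 255` to each keeps the accept restricted to packets that were never forwarded, which is the check RFC 4861 requires of receivers and costs nothing for genuine on-link neighbours. If NDP is in fact already handled by an earlier rule or by the chain policy (neither is visible in this hunk), a short comment saying so, e.g. `# NS/NA for $EX_IF are accepted by <rule above>; these stay disabled`, is better than leaving commented-out rules that invite an uninformed uncomment.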