Adjusted some more plugins for ipv6
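#!/usr/bin/perl -w
#
# handleICMP
#
# Maximilian Wilhelm <max@rfc2324.org>
#  -- Sun, 16 Jul 2006 17:06:01 +0200
#
# Alff plugin: sends forwarded ICMP / ICMPv6 traffic into a dedicated chain
# and fills that chain according to the "allow_icmp" option:
#
#   all    accept every IPv4 ICMP message
#   basic  accept a short list of IPv4 ICMP types, reject the rest
#   none   reject every IPv4 ICMP message
#
# ICMPv6 is always accepted, whatever "allow_icmp" says.
#

use strict;
use Alff::Config;
use Alff::Main;

my $chain = "handleIcmp";

my $config = Alff::Config->new();
my $alff = Alff::Main->new;

my $allow_icmp = $config->getOption( "allow_icmp" );

# Fail closed on a missing or unrecognised value. Without this check such a
# value would match neither "all" nor "basic" below, the IPv4 chain would stay
# empty and ICMP would fall through to whatever rules follow in FORWARD.
if ( ! defined $allow_icmp or $allow_icmp !~ m/\A(?:all|basic|none)\z/ ) {
        my $shown = defined $allow_icmp ? "'$allow_icmp'" : "(undefined)";
        warn " ! Unknown allow_icmp value $shown, rejecting all icmp traffic\n";
        $allow_icmp = "none";
}

# NOTE(review): the ip6tables rules below assume create_chain() also creates
# the chain for ip6tables -- confirm in Alff::Main.
$alff->create_chain( $chain );
$alff->write_line("iptables -A FORWARD -p icmp -j $chain");
# Same protocol name as the ACCEPT rule at the end of this file.
$alff->write_line("ip6tables -A FORWARD -p ipv6-icmp -j $chain");

# IPv4 ICMP types accepted in "basic" mode, in rule order.
my @basic_types = (
        [  0, "echo-reply" ],
        [  3, "destination-unreachable/*" ],
        [  4, "source-quench" ],        # NOTE(review): deprecated by RFC 6633, consider dropping
        [  8, "echo-request" ],
        [ 11, "time-exceeded/*" ],
        [ 12, "parameter-problem/*" ],
);

if ( $allow_icmp eq "none" ) {
        print " * Rejecting all icmp traffic!\n";

        # REJECT everything gently. The reject type has to be spelled exactly
        # "icmp-admin-prohibited"; iptables refuses an unknown value and the
        # rule would then be missing from the chain.
        $alff->write_line("iptables -A $chain -p icmp -j REJECT --reject-with icmp-admin-prohibited");

} else {
        # ICMP (partly) allowed
        print " * Allowing $allow_icmp icmp traffic... \n";

        if ( $allow_icmp eq "all" ) {
                $alff->write_line("iptables -A $chain -p icmp -j ACCEPT");

        } elsif ( $allow_icmp eq "basic" ) {
                for my $entry ( @basic_types ) {
                        my ( $type, $name ) = @{ $entry };      # $name only documents the type
                        $alff->write_line( sprintf(
                                "iptables -A %s -p icmp -m icmp --icmp-type %2d -j ACCEPT",
                                $chain, $type ) );
                }

                # REJECT everything else gently
                $alff->write_line("iptables -A $chain -p icmp -j REJECT --reject-with icmp-admin-prohibited");
        }
}

# ICMP is required for IPv6!
# NOTE(review): this accepts every forwarded ICMPv6 type regardless of
# "allow_icmp". RFC 4890 lists the types a forwarding firewall needs to pass
# (e.g. Packet Too Big) -- consider narrowing this rule to that set.
$alff->write_line("ip6tables -A $chain -p ipv6-icmp -j ACCEPT");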