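#!/usr/bin/perl -w
#
# handleICMP
#
# Build the "handleIcmp" chain for alff: every forwarded ICMP (IPv4) and
# ICMPv6 packet is diverted into it, and what the chain does with IPv4
# ICMP depends on the "allow_icmp" config option:
#
#   all   - accept every ICMP message
#   basic - accept only the message types needed for working networking
#           (echo, destination-unreachable, source-quench, time-exceeded,
#           parameter-problem) and REJECT the rest with admin-prohibited
#   none  - REJECT every ICMP message with admin-prohibited
#
# Any other value (including an unset option) is reported on STDERR and
# handled like "none", so a typo in the config fails closed instead of
# silently leaving the chain without any IPv4 rule.
#
# NOTE: the option governs IPv4 only. ICMPv6 is always accepted in this
# chain (last rule below), since IPv6 does not work without it.
#
# Maximilian Wilhelm
#  -- Sun, 16 Jul 2006 17:06:01 +0200
#
use strict;
use warnings;
use Alff::Config;
use Alff::Main;

my $chain  = "handleIcmp";
my $config = Alff::Config->new();
my $alff   = Alff::Main->new;

my $allow_icmp = $config->getOption( "allow_icmp" );
# An unset option must not trigger "uninitialized value" warnings in the
# comparisons below; it is treated as an unknown value and fails closed.
$allow_icmp = "" unless defined $allow_icmp;

# ICMP types accepted in "basic" mode, in rule order: [ type number, name ].
my @basic_icmp_types = (
    [ 0,  'echo-reply'                ],
    [ 3,  'destination-unreachable/*' ],
    [ 4,  'source-quench'             ],
    [ 8,  'echo-request'              ],
    [ 11, 'time-exceeded/*'           ],
    [ 12, 'parameter-problem/*'       ],
);

# Everything not accepted explicitly is rejected "gently", i.e. answered
# with an ICMP admin-prohibited message rather than dropped silently.
# (Shared by "basic" and "none" so the reject type cannot drift apart.)
my $reject_rule = "iptables -A $chain -p icmp -j REJECT --reject-with icmp-admin-prohibited";

$alff->create_chain( $chain );
$alff->write_line("iptables -A FORWARD -p icmp -j $chain");
$alff->write_line("ip6tables -A FORWARD -p icmpv6 -j $chain");

if ( $allow_icmp eq "all" ) {
    print " * Allowing $allow_icmp icmp traffic... \n";
    $alff->write_line("iptables -A $chain -p icmp -j ACCEPT");
}
elsif ( $allow_icmp eq "basic" ) {
    print " * Allowing $allow_icmp icmp traffic... \n";
    for my $entry ( @basic_icmp_types ) {
        my ( $type, $name ) = @$entry;
        $alff->write_line("iptables -A $chain -p icmp -m icmp --icmp-type $type -j ACCEPT");
    }
    $alff->write_line( $reject_rule );
}
else {
    # "none" is the documented reject setting; anything else is a config
    # error that we report but still fail closed on.
    if ( $allow_icmp ne "none" ) {
        warn "handleICMP: unknown allow_icmp value \"$allow_icmp\", rejecting all icmp traffic.\n";
    }
    print " * Rejecting all icmp traffic!\n";
    $alff->write_line( $reject_rule );
}

# ICMPv6 is mandatory for IPv6 to function, so it is accepted in this
# chain regardless of the allow_icmp setting.
$alff->write_line("ip6tables -A $chain -p ipv6-icmp -j ACCEPT");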