First bucket of adjusted plugins
authorMichael Schwarz <mschwar2@math.uni-paderborn.de>
Wed, 24 Apr 2013 07:57:24 +0000 (09:57 +0200)
committerMichael Schwarz <mschwar2@math.uni-paderborn.de>
Wed, 24 Apr 2013 07:57:24 +0000 (09:57 +0200)
  *  acceptInterFirewallTraffic
  *  accept_established_connections_
  *  classifyInterVlanTraffic
  *  clear_filter_tables
  *  clear_table_
  *  create_chain_log_and_reject
  *  finish_FORWARD
  *  finish_INPUT
  *  handleICMP
  *  hookInBlackAndWhitelist

share/plugins/plugin.d/acceptInterFirewallTraffic
share/plugins/plugin.d/accept_established_connections_
share/plugins/plugin.d/classifyInterVlanTraffic
share/plugins/plugin.d/clear_filter_tables
share/plugins/plugin.d/clear_table_
share/plugins/plugin.d/create_chain_log_and_reject
share/plugins/plugin.d/finish_FORWARD
share/plugins/plugin.d/finish_INPUT
share/plugins/plugin.d/handleICMP
share/plugins/plugin.d/hookInBlackAndWhitelist

index f234fe8..cffd871 100755 (executable)
@@ -19,17 +19,27 @@ my @machine_IDs = $config->getMachineIDs();
 if ( scalar ( @machine_IDs ) > 0 ) {
        foreach my $machine_id ( @machine_IDs ) {
                my $machine_ip = $config->getMachineIP( $machine_id );
-               if ( ! $machine_ip ) {
-                       print STDERR "acceptInterFirewallTraffic: ERROR: Could not get IP address for machine $machine_id\n";
-                       exit 1;
+               my $machine_ip6 = $config->getMachineIP6( $machine_id );
+               if( $machine_ip ) {
+       
+                       if ( ! Net::CIDR::cidrvalidate( $machine_ip ) ) {
+                               print STDERR "Error: Invalid IPv4 address for machine $machine_id.\n";
+                               exit 1;
+                       }
+                                               
+                       $alff->write_line("iptables -A INPUT -s $machine_ip -j ACCEPT");
                }
 
-               if ( ! Net::CIDR::cidrvalidate( $machine_ip ) ) {
-                       print STDERR "Error: Invalid IP address for machine $machine_id.\n";
-                       exit 1;
+               if( $machine_ip6 ) {
+       
+                       if ( ! Net::CIDR::cidrvalidate( $machine_ip6 ) ) {
+                               print STDERR "Error: Invalid IPv6 address for machine $machine_id.\n";
+                               exit 1;
+                       }
+                                               
+                       $alff->write_line("ip6tables -A INPUT -s $machine_ip6 -j ACCEPT");
                }
-                               
-               $alff->write_line("iptables -A INPUT -s $machine_ip -j ACCEPT");
+
        }
 } else {
        print STDERR "Attention: acceptInterFirewallTraffic: No machines found\n";
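Review bot: A machine for which neither `getMachineIP` nor `getMachineIP6` returns an address is now skipped silently: the removed lines made a missing IPv4 address fatal, while the new code only acts inside `if( $machine_ip )` and `if( $machine_ip6 )` and has no branch for the case where both are false. Restoring the check as `if ( ! $machine_ip && ! $machine_ip6 ) { print STDERR "acceptInterFirewallTraffic: ERROR: No IPv4 or IPv6 address for machine $machine_id\n"; exit 1; }` before the two blocks keeps the exit-on-error behaviour that the `cidrvalidate` checks already have. Four of the added lines (the blank line after each `if(` and after each `exit 1` block) contain only a tab and should be emptied. The `if ( scalar ( @machine_IDs ) > 0 )` / `else` construct continues outside the hunk.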
index 590fd63..f5d934f 100755 (executable)
@@ -16,6 +16,7 @@ CHAIN=`getOption $1`
 if [ "${CHAIN}" ]; then
        echo " * Creating rule to ACCEPT established connections... "
        echo "iptables -A ${CHAIN} -m state --state RELATED,ESTABLISHED -j ACCEPT" >&3
+       echo "ip6tables -A ${CHAIN} -m state --state RELATED,ESTABLISHED -j ACCEPT" >&3
 else
        echo "Error: You did not specify the chain in which established connection should be hooked in" >&2
 fi
index 866f254..a060767 100755 (executable)
@@ -61,48 +61,58 @@ sub classifyTrafficFromTo($$) { #{{{
 
        # Not that good runtime(?), but...
        foreach my $src_network ( @src_networks ) {
+               my $src_network_version = $alff->getIpVersion($src_network);
                foreach my $dst_network ( @dst_networks ) {
-                       foreach my $dst_interface ( @dst_interfaces ) {
-                               # create backup of dst and src network
-                               my $src_network_bak = $src_network;
-                               my $dst_network_bak = $dst_network;
-
-                               foreach my $src_interface ( @src_interfaces ) {
-
-                                       # Build up the command line
-                                       my $commandline = "iptables -A FORWARD ";
-               
-                                       if ($src_network =~ m/!/) {
-                                                       $src_network =~ s/!//;
+                       if($src_network_version == $alff->getIpVersion($dst_network)) {
+                               foreach my $dst_interface ( @dst_interfaces ) {
+                                       # create backup of dst and src network
+                                       my $src_network_bak = $src_network;
+                                       my $dst_network_bak = $dst_network;
+
+                                       foreach my $src_interface ( @src_interfaces ) {
+
+                                               # Build up the command line
+                                               my $commandline = "";
+                                               if($src_network_version == 4) {
+                                                       $commandline .= "iptables -A FORWARD ";
+                                               } elsif($src_network_version == 6) {
+                                                       $commandline .= "ip6tables -A FORWARD ";
+                                               } else {
+                                                       $commandline .= "# $src_network isn't a known network ";
+                                               }
+                       
+                                               if ($src_network =~ m/!/) {
+                                                               $src_network =~ s/!//;
+                                                               $commandline .= " ! ";
+                                               }
+                                               $commandline .= " -s $src_network ";
+                       
+                                               if ( $config->getOption( "fw_type" ) eq "router" ) {
+                                                       $commandline .= " -i $src_interface " if ( $src_interface );
+                                                       $commandline .= " -o $dst_interface " if ( $dst_interface );
+                                               }       
+                                               elsif( $config->getOption( "fw_type" ) eq "bridge" ) {
+                                                       if ( $src_interface || $dst_interface ) {
+                                                               $commandline .= " -m physdev ";
+                                                               $commandline .= " --physdev-in $src_interface " if ( $src_interface );
+                                                               $commandline .= " --physdev-out $dst_interface " if ( $dst_interface );
+                                                       }
+                                                       $commandline .= " -m mark --mark $src_vlan ";
+                                               }
+                       
+                                               if ($dst_network =~ m/!/) {
+                                                       $dst_network =~ s/!//;
                                                        $commandline .= " ! ";
-                                       }
-                                       $commandline .= " -s $src_network ";
-               
-                                       if ( $config->getOption( "fw_type" ) eq "router" ) {
-                                               $commandline .= " -i $src_interface " if ( $src_interface );
-                                               $commandline .= " -o $dst_interface " if ( $dst_interface );
-                                       }       
-                                       elsif( $config->getOption( "fw_type" ) eq "bridge" ) {
-                                               if ( $src_interface || $dst_interface ) {
-                                                       $commandline .= " -m physdev ";
-                                                       $commandline .= " --physdev-in $src_interface " if ( $src_interface );
-                                                       $commandline .= " --physdev-out $dst_interface " if ( $dst_interface );
                                                }
-                                               $commandline .= " -m mark --mark $src_vlan ";
-                                       }
-               
-                                       if ($dst_network =~ m/!/) {
-                                               $dst_network =~ s/!//;
-                                               $commandline .= " ! ";
-                                       }
-                                       $commandline .= " -d $dst_network -j $chain";
-               
-                                       $alff->write_line( $commandline );
+                                               $commandline .= " -d $dst_network -j $chain";
+                       
+                                               $alff->write_line( $commandline );
 
-                                       # restore old networks
-                                       $src_network = $src_network_bak;
-                                       $dst_network = $dst_network_bak;
+                                               # restore old networks
+                                               $src_network = $src_network_bak;
+                                               $dst_network = $dst_network_bak;
 
+                                       }
                                }
                        }
                }
@@ -167,6 +177,7 @@ sub loadChainRules($$) { # {{{
        if ( $load_count == 0 ) {
                print STDERR "INFO: No rules found for chain $chain, setting the default_chain_target...\n" if ( $debug );
                $alff->write_line( "iptables -A $chain -j $default_chain_target" );
+               $alff->write_line( "ip6tables -A $chain -j $default_chain_target" );
        }
 } #}}}
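Review bot: In `classifyTrafficFromTo`, the `else` branch for an unknown IP version (`$commandline .= "# $src_network isn't a known network "`) does not stop rule construction: the `-s`, interface, `-d` and `-j` fragments are still appended and the result is written out as a comment line, so a network that `getIpVersion` cannot classify silently yields no classification rule for that source/destination pair. The other plugins in this commit report an invalid address on STDERR and `exit 1`; doing the same here keeps a misconfigured network from going unnoticed, e.g. `print STDERR "classifyInterVlanTraffic: ERROR: $src_network is neither an IPv4 nor an IPv6 network\n"; exit 1;` in place of the comment assignment. If `getIpVersion` can return undef for such input, the `==` comparisons on it will additionally warn under `use warnings`; its contract is not visible here. The sub begins before the first hunk and the outer `foreach my $src_network` loop closes after it.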
 
index e85a712..0e04130 100755 (executable)
@@ -10,4 +10,8 @@ cat << EOF >&3
 iptables -t filter -F
 iptables -t filter -X
 iptables -t filter -Z
+
+ip6tables -t filter -F
+ip6tables -t filter -X
+ip6tables -t filter -Z
 EOF
index a6967dd..85867d7 100755 (executable)
@@ -32,3 +32,14 @@ iptables -t ${table} -X
 iptables -t ${table} -Z
 
 EOF
+
+##
+# ip6tables kann kein nat
+if [ ${table} != "nat" ] ; then
+       cat << EOF >&3
+ip6tables -t ${table} -F
+ip6tables -t ${table} -X
+ip6tables -t ${table} -Z
+
+EOF
+fi
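Review bot: `${table}` is unquoted in the new test `if [ ${table} != "nat" ] ; then`, so an empty or unset `table` collapses it to `[ != nat ]`, which is a test syntax error rather than a skip; write `if [ "${table}" != "nat" ]; then`. The comment `ip6tables kann kein nat` is in German while the other plugin comments in this commit are in English, and its claim depends on the kernel (IPv6 NAT support exists from Linux 3.7), so `# Skip the nat table for ip6tables: IPv6 NAT needs kernel >= 3.7 and is not handled here` states the actual reason. Whether an earlier part of this script validates `${table}` before it reaches the heredocs is not visible in the hunk.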
index c810f22..b1f479c 100755 (executable)
@@ -17,11 +17,14 @@ createChain log_and_reject
 cat << EOF >&3
 # LOG the traffic to be rejected, but restrict the amount of logs...
 iptables -A log_and_reject -m limit --limit 3/sec --limit-burst 5 -j LOG --log-prefix "alff rejected: "
+ip6tables -A log_and_reject -m limit --limit 3/sec --limit-burst 5 -j LOG --log-prefix "alff rejected: "
 
 # REJECT tcp connections gently by sending a tcp-reset
 iptables -A log_and_reject -p tcp -j REJECT --reject-with tcp-reset
+ip6tables -A log_and_reject -p tcp -j REJECT --reject-with tcp-reset
 
 # REJECT anything else via an ICMP message with icmp-admin-prohibited
 iptables -A log_and_reject -j REJECT --reject-with icmp-admin-prohibited
+ip6tables -A log_and_reject -j REJECT --reject-with icmp6-adm-prohibited
 
 EOF
index e2a407c..3acff0c 100755 (executable)
@@ -13,4 +13,8 @@ iptables -A FORWARD -m limit --limit 5/sec -j LOG --limit-burst 10 --log-prefix
 iptables -A FORWARD -p tcp -j REJECT --reject-with tcp-reset
 iptables -A FORWARD -j REJECT --reject-with icmp-admin-prohibited
 
+ip6tables -A FORWARD -m limit --limit 5/sec -j LOG --limit-burst 10 --log-prefix "alff rejected: "
+ip6tables -A FORWARD -p tcp -j REJECT --reject-with tcp-reset
+ip6tables -A FORWARD -j REJECT --reject-with icmp6-adm-prohibited
+
 EOF
index eb9b704..7a8a1ef 100755 (executable)
@@ -13,4 +13,8 @@ iptables -A INPUT -m limit --limit 3/sec --limit-burst 5 -j LOG --log-prefix "al
 iptables -A INPUT -p tcp -j REJECT --reject-with tcp-reset
 iptables -A INPUT -j REJECT --reject-with icmp-admin-prohibited
 
+ip6tables -A INPUT -m limit --limit 3/sec --limit-burst 5 -j LOG --log-prefix "alff incoming: "
+ip6tables -A INPUT -p tcp -j REJECT --reject-with tcp-reset
+ip6tables -A INPUT -j REJECT --reject-with icmp6-adm-prohibited
+
 EOF
index 4c6793f..430a212 100755 (executable)
@@ -40,3 +40,6 @@ if ( $allow_icmp ne "none" ) {
        print " * Rejecting all icmp traffic!\n";
        $alff->write_line("iptables -A $chain -p icmp -j REJECT --reject-with icmp-admin-prhobited");           # REJECT everything genlty
 }
+
+# Fuer IPv6 ist ICMP notwendig!
+$alff->write_line("ip6tables -A $chain -p icmp6 -j ACCEPT");
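Review bot: The new `ip6tables -A $chain -p icmp6 -j ACCEPT` is emitted after the closing brace of the `$allow_icmp` handling, so every ICMPv6 type is accepted on `$chain` even when the branch directly above it, which appears to be the reject-all path for `allow_icmp` set to `none`, has just rejected all ICMPv4. IPv6 does require ICMPv6 for neighbour discovery, path-MTU discovery and error reporting, but that justifies accepting the specific types RFC 4890 lists as essential, not a blanket accept; the echo types can then be gated on the same `$allow_icmp` value the IPv4 code uses. ip6tables' built-in protocol names are `icmpv6` and `ipv6-icmp`, and `icmp6` only resolves if the system's protocol database carries that alias, so `-p icmpv6` is the portable spelling. Separately, the context line above carries `icmp-admin-prhobited`, a misspelling that will make that IPv4 REJECT rule fail to load. The `$allow_icmp` conditional begins before this hunk.
```perl
# … unchanged: IPv4 $allow_icmp handling …

# ICMPv6 is needed for IPv6 to function at all (neighbour discovery, PMTU
# discovery, error reporting), so accept the RFC 4890 essential types
# regardless of $allow_icmp; echo-request/echo-reply follow the $allow_icmp
# decision made for IPv4 above.
foreach my $icmp6_type ( qw( destination-unreachable packet-too-big time-exceeded
                             parameter-problem neighbor-solicitation
                             neighbor-advertisement ) ) {
	$alff->write_line("ip6tables -A $chain -p icmpv6 --icmpv6-type $icmp6_type -j ACCEPT");
}
```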
index 69ae355..9f5d346 100755 (executable)
@@ -18,6 +18,7 @@ for chain in ${CHAINS}; do
        fi
 
        echo "iptables -A FORWARD -j ${chain}" >&3
+       echo "ip6tables -A FORWARD -j ${chain}" >&3
 done
 
 echo " done."