Do some spoofcheks even in ipv6. This is probably not complete

diff --git a/share/plugins/plugin.d/create_chain_spoofcheck b/share/plugins/plugin.d/create_chain_spoofcheck
index f03739f..48e291b 100755 (executable)
--- a/share/plugins/plugin.d/create_chain_spoofcheck
+++ b/share/plugins/plugin.d/create_chain_spoofcheck
@@ -43,3 +43,28 @@ iptables -A spoofcheck -p all -i ! lo -s 127.0.0.0/8 -j LOG --log-prefix "alff s
 iptables -A spoofcheck -p all -i ! lo -s 127.0.0.0/8 -j DROP
 
 EOF
+
+# do the same for ipv6
+cat << EOF >&3
+##
+# Some sample networks to block, there might be more
+
+##
+# site local unicast is deprecated (RFC3879)
+ip6tables -A spoofcheck -p all -i ! lo -s fec0::/10 -j LOG --log-prefix "alff spoofed: "
+ip6tables -A spoofcheck -p all -i ! lo -s fec0::/10 -j DROP
+
+##
+# Uniqe local unicast (RFC4193) should be opt in
+ip6tables -A spoofcheck -p all -i ! lo -s fc00::/7 -j LOG --log-prefix "alff spoofed: "
+ip6tables -A spoofcheck -p all -i ! lo -s fc00::/7 -j DROP
+
+##
+# Some more deprecated networks
+
+##
+# ipv4 compability, deprecated by RFC4291
+ip6tables -A spoofcheck -p all -i ! lo -s ::/96 -j LOG --log-prefix "alff spoofed: "
+ip6tables -A spoofcheck -p all -i ! lo -s ::/96 -j DROP
+
+EOF

diff --git a/share/plugins/plugin.d/drop_spoofed_packets_ b/share/plugins/plugin.d/drop_spoofed_packets_
index 2306266..41e9b5b 100755 (executable)
--- a/share/plugins/plugin.d/drop_spoofed_packets_
+++ b/share/plugins/plugin.d/drop_spoofed_packets_
@@ -28,6 +28,7 @@ if [ "${chain}" ]; then
        if [ "${valid_chain}" = 'true' ]; then
                echo " * Creating rule to DROP spoofed packets... "
                echo "iptables -A ${chain} -j spoofcheck" >&3
+               echo "ip6tables -A ${chain} -j spoofcheck" >&3
        else
                echo "Error: Chain \"spoofcheck\" does not exist, but should be hooked in into ${chain}!">&2
        fi