From: Kevin Day
Date: Sun, 10 Jun 2012 19:41:20 +0000 (-0500)
Subject: Bugfix: ipv6 icmp is different than ipv4 icmp, adjust rules accordingly
X-Git-Tag: 0.3.0~5
X-Git-Url: https://git.kevux.org/?a=commitdiff_plain;h=ba244ca077eefce5e7597366b89ef1032e534704;p=fll

Bugfix: ipv6 icmp is different than ipv4 icmp, adjust rules accordingly

The ipv6 in iptables uses a separate command called icmpv6, with the parameter called icmpv6-type. Adjust the default settings files to use ipv4 icmp only with iptables and ipv6 icmp only with ip6tables. This also updates the icmp types for ipv6, adding comments on what each type is.
---
diff --git a/level_3/firewall/data/settings/firewall-first b/level_3/firewall/data/settings/firewall-first
index 56d862c..df2f847 100644
--- a/level_3/firewall/data/settings/firewall-first
+++ b/level_3/firewall/data/settings/firewall-first
@@ -67,7 +67,8 @@ main:
 
 rule -m state --state NEW -j input-udp
 
- # send all tcp packets to the tcp queue
+ # send all ipv4 icmp packets to the icmp queue
+ tool iptables
 direction output
 protocol icmp
 rule -m state --state NEW -j output-icmp
@@ -75,6 +76,15 @@ main:
 direction input
 rule -m state --state NEW -j input-icmp
 
+ # send all ipv6 icmp packets to the icmp queue
+ tool ip6tables
+ direction output
+ protocol icmpv6
+ rule -m state --state NEW -j output-icmp
+
+ direction input
+ rule -m state --state NEW -j input-icmp
+
 
 input-tcp:
 direction input
diff --git a/level_3/firewall/data/settings/firewall-last b/level_3/firewall/data/settings/firewall-last
index eb0f543..d6fa7c0 100644
--- a/level_3/firewall/data/settings/firewall-last
+++ b/level_3/firewall/data/settings/firewall-last
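Review bot: The added ip6tables block at the end of `main:` leaves `tool ip6tables` as the last tool set before the `input-tcp:` section, which sets no tool of its own; if `tool` carries over from one section to the next, as the explicit `tool iptables` re-added inside `output-icmp:` in firewall-last suggests it does, `input-tcp:` and every later section would now be applied only through ip6tables. Either the parser resets `tool` at each section header, in which case a comment at the top of `main:` stating the default tool would make this safe to read, or `input-tcp:` needs its own `tool iptables` line. I cannot see how the firewall program scopes `tool`, so this is a question to verify rather than a confirmed defect. The `main:` section begins before the first hunk.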
@@ -101,14 +101,80 @@ output-udp:
 
 
 input-icmp:
+ tool iptables
 direction input
 protocol icmp
 
 # allow all icmp input, such as pings
 #rule -m state --state NEW -j ACCEPT
 
- # ip6tables does not support --icmp-type with its icmp packets
+ # allow icmp: echo reply (outbound ping)
+ #rule --icmp-type 0 -m state --state NEW -j ACCEPT
+
+ # allow icmp: destination unreachable
+ rule --icmp-type 3 -m state --state NEW -j ACCEPT
+
+ # allow icmp: source quench
+ rule --icmp-type 4 -m state --state NEW -j ACCEPT
+
+ # allow icmp: redirect
+ rule --icmp-type 5 -m state --state NEW -j ACCEPT
+
+ # allow icmp: echo request (inbound ping)
+ rule --icmp-type 8 -m state --state NEW -j ACCEPT
+
+ # allow icmp: router advertisement
+ rule --icmp-type 9 -m state --state NEW -j ACCEPT
+
+ # allow icmp: router Solicitation
+ rule --icmp-type 10 -m state --state NEW -j ACCEPT
+
+ # allow icmp: time exceeded
+ rule --icmp-type 11 -m state --state NEW -j ACCEPT
+
+ # allow icmp: bad ip header
+ rule --icmp-type 12 -m state --state NEW -j ACCEPT
+
+ # allow icmp: timestamp
+ rule --icmp-type 13 -m state --state NEW -j ACCEPT
+
+ # allow icmp: timestamp reply
+ rule --icmp-type 14 -m state --state NEW -j ACCEPT
+
+ # allow icmp: information request
+ rule --icmp-type 15 -m state --state NEW -j ACCEPT
+
+ # allow icmp: information reply
+ rule --icmp-type 16 -m state --state NEW -j ACCEPT
+
+ # allow icmp: address request
+ rule --icmp-type 17 -m state --state NEW -j ACCEPT
+
+ # allow icmp: address reply
+ rule --icmp-type 18 -m state --state NEW -j ACCEPT
+
+ # allow icmp: traceroute
+ #rule --icmp-type 30 -m state --state NEW -j ACCEPT
+
+
+output-icmp:
+ direction output
+ protocol icmp
+
+ # allow icmp output, such as pings
+ rule -m state --state NEW -j ACCEPT
+
+
+input-icmp:
+ direction input
+
+
+ # ipv4 icmp
 tool iptables
+ protocol icmp
+
+ # allow all icmp input, such as pings
+ #rule -m state --state NEW -j ACCEPT
 
 # allow icmp: echo reply (outbound ping)
 #rule --icmp-type 0 -m state --state NEW -j ACCEPT
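Review bot: After this hunk firewall-last carries two `input-icmp:` sections and two `output-icmp:` sections: the context line `input-icmp:` at the top of the hunk is followed by an added `+output-icmp:` and then a second added `+input-icmp:`, while the original `output-icmp:` survives as context in the next hunk. The first `input-icmp:` copy (from `+ tool iptables` through `#rule --icmp-type 30`) holds only the ipv4 rules and the second copy is the one that gains the ipv6 block, so depending on how the settings parser treats a repeated section name the ipv4 rules are loaded twice or one copy is silently discarded; this reads like a stray paste and the first `output-icmp:`/`input-icmp:` pair should be removed. Separately, `--icmp-type 5` (redirect), `9` (router advertisement), `13` (timestamp request) and `17` (address mask request) are accepted from any source, which a default policy usually leaves closed; if they are intended to be open a comment saying why would help, otherwise they could stay commented out like types 0 and 30.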
@@ -159,9 +225,134 @@ input-icmp:
 #rule --icmp-type 30 -m state --state NEW -j ACCEPT
 
 
+ # ipv6 icmp
+ tool ip6tables
+ protocol icmpv6
+
+ # allow all icmp input
+ #rule -m state --state NEW -j ACCEPT
+
+ # destination uncreachable
+ rule --icmpv6-type 1 -m state --state NEW -j ACCEPT
+
+ # packet too big
+ rule --icmpv6-type 2 -m state --state NEW -j ACCEPT
+
+ # time exceeded
+ rule --icmpv6-type 3 -m state --state NEW -j ACCEPT
+
+ # parameter problem
+ rule --icmpv6-type 4 -m state --state NEW -j ACCEPT
+
+ # Private experimentation
+ #rule --icmpv6-type 100 -m state --state NEW -j ACCEPT
+ #rule --icmpv6-type 101 -m state --state NEW -j ACCEPT
+
+ # echo request
+ rule --icmpv6-type 128 -m state --state NEW -j ACCEPT
+
+ # echo reply
+ #rule --icmpv6-type 129 -m state --state NEW -j ACCEPT
+
+ # multiclass listener
+ rule --icmpv6-type 130 -m state --state NEW -j ACCEPT
+
+ # multiclass listener report
+ rule --icmpv6-type 131 -m state --state NEW -j ACCEPT
+
+ # multiclass listener done
+ rule --icmpv6-type 132 -m state --state NEW -j ACCEPT
+
+ # router solicitation
+ rule --icmpv6-type 133 -m state --state NEW -j ACCEPT
+
+ # router advertisement
+ rule --icmpv6-type 134 -m state --state NEW -j ACCEPT
+
+ # neighbor solicitation
+ rule --icmpv6-type 135 -m state --state NEW -j ACCEPT
+
+ # neighbor advertisement
+ rule --icmpv6-type 136 -m state --state NEW -j ACCEPT
+
+ # redirect messages
+ rule --icmpv6-type 137 -m state --state NEW -j ACCEPT
+
+ # router renumbering
+ rule --icmpv6-type 138 -m state --state NEW -j ACCEPT
+
+ # icmp node information query
+ rule --icmpv6-type 139 -m state --state NEW -j ACCEPT
+
+ # icmp node information response
+ rule --icmpv6-type 140 -m state --state NEW -j ACCEPT
+
+ # inverse neighbor discoverey solicitation message
+ rule --icmpv6-type 141 -m state --state NEW -j ACCEPT
+
+ # inverse neighbor discoverey advertisement message
+ rule --icmpv6-type 142 -m state --state NEW -j ACCEPT
+
+ # multicast listener discovery reports
+ rule --icmpv6-type 143 -m state --state NEW -j ACCEPT
+
+ # home agent address discovery request message
+ rule --icmpv6-type 144 -m state --state NEW -j ACCEPT
+
+ # home agent address discovery reply message
+ rule --icmpv6-type 145 -m state --state NEW -j ACCEPT
+
+ # mobile prefix solicitation
+ rule --icmpv6-type 146 -m state --state NEW -j ACCEPT
+
+ # mobile prefix advertisement
+ rule --icmpv6-type 147 -m state --state NEW -j ACCEPT
+
+ # certification path solicitation
+ rule --icmpv6-type 148 -m state --state NEW -j ACCEPT
+
+ # certification path advertisement
+ rule --icmpv6-type 149 -m state --state NEW -j ACCEPT
+
+ # used by experimental protocol
+ #rule --icmpv6-type 150 -m state --state NEW -j ACCEPT
+
+ # multicast router solicitation
+ rule --icmpv6-type 151 -m state --state NEW -j ACCEPT
+
+ # multicast router advertisement
+ rule --icmpv6-type 152 -m state --state NEW -j ACCEPT
+
+ # multicast router termination
+ rule --icmpv6-type 153 -m state --state NEW -j ACCEPT
+
+ # fmipv6 control messages
+ rule --icmpv6-type 154 -m state --state NEW -j ACCEPT
+
+ # rpl control messages
+ rule --icmpv6-type 155 -m state --state NEW -j ACCEPT
+
+ # private experimentation
+ #rule --icmpv6-type 200 -m state --state NEW -j ACCEPT
+ #rule --icmpv6-type 201 -m state --state NEW -j ACCEPT
+
+
 output-icmp:
 direction output
 protocol icmp
 
+
+ # ipv4 icmp
+ tool iptables
+ protocol icmp
+
+ # allow icmp output, such as pings
+ rule -m state --state NEW -j ACCEPT
+
+
+ # ipv6 icmp
+ tool ip6tables
+ protocol icmpv6
+
 # allow icmp output, such as pings
 rule -m state --state NEW -j ACCEPT
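Review bot: The ipv6 block accepts router advertisement (`--icmpv6-type 134`), redirect (137), router renumbering (138) and node information query/response (139, 140) from any source, so any host that can reach this box can hand it a default route or next-hop. Neighbor discovery messages are only valid from on-link senders with a hop limit of 255, so the usual hardening is to qualify 133–137 with the hop-limit match, e.g. `rule --icmpv6-type 134 -m hl --hl-eq 255 -m state --state NEW -j ACCEPT`, and to leave 138, 139 and 140 commented out like 129 and 150 unless the host needs them. I am not certain conntrack assigns NEW to neighbor discovery and MLD messages; if they are untracked these `--state NEW` rules never match and neighbor discovery falls through to the chain policy, which is worth testing before this ships as the default. The comments on types 130–132 should read `multicast listener` rather than `multiclass listener`, and `uncreachable` and `discoverey` are typos.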