1. 07 Feb, 2019 2 commits
    • Update README. URL fixed. · e03c86cb
      Branko Mikić authored
    • LIMITER implemented, BLOCK chain revised. · a8ea0dcb
      Branko Mikić authored
      ~ BLOCK chain extended to use a specific log prefix depending on mark byte set.
      ~ ANTI-FLOOD and INVALID chain now marking packets before dropping them to BLOCK chain.
      ~ LIMITER implemented using the hashlimit table feature. Can be used e.g. to avoid bashing (brute force attacks) on the ssh port.
  2. 28 Apr, 2018 2 commits
    • minor bugs fixed! · 240d462e
      Branko Mikić authored
      ~ printKernelParams() function revised to accept nic interface names as an argument instead of config options from '/proc/sys/net/ipv4/*' only. When a nic is specified as an argument, all available options will be shown.
    • Bug! MAC_FILTER ID generates a non-unique ID depending on whether the mac address was provided in upper- or lower case. · 0d22199b
      Branko Mikić authored
      This can lead to multiple MAC_FILTER rules for the same mac address instead of removing an already existing rule, since the ID couldn't be found. This has been fixed!
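The defect described in this commit, shown as an added example that is not ipturntables code: an ID derived from the address as typed changes with the case of the hex digits, so a removal cannot find the rule it is meant to replace. The "MAC_FILTER_<hex>" format and the function names are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not ipturntables code: how the MAC_FILTER ID defect described
# above arises and how normalising the input fixes it. The ID format
# "MAC_FILTER_<hex>" and the function names are assumptions for this example.

# Buggy variant: the address is used exactly as typed, so the case of the hex
# digits leaks into the ID and "AA:BB:..." and "aa:bb:..." get different IDs.
# A later removal looks up one spelling, finds nothing, and a duplicate rule
# is added instead of the existing one being removed.
mac_id_buggy() {
    printf 'MAC_FILTER_%s' "$(printf '%s' "$1" | tr -d ':')"
}

# Fixed variant: validate the address and reduce it to one canonical spelling
# (lower-case, colon-separated) before anything derives an identifier from it.
normalize_mac() {
    _m=$(printf '%s' "$1" | tr 'A-F' 'a-f' | sed 's/-/:/g')
    case "$_m" in
        [0-9a-f][0-9a-f]:[0-9a-f][0-9a-f]:[0-9a-f][0-9a-f]:[0-9a-f][0-9a-f]:[0-9a-f][0-9a-f]:[0-9a-f][0-9a-f])
            printf '%s' "$_m" ;;
        *)  return 1 ;;
    esac
}

mac_id_fixed() {
    _n=$(normalize_mac "$1") || return 1
    printf 'MAC_FILTER_%s' "$(printf '%s' "$_n" | tr -d ':')"
}

# Stand-alone run: the same address in three spellings, buggy ID beside fixed ID.
for addr in 'AA:BB:CC:DD:EE:FF' 'aa:bb:cc:dd:ee:ff' 'aa-bb-cc-dd-ee-ff'; do
    printf '%-18s buggy=%s fixed=%s\n' "$addr" \
        "$(mac_id_buggy "$addr")" "$(mac_id_fixed "$addr")"
done
```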
  3. 10 Apr, 2018 1 commit
  4. 09 Apr, 2018 2 commits
    • ~ BugFix! The FORWARD_PORT target host argument didn't handle the optional port correctly when omitted. This has been fixed. · b64ca400
      Branko Mikić authored
      ~ ALLOW_PORT and FORWARD_PORT now have an optional protocol argument. When omitted, ALLOW_PORT creates rules for both protocols (tcp|udp) while FORWARD_PORT defaults to tcp only.
      ~ checkProtocol() function added for argument check.
      ~ formatSubnetAsHexID() function renamed to formatAsHexID() as the function can be used on either an IP address or a subnet mask.
    • ~ SVG project logo added. · fc9a37d3
      Branko Mikić authored
      ~ OpenOffice slide added.
  5. 20 Jul, 2017 1 commit
    • ~ BugFix! In checkIPArgFormat() and obtainNetPrefix() the regex expressions were revised. · 2e2bf5a2
      Branko Mikić authored
      ~ obtainRuleIndices() didn't force hostnames of iptables output to be numeric only but could also be a FQDN entry, which led the regex expression to fail.
      ~ BugFix! In FORWARD_SUBNET_PROTECTIVE chain the ID could easily exceed the maximum length when used with IPv6 as they can naturally grow very large if short (::) notation is omitted. Especially when such an ID is used e.g. as a chain name!
      Therefore the chain name for forwarded IPv6 subnets now uses 'cksum' instead of the ID returned by formatSubnetAsHexID() function.
      The new ID format is now a shorter version to fit them into chain names as well as comment fields of iptables.
      ~ In the BASE_RULE_SET command using the ANTI-FLOOD chain on anything regardless of being internal or external traffic wasn't a good idea at all. So the new LOCAL chain now allows internal traffic before ANTI-FLOOD protection is applied, while any external traffic still needs to pass the ANTI-FLOOD and INVALID chains without creating wild, complex exceptions in the BLOCK chain to distinguish invalid, internal traffic from invalid, external traffic.
      ~ By reordering the rules in the BASE_RULE_SET a lot of stuff was simplified to be used on both (IPv4|6) protocols in the same manner.
      ~ EXPERIMENTAL! A new command called 6TO4 implemented for tunneling IPv6 traffic over IPv4 links. This code is heavily experimental and not meant to be used in production environments.
      ~ NEW! ALLOW_PORT (or ALLOW_SERVICE) command implemented. This is a simple version of allowing traffic for specific ports on the router to reach local daemons.
      It would be possible to do that manually by adding a rule to the USER-IN chain, but this one uses iptables' 'multiport' feature so that one rule can allow multiple ports at once. Anyway, ALLOW_PORT can also be used to only allow a single port per rule.
      Attention!
      There can be reasons to _not_ do that and have implicitly one rule for allowing one port, especially when the firewall rules are tweaked at runtime and removing all ports at once isn't desired.
      ~ For IPv6 the filter for RH0 headers was removed (!) as nearly any new kernel version does that on its own even without any netfilter.
      ~ Outbound traffic on safe ports (e.g. 80,443) is now allowed by default for forwarded subnets only.
  6. 17 Nov, 2016 3 commits
  7. 25 Oct, 2016 1 commit
    • ~ some helpers added for checking numbers like isNaturalNumber(), isInteger(), isFloat() and isNumber() functions. · caf9aa22
      Branko Mikić authored
      ~ ALLOW_DHCPV6_CLIENT revised to work with both IPv(4|6), therefore the function was renamed to ALLOW_DHCP_CLIENT.
      ~ obtainRouteToIP() renamed to obtainNetPrefix() and revised to work with both IPv(4|6).
      ~ obtainNetPrefix() renamed to checkSubnetArgFormat().
      ~ NEW! checkMACArgFormat(), checkIPArgFormat() and checkSubnetArgFormat() implemented to check passed arguments.
      ~ deleteRules() revised to return the number of rules deleted. Useful when giving feedback to the user about deletions.
      ~ The LOG target now includes the ENVID to distinguish between logs from iptables and ip6tables. Instead of the [IN|OUT|FWD-DROP] prefix the logs are now prefixed like [IN4-DROP], [OU6-DROP] or [FW4-DROP], ...
      ~ When creating chain names usually the formatSubnetAsHexID() function was used, but for IPv6 subnets this can lead to chain names longer than 28 chars which iptables will not accept; therefore chain names now use the shorter ID created from cksum with '-IN' or '-OUT' suffixes (e.g. A273DBBD-OUT or A0C182C8-IN).
      ~ FORWARD_MAC_FILTER renamed to MAC_FILTER and revised to accept a chain name on which the mac filter is placed.
      ~ FORWARD_PORT|FORWARD_ROUTING implemented to allow pre- & postrouting forwards in the nat table. This function can forward through a WAN into a private subnet but can also be used to forward between hosts inside a private subnet.
      ~ REMOVE_RULES revised to show only chains on which entries were deleted instead of chains processed regardless of deletions. This way the user gets better feedback about deletions when removing rules by regex expression.
      ~ ALLOW_TUNNEL implemented. Allows a router to receive ipip, gre or sit tunnels on the given node from a specified address. At the moment sit tunnels are working; ipip and gre still need some work. A hacky script added to includes/sit_tunnel.sh which is not exactly a part of ipturntables but may be useful anyway.
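The chain-name problem raised in this commit and in 2e2bf5a2 above (a hex ID from an uncompressed IPv6 prefix overflows the 28-character iptables chain-name limit; a cksum-derived ID does not), as an added example that is not ipturntables code. What exactly the real script feeds into cksum, and the long-form ID used as a stand-in for formatSubnetAsHexID(), are assumptions; the page only states that cksum is used and shows names of the form A273DBBD-OUT.

```shell
#!/bin/sh
# Added example, not ipturntables code: why a hex ID built from an IPv6 prefix
# overflows the iptables chain-name limit and how a cksum-derived short ID
# stays within it, as the two commits above describe. What exactly feeds the
# checksum in the real script is an assumption; the page only says 'cksum'.
MAX_CHAIN_LEN=28   # longest chain name iptables accepts

# Long form (stand-in for formatSubnetAsHexID): strip separators, upper-case.
# An IPv6 prefix written without '::' compression yields 32+ characters here.
long_hex_id() {
    printf '%s' "$1" | tr -d '.:/' | tr 'a-f' 'A-F'
}

# Short form: the 32-bit CRC printed by cksum(1), as 8 upper-case hex digits.
# This is the shape of the A273DBBD-OUT / A0C182C8-IN names quoted above.
short_id() {
    _crc=$(printf '%s' "$1" | cksum | cut -d' ' -f1)
    printf '%08X' "$_crc"
}

# Chain name: short ID plus the direction suffix (IN or OUT).
chain_name() {
    printf '%s-%s' "$(short_id "$1")" "$2"
}

# 0 when the name fits the limit, 1 otherwise; check before 'iptables -N'.
fits_chain_limit() {
    [ "${#1}" -le "$MAX_CHAIN_LEN" ]
}

# Stand-alone run: compare both forms for a constructed uncompressed prefix.
SUBNET6='2001:0db8:0000:0000:0000:0000:0000:0000/64'
for name in "$(long_hex_id "$SUBNET6")-IN" "$(chain_name "$SUBNET6" IN)"; do
    if fits_chain_limit "$name"; then
        printf '%-36s %2d chars: ok\n' "$name" "${#name}"
    else
        printf '%-36s %2d chars: too long\n' "$name" "${#name}"
    fi
done
```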
  8. 15 Apr, 2016 3 commits
  9. 09 Apr, 2016 3 commits
    • ~ The reset target of 'Makefile.example' has been renamed to avoid confusion with the RESET function of ipturntables which rather resets (clears) all rules instead of restoring a preset file. · edca0ffa
      Branko Mikić authored
    • ~ The 'Makefile' has been renamed to 'Makefile.example' so that working copies can tweak in their local 'Makefile' file without committing such configurations to the repo. · e79331a3
      root authored
      ~ The default make targets and respectively their output files 'IPv4.rules' and 'IPv6.rules' aren't handy for completion on the console. The default base configs are now called '4.rules' and '6.rules'.
      ~ A new 'reset' make target was added which just uses ip(6)tables-restore on the default configs to reset the firewall without the necessity to process the '4.rules' and '6.rules' targets again. A convenient way to just reset the firewall.
      ~ iptables-save isn't called implicitly when running ipturntables.sh anymore; that cluttered the output too much when using small additional calls. Instead the keywords VERBOSE, LIST_RULES or SHOW_RULES can be used to output the rules tables to stdout. By default these aren't printed anymore, but in a full make run this is explicitly set to have a full output there only.
      ~ ICMP route & neighbor discovery has been revised. The ICMP subtype 143 was added to the output chain to allow "multicast listener report V2" and some additional comments about the ICMP subtypes were added.
      ~ An INVALID chain has been added and is called in the BLOCK chain, which usually logs just '[BLOCKED]' but when a packet is invalid the log-prefix now adds '(Invalid)'. Invalid packets give a good indication if someone's trying something suspicious and can be differentiated from usual packets getting blocked.
  10. 28 Mar, 2016 2 commits
  11. 24 Mar, 2016 1 commit
    • ~ FORWARD_SUBNET_PROTECTIVE call now uses an ID string better suitable for grep'ing. · 9498bb11
      Branko Mikić authored
      ~ Also the ID string of MASQUERADE has been changed to POSTROUTING_MASQUERADE and it uses the same format for device and subnet (INPUTDEV_SUBNET_OUTPUTDEV) as the FORWARD_SUBNET_PROTECTIVE call. This way it's possible to grep both and delete FORWARD_SUBNET_PROTECTIVE rules for a specific subnet config along with its POSTROUTING_MASQUERADE rule entries in one step.
      ~ REMOVE_RULES call implemented. It deletes all rules matching the given ID string. Any possible orphaned chain is deallocated (removed) too. This keeps the rules table clean.
  12. 23 Mar, 2016 1 commit
    • ~ getLinkID() implemented which extends getLinkMAC() function. · 3eb05a9f
      Branko Mikić authored
      In case of virtual network interfaces no appropriate ID was returned. getLinkID() returns a hash of the interface name instead of an empty MAC identifier when no MAC address is available. Further, the MAC address is now obtained from the /sys/class/net/* path instead of calling the ip command plus expensive grep'ing.
      ~ getLinkMac() was revised to just return the MAC address. Additionally it provides a return code for successful retrieval of a MAC address.
      ~ The ALLOW_DHCPV6_CLIENT call was revised to handle IPv4 protocol too and has been renamed to ALLOW_DHCP_CLIENT accordingly.
  13. 31 Jan, 2016 1 commit