Patch for Tunneled IPv6
Posted: 20 Aug 2012, 21:03
Hi,
I use CSF Firewall on multiple generic boxes/networks (without cPanel) and I think it's great! It saves so much time and hassle. I even use it on the router for my home LAN. Many thanks to the Dev's.
Unfortunately some of the networks I'm on do not yet have native IPv6, so instead I use a tunnel service like Hurricane Electric tunnelbroker. Using a tunnel adds an additional interface to the machine (sit0, tun0, user-defined label). The problem is in the way that CSF generates the rules: it assumes that all v6 traffic is going natively through the ETH_DEVICE (eth+) interfaces. Rules such as this do not apply to the tunnel interface, which causes tunneled IPv6 not to work.
I suggest to add a config option IPV6_TUNNEL_DEVICE where the user can manually set the name of the tunnel interface.
I have created an unofficial patch against the current version 5.60 that implements this functionality.
csf.conf
csf.patch
I use CSF Firewall on multiple generic boxes/networks (without cPanel) and I think it's great! It saves so much time and hassle. I even use it on the router for my home LAN. Many thanks to the Dev's.
Unfortunately some of the networks I'm on do not yet have native IPv6, so instead I use a tunnel service like Hurricane Electric tunnelbroker. Using a tunnel adds an additional interface to the machine (sit0, tun0, user-defined label). The problem is in the way that CSF generates the rules: it assumes that all v6 traffic is going natively through the ETH_DEVICE (eth+) interfaces. Rules such as this do not apply to the tunnel interface, which causes tunneled IPv6 not to work.
I suggest to add a config option IPV6_TUNNEL_DEVICE where the user can manually set the name of the tunnel interface.
I have created an unofficial patch against the current version 5.60 that implements this functionality.
csf.conf
# User defined IPv6 Tunnel interface (e.g. sit0, tun0, or user defined label)
# Leave empty if using native IPv6
#
# When set (and IPV6 is enabled), the patched getethdev builds the ip6tables
# "-i <name>" / "-o <name>" arguments from this value, and every IPv6 rule
# then matches this interface INSTEAD of ETH_DEVICE; when empty, the IPv6
# rules fall back to the ETH_DEVICE match.
#
# The value is interpolated verbatim into the ip6tables command line, so it
# must be exactly the kernel interface name (no spaces, no shell characters).
# NOTE(review): the trailing-'+' wildcard handling that getethdev applies to
# ETH_DEVICE does not appear to be applied to this value — confirm before
# relying on a wildcard here.
IPV6_TUNNEL_DEVICE="hetunnel"
--- a/csf-dot-pl 2012-08-20 09:00:29.000000000 -0500
+++ b/csf-dot-pl 2012-08-20 14:36:49.218025364 -0500
@@ -18,7 +18,7 @@ use Socket;
our (%input, %config, $verbose, $version, %ips, %ifaces, %messengerports,
$logmodule, $noowner, %sanity, %sanitydefault, $warning, $accept,
- $ipscidr, $ipv6reg, $ipv4reg, $nonat, $ethdevin, $ethdevout, $ipscidr6);
+ $ipscidr, $ipv6reg, $ipv4reg, $nonat, $ethdevin, $ethdevout, $ipv6ethdevout, $ipv6ethdevin, $ipscidr6);
$version = &version;
$ipscidr6 = Net::CIDR::Lite->new;
@@ -585,8 +585,8 @@ sub dostart {
if ($config{IPV6}) {
&syscommand(__LINE__,"$config{IP6TABLES} $verbose -I INPUT -i lo -j $accept");
&syscommand(__LINE__,"$config{IP6TABLES} $verbose -I OUTPUT -o lo -j $accept");
- &syscommand(__LINE__,"$config{IP6TABLES} $verbose -A OUTPUT $ethdevout -j LOGDROPOUT");
- &syscommand(__LINE__,"$config{IP6TABLES} $verbose -A INPUT $ethdevin -j LOGDROPIN");
+ &syscommand(__LINE__,"$config{IP6TABLES} $verbose -A OUTPUT $ipv6ethdevout -j LOGDROPOUT");
+ &syscommand(__LINE__,"$config{IP6TABLES} $verbose -A INPUT $ipv6ethdevin -j LOGDROPIN");
}
unless ($config{DNS_STRICT}) {
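Review bot: With IPV6_TUNNEL_DEVICE set, the `-A OUTPUT $ipv6ethdevout -j LOGDROPOUT` and `-A INPUT $ipv6ethdevin -j LOGDROPIN` rules match only the tunnel interface, so IPv6 traffic on ETH_DEVICE (link-local neighbour discovery at minimum, or any native IPv6 the host later acquires) no longer reaches the LOGDROP chains and falls through to whatever the chain policy is, whereas the original `$ethdevin`/`$ethdevout` rules covered eth+. If the intent is to filter both paths, the tunnel should be an additional match rather than a replacement: keep the existing `$ethdevin`/`$ethdevout` pair and add a second pair using `$ipv6ethdevin`/`$ipv6ethdevout` only when they differ from the ETH_DEVICE values, otherwise the native case installs duplicate rules. The same replace-instead-of-extend substitution is repeated in the DNS, LOCALINPUT/LOCALOUTPUT, INVALID, GDENY, GALLOW, ESTABLISHED/RELATED, TCP6/UDP6 port and ICMPv6 hunks below, so whichever way it is resolved should be applied consistently across all of them. sub dostart begins and ends outside this hunk.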
@@ -595,10 +595,10 @@ sub dostart {
&syscommand(__LINE__,"$config{IPTABLES} $verbose -I OUTPUT $ethdevout -p udp --dport 53 -j $accept");
&syscommand(__LINE__,"$config{IPTABLES} $verbose -I OUTPUT $ethdevout -p tcp --dport 53 -j $accept");
if ($config{IPV6}) {
- &syscommand(__LINE__,"$config{IP6TABLES} $verbose -I OUTPUT $ethdevout -p udp --sport 53 -j $accept");
- &syscommand(__LINE__,"$config{IP6TABLES} $verbose -I OUTPUT $ethdevout -p tcp --sport 53 -j $accept");
- &syscommand(__LINE__,"$config{IP6TABLES} $verbose -I OUTPUT $ethdevout -p udp --dport 53 -j $accept");
- &syscommand(__LINE__,"$config{IP6TABLES} $verbose -I OUTPUT $ethdevout -p tcp --dport 53 -j $accept");
+ &syscommand(__LINE__,"$config{IP6TABLES} $verbose -I OUTPUT $ipv6ethdevout -p udp --sport 53 -j $accept");
+ &syscommand(__LINE__,"$config{IP6TABLES} $verbose -I OUTPUT $ipv6ethdevout -p tcp --sport 53 -j $accept");
+ &syscommand(__LINE__,"$config{IP6TABLES} $verbose -I OUTPUT $ipv6ethdevout -p udp --dport 53 -j $accept");
+ &syscommand(__LINE__,"$config{IP6TABLES} $verbose -I OUTPUT $ipv6ethdevout -p tcp --dport 53 -j $accept");
}
}
@@ -657,8 +657,8 @@ sub dostart {
&syscommand(__LINE__,"$config{IPTABLES} $verbose -I OUTPUT $skipout $ethdevout -j LOCALOUTPUT");
&syscommand(__LINE__,"$config{IPTABLES} $verbose -I INPUT $skipin $ethdevin -j LOCALINPUT");
if ($config{IPV6}) {
- &syscommand(__LINE__,"$config{IP6TABLES} $verbose -I OUTPUT $ethdevout -j LOCALOUTPUT");
- &syscommand(__LINE__,"$config{IP6TABLES} $verbose -I INPUT $ethdevin -j LOCALINPUT");
+ &syscommand(__LINE__,"$config{IP6TABLES} $verbose -I OUTPUT $ipv6ethdevout -j LOCALOUTPUT");
+ &syscommand(__LINE__,"$config{IP6TABLES} $verbose -I INPUT $ipv6ethdevin -j LOCALINPUT");
}
$config{ETH_DEVICE_SKIP} =~ s/\s//g;
@@ -1141,8 +1141,8 @@ sub dopacketfilters {
&syscommand(__LINE__,"$config{IPTABLES} $verbose -I OUTPUT $ethdevout -p tcp -j INVALID");
if ($config{IPV6} and $config{IPV6_SPI}) {
&syscommand(__LINE__,"$config{IP6TABLES} $verbose -A INVDROP -j $config{DROP}");
- &syscommand(__LINE__,"$config{IP6TABLES} $verbose -I INPUT $ethdevin -p tcp -j INVALID");
- &syscommand(__LINE__,"$config{IP6TABLES} $verbose -I OUTPUT $ethdevout -p tcp -j INVALID");
+ &syscommand(__LINE__,"$config{IP6TABLES} $verbose -I INPUT $ipv6ethdevin -p tcp -j INVALID");
+ &syscommand(__LINE__,"$config{IP6TABLES} $verbose -I OUTPUT $ipv6ethdevout -p tcp -j INVALID");
}
}
}
@@ -1182,8 +1182,8 @@ sub doportfilters {
&syscommand(__LINE__,"$config{IPTABLES} $verbose -A LOCALINPUT $ethdevin -j GDENYIN");
&syscommand(__LINE__,"$config{IPTABLES} $verbose -A LOCALOUTPUT $ethdevout -j GDENYOUT");
if ($config{IPV6}) {
- &syscommand(__LINE__,"$config{IP6TABLES} $verbose -A LOCALINPUT $ethdevin -j GDENYIN");
- &syscommand(__LINE__,"$config{IP6TABLES} $verbose -A LOCALOUTPUT $ethdevout -j GDENYOUT");
+ &syscommand(__LINE__,"$config{IP6TABLES} $verbose -A LOCALINPUT $ipv6ethdevin -j GDENYIN");
+ &syscommand(__LINE__,"$config{IP6TABLES} $verbose -A LOCALOUTPUT $ipv6ethdevout -j GDENYOUT");
}
}
@@ -1318,8 +1318,8 @@ sub doportfilters {
&syscommand(__LINE__,"$config{IPTABLES} $verbose -I LOCALINPUT $ethdevin -j GALLOWIN");
&syscommand(__LINE__,"$config{IPTABLES} $verbose -I LOCALOUTPUT $ethdevout -j GALLOWOUT");
if ($config{IPV6}) {
- &syscommand(__LINE__,"$config{IP6TABLES} $verbose -I LOCALINPUT $ethdevin -j GALLOWIN");
- &syscommand(__LINE__,"$config{IP6TABLES} $verbose -I LOCALOUTPUT $ethdevout -j GALLOWOUT");
+ &syscommand(__LINE__,"$config{IP6TABLES} $verbose -I LOCALINPUT $ipv6ethdevin -j GALLOWIN");
+ &syscommand(__LINE__,"$config{IP6TABLES} $verbose -I LOCALOUTPUT $ipv6ethdevout -j GALLOWOUT");
}
}
@@ -1570,8 +1570,8 @@ sub doportfilters {
&syscommand(__LINE__,"$config{IPTABLES} $verbose -A INPUT $ethdevin -m state --state ESTABLISHED,RELATED -j $accept");
&syscommand(__LINE__,"$config{IPTABLES} $verbose -A OUTPUT $ethdevout -m state --state ESTABLISHED,RELATED -j $accept");
if ($config{IPV6} and $config{IPV6_SPI}) {
- &syscommand(__LINE__,"$config{IP6TABLES} $verbose -A INPUT $ethdevin -m state --state ESTABLISHED,RELATED -j $accept");
- &syscommand(__LINE__,"$config{IP6TABLES} $verbose -A OUTPUT $ethdevout -m state --state ESTABLISHED,RELATED -j $accept");
+ &syscommand(__LINE__,"$config{IP6TABLES} $verbose -A INPUT $ipv6ethdevin -m state --state ESTABLISHED,RELATED -j $accept");
+ &syscommand(__LINE__,"$config{IP6TABLES} $verbose -A OUTPUT $ipv6ethdevout -m state --state ESTABLISHED,RELATED -j $accept");
}
$config{PORTKNOCKING} =~ s/\s//g;
@@ -1618,9 +1618,9 @@ sub doportfilters {
if ($port eq "") {next}
if ($port !~ /^[\d:]*$/) {&error(__LINE__,"Invalid TCP6_IN port [$port]")}
if ($config{IPV6_SPI}) {
- &syscommand(__LINE__,"$config{IP6TABLES} $verbose -A INPUT $ethdevin -p tcp -m state --state NEW --dport $port -j $accept");
+ &syscommand(__LINE__,"$config{IP6TABLES} $verbose -A INPUT $ipv6ethdevin -p tcp -m state --state NEW --dport $port -j $accept");
} else {
- &syscommand(__LINE__,"$config{IP6TABLES} $verbose -A INPUT $ethdevin -p tcp --dport $port -j $accept");
+ &syscommand(__LINE__,"$config{IP6TABLES} $verbose -A INPUT $ipv6ethdevin -p tcp --dport $port -j $accept");
}
}
}
@@ -1639,9 +1639,9 @@ sub doportfilters {
if ($port eq "") {next}
if ($port !~ /^[\d:]*$/) {&error(__LINE__,"Invalid TCP6_OUT port [$port]")}
if ($config{IPV6_SPI}) {
- &syscommand(__LINE__,"$config{IP6TABLES} $verbose -A OUTPUT $ethdevout -p tcp -m state --state NEW --dport $port -j $accept");
+ &syscommand(__LINE__,"$config{IP6TABLES} $verbose -A OUTPUT $ipv6ethdevout -p tcp -m state --state NEW --dport $port -j $accept");
} else {
- &syscommand(__LINE__,"$config{IP6TABLES} $verbose -A OUTPUT $ethdevout -p tcp --dport $port -j $accept");
+ &syscommand(__LINE__,"$config{IP6TABLES} $verbose -A OUTPUT $ipv6ethdevout -p tcp --dport $port -j $accept");
}
}
}
@@ -1660,9 +1660,9 @@ sub doportfilters {
if ($port eq "") {next}
if ($port !~ /^[\d:]*$/) {&error(__LINE__,"Invalid UDP6_IN port [$port]")}
if ($config{IPV6_SPI}) {
- &syscommand(__LINE__,"$config{IP6TABLES} $verbose -A INPUT $ethdevin -p udp -m state --state NEW --dport $port -j $accept");
+ &syscommand(__LINE__,"$config{IP6TABLES} $verbose -A INPUT $ipv6ethdevin -p udp -m state --state NEW --dport $port -j $accept");
} else {
- &syscommand(__LINE__,"$config{IP6TABLES} $verbose -A INPUT $ethdevin -p udp --dport $port -j $accept");
+ &syscommand(__LINE__,"$config{IP6TABLES} $verbose -A INPUT $ipv6ethdevin -p udp --dport $port -j $accept");
}
}
}
@@ -1681,9 +1681,9 @@ sub doportfilters {
if ($port eq "") {next}
if ($port !~ /^[\d:]*$/) {&error(__LINE__,"Invalid UDP6_OUT port [$port]")}
if ($config{IPV6_SPI}) {
- &syscommand(__LINE__,"$config{IP6TABLES} $verbose -A OUTPUT $ethdevout -p udp -m state --state NEW --dport $port -j $accept");
+ &syscommand(__LINE__,"$config{IP6TABLES} $verbose -A OUTPUT $ipv6ethdevout -p udp -m state --state NEW --dport $port -j $accept");
} else {
- &syscommand(__LINE__,"$config{IP6TABLES} $verbose -A OUTPUT $ethdevout -p udp --dport $port -j $accept");
+ &syscommand(__LINE__,"$config{IP6TABLES} $verbose -A OUTPUT $ipv6ethdevout -p udp --dport $port -j $accept");
}
}
}
@@ -1715,21 +1715,21 @@ sub doportfilters {
if ($config{IPV6}) {
if ($config{IPV6_ICMP_STRICT}) {
- &syscommand(__LINE__,"$config{IP6TABLES} $verbose -A INPUT $ethdevin -p icmpv6 --icmpv6-type destination-unreachable -j $accept");
- &syscommand(__LINE__,"$config{IP6TABLES} $verbose -A INPUT $ethdevin -p icmpv6 --icmpv6-type packet-too-big -j $accept");
- &syscommand(__LINE__,"$config{IP6TABLES} $verbose -A INPUT $ethdevin -p icmpv6 --icmpv6-type time-exceeded -j $accept");
- &syscommand(__LINE__,"$config{IP6TABLES} $verbose -A INPUT $ethdevin -p icmpv6 --icmpv6-type parameter-problem -j $accept");
- &syscommand(__LINE__,"$config{IP6TABLES} $verbose -A INPUT $ethdevin -p icmpv6 --icmpv6-type echo-request -j $accept");
- &syscommand(__LINE__,"$config{IP6TABLES} $verbose -A INPUT $ethdevin -p icmpv6 --icmpv6-type echo-reply -j $accept");
- &syscommand(__LINE__,"$config{IP6TABLES} $verbose -A INPUT $ethdevin -p icmpv6 --icmpv6-type router-advertisement -m hl --hl-eq 255 -j $accept");
- &syscommand(__LINE__,"$config{IP6TABLES} $verbose -A INPUT $ethdevin -p icmpv6 --icmpv6-type neighbor-solicitation -m hl --hl-eq 255 -j $accept");
- &syscommand(__LINE__,"$config{IP6TABLES} $verbose -A INPUT $ethdevin -p icmpv6 --icmpv6-type neighbor-advertisement -m hl --hl-eq 255 -j $accept");
- &syscommand(__LINE__,"$config{IP6TABLES} $verbose -A INPUT $ethdevin -p icmpv6 --icmpv6-type redirect -m hl --hl-eq 255 -j $accept");
+ &syscommand(__LINE__,"$config{IP6TABLES} $verbose -A INPUT $ipv6ethdevin -p icmpv6 --icmpv6-type destination-unreachable -j $accept");
+ &syscommand(__LINE__,"$config{IP6TABLES} $verbose -A INPUT $ipv6ethdevin -p icmpv6 --icmpv6-type packet-too-big -j $accept");
+ &syscommand(__LINE__,"$config{IP6TABLES} $verbose -A INPUT $ipv6ethdevin -p icmpv6 --icmpv6-type time-exceeded -j $accept");
+ &syscommand(__LINE__,"$config{IP6TABLES} $verbose -A INPUT $ipv6ethdevin -p icmpv6 --icmpv6-type parameter-problem -j $accept");
+ &syscommand(__LINE__,"$config{IP6TABLES} $verbose -A INPUT $ipv6ethdevin -p icmpv6 --icmpv6-type echo-request -j $accept");
+ &syscommand(__LINE__,"$config{IP6TABLES} $verbose -A INPUT $ipv6ethdevin -p icmpv6 --icmpv6-type echo-reply -j $accept");
+ &syscommand(__LINE__,"$config{IP6TABLES} $verbose -A INPUT $ipv6ethdevin -p icmpv6 --icmpv6-type router-advertisement -m hl --hl-eq 255 -j $accept");
+ &syscommand(__LINE__,"$config{IP6TABLES} $verbose -A INPUT $ipv6ethdevin -p icmpv6 --icmpv6-type neighbor-solicitation -m hl --hl-eq 255 -j $accept");
+ &syscommand(__LINE__,"$config{IP6TABLES} $verbose -A INPUT $ipv6ethdevin -p icmpv6 --icmpv6-type neighbor-advertisement -m hl --hl-eq 255 -j $accept");
+ &syscommand(__LINE__,"$config{IP6TABLES} $verbose -A INPUT $ipv6ethdevin -p icmpv6 --icmpv6-type redirect -m hl --hl-eq 255 -j $accept");
} else {
- &syscommand(__LINE__,"$config{IP6TABLES} $verbose -A INPUT $ethdevin -p icmpv6 -j $accept");
+ &syscommand(__LINE__,"$config{IP6TABLES} $verbose -A INPUT $ipv6ethdevin -p icmpv6 -j $accept");
}
- &syscommand(__LINE__,"$config{IP6TABLES} $verbose -A OUTPUT $ethdevout -p icmpv6 -j $accept");
+ &syscommand(__LINE__,"$config{IP6TABLES} $verbose -A OUTPUT $ipv6ethdevout -p icmpv6 -j $accept");
# &syscommand(__LINE__,"$config{IP6TABLES} $verbose -A OUTPUT $ethdevout -p icmpv6 --icmpv6-type destination-unreachable -j $accept");
# &syscommand(__LINE__,"$config{IP6TABLES} $verbose -A OUTPUT $ethdevout -p icmpv6 --icmpv6-type packet-too-big -j $accept");
# &syscommand(__LINE__,"$config{IP6TABLES} $verbose -A OUTPUT $ethdevout -p icmpv6 --icmpv6-type time-exceeded -j $accept");
@@ -2007,6 +2007,13 @@ sub getethdev {
$ethdevin = "-i $config{ETH_DEVICE}";
$ethdevout = "-o $config{ETH_DEVICE}";
}
+ if ($config{IPV6} && $config{IPV6_TUNNEL_DEVICE}) {
+ $ipv6ethdevin = "-i $config{IPV6_TUNNEL_DEVICE}";
+ $ipv6ethdevout = "-o $config{IPV6_TUNNEL_DEVICE}";
+ } else {
+ $ipv6ethdevin = $ethdevin;
+ $ipv6ethdevout = $ethdevout;
+ }
if ($config{ETH_DEVICE} =~ /\+$/) {return}