matthias/panda_linux
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Switch VPN back to UDP, update firewall, make VPN use CRL

Browse Source
This commit is contained in:
Matthias Blankertz
2014-04-14 14:24:45 +02:00
parent ddf69d035d
commit f7f1de4bf5
4 changed files with 27 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

15
overlay/etc/firewall.sh
View File

@@ -92,7 +92,9 @@ iptables -A FORWARD -p icmp --icmp-type 0/0 -j ACCEPT
iptables -A FORWARD -p icmp --icmp-type 3 -j ACCEPT
# Allow services such as ssh (can be disabled)
iptables -A INPUT -p tcp -m multiport --dports ssh,1194 -j ACCEPT -m state --state NEW
iptables -A INPUT -p tcp --dport ssh -j ACCEPT -m state --state NEW
iptables -A INPUT -p udp --dport 1194 -j ACCEPT -m state --state NEW
# Allow packets from TUN/TAP devices.
# When OpenVPN is run in a secure mode,
@@ -177,7 +179,8 @@ ip6tables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
ip6tables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allow ssh and openvpn access
ip6tables -A INPUT -i $LANIF -d $IP6LANIP -p tcp -m multiport --dports ssh,1194 -m state --state NEW -j ACCEPT
ip6tables -A INPUT -i $LANIF -d $IP6LANIP -p tcp --dport ssh -m state --state NEW -j ACCEPT
ip6tables -A INPUT -i $LANIF -d $IP6LANIP -p udp --dport 1194 -m state --state NEW -j ACCEPT
# Allow useful ICMPv6
ip6tables -A INPUT -i $LANIF -p ipv6-icmp -m icmp6 --icmpv6-type 128/0 -m state --state NEW -j ACCEPT
@@ -187,9 +190,15 @@ ip6tables -A INPUT -i $LANIF -p ipv6-icmp -m icmp6 --icmpv6-type 2 -m state -
ip6tables -A INPUT -i $LANIF -p ipv6-icmp -m icmp6 --icmpv6-type 1 -m state --state NEW -j ACCEPT
ip6tables -A INPUT -i $LANIF -p ipv6-icmp -m icmp6 --icmpv6-type 129/0 -m state --state NEW -j ACCEPT
# Allow ARPv6
# Allow NDP
ip6tables -A INPUT -i $LANIF -p ipv6-icmp -m icmp6 --icmpv6-type 135/0 -j ACCEPT
ip6tables -A INPUT -i $LANIF -p ipv6-icmp -m icmp6 --icmpv6-type 136/0 -j ACCEPT
ip6tables -A INPUT -i $LANIF -p ipv6-icmp -m icmp6 --icmpv6-type 134/0 -j ACCEPT
ip6tables -N NoRouterAdv
ip6tables -A OUTPUT -o $LANIF -p ipv6-icmp -m icmp6 --icmpv6-type 134/0 -j NoRouterAdv # Protect from misconfiguration (we are not a router)
ip6tables -A FORWARD -o $LANIF -p ipv6-icmp -m icmp6 --icmpv6-type 134/0 -j NoRouterAdv
ip6tables -A NoRouterAdv -j LOG --log-prefix "NORADV6 "
ip6tables -A NoRouterAdv -j DROP
ip6tables -A INPUT -j LOG --log-prefix "CATCHALL6 "
ip6tables -A FORWARD -j LOG --log-prefix "CATCHALL6 "