-
Notifications
You must be signed in to change notification settings - Fork 1
/
Copy pathREADME
61 lines (55 loc) · 3.24 KB
/
README
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
+----------------------------------------------+
| carbfw6 version 0.1 |
| by [email protected] |
+----------------------------------------------+
1. Purpose
This script was started to generate ip6tables rules for hosts and the current
release more or less supports this. However there is a section that controls
routing and this is mainly for the purpose of handling minor forwarding
filtering with regards to virtual machines and filtering the routes between
their private networks.
2. Configuration & Defaults
Currently the script uses variables at the beginning of the script to control
it's behavior. Editing of these variables changes sections of the resulting
rules.
2.1 Control variables
These variables enable and disable different code blocks. They can be set as
on with the value of "1", any other value disables them.
* flush - enables a code block to remove the current iptables rules and
tables.
* mobile - enables rules to allow the transit of Mobile IPv6 related ICMP
packets
* backup - enables code to backup your current ip6tables rules, restorable
with ip6tables-restore <filename>
* r_enable - enables the iptables that go into the FORWARD table
* r_stateful - enables a rule to statefully allow returning packets
2.2 Host variables
These variables influence and provide data and settings for various parts of
the host oriented ip6tables rule generation. These sections describe what
format the script will expect in the variable.
* backup_file - variable sets the location of the ip6tables-save output
* ip6t - the variable that stores the ip6tables location/flags/command
* localPrefix - An array that stores all the network prefixes you would
consider to be local and implicitly trusted
* internetPrefix - an array storing public prefixes so that packets sourced
from these IPs can be considered local as well
* localPorts - ports to accept from hosts in the networks specified in the
previous two variables. The ports are specified in the /etc/services
standard of <port number>/<transport protocol> and seperated by spaces.
* publicPorts - ports to accept from the big wide internets.
2.3 Routing variables
These variables control various behaviors within the routing rules generation
subsystem.
* r_blockPorts - specifies ports to block while crossing the FORWARD table
using the /etc/services format specified in earlier configuration parameters
* r_interf - specifies directional allowed transit paths between interfaces
while crossing the FORWARD table. Combinations are specified by a custom
standard of [source interface]>[destination interface] and seperated by
spaces. If r_stateful is enabled packets can return to their source network
without an explicitly specified return path in this section.
3. Development
Please bear in mind this is an early development release. If you find any
bugs, have any ideas, or have coded any features, please send them back to
the maintainer. This script may also see major changes in the future;
backwards compatability is likely to be a rare luxury.
The current maintainer of this script is CarbonLifeForm<at>psych0tik.net