On 01/07/2017 10:19 AM, Luke Jordan wrote:
> On 07.01.2017 at 18:38, Tom Eastep wrote:
>>>> Did you add DNPT as a nat builtin action in 
>>>> /etc/shorewall6/actions?
>> 
>> I meant 'mangle' rather than 'nat'.
> 
> sure
> 
> # shorewall6 show actions
> A_AllowICMPs                          # Audited Accept needed ICMP6 types
> A_Drop                                # Audited Default Action for DROP policy
> allowBcasts                           # Accept multicast and anycast packets
> AllowICMPs                            # Accept needed ICMP6 types
> allowInvalid inline                   # Accepts packets in the INVALID conntrack state
> A_Reject                              # Audited Default Action for REJECT policy
> AutoBLL      noinline                 # Helper for AutoBL
> AutoBL       noinline                 # Auto-blacklist IPs that exceed thesholds
> Broadcast    noinline                 # Handles Broadcast/Multicast/Anycast
> DNPT         builtin,mangle,terminating
> dropBcasts                            # Silently Drop multicast and anycast packets
> Drop                                  # Default Action for DROP policy
> dropInvalid  inline                   # Drops packets in the INVALID conntrack state
> dropNotSyn                            # Silently Drop Non-syn TCP packets
> DropSmurfs   noinline                 # Handles packets with a broadcast source address
> Established  inline,\                 # Handles packets in the ESTABLISHED state
> IfEvent      noinline                 # Perform an action based on an event
> Invalid      inline,audit,\           # Handles packets in the INVALID conntrack state
> New          inline,state=NEW         # Handles packets in the NEW conntrack state
> NotSyn       inline                   # Handles TCP packets that do not have SYN=1 and ACK=0
> Reject                                # Default Action for REJECT policy
> rejNotSyn                             # Silently Reject Non-syn TCP packets
> Related      inline,\                 # Handles packets in the RELATED conntrack state
> ResetEvent   inline                   # Reset an Event
> RST          inline                   # Handle packets with RST set
> SetEvent     inline                   # Initialize an event
> SNPT         builtin,mangle,terminating
> TCPFlags                              # Handles bad flags combinations
> Untracked    inline,\                 # Handles packets in the UNTRACKED conntrack state
> 
>>> Nevermind -- it is a bug in the IP6TABLES parser -- it doesn't 
>>> expect IPv6 addresses in the action parameters :-(
>> 
>> 
>> You can work around the problem by fully expressing the IP
>> addresses (e.g., 2001:XXXX:YYYY:100:0:0:0:0/64).
> 
> This workaround shows a new problem:
> 
> # shorewall6 start
> [...]
> Preparing ip6tables-restore input...
> Running /sbin/ip6tables-restore ...
> ip6tables-restore: line 34 failed
>    ERROR: iptables-restore Failed. Input is in /var/lib/shorewall6/.ip6tables-restore-input
> Preparing ip6tables-restore input...
> Running /sbin/ip6tables-restore...
> Terminated
> 
> line 32 is "COMMIT"
> 
> # cat /var/lib/shorewall6/.ip6tables-restore-input
> #
> # Generated by Shorewall 5.0.14.1 - Sa 7. Jan 19:13:28 CET 2017
> #
> *raw
> :PREROUTING ACCEPT [0:0]
> :OUTPUT ACCEPT [0:0]
> COMMIT
> *nat
> :PREROUTING ACCEPT [0:0]
> :OUTPUT ACCEPT [0:0]
> :POSTROUTING ACCEPT [0:0]
> COMMIT
> *mangle
> :PREROUTING ACCEPT [0:0]
> :INPUT ACCEPT [0:0]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [0:0]
> :POSTROUTING ACCEPT [0:0]
> :tcfor - [0:0]
> :tcin - [0:0]
> :tcout - [0:0]
> :tcpost - [0:0]
> :tcpre - [0:0]
> -A PREROUTING -j tcpre
> -A INPUT -j tcin
> -A FORWARD -j MARK --set-mark 0/0xff00
> -A FORWARD -j tcfor
> -A OUTPUT -j tcout
> -A POSTROUTING -j tcpost
> -A tcpre -p 6 -m multiport --dports 22,47238,52486 -i eth0 -j MARK --set-mark 768
> -A tcpre -i eth0 -j MARK --set-mark 512
> -A tcpre -i eth0 -j DNPT --src-pfx 2001:XXXX:YYYY:100:0:0:0:0/64 --dst-pfx fdae:fa7:dead:beef:0:0:0:0/64
> -A tcpre -i eth0 -j SNPT --src-pfx fdae:fa7:dead:beef:0:0:0:0/64 --dst-pfx 2001:XXXX:YYYY:100:0:0:0:0/64
> COMMIT
> *filter
> :INPUT DROP [0:0]
> :FORWARD DROP [0:0]
> :OUTPUT DROP [0:0]
> :AllowICMPs - [0:0]
> :Broadcast - [0:0]
> :Reject - [0:0]
> :cbl-dsl - [0:0]
> :cbl-fw - [0:0]
> :cbl-int - [0:0]
> :cbl_frwd - [0:0]
> :dsl-cbl - [0:0]
> :dsl-fw - [0:0]
> :dsl-int - [0:0]
> :dsl_frwd - [0:0]
> :dynamic - [0:0]
> :fw-cbl - [0:0]
> :fw-dsl - [0:0]
> :fw-int - [0:0]
> :int-cbl - [0:0]
> :int-dsl - [0:0]
> :int-fw - [0:0]
> :int_frwd - [0:0]
> :logdrop - [0:0]
> :logflags - [0:0]
> :logreject - [0:0]
> :reject - [0:0]
> :sfilter - [0:0]
> :tcpflags - [0:0]
> :sha-lh-780b52025322fe413b49 - [0:0]
> :sha-rh-88253ba662f5e71f112e - [0:0]
> -A INPUT -i eth1 -j dsl-fw
> -A INPUT -i eth2 -j cbl-fw
> -A INPUT -i eth0 -j int-fw
> -A INPUT -i lo -j ACCEPT
> -A INPUT -j Reject
> -A INPUT -j LOG --log-level 6 --log-prefix "Shorewall:INPUT:REJECT:"
> -A INPUT -g reject
> -A FORWARD -i eth1 -j dsl_frwd
> -A FORWARD -i eth2 -j cbl_frwd
> -A FORWARD -i eth0 -j int_frwd
> -A FORWARD -j Reject
> -A FORWARD -j LOG --log-level 6 --log-prefix "Shorewall:FORWARD:REJECT:"
> -A FORWARD -g reject
> -A OUTPUT -o eth1 -j fw-dsl
> -A OUTPUT -o eth2 -j fw-cbl
> -A OUTPUT -o eth0 -j fw-int
> -A OUTPUT -o lo -j ACCEPT
> -A OUTPUT -j Reject
> -A OUTPUT -j LOG --log-level 6 --log-prefix "Shorewall:OUTPUT:REJECT:"
> -A OUTPUT -g reject
> -A AllowICMPs -p 58 --icmpv6-type 1 -j ACCEPT -m comment --comment "Needed ICMP types (RFC4890)"
> -A AllowICMPs -p 58 --icmpv6-type 2 -j ACCEPT -m comment --comment "Needed ICMP types (RFC4890)"
> -A AllowICMPs -p 58 --icmpv6-type 3 -j ACCEPT -m comment --comment "Needed ICMP types (RFC4890)"
> -A AllowICMPs -p 58 --icmpv6-type 4 -j ACCEPT -m comment --comment "Needed ICMP types (RFC4890)"
> -A AllowICMPs -p 58 --icmpv6-type 133 -j ACCEPT -m comment --comment "Needed ICMP types (RFC4890)"
> -A AllowICMPs -p 58 --icmpv6-type 134 -j ACCEPT -m comment --comment "Needed ICMP types (RFC4890)"
> -A AllowICMPs -p 58 --icmpv6-type 135 -j ACCEPT -m comment --comment "Needed ICMP types (RFC4890)"
> -A AllowICMPs -p 58 --icmpv6-type 136 -j ACCEPT -m comment --comment "Needed ICMP types (RFC4890)"
> -A AllowICMPs -p 58 --icmpv6-type 137 -j ACCEPT -m comment --comment "Needed ICMP types (RFC4890)"
> -A AllowICMPs -p 58 --icmpv6-type 141 -j ACCEPT -m comment --comment "Needed ICMP types (RFC4890)"
> -A AllowICMPs -p 58 --icmpv6-type 142 -j ACCEPT -m comment --comment "Needed ICMP types (RFC4890)"
> -A AllowICMPs -s fe80::/10 -p 58 --icmpv6-type 130 -j ACCEPT -m comment --comment "Needed ICMP types (RFC4890)"
> -A AllowICMPs -s fe80::/10 -p 58 --icmpv6-type 131 -j ACCEPT -m comment --comment "Needed ICMP types (RFC4890)"
> -A AllowICMPs -s fe80::/10 -p 58 --icmpv6-type 132 -j ACCEPT -m comment --comment "Needed ICMP types (RFC4890)"
> -A AllowICMPs -s fe80::/10 -p 58 --icmpv6-type 143 -j ACCEPT -m comment --comment "Needed ICMP types (RFC4890)"
> -A AllowICMPs -p 58 --icmpv6-type 148 -j ACCEPT -m comment --comment "Needed ICMP types (RFC4890)"
> -A AllowICMPs -p 58 --icmpv6-type 149 -j ACCEPT -m comment --comment "Needed ICMP types (RFC4890)"
> -A AllowICMPs -s fe80::/10 -p 58 --icmpv6-type 151 -j ACCEPT -m comment --comment "Needed ICMP types (RFC4890)"
> -A AllowICMPs -s fe80::/10 -p 58 --icmpv6-type 152 -j ACCEPT -m comment --comment "Needed ICMP types (RFC4890)"
> -A AllowICMPs -s fe80::/10 -p 58 --icmpv6-type 153 -j ACCEPT -m comment --comment "Needed ICMP types (RFC4890)"
> -A Broadcast -d 2001:XXXX:YYYY:0:: -j DROP
> -A Broadcast -d 2001:XXXX:YYYY:0:ffff:ffff:ffff:ffff/121 -j DROP
> -A Broadcast -d 2a02:XXXX:YYYY:f972:: -j DROP
> -A Broadcast -d 2a02:XXXX:YYYY:f972:ffff:ffff:ffff:ffff/121 -j DROP
> -A Broadcast -d ff00::/8 -j DROP
> -A Reject
> -A Reject -p 58 -j AllowICMPs
> -A Reject -j Broadcast
> -A Reject -m conntrack --ctstate INVALID -j DROP
> -A Reject -p 17 -m multiport --dports 135,445 -g reject -m comment --comment "SMB"
> -A Reject -p 17 --dport 137:139 -g reject -m comment --comment "SMB"
> -A Reject -p 17 --dport 1024:65535 --sport 137 -g reject -m comment --comment "SMB"
> -A Reject -p 6 -m multiport --dports 135,139,445 -g reject -m comment --comment "SMB"
> -A Reject -p 17 --dport 1900 -j DROP -m comment --comment "UPnP"
> -A Reject -p 6 ! --syn -j DROP
> -A Reject -p 17 --sport 53 -j DROP -m comment --comment "Late DNS Replies"
> -A cbl-dsl -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
> -A cbl-dsl -j Reject
> -A cbl-dsl -j LOG --log-level 6 --log-prefix "Shorewall:cbl-dsl:REJECT:"
> -A cbl-dsl -g reject
> -A cbl-fw -m conntrack --ctstate NEW,INVALID,UNTRACKED -j dynamic
> -A cbl-fw -p tcp -j tcpflags
> -A cbl-fw -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
> -A cbl-fw -j Reject
> -A cbl-fw -j LOG --log-level 6 --log-prefix "Shorewall:cbl-fw:REJECT:"
> -A cbl-fw -g reject
> -A cbl-int -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
> -A cbl-int -j Reject
> -A cbl-int -j LOG --log-level 6 --log-prefix "Shorewall:cbl-int:REJECT:"
> -A cbl-int -g reject
> -A cbl_frwd -o eth2 -g sfilter
> -A cbl_frwd -m conntrack --ctstate NEW,INVALID,UNTRACKED -j dynamic
> -A cbl_frwd -p tcp -j tcpflags
> -A cbl_frwd -o eth1 -j cbl-dsl
> -A cbl_frwd -o eth0 -j cbl-int
> -A dsl-cbl -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
> -A dsl-cbl -j Reject
> -A dsl-cbl -j LOG --log-level 6 --log-prefix "Shorewall:dsl-cbl:REJECT:"
> -A dsl-cbl -g reject
> -A dsl-fw -m conntrack --ctstate NEW,INVALID,UNTRACKED -j dynamic
> -A dsl-fw -p tcp -j tcpflags
> -A dsl-fw -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
> -A dsl-fw -p 58 -j ACCEPT
> -A dsl-fw -j Reject
> -A dsl-fw -j LOG --log-level 6 --log-prefix "Shorewall:dsl-fw:REJECT:"
> -A dsl-fw -g reject
> -A dsl-int -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
> -A dsl-int -j Reject
> -A dsl-int -j LOG --log-level 6 --log-prefix "Shorewall:dsl-int:REJECT:"
> -A dsl-int -g reject
> -A dsl_frwd -o eth1 -g sfilter
> -A dsl_frwd -m conntrack --ctstate NEW,INVALID,UNTRACKED -j dynamic
> -A dsl_frwd -p tcp -j tcpflags
> -A dsl_frwd -o eth2 -j dsl-cbl
> -A dsl_frwd -o eth0 -j dsl-int
> -A fw-cbl -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
> -A fw-cbl -j LOG --log-level 6 --log-prefix "Shorewall:fw-cbl:ACCEPT:"
> -A fw-cbl -j ACCEPT
> -A fw-dsl -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
> -A fw-dsl -j LOG --log-level 6 --log-prefix "Shorewall:fw-dsl:ACCEPT:"
> -A fw-dsl -j ACCEPT
> -A fw-int -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
> -A fw-int -p 58 -j ACCEPT
> -A fw-int -j LOG --log-level 6 --log-prefix "Shorewall:fw-int:ACCEPT:"
> -A fw-int -j ACCEPT
> -A int-cbl -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
> -A int-cbl -j LOG --log-level 6 --log-prefix "Shorewall:int-cbl:ACCEPT:"
> -A int-cbl -j ACCEPT
> -A int-dsl -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
> -A int-dsl -j LOG --log-level 6 --log-prefix "Shorewall:int-dsl:ACCEPT:"
> -A int-dsl -j ACCEPT
> -A int-fw -m conntrack --ctstate NEW,INVALID,UNTRACKED -j dynamic
> -A int-fw -p tcp -j tcpflags
> -A int-fw -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
> -A int-fw -j LOG --log-level 6 --log-prefix "Shorewall:int-fw:ACCEPT:"
> -A int-fw -j ACCEPT
> -A int_frwd -o eth0 -g sfilter
> -A int_frwd -m conntrack --ctstate NEW,INVALID,UNTRACKED -j dynamic
> -A int_frwd -p tcp -j tcpflags
> -A int_frwd -o eth1 -j int-dsl
> -A int_frwd -o eth2 -j int-cbl
> -A logdrop -j DROP
> -A logflags -j LOG --log-ip-options --log-level 6 --log-prefix "Shorewall:logflags:DROP:"
> -A logflags -j DROP
> -A logreject -j reject
> -A reject -d 2001:XXXX:YYYY:0:: -j DROP
> -A reject -d 2001:XXXX:YYYY:0:ffff:ffff:ffff:ffff/121 -j DROP
> -A reject -d 2a02:XXXX:YYYY:f972:: -j DROP
> -A reject -d 2a02:XXXX:YYYY:f972:ffff:ffff:ffff:ffff/121 -j DROP
> -A reject -s ff00::/8 -j DROP
> -A reject -p 2 -j DROP
> -A reject -p 6 -j REJECT --reject-with tcp-reset
> -A reject -p 17 -j REJECT
> -A reject -p 58 -j REJECT --reject-with icmp6-addr-unreachable
> -A reject -j REJECT --reject-with icmp6-adm-prohibited
> -A sfilter -j LOG --log-level 6 --log-prefix "Shorewall:sfilter:DROP:"
> -A sfilter -j DROP
> -A tcpflags -p tcp --tcp-flags ALL FIN,URG,PSH -g logflags
> -A tcpflags -p tcp --tcp-flags ALL NONE -g logflags
> -A tcpflags -p tcp --tcp-flags SYN,RST SYN,RST -g logflags
> -A tcpflags -p tcp --tcp-flags FIN,RST FIN,RST -g logflags
> -A tcpflags -p tcp --tcp-flags SYN,FIN SYN,FIN -g logflags
> -A tcpflags -p tcp --tcp-flags ACK,PSH,FIN PSH,FIN -g logflags
> -A tcpflags -p tcp --syn --sport 0 -g logflags
> COMMIT
> 
> # dmesg
> [...]
> [5944577.629325] xt_addrtype: ipv6 does not support BROADCAST matching
> [5944579.777435] x_tables: ip6_tables: SNPT target: used from hooks PREROUTING, but only usable from INPUT/POSTROUTING
> 
> The problem is the following line in /etc/shorewall6/mangle:
> 
> IP6TABLES(SNPT --src-pfx fdae:fa7:dead:beef:0:0:0:0/64 --dst-pfx 2001:XXXX:YYYY:100:0:0:0:0/64 ):P

That should be :T, not :P

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
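An added pre-flight check, written for this thread and not part of Shorewall or of either poster's message, that catches the mistake above before ip6tables-restore rejects the whole ruleset: it parses the *mangle section of a restore file, follows -j/-g jumps out of the built-in chains, and reports every SNPT or DNPT rule that is reachable from a hook the target cannot run in. SNPT's permitted hooks are taken from the kernel message quoted above; DNPT's are the mirror set the kernel's xt_NPT module registers; the sample input is a constructed cut-down copy of the thread's mangle table.

```python
from collections import defaultdict
# Hooks each NPT target may run from: SNPT per the kernel message quoted in the
# thread, DNPT the mirror set registered by the kernel's xt_NPT module.
ALLOWED_HOOKS = {"SNPT": {"INPUT", "POSTROUTING"}, "DNPT": {"PREROUTING", "OUTPUT"}}
BUILTIN = ("PREROUTING", "INPUT", "FORWARD", "OUTPUT", "POSTROUTING")

def npt_hook_errors(restore_text):
    """(line_no, target, chain, bad_hooks) for each *mangle SNPT/DNPT rule
    that is reachable from a hook the target does not support."""
    table, edges, npt_rules = None, defaultdict(set), []
    for no, line in enumerate(restore_text.splitlines(), 1):
        line = line.strip()
        if line.startswith("*"):                     # table header, e.g. *mangle
            table = line[1:]
        elif table == "mangle" and line.startswith("-A "):
            parts = line.split()
            for flag in ("-j", "-g"):                # jump / goto target
                if flag in parts:
                    target = parts[parts.index(flag) + 1]
                    if target in ALLOWED_HOOKS:
                        npt_rules.append((no, target, parts[1]))
                    else:
                        edges[parts[1]].add(target)  # chain -> chain edge
    reach = defaultdict(set)                         # chain -> hooks that reach it
    def walk(hook, chain):
        if hook not in reach[chain]:
            reach[chain].add(hook)
            for nxt in edges[chain]:
                walk(hook, nxt)
    for hook in BUILTIN:
        walk(hook, hook)
    return [(no, t, c, sorted(reach[c] - ALLOWED_HOOKS[t]))
            for no, t, c in npt_rules if reach[c] - ALLOWED_HOOKS[t]]

# Constructed sample modelled on the thread's *mangle section: the ":P" rule put
# SNPT into tcpre, which PREROUTING jumps to.
SAMPLE = """\
*mangle
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:tcpre - [0:0]
:tcpost - [0:0]
-A PREROUTING -j tcpre
-A POSTROUTING -j tcpost
-A tcpre -i eth0 -j DNPT --src-pfx 2001:XXXX:YYYY:100:0:0:0:0/64 --dst-pfx fdae:fa7:dead:beef:0:0:0:0/64
-A tcpre -i eth0 -j SNPT --src-pfx fdae:fa7:dead:beef:0:0:0:0/64 --dst-pfx 2001:XXXX:YYYY:100:0:0:0:0/64
COMMIT
"""
# Constructed shape of the ":T" variant: the SNPT rule sits in tcpost, reached from POSTROUTING.
FIXED = SAMPLE.replace("-A tcpre -i eth0 -j SNPT", "-A tcpost -o eth0 -j SNPT")
```

`npt_hook_errors(SAMPLE)` returns the SNPT rule at line 9 with PREROUTING as the offending hook, and `npt_hook_errors(FIXED)` returns an empty list.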

_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
