Commit b5d29401 authored by Kaarle Ritvanen's avatar Kaarle Ritvanen

never drop connection-related essential ICMP errors

Otherwise, e.g. the filter rule in the adp-routing policy would drop
'destination unreachable' messages sent from the WAN to private
addresses.

ref #9647
parent 73c7768e
--[[
Filter module for Alpine Wall
Copyright (C) 2012-2020 Kaarle Ritvanen
Copyright (C) 2012-2021 Kaarle Ritvanen
See LICENSE file for license details
]]--
......@@ -437,17 +437,25 @@ local function stateful(config)
local er = combinations(
fchains,
{{match='-m conntrack --ctstate ESTABLISHED'}}
{
{match='-m conntrack --ctstate ESTABLISHED', target='ACCEPT'},
{
match='-p icmp -m conntrack --ctstate RELATED',
target='icmp-routing'
}
}
)
for i, chain in ipairs({'INPUT', 'OUTPUT'}) do
for _, chain in ipairs{'INPUT', 'OUTPUT'} do
table.insert(
er, {chain=chain, match='-'..chain:sub(1, 1):lower()..' lo'}
er,
{
chain=chain,
match='-'..chain:sub(1, 1):lower()..' lo',
target='ACCEPT'
}
)
end
extend(
res,
combinations(er, {{family=family, table='filter', target='ACCEPT'}})
)
extend(res, combinations(er, {{family=family, table='filter'}}))
-- TODO avoid creating unnecessary CT rules by inspecting the
-- filter rules' target families and chains
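Review bot: The RELATED-state rule added at the top of this hunk hard-codes `-p icmp` and is emitted unchanged for both address families; the IPv6 expected outputs in this same commit show `-A INPUT -p icmp -m conntrack --ctstate RELATED -j icmp-routing` right beside the family-aware `-A INPUT -p icmpv6 -j ACCEPT`. If ip6tables resolves `icmp` to protocol 1 rather than to ICMPv6 (58), as I believe it does, the IPv6 copy of this rule never matches and the related ICMPv6 errors the commit message sets out to preserve still fall through to the later policy rules. Since `family` is already in scope (it is passed on the `extend` line), the protocol name should follow it, e.g. `match='-p '..(family == 'inet6' and 'icmpv6' or 'icmp')..' -m conntrack --ctstate RELATED',` — assuming `inet6` is the identifier the enclosing family loop uses; that loop header and the start of `stateful` lie outside the hunk, so please confirm against them. A short comment above the `er` table, such as `-- every entry must carry its own target now that the shared target='ACCEPT' combination is gone`, would also stop a future entry from silently losing its `-j`.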
......
......@@ -8930,6 +8930,7 @@ hash:net family inet
:logpass-98 - [0:0]
:logpass-99 - [0:0]
-A FORWARD -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A FORWARD -p icmp -m conntrack --ctstate RELATED -j icmp-routing
-A FORWARD -j ACCEPT
-A FORWARD
-A FORWARD -j logaccept-0
......@@ -10090,6 +10091,7 @@ hash:net family inet
-A INPUT -j TEE --gateway 10.0.0.1
-A INPUT -m limit --limit 1/second -j LOG
-A INPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A INPUT -p icmp -m conntrack --ctstate RELATED -j icmp-routing
-A INPUT -i lo -j ACCEPT
-A INPUT -j ACCEPT
-A INPUT
......@@ -10803,6 +10805,7 @@ hash:net family inet
-A INPUT -j ACCEPT
-A INPUT -p icmp -j icmp-routing
-A OUTPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A OUTPUT -p icmp -m conntrack --ctstate RELATED -j icmp-routing
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -j ACCEPT
-A OUTPUT
......@@ -12572,6 +12575,7 @@ COMMIT
:logpass-92 - [0:0]
:logpass-93 - [0:0]
-A FORWARD -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A FORWARD -p icmp -m conntrack --ctstate RELATED -j icmp-routing
-A FORWARD -j ACCEPT
-A FORWARD
-A FORWARD -j logaccept-0
......@@ -12872,6 +12876,7 @@ COMMIT
-A INPUT -j TEE --gateway fc00::2
-A INPUT -m limit --limit 1/second -j LOG
-A INPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A INPUT -p icmp -m conntrack --ctstate RELATED -j icmp-routing
-A INPUT -i lo -j ACCEPT
-A INPUT -j ACCEPT
-A INPUT
......@@ -13057,6 +13062,7 @@ COMMIT
-A INPUT -j ACCEPT
-A INPUT -p icmpv6 -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A OUTPUT -p icmp -m conntrack --ctstate RELATED -j icmp-routing
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -j ACCEPT
-A OUTPUT
......
......@@ -761,6 +761,7 @@
:logpass-98 - [0:0]
:logpass-99 - [0:0]
-A FORWARD -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A FORWARD -p icmp -m conntrack --ctstate RELATED -j icmp-routing
-A FORWARD -j ACCEPT
-A FORWARD
-A FORWARD -j logaccept-0
......@@ -1921,6 +1922,7 @@
-A INPUT -j TEE --gateway 10.0.0.1
-A INPUT -m limit --limit 1/second -j LOG
-A INPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A INPUT -p icmp -m conntrack --ctstate RELATED -j icmp-routing
-A INPUT -i lo -j ACCEPT
-A INPUT -j ACCEPT
-A INPUT
......@@ -2634,6 +2636,7 @@
-A INPUT -j ACCEPT
-A INPUT -p icmp -j icmp-routing
-A OUTPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A OUTPUT -p icmp -m conntrack --ctstate RELATED -j icmp-routing
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -j ACCEPT
-A OUTPUT
......
......@@ -243,6 +243,7 @@
:logpass-92 - [0:0]
:logpass-93 - [0:0]
-A FORWARD -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A FORWARD -p icmp -m conntrack --ctstate RELATED -j icmp-routing
-A FORWARD -j ACCEPT
-A FORWARD
-A FORWARD -j logaccept-0
......@@ -543,6 +544,7 @@
-A INPUT -j TEE --gateway fc00::2
-A INPUT -m limit --limit 1/second -j LOG
-A INPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A INPUT -p icmp -m conntrack --ctstate RELATED -j icmp-routing
-A INPUT -i lo -j ACCEPT
-A INPUT -j ACCEPT
-A INPUT
......@@ -728,6 +730,7 @@
-A INPUT -j ACCEPT
-A INPUT -p icmpv6 -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A OUTPUT -p icmp -m conntrack --ctstate RELATED -j icmp-routing
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -j ACCEPT
-A OUTPUT
......
......@@ -472,6 +472,7 @@ hash:net family inet
:custom:foo - [0:0]
:icmp-routing - [0:0]
-A FORWARD -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A FORWARD -p icmp -m conntrack --ctstate RELATED -j icmp-routing
-A FORWARD -o eth0 -m owner --uid-owner 0 -j ACCEPT
-A FORWARD -i eth1 -s 10.0.0.0/12 -j custom:foo
-A FORWARD -i eth0 -j ACCEPT
......@@ -530,12 +531,14 @@ hash:net family inet
-A INPUT -j TEE --gateway 10.0.0.1
-A INPUT -m limit --limit 1/second -j LOG
-A INPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A INPUT -p icmp -m conntrack --ctstate RELATED -j icmp-routing
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth1 -s 10.0.0.0/12 -j custom:foo
-A INPUT -i eth0 -j ACCEPT
-A INPUT -j ACCEPT
-A INPUT -p icmp -j icmp-routing
-A OUTPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A OUTPUT -p icmp -m conntrack --ctstate RELATED -j icmp-routing
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -o eth0 -m owner --uid-owner 0 -j ACCEPT
-A OUTPUT -m limit --limit 12/minute -j ULOG
......@@ -594,6 +597,7 @@ COMMIT
:custom:foo - [0:0]
:icmp-routing - [0:0]
-A FORWARD -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A FORWARD -p icmp -m conntrack --ctstate RELATED -j icmp-routing
-A FORWARD -o eth0 -m owner --uid-owner 0 -j ACCEPT
-A FORWARD -i eth1 -s fc00::/7 -j custom:foo
-A FORWARD -i eth0 -j ACCEPT
......@@ -626,12 +630,14 @@ COMMIT
-A INPUT -j TEE --gateway fc00::2
-A INPUT -m limit --limit 1/second -j LOG
-A INPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A INPUT -p icmp -m conntrack --ctstate RELATED -j icmp-routing
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth1 -s fc00::/7 -j custom:foo
-A INPUT -i eth0 -j ACCEPT
-A INPUT -j ACCEPT
-A INPUT -p icmpv6 -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A OUTPUT -p icmp -m conntrack --ctstate RELATED -j icmp-routing
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -o eth0 -m owner --uid-owner 0 -j ACCEPT
-A OUTPUT -j ACCEPT
......
......@@ -6,6 +6,7 @@
:custom:foo - [0:0]
:icmp-routing - [0:0]
-A FORWARD -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A FORWARD -p icmp -m conntrack --ctstate RELATED -j icmp-routing
-A FORWARD -o eth0 -m owner --uid-owner 0 -j ACCEPT
-A FORWARD -i eth1 -s 10.0.0.0/12 -j custom:foo
-A FORWARD -i eth0 -j ACCEPT
......@@ -64,12 +65,14 @@
-A INPUT -j TEE --gateway 10.0.0.1
-A INPUT -m limit --limit 1/second -j LOG
-A INPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A INPUT -p icmp -m conntrack --ctstate RELATED -j icmp-routing
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth1 -s 10.0.0.0/12 -j custom:foo
-A INPUT -i eth0 -j ACCEPT
-A INPUT -j ACCEPT
-A INPUT -p icmp -j icmp-routing
-A OUTPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A OUTPUT -p icmp -m conntrack --ctstate RELATED -j icmp-routing
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -o eth0 -m owner --uid-owner 0 -j ACCEPT
-A OUTPUT -m limit --limit 12/minute -j ULOG
......
......@@ -6,6 +6,7 @@
:custom:foo - [0:0]
:icmp-routing - [0:0]
-A FORWARD -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A FORWARD -p icmp -m conntrack --ctstate RELATED -j icmp-routing
-A FORWARD -o eth0 -m owner --uid-owner 0 -j ACCEPT
-A FORWARD -i eth1 -s fc00::/7 -j custom:foo
-A FORWARD -i eth0 -j ACCEPT
......@@ -38,12 +39,14 @@
-A INPUT -j TEE --gateway fc00::2
-A INPUT -m limit --limit 1/second -j LOG
-A INPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A INPUT -p icmp -m conntrack --ctstate RELATED -j icmp-routing
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth1 -s fc00::/7 -j custom:foo
-A INPUT -i eth0 -j ACCEPT
-A INPUT -j ACCEPT
-A INPUT -p icmpv6 -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A OUTPUT -p icmp -m conntrack --ctstate RELATED -j icmp-routing
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -o eth0 -m owner --uid-owner 0 -j ACCEPT
-A OUTPUT -j ACCEPT
......
......@@ -458,6 +458,7 @@ hash:net family inet
-A INPUT -j awall-INPUT
-A OUTPUT -j awall-OUTPUT
-A awall-FORWARD -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A awall-FORWARD -p icmp -m conntrack --ctstate RELATED -j awall-icmp-routing
-A awall-FORWARD -i eth0 -j ACCEPT
-A awall-FORWARD -i eth1 -s 10.0.0.0/12 -o eth2 -d 10.1.0.0/12 -j ACCEPT
-A awall-FORWARD -i eth1 -s 10.0.0.0/12 -o eth3 -d 10.1.0.0/12 -j ACCEPT
......@@ -514,11 +515,13 @@ hash:net family inet
-A awall-INPUT -j TEE --gateway 10.0.0.1
-A awall-INPUT -m limit --limit 1/second -j LOG
-A awall-INPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A awall-INPUT -p icmp -m conntrack --ctstate RELATED -j awall-icmp-routing
-A awall-INPUT -i lo -j ACCEPT
-A awall-INPUT -i eth0 -j ACCEPT
-A awall-INPUT -j ACCEPT
-A awall-INPUT -p icmp -j awall-icmp-routing
-A awall-OUTPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A awall-OUTPUT -p icmp -m conntrack --ctstate RELATED -j awall-icmp-routing
-A awall-OUTPUT -o lo -j ACCEPT
-A awall-OUTPUT -m limit --limit 12/minute -j ULOG
-A awall-OUTPUT -j ACCEPT
......@@ -600,6 +603,7 @@ COMMIT
-A INPUT -j awall-INPUT
-A OUTPUT -j awall-OUTPUT
-A awall-FORWARD -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A awall-FORWARD -p icmp -m conntrack --ctstate RELATED -j awall-icmp-routing
-A awall-FORWARD -i eth0 -j ACCEPT
-A awall-FORWARD -o eth1 -d fc00::/7 -j ACCEPT
-A awall-FORWARD -i eth0 -o eth1 -d fc00::/7 -j ACCEPT
......@@ -630,11 +634,13 @@ COMMIT
-A awall-INPUT -j TEE --gateway fc00::2
-A awall-INPUT -m limit --limit 1/second -j LOG
-A awall-INPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A awall-INPUT -p icmp -m conntrack --ctstate RELATED -j awall-icmp-routing
-A awall-INPUT -i lo -j ACCEPT
-A awall-INPUT -i eth0 -j ACCEPT
-A awall-INPUT -j ACCEPT
-A awall-INPUT -p icmpv6 -j ACCEPT
-A awall-OUTPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A awall-OUTPUT -p icmp -m conntrack --ctstate RELATED -j awall-icmp-routing
-A awall-OUTPUT -o lo -j ACCEPT
-A awall-OUTPUT -j ACCEPT
-A awall-OUTPUT -o eth1 -d fc00::/7 -j ACCEPT
......
......@@ -11,6 +11,7 @@
-A INPUT -j awall-INPUT
-A OUTPUT -j awall-OUTPUT
-A awall-FORWARD -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A awall-FORWARD -p icmp -m conntrack --ctstate RELATED -j awall-icmp-routing
-A awall-FORWARD -i eth0 -j ACCEPT
-A awall-FORWARD -i eth1 -s 10.0.0.0/12 -o eth2 -d 10.1.0.0/12 -j ACCEPT
-A awall-FORWARD -i eth1 -s 10.0.0.0/12 -o eth3 -d 10.1.0.0/12 -j ACCEPT
......@@ -67,11 +68,13 @@
-A awall-INPUT -j TEE --gateway 10.0.0.1
-A awall-INPUT -m limit --limit 1/second -j LOG
-A awall-INPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A awall-INPUT -p icmp -m conntrack --ctstate RELATED -j awall-icmp-routing
-A awall-INPUT -i lo -j ACCEPT
-A awall-INPUT -i eth0 -j ACCEPT
-A awall-INPUT -j ACCEPT
-A awall-INPUT -p icmp -j awall-icmp-routing
-A awall-OUTPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A awall-OUTPUT -p icmp -m conntrack --ctstate RELATED -j awall-icmp-routing
-A awall-OUTPUT -o lo -j ACCEPT
-A awall-OUTPUT -m limit --limit 12/minute -j ULOG
-A awall-OUTPUT -j ACCEPT
......
......@@ -11,6 +11,7 @@
-A INPUT -j awall-INPUT
-A OUTPUT -j awall-OUTPUT
-A awall-FORWARD -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A awall-FORWARD -p icmp -m conntrack --ctstate RELATED -j awall-icmp-routing
-A awall-FORWARD -i eth0 -j ACCEPT
-A awall-FORWARD -o eth1 -d fc00::/7 -j ACCEPT
-A awall-FORWARD -i eth0 -o eth1 -d fc00::/7 -j ACCEPT
......@@ -41,11 +42,13 @@
-A awall-INPUT -j TEE --gateway fc00::2
-A awall-INPUT -m limit --limit 1/second -j LOG
-A awall-INPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A awall-INPUT -p icmp -m conntrack --ctstate RELATED -j awall-icmp-routing
-A awall-INPUT -i lo -j ACCEPT
-A awall-INPUT -i eth0 -j ACCEPT
-A awall-INPUT -j ACCEPT
-A awall-INPUT -p icmpv6 -j ACCEPT
-A awall-OUTPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A awall-OUTPUT -p icmp -m conntrack --ctstate RELATED -j awall-icmp-routing
-A awall-OUTPUT -o lo -j ACCEPT
-A awall-OUTPUT -j ACCEPT
-A awall-OUTPUT -o eth1 -d fc00::/7 -j ACCEPT
......
......@@ -472,6 +472,7 @@ hash:net family inet
:OUTPUT DROP [0:0]
:icmp-routing - [0:0]
-A FORWARD -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A FORWARD -p icmp -m conntrack --ctstate RELATED -j icmp-routing
-A FORWARD -i eth0 -p tcp --dport 25 -d 10.0.0.1 -j ACCEPT
-A FORWARD -i eth0 -p tcp --dport 8080 -d 10.0.0.2 -j ACCEPT
-A FORWARD -i eth0 -p tcp --dport 8022:8033 -d 10.0.0.3 -j ACCEPT
......@@ -531,6 +532,7 @@ hash:net family inet
-A INPUT -j TEE --gateway 10.0.0.1
-A INPUT -m limit --limit 1/second -j LOG
-A INPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A INPUT -p icmp -m conntrack --ctstate RELATED -j icmp-routing
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -p tcp --dport 25 -d 10.0.0.1 -j ACCEPT
-A INPUT -i eth0 -p tcp --dport 8080 -d 10.0.0.2 -j ACCEPT
......@@ -539,6 +541,7 @@ hash:net family inet
-A INPUT -j ACCEPT
-A INPUT -p icmp -j icmp-routing
-A OUTPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A OUTPUT -p icmp -m conntrack --ctstate RELATED -j icmp-routing
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m limit --limit 12/minute -j ULOG
-A OUTPUT -j ACCEPT
......@@ -595,6 +598,7 @@ COMMIT
:OUTPUT DROP [0:0]
:icmp-routing - [0:0]
-A FORWARD -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A FORWARD -p icmp -m conntrack --ctstate RELATED -j icmp-routing
-A FORWARD -i eth0 -p tcp --dport 22 -j ACCEPT
-A FORWARD -i eth0 -j ACCEPT
-A FORWARD -o eth1 -d fc00::/7 -j ACCEPT
......@@ -626,12 +630,14 @@ COMMIT
-A INPUT -j TEE --gateway fc00::2
-A INPUT -m limit --limit 1/second -j LOG
-A INPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A INPUT -p icmp -m conntrack --ctstate RELATED -j icmp-routing
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT
-A INPUT -i eth0 -j ACCEPT
-A INPUT -j ACCEPT
-A INPUT -p icmpv6 -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A OUTPUT -p icmp -m conntrack --ctstate RELATED -j icmp-routing
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -j ACCEPT
-A OUTPUT -o eth1 -d fc00::/7 -j ACCEPT
......
......@@ -5,6 +5,7 @@
:OUTPUT DROP [0:0]
:icmp-routing - [0:0]
-A FORWARD -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A FORWARD -p icmp -m conntrack --ctstate RELATED -j icmp-routing
-A FORWARD -i eth0 -p tcp --dport 25 -d 10.0.0.1 -j ACCEPT
-A FORWARD -i eth0 -p tcp --dport 8080 -d 10.0.0.2 -j ACCEPT
-A FORWARD -i eth0 -p tcp --dport 8022:8033 -d 10.0.0.3 -j ACCEPT
......@@ -64,6 +65,7 @@
-A INPUT -j TEE --gateway 10.0.0.1
-A INPUT -m limit --limit 1/second -j LOG
-A INPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A INPUT -p icmp -m conntrack --ctstate RELATED -j icmp-routing
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -p tcp --dport 25 -d 10.0.0.1 -j ACCEPT
-A INPUT -i eth0 -p tcp --dport 8080 -d 10.0.0.2 -j ACCEPT
......@@ -72,6 +74,7 @@
-A INPUT -j ACCEPT
-A INPUT -p icmp -j icmp-routing
-A OUTPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A OUTPUT -p icmp -m conntrack --ctstate RELATED -j icmp-routing
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m limit --limit 12/minute -j ULOG
-A OUTPUT -j ACCEPT
......
......@@ -5,6 +5,7 @@
:OUTPUT DROP [0:0]
:icmp-routing - [0:0]
-A FORWARD -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A FORWARD -p icmp -m conntrack --ctstate RELATED -j icmp-routing
-A FORWARD -i eth0 -p tcp --dport 22 -j ACCEPT
-A FORWARD -i eth0 -j ACCEPT
-A FORWARD -o eth1 -d fc00::/7 -j ACCEPT
......@@ -36,12 +37,14 @@
-A INPUT -j TEE --gateway fc00::2
-A INPUT -m limit --limit 1/second -j LOG
-A INPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A INPUT -p icmp -m conntrack --ctstate RELATED -j icmp-routing
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT
-A INPUT -i eth0 -j ACCEPT
-A INPUT -j ACCEPT
-A INPUT -p icmpv6 -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A OUTPUT -p icmp -m conntrack --ctstate RELATED -j icmp-routing
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -j ACCEPT
-A OUTPUT -o eth1 -d fc00::/7 -j ACCEPT
......
......@@ -106139,6 +106139,7 @@ hash:net family inet
-A FORWARD -j logdrop-2201
-A FORWARD -j logdrop-2200
-A FORWARD -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A FORWARD -p icmp -m conntrack --ctstate RELATED -j icmp-routing
-A FORWARD -o eth1 -d 10.0.0.0/12 -j logdrop-0
-A FORWARD -o eth1 -d 10.0.0.0/12 -j logdrop-1
-A FORWARD -o eth1 -d 10.0.0.0/12 -j logdrop-2
......@@ -110485,6 +110486,7 @@ hash:net family inet
-A INPUT -j logdrop-2201
-A INPUT -j logdrop-2200
-A INPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A INPUT -p icmp -m conntrack --ctstate RELATED -j icmp-routing
-A INPUT -i lo -j ACCEPT
-A INPUT -j ACCEPT
-A INPUT -j logaccept-final-0
......@@ -114780,6 +114782,7 @@ hash:net family inet
-A OUTPUT -j logdrop-2201
-A OUTPUT -j logdrop-2200
-A OUTPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A OUTPUT -p icmp -m conntrack --ctstate RELATED -j icmp-routing
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -o eth1 -d 10.0.0.0/12 -j logdrop-0
-A OUTPUT -o eth1 -d 10.0.0.0/12 -j logdrop-1
......@@ -153359,6 +153362,7 @@ COMMIT
-A FORWARD -j logdrop-2201
-A FORWARD -j logdrop-2200
-A FORWARD -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A FORWARD -p icmp -m conntrack --ctstate RELATED -j icmp-routing
-A FORWARD -o eth1 -d fc00::/7 -j logdrop-0
-A FORWARD -o eth1 -d fc00::/7 -j logdrop-1
-A FORWARD -o eth1 -d fc00::/7 -j logdrop-2
......@@ -157679,6 +157683,7 @@ COMMIT
-A INPUT -j logdrop-2201
-A INPUT -j logdrop-2200
-A INPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A INPUT -p icmp -m conntrack --ctstate RELATED -j icmp-routing
-A INPUT -i lo -j ACCEPT
-A INPUT -j ACCEPT
-A INPUT -j logaccept-final-0
......@@ -161974,6 +161979,7 @@ COMMIT
-A OUTPUT -j logdrop-2201
-A OUTPUT -j logdrop-2200
-A OUTPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A OUTPUT -p icmp -m conntrack --ctstate RELATED -j icmp-routing
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -o eth1 -d fc00::/7 -j logdrop-0
-A OUTPUT -o eth1 -d fc00::/7 -j logdrop-1
......@@ -10442,6 +10442,7 @@
-A FORWARD -j logdrop-2201
-A FORWARD -j logdrop-2200
-A FORWARD -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A FORWARD -p icmp -m conntrack --ctstate RELATED -j icmp-routing
-A FORWARD -o eth1 -d 10.0.0.0/12 -j logdrop-0
-A FORWARD -o eth1 -d 10.0.0.0/12 -j logdrop-1
-A FORWARD -o eth1 -d 10.0.0.0/12 -j logdrop-2
......@@ -14788,6 +14789,7 @@
-A INPUT -j logdrop-2201
-A INPUT -j logdrop-2200
-A INPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A INPUT -p icmp -m conntrack --ctstate RELATED -j icmp-routing
-A INPUT -i lo -j ACCEPT
-A INPUT -j ACCEPT
-A INPUT -j logaccept-final-0
......@@ -19083,6 +19085,7 @@
-A OUTPUT -j logdrop-2201
-A OUTPUT -j logdrop-2200
-A OUTPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A OUTPUT -p icmp -m conntrack --ctstate RELATED -j icmp-routing
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -o eth1 -d 10.0.0.0/12 -j logdrop-0
-A OUTPUT -o eth1 -d 10.0.0.0/12 -j logdrop-1
......@@ -10442,6 +10442,7 @@
-A FORWARD -j logdrop-2201
-A FORWARD -j logdrop-2200
-A FORWARD -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A FORWARD -p icmp -m conntrack --ctstate RELATED -j icmp-routing
-A FORWARD -o eth1 -d fc00::/7 -j logdrop-0
-A FORWARD -o eth1 -d fc00::/7 -j logdrop-1
-A FORWARD -o eth1 -d fc00::/7 -j logdrop-2
......@@ -14762,6 +14763,7 @@
-A INPUT -j logdrop-2201
-A INPUT -j logdrop-2200
-A INPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A INPUT -p icmp -m conntrack --ctstate RELATED -j icmp-routing
-A INPUT -i lo -j ACCEPT
-A INPUT -j ACCEPT
-A INPUT -j logaccept-final-0
......@@ -19057,6 +19059,7 @@
-A OUTPUT -j logdrop-2201
-A OUTPUT -j logdrop-2200
-A OUTPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A OUTPUT -p icmp -m conntrack --ctstate RELATED -j icmp-routing
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -o eth1 -d fc00::/7 -j logdrop-0
-A OUTPUT -o eth1 -d fc00::/7 -j logdrop-1
......@@ -725,6 +725,7 @@ hash:net family inet
:logpass-2 - [0:0]
:logpass-3 - [0:0]
-A FORWARD -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A FORWARD -p icmp -m conntrack --ctstate RELATED -j icmp-routing
-A FORWARD -j ACCEPT
-A FORWARD -j logdrop-0
-A FORWARD
......@@ -805,6 +806,7 @@ hash:net family inet
-A INPUT -j TEE --gateway 10.0.0.1
-A INPUT -m limit --limit 1/second -j LOG
-A INPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A INPUT -p icmp -m conntrack --ctstate RELATED -j icmp-routing
-A INPUT -i lo -j ACCEPT
-A INPUT -j ACCEPT
-A INPUT -j logdrop-0
......@@ -834,6 +836,7 @@ hash:net family inet
-A INPUT -j ACCEPT
-A INPUT -p icmp -j icmp-routing
-A OUTPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A OUTPUT -p icmp -m conntrack --ctstate RELATED -j icmp-routing
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -j ACCEPT
-A OUTPUT -j logdrop-0
......@@ -948,6 +951,7 @@ COMMIT
:logpass-1 - [0:0]
:logpass-2 - [0:0]
-A FORWARD -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A FORWARD -p icmp -m conntrack --ctstate RELATED -j icmp-routing
-A FORWARD -j ACCEPT
-A FORWARD -j logdrop-0
-A FORWARD
......@@ -1001,6 +1005,7 @@ COMMIT
-A INPUT -j TEE --gateway fc00::2
-A INPUT -m limit --limit 1/second -j LOG
-A INPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A INPUT -p icmp -m conntrack --ctstate RELATED -j icmp-routing
-A INPUT -i lo -j ACCEPT
-A INPUT -j ACCEPT
-A INPUT -j logdrop-0
......@@ -1029,6 +1034,7 @@ COMMIT
-A INPUT -j ACCEPT
-A INPUT -p icmpv6 -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A OUTPUT -p icmp -m conntrack --ctstate RELATED -j icmp-routing
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -j ACCEPT
-A OUTPUT -j logdrop-0
......
......@@ -18,6 +18,7 @@
:logpass-2 - [0:0]
:logpass-3 - [0:0]
-A FORWARD -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A FORWARD -p icmp -m conntrack --ctstate RELATED -j icmp-routing
-A FORWARD -j ACCEPT
-A FORWARD -j logdrop-0
-A FORWARD
......@@ -98,6 +99,7 @@
-A INPUT -j TEE --gateway 10.0.0.1
-A INPUT -m limit --limit 1/second -j LOG
-A INPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A INPUT -p icmp -m conntrack --ctstate RELATED -j icmp-routing
-A INPUT -i lo -j ACCEPT
-A INPUT -j ACCEPT
-A INPUT -j logdrop-0
......@@ -127,6 +129,7 @@
-A INPUT -j ACCEPT
-A INPUT -p icmp -j icmp-routing
-A OUTPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A OUTPUT -p icmp -m conntrack --ctstate RELATED -j icmp-routing
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -j ACCEPT
-A OUTPUT -j logdrop-0
......
......@@ -17,6 +17,7 @@
:logpass-1 - [0:0]
:logpass-2 - [0:0]
-A FORWARD -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A FORWARD -p icmp -m conntrack --ctstate RELATED -j icmp-routing
-A FORWARD -j ACCEPT
-A FORWARD -j logdrop-0
-A FORWARD
......@@ -70,6 +71,7 @@
-A INPUT -j TEE --gateway fc00::2
-A INPUT -m limit --limit 1/second -j LOG
-A INPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A INPUT -p icmp -m conntrack --ctstate RELATED -j icmp-routing
-A INPUT -i lo -j ACCEPT
-A INPUT -j ACCEPT
-A INPUT -j logdrop-0
......@@ -98,6 +100,7 @@
-A INPUT -j ACCEPT
-A INPUT -p icmpv6 -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A OUTPUT -p icmp -m conntrack --ctstate RELATED -j icmp-routing
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -j ACCEPT
-A OUTPUT -j logdrop-0
......
......@@ -526,6 +526,7 @@ hash:net family inet
:logtarpit-0 - [0:0]
:tarpit - [0:0]
-A FORWARD -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A FORWARD -p icmp -m conntrack --ctstate RELATED -j icmp-routing
-A FORWARD -j ACCEPT
-A FORWARD -j ACCEPT
-A FORWARD -j logdrop-0
......@@ -588,6 +589,7 @@ hash:net family inet
-A INPUT -j TEE --gateway 10.0.0.1
-A INPUT -m limit --limit 1/second -j LOG
-A INPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A INPUT -p icmp -m conntrack --ctstate RELATED -j icmp-routing
-A INPUT -i lo -j ACCEPT
-A INPUT -j ACCEPT
-A INPUT -j ACCEPT
......@@ -599,6 +601,7 @@ hash:net family inet
-A INPUT -j ACCEPT
-A INPUT -p icmp -j icmp-routing
-A OUTPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A OUTPUT -p icmp -m conntrack --ctstate RELATED -j icmp-routing
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -j ACCEPT
-A OUTPUT -j ACCEPT
......@@ -672,6 +675,7 @@ COMMIT
:logtarpit-0 - [0:0]
:tarpit - [0:0]
-A FORWARD -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A FORWARD -p icmp -m conntrack --ctstate RELATED -j icmp-routing
-A FORWARD -j ACCEPT
-A FORWARD -j ACCEPT
-A FORWARD -j logdrop-0
......@@ -708,6 +712,7 @@ COMMIT
-A INPUT -j TEE --gateway fc00::2
-A INPUT -m limit --limit 1/second -j LOG
-A INPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A INPUT -p icmp -m conntrack --ctstate RELATED -j icmp-routing
-A INPUT -i lo -j ACCEPT
-A INPUT -j ACCEPT
-A INPUT -j ACCEPT
......@@ -719,6 +724,7 @@ COMMIT
-A INPUT -j ACCEPT
-A INPUT -p icmpv6 -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A OUTPUT -p icmp -m conntrack --ctstate RELATED -j icmp-routing
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -j ACCEPT
-A OUTPUT -j ACCEPT
......