From: Arne Fitzenreiter Date: Sat, 4 Oct 2014 12:18:16 +0000 (+0200) Subject: p2pblock: ipp2p must run before CONNTRACK. X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=2a5b19c56f8593e78906d716afe123a6ff0ee6db;p=people%2Fmfischer%2Fipfire-2.x.git p2pblock: ipp2p must run before CONNTRACK. And can only used for blocking, not for accept conenections bacause connections must already established for detecting protocol types.
---
diff --git a/config/firewall/rules.pl b/config/firewall/rules.pl
index 4d703825d1..20f97bef0e 100755
--- a/config/firewall/rules.pl
+++ b/config/firewall/rules.pl
@@ -554,29 +554,19 @@ sub time_convert_to_minutes {
 }
 sub p2pblock {
-	my $search_action;
-	my $target;
-
-	if ($fwdfwsettings{"POLICY"} eq "MODE1") {
-		$search_action = "on";
-		$target = "ACCEPT";
-	} else {
-		$search_action = "off";
-		$target = "DROP";
-	}
-
 	open(FILE, "<$p2pfile") or die "Unable to read $p2pfile";
 	my @protocols = ();
 	foreach my $p2pentry () {
 		my @p2pline = split(/\;/, $p2pentry);
-		next unless ($p2pline[2] eq $search_action);
+		next unless ($p2pline[2] eq "off");
 		push(@protocols, "--$p2pline[1]");
 	}
 	close(FILE);
 	if (@protocols) {
-		run("$IPTABLES -A FORWARDFW -m ipp2p @protocols -j $target");
+		run("$IPTABLES -F P2PBLOCK");
+		run("$IPTABLES -A P2PBLOCK -m ipp2p @protocols -j DROP");
 	}
 }
diff --git a/src/initscripts/init.d/dhcrelay b/src/initscripts/init.d/dhcrelay
old mode 100755
new mode 100644
diff --git a/src/initscripts/init.d/firewall b/src/initscripts/init.d/firewall
index 66ca432a26..c383652e0b 100644
--- a/src/initscripts/init.d/firewall
+++ b/src/initscripts/init.d/firewall
@@ -104,6 +104,12 @@ iptables_init() {
 	iptables -t nat -N CUSTOMPOSTROUTING
 	iptables -t nat -A POSTROUTING -j CUSTOMPOSTROUTING
 
+	# P2PBLOCK
+	iptables -N P2PBLOCK
+	iptables -A INPUT -j P2PBLOCK
+	iptables -A FORWARD -j P2PBLOCK
+	iptables -A OUTPUT -j P2PBLOCK
+
 	# Guardian (IPS) chains
 	iptables -N GUARDIAN
 	iptables -A INPUT -j GUARDIAN
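Review bot: The `-F P2PBLOCK` flush in the rules.pl hunk sits inside `if (@protocols)`, so when every entry in $p2pfile is switched to "on" nothing is flushed and the DROP rule appended by the previous run of p2pblock stays active until the next full firewall restart, which is the opposite of what the user configured. Move `run("$IPTABLES -F P2PBLOCK");` out in front of the `if` so the chain is rebuilt from the current file on every run. While here, a one-line comment on the `eq "off"` test would save the next reader a trip to the commit log, e.g. `# ipp2p can only classify established flows, so entries can only be DROPped, never ACCEPTed`. The `--$p2pline[1]` values are still interpolated straight from the config file into a shell command via run(); that predates this change, but is worth keeping in mind if the file becomes user-editable.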
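Review bot: The new P2PBLOCK chain is hooked into INPUT and OUTPUT as well as FORWARD, whereas the rule it replaces lived only in FORWARDFW, so with a protocol set to "off" ipp2p matches will now also drop the firewall's own inbound and outbound connections, not just routed traffic. If that widening is intended, the `# P2PBLOCK` comment should say so; otherwise drop the INPUT and OUTPUT jumps and keep only `iptables -A FORWARD -j P2PBLOCK`. The comment also says nothing about ordering even though the commit's whole point is that ipp2p must precede the conntrack rules, so suggest `# P2PBLOCK - hooked before the conntrack/ESTABLISHED accept on purpose: ipp2p needs to see the payload of already established flows`. The conntrack hook itself is not visible in this hunk, so confirm it really is appended after these lines; iptables_init() continues outside the hunk.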