From 2a5b19c56f8593e78906d716afe123a6ff0ee6db Mon Sep 17 00:00:00 2001
From: Arne Fitzenreiter
Date: Sat, 4 Oct 2014 14:18:16 +0200
Subject: [PATCH] p2pblock: ipp2p must run before CONNTRACK. And can only used for blocking, not for accept conenections bacause connections must already established for detecting protocol types.
---
 config/firewall/rules.pl | 16 +++-------------
 src/initscripts/init.d/dhcrelay | 0
 src/initscripts/init.d/firewall | 6 ++++++
 3 files changed, 9 insertions(+), 13 deletions(-)
 mode change 100755 => 100644 src/initscripts/init.d/dhcrelay

diff --git a/config/firewall/rules.pl b/config/firewall/rules.pl
index 4d703825d1..20f97bef0e 100755
--- a/config/firewall/rules.pl
+++ b/config/firewall/rules.pl
@@ -554,29 +554,19 @@ sub time_convert_to_minutes {
 }
 
 sub p2pblock {
- my $search_action;
- my $target;
-
- if ($fwdfwsettings{"POLICY"} eq "MODE1") {
- $search_action = "on";
- $target = "ACCEPT";
- } else {
- $search_action = "off";
- $target = "DROP";
- }
-
 open(FILE, "<$p2pfile") or die "Unable to read $p2pfile";
 my @protocols = ();
 foreach my $p2pentry () {
 my @p2pline = split(/\;/, $p2pentry);
- next unless ($p2pline[2] eq $search_action);
+ next unless ($p2pline[2] eq "off");
 
 push(@protocols, "--$p2pline[1]");
 }
 close(FILE);
 
 if (@protocols) {
- run("$IPTABLES -A FORWARDFW -m ipp2p @protocols -j $target");
+ run("$IPTABLES -F P2PBLOCK");
+ run("$IPTABLES -A P2PBLOCK -m ipp2p @protocols -j DROP");
 }
 }
 
diff --git a/src/initscripts/init.d/dhcrelay b/src/initscripts/init.d/dhcrelay
old mode 100755
new mode 100644
diff --git a/src/initscripts/init.d/firewall b/src/initscripts/init.d/firewall
index 66ca432a26..c383652e0b 100644
--- a/src/initscripts/init.d/firewall
+++ b/src/initscripts/init.d/firewall
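Review bot: The `run("$IPTABLES -F P2PBLOCK");` sits inside `if (@protocols)`, so once the administrator re-enables every protocol in $p2pfile the list is empty, the chain is never flushed and the DROP rule from the previous run stays in force until the init script recreates the chain. Move the flush above the `if` so that an empty selection also clears P2PBLOCK. The `--$p2pline[1]` tokens are interpolated unvalidated into the command string; if run() goes through a shell, a malformed field in the config file would corrupt the iptables invocation, so a guard like `next unless $p2pline[1] =~ /\A[a-z0-9-]+\z/;` before the push is cheap insurance. The bareword `FILE` handle and two-argument `open(FILE, "<$p2pfile")` predate this change, but since the sub is being rewritten anyway, `open(my $fh, '<', $p2pfile)` would be the idiomatic form.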
@@ -104,6 +104,12 @@ iptables_init() {
 iptables -t nat -N CUSTOMPOSTROUTING
 iptables -t nat -A POSTROUTING -j CUSTOMPOSTROUTING
 
+ # P2PBLOCK
+ iptables -N P2PBLOCK
+ iptables -A INPUT -j P2PBLOCK
+ iptables -A FORWARD -j P2PBLOCK
+ iptables -A OUTPUT -j P2PBLOCK
+
 # Guardian (IPS) chains
 iptables -N GUARDIAN
 iptables -A INPUT -j GUARDIAN
-- 
2.39.5
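Review bot: The bare `# P2PBLOCK` comment does not record the ordering constraint that motivates the commit, namely that these jumps must come before the CONNTRACK accept rules because ipp2p matches on the payload of flows that are already established; a later reorder of iptables_init() would break the feature silently. Replace it with `# P2PBLOCK - must stay ahead of the CONNTRACK ESTABLISHED accept: ipp2p classifies payload of established flows`. Whether the conntrack rules actually follow line 104 cannot be seen in this hunk. The chain is also hooked into OUTPUT, so the firewall host's own traffic is matched; if that is deliberate, a word in the same comment would help. iptables_init() continues outside the hunk.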