From d5cca28c3050bdf0222508f62827c13909944611 Mon Sep 17 00:00:00 2001 From: Niels Werensteijn Date: Fri, 21 Oct 2016 18:18:43 +0200 Subject: [PATCH] fix ipv6 examples (fragment issues) and use new match --- examples/complex/create-fw.sh | 10 +++++----- examples/complex/delete-fw.sh | 8 ++++---- examples/simple/create-fw.sh | 4 +++- examples/simple/delete-fw.sh | 4 +++- 4 files changed, 15 insertions(+), 11 deletions(-) diff --git a/examples/complex/create-fw.sh b/examples/complex/create-fw.sh index 676a0ab..e4953e8 100755 --- a/examples/complex/create-fw.sh +++ b/examples/complex/create-fw.sh @@ -11,10 +11,12 @@ if [ "$1" == "4" ] then IPTABLES=iptables IPFAMILY=inet + FRAGMENT_FLAG="! -f " elif [ "$1" == "6" ] then IPTABLES=ip6tables IPFAMILY=inet6 + FRAGMENT_FLAG="" else echo "specify either 4 or 6 as a parameter for ipv4 or ipv6"; exit -1 @@ -32,7 +34,6 @@ sudo ${IPTABLES} -N TS3_UDP_TRAFFIC_AUTHORIZING sudo ${IPTABLES} -N TS3_UDP_TRAFFIC_AUTHORIZED sudo ${IPTABLES} -N TS3_TCP_TRAFFIC sudo ${IPTABLES} -N TS3_ACCEPT_AUTHORIZING -sudo ${IPTABLES} -N TS3_UPDATE_AUTHORIZED sudo ${IPTABLES} -N OUT_TS3 sudo ${IPTABLES} -N OUT_TS3_AUTHORIZING sudo ${IPTABLES} -N OUT_TS3_AUTHORIZED @@ -54,7 +55,7 @@ sudo ${IPTABLES} -t raw -A PREROUTING -p udp --dport 9987 -j CT --notrack sudo ${IPTABLES} -t raw -A OUTPUT -p udp --sport 9987 -j CT --notrack #move ts3 traffic to TS3_UDP_TRAFFIC chain (do not allow fragments) -sudo ${IPTABLES} -A INPUT -p udp --dport 9987 \! -f -j TS3_UDP_TRAFFIC +sudo ${IPTABLES} -A INPUT -p udp --dport 9987 ${FRAGMENT_FLAG} -j TS3_UDP_TRAFFIC #move filetransfer to TS3_TCP_TRAFFIC chain sudo ${IPTABLES} -A INPUT -p tcp --dport 30033 -j TS3_TCP_TRAFFIC @@ -94,7 +95,7 @@ sudo ${IPTABLES} -A TS3_TCP_TRAFFIC -p tcp --syn -m connlimit --connlimit-above sudo ${IPTABLES} -A TS3_TCP_TRAFFIC -j ACCEPT #watch server->client traffic -sudo ${IPTABLES} -A OUTPUT -p udp --sport 9987 \! -f -j OUT_TS3 +sudo ${IPTABLES} -A OUTPUT -p udp --sport 9987 ${FRAGMENT_FLAG} -j OUT_TS3 #Move clients in the authorized phase to the OUT_TS3_AUTHORIZED chain. sudo ${IPTABLES} -A OUT_TS3 -m set --match-set ts3_authorized${1} dst,dst -j OUT_TS3_AUTHORIZED @@ -104,8 +105,7 @@ sudo ${IPTABLES} -A OUT_TS3 -m set --match-set ts3_authorizing${1} dst,dst -j OU sudo ${IPTABLES} -A OUT_TS3 -j ACCEPT #Is this still ts3init (not fully connected) -#This is done by matching TS3INIT headers on SERVER packets -sudo ${IPTABLES} -A OUT_TS3_AUTHORIZING -m u32 --u32 "0>>22&0x3C@8=0x54533349 && 0>>22&0x3C@12=0x4E495431" -j ACCEPT +sudo ${IPTABLES} -A OUT_TS3_AUTHORIZING -p udp -m ts3init --server -j ACCEPT #else this connection is accepeted(authorized) now sudo ${IPTABLES} -A OUT_TS3_AUTHORIZING -j OUT_TS3_ACCEPT_AUTHORIZED diff --git a/examples/complex/delete-fw.sh b/examples/complex/delete-fw.sh index 73e6f49..e434349 100755 --- a/examples/complex/delete-fw.sh +++ b/examples/complex/delete-fw.sh @@ -3,9 +3,11 @@ if [ "$1" == "4" ] then IPTABLES=iptables + FRAGMENT_FLAG="! -f " elif [ "$1" == "6" ] then IPTABLES=ip6tables + FRAGMENT_FLAG="" else echo "specify either 4 or 6 as a parameter for ipv4 or ipv6"; exit -1 @@ -14,16 +16,15 @@ fi #clear up ${IPTABLES} sudo ${IPTABLES} -t raw -D PREROUTING -p udp --dport 9987 -j CT --notrack sudo ${IPTABLES} -t raw -D OUTPUT -p udp --sport 9987 -j CT --notrack -sudo ${IPTABLES} -D INPUT -p udp --dport 9987 \! -f -j TS3_UDP_TRAFFIC +sudo ${IPTABLES} -D INPUT -p udp --dport 9987 ${FRAGMENT_FLAG} -j TS3_UDP_TRAFFIC sudo ${IPTABLES} -D INPUT -p tcp --dport 30033 -j TS3_TCP_TRAFFIC -sudo ${IPTABLES} -D OUTPUT -p udp --sport 9987 \! -f -j OUT_TS3 +sudo ${IPTABLES} -D OUTPUT -p udp --sport 9987 ${FRAGMENT_FLAG} -j OUT_TS3 sudo ${IPTABLES} -F TS3_UDP_TRAFFIC sudo ${IPTABLES} -F TS3_UDP_TRAFFIC_AUTHORIZING sudo ${IPTABLES} -F TS3_UDP_TRAFFIC_AUTHORIZED sudo ${IPTABLES} -F TS3_TCP_TRAFFIC sudo ${IPTABLES} -F TS3_ACCEPT_AUTHORIZING -sudo ${IPTABLES} -F TS3_UPDATE_AUTHORIZED sudo ${IPTABLES} -F OUT_TS3 sudo ${IPTABLES} -F OUT_TS3_AUTHORIZING sudo ${IPTABLES} -F OUT_TS3_AUTHORIZED @@ -34,7 +35,6 @@ sudo ${IPTABLES} -X TS3_UDP_TRAFFIC_AUTHORIZING sudo ${IPTABLES} -X TS3_UDP_TRAFFIC_AUTHORIZED sudo ${IPTABLES} -X TS3_TCP_TRAFFIC sudo ${IPTABLES} -X TS3_ACCEPT_AUTHORIZING -sudo ${IPTABLES} -X TS3_UPDATE_AUTHORIZED sudo ${IPTABLES} -X OUT_TS3 sudo ${IPTABLES} -X OUT_TS3_AUTHORIZING sudo ${IPTABLES} -X OUT_TS3_AUTHORIZED diff --git a/examples/simple/create-fw.sh b/examples/simple/create-fw.sh index 569408d..474358b 100755 --- a/examples/simple/create-fw.sh +++ b/examples/simple/create-fw.sh @@ -5,10 +5,12 @@ if [ "$1" == "4" ] then IPTABLES=iptables IPFAMILY=inet + FRAGMENT_FLAG="! -f " elif [ "$1" == "6" ] then IPTABLES=ip6tables IPFAMILY=inet6 + FRAGMENT_FLAG="" else echo "specify either 4 or 6 as a parameter for ipv4 or ipv6"; exit -1 @@ -36,7 +38,7 @@ RANDOM_FILE=`pwd`/${RANDOM_FILE_NAME} sudo ${IPTABLES} -t raw -A PREROUTING -p udp --dport 9987 -j CT --notrack #move ts3 traffic to TS3_TRAFFIC chain (do not allow fragments) -sudo ${IPTABLES} -A INPUT -p udp --dport 9987 \! -f -j TS3_UDP_TRAFFIC +sudo ${IPTABLES} -A INPUT -p udp --dport 9987 ${FRAGMENT_FLAG} -j TS3_UDP_TRAFFIC #move filetransfer to TCP chain sudo ${IPTABLES} -A INPUT -p tcp --dport 30033 -j TS3_TCP_TRAFFIC diff --git a/examples/simple/delete-fw.sh b/examples/simple/delete-fw.sh index b86294c..2159465 100755 --- a/examples/simple/delete-fw.sh +++ b/examples/simple/delete-fw.sh @@ -3,9 +3,11 @@ if [ "$1" == "4" ] then IPTABLES=iptables + FRAGMENT_FLAG="! -f " elif [ "$1" == "6" ] then IPTABLES=ip6tables + FRAGMENT_FLAG="" else echo "specify either 4 or 6 as a parameter for ipv4 or ipv6"; exit -1 @@ -13,7 +15,7 @@ fi #clear up ${IPTABLES} sudo ${IPTABLES} -t raw -D PREROUTING -p udp --dport 9987 -j CT --notrack -sudo ${IPTABLES} -D INPUT -p udp --dport 9987 \! -f -j TS3_UDP_TRAFFIC +sudo ${IPTABLES} -D INPUT -p udp --dport 9987 ${FRAGMENT_FLAG} -j TS3_UDP_TRAFFIC sudo ${IPTABLES} -D INPUT -p tcp --dport 30033 -j TS3_TCP_TRAFFIC sudo ${IPTABLES} -F TS3_UDP_TRAFFIC