## Ping needs inspecting on a host-by-host basis.
for type in echo-request echo-reply; do
run iptables -A check-icmp -p icmp --icmp-type $type -j RETURN
+ run ip6tables -A check-icmp -p icmpv6 --icmpv6-type $type -j RETURN
done
-## Certainly don't allow ping to broadcast addresses.
-run iptables -A check-icmp -g forbidden \
- -p icmp --icmp-type echo-request \
- -m addrtype --dst-type BROADCAST
+## Certainly don't allow ping to broadcast or multicast addresses.
+case $forward in
+ 1)
+ run iptables -A FORWARD -g forbidden \
+ -p icmp --icmp-type echo-request \
+ -m addrtype --dst-type BROADCAST
+ run iptables -A FORWARD -g forbidden \
+ -p icmp --icmp-type echo-request \
+ -d 224.0.0.0/8
+ run ip6tables -A FORWARD -g forbidden \
+ -p icmpv6 --icmpv6-type echo-request \
+ -d ff00::/16
+ ;;
+esac
m4_divert(58)m4_dnl
## Other ICMP is basically benign, we claim.
-run iptables -A check-icmp -j ACCEPT
+run ip46tables -A check-icmp -j ACCEPT
## Done.
for i in $inchains; do run ip46tables -A $i -p icmp -j check-icmp; done
-m mark --mark $from_untrusted/$MASK_FROM \
-m state --state ESTABLISHED
run ip6tables -A fwd-spec-nofrag -j ACCEPT \
- -p ipv6-icmp --icmpv6-type echo-request \
+ -p icmpv6 --icmpv6-type echo-request \
-m mark --mark $to_untrusted/$MASK_TO
run ip6tables -A fwd-spec-nofrag -j ACCEPT \
- -p ipv6-icmp --icmpv6-type echo-reply \
+ -p icmpv6 --icmpv6-type echo-reply \
-m mark --mark $from_untrusted/$MASK_FROM \
-m state --state ESTABLISHED
~mdw / firewall / commitdiff