author | Jo-Philipp Wich <jo@mein.io> | 2017-04-09 14:35:32 +0200 |
---|---|---|
committer | Jo-Philipp Wich <jo@mein.io> | 2017-04-27 17:10:50 +0200 |
commit | e751cde8954a09ea32f67a8bf7974b4dc1395f2e (patch) | |
tree | 73a4bbbb0097d15a8b47e499122e071f09840003 | |
parent | d596f728e98bf4124de4018e28ecdc8ab070f34c (diff) | |
download | firewall3-e751cde8954a09ea32f67a8bf7974b4dc1395f2e.tar.gz |
zones: drop outgoing invalid traffic in masqueraded zones
Install conntrack state invalid drop rules to catch outgoing, un-natted
traffic in zones with enabled masquerading.
Also introduce a new option "masq_allow_invalid" to inhibit these new
drop rules.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
-rw-r--r-- | options.h | 1 | ||||
-rw-r--r-- | zones.c | 12 |
2 files changed, 13 insertions, 0 deletions
@@ -304,6 +304,7 @@ struct fw3_zone
 const char *extra_dest;
 bool masq;
+ bool masq_allow_invalid;
 struct list_head masq_src;
 struct list_head masq_dest;
@@ -66,6 +66,7 @@ const struct fw3_option fw3_zone_opts[] = {
 FW3_OPT("output", target, zone, policy_output),
 FW3_OPT("masq", bool, zone, masq),
+ FW3_OPT("masq_allow_invalid", bool, zone, masq_allow_invalid),
 FW3_LIST("masq_src", network, zone, masq_src),
 FW3_LIST("masq_dest", network, zone, masq_dest),
@@ -354,6 +355,17 @@ print_interface_rule(struct fw3_ipt_handle *handle, struct fw3_state *state,
 if (has(zone->flags, handle->family, t))
 {
+ if (t == FW3_FLAG_ACCEPT &&
+ zone->masq && !zone->masq_allow_invalid)
+ {
+ r = fw3_ipt_rule_create(handle, NULL, NULL, dev, NULL, sub);
+ fw3_ipt_rule_extra(r, "-m conntrack --ctstate INVALID");
+ fw3_ipt_rule_comment(r, "Prevent NAT leakage");
+ fw3_ipt_rule_target(r, fw3_flag_names[FW3_FLAG_DROP]);
+ fw3_ipt_rule_replace(r, "zone_%s_dest_%s", zone->name,
+ fw3_flag_names[t]);
+ }
+
 r = fw3_ipt_rule_create(handle, NULL, NULL, dev, NULL, sub);
 fw3_ipt_rule_target(r, jump_target(t));
 fw3_ipt_rule_extra(r, zone->extra_dest);
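Review bot: The new masq_allow_invalid member of struct fw3_zone carries no comment, and nothing in options.h tells a reader that it is a negative option which suppresses a rule rather than enabling one. A one-line comment next to the field would save the next maintainer a trip to zones.c: `bool masq_allow_invalid; /* skip the "--ctstate INVALID" drop rule installed for masqueraded zones */`. The struct definition starts and ends outside the hunk.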
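Review bot: The new drop block in print_interface_rule is gated on zone->masq alone and never on handle->family, so it is emitted for every family the handle iterates; if masquerading itself is only applied for IPv4 elsewhere in this function (not visible in the hunk), the IPv6 zone_<name>_dest_ACCEPT chain also receives a `-m conntrack --ctstate INVALID` drop although there is no NAT there to leak, silently discarding otherwise acceptable out-of-window IPv6 packets. If that reading is right, the guard should read `if (t == FW3_FLAG_ACCEPT && handle->family == FW3_FAMILY_V4 && zone->masq && !zone->masq_allow_invalid)`. The rule is also created with no source or destination restriction, which matches the intent, but the reason is not obvious from the code; a comment above the block such as `/* packets without a conntrack entry are never masqueraded and would leave with their private source address */` would document why only the INVALID state is matched. The enclosing function starts and ends outside the hunk.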