Merge "Iptables firewall prevent IP spoofed DHCP requests" into stable/mitaka
commit
cddbcdf601
|
@ -381,9 +381,9 @@ class IptablesFirewallDriver(firewall.FirewallDriver):
|
|||
mac_ipv6_pairs.append((mac, ip_address))
|
||||
|
||||
def _spoofing_rule(self, port, ipv4_rules, ipv6_rules):
|
||||
# Allow dhcp client packets
|
||||
ipv4_rules += [comment_rule('-p udp -m udp --sport 68 '
|
||||
'-m udp --dport 67 '
|
||||
# Allow dhcp client discovery and request
|
||||
ipv4_rules += [comment_rule('-s 0.0.0.0/32 -d 255.255.255.255/32 '
|
||||
'-p udp -m udp --sport 68 --dport 67 '
|
||||
'-j RETURN', comment=ic.DHCP_CLIENT)]
|
||||
# Drop Router Advts from the port.
|
||||
ipv6_rules += [comment_rule('-p ipv6-icmp -m icmp6 --icmpv6-type %s '
|
||||
|
@ -415,6 +415,9 @@ class IptablesFirewallDriver(firewall.FirewallDriver):
|
|||
mac_ipv4_pairs, ipv4_rules)
|
||||
self._setup_spoof_filter_chain(port, self.iptables.ipv6['filter'],
|
||||
mac_ipv6_pairs, ipv6_rules)
|
||||
# Allow dhcp client renewal and rebinding
|
||||
ipv4_rules += [comment_rule('-p udp -m udp --sport 68 --dport 67 '
|
||||
'-j RETURN', comment=ic.DHCP_CLIENT)]
|
||||
|
||||
def _drop_dhcp_rule(self, ipv4_rules, ipv6_rules):
|
||||
#Note(nati) Drop dhcp packet from VM
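Review bot: The renewal/rebinding rule appended after the two `_setup_spoof_filter_chain` calls explains what it allows but not why it sits there, and the position is the security argument: it is added only after the jump into the spoof filter chain, so a `--sport 68 --dport 67` packet that reaches it has already passed the MAC/IP pair check and only the port's own addresses can renew or rebind. The discovery/request rule in `_spoofing_rule` (first hunk) is inserted before that chain, which is why it has to be pinned to `-s 0.0.0.0/32 -d 255.255.255.255/32`. I would extend the comment to `# Allow dhcp client renewal and rebinding; this rule must stay after the spoof filter chain so the source address has already been checked against the port's allowed pairs`. The method containing this hunk begins above it, so I cannot see whether anything else is appended to ipv4_rules between the spoof chain jump and this rule.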
|
||||
|
|
|
@ -355,6 +355,9 @@ class FirewallTestCase(BaseFirewallTestCase):
|
|||
direction=self.tester.INGRESS)
|
||||
self.tester.assert_no_connection(protocol=self.tester.ICMP,
|
||||
direction=self.tester.EGRESS)
|
||||
self.tester.assert_no_connection(protocol=self.tester.UDP,
|
||||
src_port=68, dst_port=67,
|
||||
direction=self.tester.EGRESS)
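Review bot: The added `assert_no_connection` for UDP 68->67 egress only pins the negative case; nothing in this hunk checks that a legitimate DHCP exchange (discover from 0.0.0.0 to the broadcast address, or a renewal from the port's fixed IP) still passes, so a regression that blocks all client DHCP traffic would also satisfy this test. If the tester helper can drive traffic from the port's real address, a positive counterpart with the same `protocol=self.tester.UDP, src_port=68, dst_port=67, direction=self.tester.EGRESS` arguments would cover the intended behaviour; I cannot tell from the hunk whether the helper supports that, and the enclosing test method starts above the hunk.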
|
||||
|
||||
@skip_if_firewall('openvswitch')
|
||||
def test_ip_spoofing_works_without_port_security_enabled(self):
|
||||
|
|
|
@ -158,10 +158,15 @@ class IptablesFirewallTestCase(BaseIptablesFirewallTestCase):
|
|||
comment=ic.PAIR_DROP),
|
||||
mock.call.add_rule(
|
||||
'ofake_dev',
|
||||
'-p udp -m udp --sport 68 -m udp --dport 67 -j RETURN',
|
||||
'-s 0.0.0.0/32 -d 255.255.255.255/32 -p udp -m udp '
|
||||
'--sport 68 --dport 67 -j RETURN',
|
||||
comment=None),
|
||||
mock.call.add_rule('ofake_dev', '-j $sfake_dev',
|
||||
comment=None),
|
||||
mock.call.add_rule(
|
||||
'ofake_dev',
|
||||
'-p udp -m udp --sport 68 --dport 67 -j RETURN',
|
||||
comment=None),
|
||||
mock.call.add_rule(
|
||||
'ofake_dev',
|
||||
'-p udp -m udp --sport 67 -m udp --dport 68 -j DROP',
|
||||
|
@ -940,7 +945,8 @@ class IptablesFirewallTestCase(BaseIptablesFirewallTestCase):
|
|||
filter_inst = self.v4filter_inst
|
||||
dhcp_rule = [mock.call.add_rule(
|
||||
'ofake_dev',
|
||||
'-p udp -m udp --sport 68 -m udp --dport 67 -j RETURN',
|
||||
'-s 0.0.0.0/32 -d 255.255.255.255/32 -p udp -m udp '
|
||||
'--sport 68 --dport 67 -j RETURN',
|
||||
comment=None)]
|
||||
|
||||
if ethertype == 'IPv6':
|
||||
|
@ -1027,6 +1033,10 @@ class IptablesFirewallTestCase(BaseIptablesFirewallTestCase):
|
|||
calls.append(mock.call.add_rule('ofake_dev', '-j $sfake_dev',
|
||||
comment=None))
|
||||
if ethertype == 'IPv4':
|
||||
calls.append(mock.call.add_rule(
|
||||
'ofake_dev',
|
||||
'-p udp -m udp --sport 68 --dport 67 -j RETURN',
|
||||
comment=None))
|
||||
calls.append(mock.call.add_rule(
|
||||
'ofake_dev',
|
||||
'-p udp -m udp --sport 67 -m udp --dport 68 -j DROP',
|
||||
|
@ -1195,10 +1205,15 @@ class IptablesFirewallTestCase(BaseIptablesFirewallTestCase):
|
|||
comment=ic.PAIR_DROP),
|
||||
mock.call.add_rule(
|
||||
'ofake_dev',
|
||||
'-p udp -m udp --sport 68 -m udp --dport 67 -j RETURN',
|
||||
'-s 0.0.0.0/32 -d 255.255.255.255/32 -p udp -m udp '
|
||||
'--sport 68 --dport 67 -j RETURN',
|
||||
comment=None),
|
||||
mock.call.add_rule('ofake_dev', '-j $sfake_dev',
|
||||
comment=None),
|
||||
mock.call.add_rule(
|
||||
'ofake_dev',
|
||||
'-p udp -m udp --sport 68 --dport 67 -j RETURN',
|
||||
comment=None),
|
||||
mock.call.add_rule(
|
||||
'ofake_dev',
|
||||
'-p udp -m udp --sport 67 -m udp --dport 68 -j DROP',
|
||||
|
@ -1267,10 +1282,15 @@ class IptablesFirewallTestCase(BaseIptablesFirewallTestCase):
|
|||
comment=ic.PAIR_DROP),
|
||||
mock.call.add_rule(
|
||||
'ofake_dev',
|
||||
'-p udp -m udp --sport 68 -m udp --dport 67 -j RETURN',
|
||||
'-s 0.0.0.0/32 -d 255.255.255.255/32 -p udp -m udp '
|
||||
'--sport 68 --dport 67 -j RETURN',
|
||||
comment=None),
|
||||
mock.call.add_rule('ofake_dev', '-j $sfake_dev',
|
||||
comment=None),
|
||||
mock.call.add_rule(
|
||||
'ofake_dev',
|
||||
'-p udp -m udp --sport 68 --dport 67 -j RETURN',
|
||||
comment=None),
|
||||
mock.call.add_rule(
|
||||
'ofake_dev',
|
||||
'-p udp -m udp --sport 67 -m udp --dport 68 -j DROP',
|
||||
|
@ -1442,10 +1462,15 @@ class IptablesFirewallTestCase(BaseIptablesFirewallTestCase):
|
|||
comment=ic.PAIR_DROP),
|
||||
mock.call.add_rule(
|
||||
'ofake_dev',
|
||||
'-p udp -m udp --sport 68 -m udp --dport 67 -j RETURN',
|
||||
'-s 0.0.0.0/32 -d 255.255.255.255/32 -p udp -m udp '
|
||||
'--sport 68 --dport 67 -j RETURN',
|
||||
comment=None),
|
||||
mock.call.add_rule('ofake_dev', '-j $sfake_dev',
|
||||
comment=None),
|
||||
mock.call.add_rule(
|
||||
'ofake_dev',
|
||||
'-p udp -m udp --sport 68 --dport 67 -j RETURN',
|
||||
comment=None),
|
||||
mock.call.add_rule(
|
||||
'ofake_dev',
|
||||
'-p udp -m udp --sport 67 -m udp --dport 68 -j DROP',
|
||||
|
@ -1516,10 +1541,15 @@ class IptablesFirewallTestCase(BaseIptablesFirewallTestCase):
|
|||
comment=ic.PAIR_DROP),
|
||||
mock.call.add_rule(
|
||||
'ofake_dev',
|
||||
'-p udp -m udp --sport 68 -m udp --dport 67 -j RETURN',
|
||||
'-s 0.0.0.0/32 -d 255.255.255.255/32 -p udp -m udp '
|
||||
'--sport 68 --dport 67 -j RETURN',
|
||||
comment=None),
|
||||
mock.call.add_rule('ofake_dev', '-j $sfake_dev',
|
||||
comment=None),
|
||||
mock.call.add_rule(
|
||||
'ofake_dev',
|
||||
'-p udp -m udp --sport 68 --dport 67 -j RETURN',
|
||||
comment=None),
|
||||
mock.call.add_rule(
|
||||
'ofake_dev',
|
||||
'-p udp -m udp --sport 67 -m udp --dport 68 -j DROP',
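Review bot: The same three expected `mock.call.add_rule('ofake_dev', ...)` entries for the DHCP client rules are pasted verbatim into the hunks at 158, 1195, 1267, 1442 and 1516, and a fourth variant of the block lives in the `dhcp_rule` list at 940 and the `calls.append` sequence at 1027. A module-level helper such as `_expected_dhcp_client_calls(dev)` returning that list, spliced into each expectation, would make the next rule-ordering change a one-place edit and would also make it obvious in review which tests are meant to share the ordering. This is a style point only; the expected strings themselves agree with the driver change.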
|
||||
|
|
|
@ -1888,14 +1888,15 @@ IPSET_FILTER_1 = """# Generated by iptables_manager
|
|||
RETURN
|
||||
-I %(bn)s-i_port1 5 -m state --state INVALID -j DROP
|
||||
-I %(bn)s-i_port1 6 -j %(bn)s-sg-fallback
|
||||
-I %(bn)s-o_port1 1 -p udp -m udp --sport 68 -m udp --dport 67 \
|
||||
-j RETURN
|
||||
-I %(bn)s-o_port1 1 -s 0.0.0.0/32 -d 255.255.255.255/32 -p udp -m udp \
|
||||
--sport 68 --dport 67 -j RETURN
|
||||
-I %(bn)s-o_port1 2 -j %(bn)s-s_port1
|
||||
-I %(bn)s-o_port1 3 -p udp -m udp --sport 67 -m udp --dport 68 -j DROP
|
||||
-I %(bn)s-o_port1 4 -m state --state RELATED,ESTABLISHED -j RETURN
|
||||
-I %(bn)s-o_port1 5 -j RETURN
|
||||
-I %(bn)s-o_port1 6 -m state --state INVALID -j DROP
|
||||
-I %(bn)s-o_port1 7 -j %(bn)s-sg-fallback
|
||||
-I %(bn)s-o_port1 3 -p udp -m udp --sport 68 --dport 67 -j RETURN
|
||||
-I %(bn)s-o_port1 4 -p udp -m udp --sport 67 -m udp --dport 68 -j DROP
|
||||
-I %(bn)s-o_port1 5 -m state --state RELATED,ESTABLISHED -j RETURN
|
||||
-I %(bn)s-o_port1 6 -j RETURN
|
||||
-I %(bn)s-o_port1 7 -m state --state INVALID -j DROP
|
||||
-I %(bn)s-o_port1 8 -j %(bn)s-sg-fallback
|
||||
-I %(bn)s-s_port1 1 -s 10.0.0.3/32 -m mac --mac-source 12:34:56:78:9A:BC \
|
||||
-j RETURN
|
||||
-I %(bn)s-s_port1 2 -j DROP
|
||||
|
@ -1944,14 +1945,15 @@ IPTABLES_FILTER_1 = """# Generated by iptables_manager
|
|||
-I %(bn)s-i_port1 3 -p tcp -m tcp --dport 22 -j RETURN
|
||||
-I %(bn)s-i_port1 4 -m state --state INVALID -j DROP
|
||||
-I %(bn)s-i_port1 5 -j %(bn)s-sg-fallback
|
||||
-I %(bn)s-o_port1 1 -p udp -m udp --sport 68 -m udp --dport 67 \
|
||||
-j RETURN
|
||||
-I %(bn)s-o_port1 1 -s 0.0.0.0/32 -d 255.255.255.255/32 -p udp -m udp \
|
||||
--sport 68 --dport 67 -j RETURN
|
||||
-I %(bn)s-o_port1 2 -j %(bn)s-s_port1
|
||||
-I %(bn)s-o_port1 3 -p udp -m udp --sport 67 -m udp --dport 68 -j DROP
|
||||
-I %(bn)s-o_port1 4 -m state --state RELATED,ESTABLISHED -j RETURN
|
||||
-I %(bn)s-o_port1 5 -j RETURN
|
||||
-I %(bn)s-o_port1 6 -m state --state INVALID -j DROP
|
||||
-I %(bn)s-o_port1 7 -j %(bn)s-sg-fallback
|
||||
-I %(bn)s-o_port1 3 -p udp -m udp --sport 68 --dport 67 -j RETURN
|
||||
-I %(bn)s-o_port1 4 -p udp -m udp --sport 67 -m udp --dport 68 -j DROP
|
||||
-I %(bn)s-o_port1 5 -m state --state RELATED,ESTABLISHED -j RETURN
|
||||
-I %(bn)s-o_port1 6 -j RETURN
|
||||
-I %(bn)s-o_port1 7 -m state --state INVALID -j DROP
|
||||
-I %(bn)s-o_port1 8 -j %(bn)s-sg-fallback
|
||||
-I %(bn)s-s_port1 1 -s 10.0.0.3/32 -m mac --mac-source 12:34:56:78:9A:BC \
|
||||
-j RETURN
|
||||
-I %(bn)s-s_port1 2 -j DROP
|
||||
|
@ -2002,14 +2004,15 @@ IPTABLES_FILTER_1_2 = """# Generated by iptables_manager
|
|||
-I %(bn)s-i_port1 4 -s 10.0.0.4/32 -j RETURN
|
||||
-I %(bn)s-i_port1 5 -m state --state INVALID -j DROP
|
||||
-I %(bn)s-i_port1 6 -j %(bn)s-sg-fallback
|
||||
-I %(bn)s-o_port1 1 -p udp -m udp --sport 68 -m udp --dport 67 \
|
||||
-j RETURN
|
||||
-I %(bn)s-o_port1 1 -s 0.0.0.0/32 -d 255.255.255.255/32 -p udp -m udp \
|
||||
--sport 68 --dport 67 -j RETURN
|
||||
-I %(bn)s-o_port1 2 -j %(bn)s-s_port1
|
||||
-I %(bn)s-o_port1 3 -p udp -m udp --sport 67 -m udp --dport 68 -j DROP
|
||||
-I %(bn)s-o_port1 4 -m state --state RELATED,ESTABLISHED -j RETURN
|
||||
-I %(bn)s-o_port1 5 -j RETURN
|
||||
-I %(bn)s-o_port1 6 -m state --state INVALID -j DROP
|
||||
-I %(bn)s-o_port1 7 -j %(bn)s-sg-fallback
|
||||
-I %(bn)s-o_port1 3 -p udp -m udp --sport 68 --dport 67 -j RETURN
|
||||
-I %(bn)s-o_port1 4 -p udp -m udp --sport 67 -m udp --dport 68 -j DROP
|
||||
-I %(bn)s-o_port1 5 -m state --state RELATED,ESTABLISHED -j RETURN
|
||||
-I %(bn)s-o_port1 6 -j RETURN
|
||||
-I %(bn)s-o_port1 7 -m state --state INVALID -j DROP
|
||||
-I %(bn)s-o_port1 8 -j %(bn)s-sg-fallback
|
||||
-I %(bn)s-s_port1 1 -s 10.0.0.3/32 -m mac --mac-source 12:34:56:78:9A:BC \
|
||||
-j RETURN
|
||||
-I %(bn)s-s_port1 2 -j DROP
|
||||
|
@ -2077,20 +2080,24 @@ IPSET_FILTER_2 = """# Generated by iptables_manager
|
|||
-I %(bn)s-i_%(port2)s 4 -m set --match-set NIPv4security_group1 src -j RETURN
|
||||
-I %(bn)s-i_%(port2)s 5 -m state --state INVALID -j DROP
|
||||
-I %(bn)s-i_%(port2)s 6 -j %(bn)s-sg-fallback
|
||||
-I %(bn)s-o_%(port1)s 1 -p udp -m udp --sport 68 -m udp --dport 67 -j RETURN
|
||||
-I %(bn)s-o_%(port1)s 1 -s 0.0.0.0/32 -d 255.255.255.255/32 -p udp -m udp \
|
||||
--sport 68 --dport 67 -j RETURN
|
||||
-I %(bn)s-o_%(port1)s 2 -j %(bn)s-s_%(port1)s
|
||||
-I %(bn)s-o_%(port1)s 3 -p udp -m udp --sport 67 -m udp --dport 68 -j DROP
|
||||
-I %(bn)s-o_%(port1)s 4 -m state --state RELATED,ESTABLISHED -j RETURN
|
||||
-I %(bn)s-o_%(port1)s 5 -j RETURN
|
||||
-I %(bn)s-o_%(port1)s 6 -m state --state INVALID -j DROP
|
||||
-I %(bn)s-o_%(port1)s 7 -j %(bn)s-sg-fallback
|
||||
-I %(bn)s-o_%(port2)s 1 -p udp -m udp --sport 68 -m udp --dport 67 -j RETURN
|
||||
-I %(bn)s-o_%(port1)s 3 -p udp -m udp --sport 68 --dport 67 -j RETURN
|
||||
-I %(bn)s-o_%(port1)s 4 -p udp -m udp --sport 67 -m udp --dport 68 -j DROP
|
||||
-I %(bn)s-o_%(port1)s 5 -m state --state RELATED,ESTABLISHED -j RETURN
|
||||
-I %(bn)s-o_%(port1)s 6 -j RETURN
|
||||
-I %(bn)s-o_%(port1)s 7 -m state --state INVALID -j DROP
|
||||
-I %(bn)s-o_%(port1)s 8 -j %(bn)s-sg-fallback
|
||||
-I %(bn)s-o_%(port2)s 1 -s 0.0.0.0/32 -d 255.255.255.255/32 -p udp -m udp \
|
||||
--sport 68 --dport 67 -j RETURN
|
||||
-I %(bn)s-o_%(port2)s 2 -j %(bn)s-s_%(port2)s
|
||||
-I %(bn)s-o_%(port2)s 3 -p udp -m udp --sport 67 -m udp --dport 68 -j DROP
|
||||
-I %(bn)s-o_%(port2)s 4 -m state --state RELATED,ESTABLISHED -j RETURN
|
||||
-I %(bn)s-o_%(port2)s 5 -j RETURN
|
||||
-I %(bn)s-o_%(port2)s 6 -m state --state INVALID -j DROP
|
||||
-I %(bn)s-o_%(port2)s 7 -j %(bn)s-sg-fallback
|
||||
-I %(bn)s-o_%(port2)s 3 -p udp -m udp --sport 68 --dport 67 -j RETURN
|
||||
-I %(bn)s-o_%(port2)s 4 -p udp -m udp --sport 67 -m udp --dport 68 -j DROP
|
||||
-I %(bn)s-o_%(port2)s 5 -m state --state RELATED,ESTABLISHED -j RETURN
|
||||
-I %(bn)s-o_%(port2)s 6 -j RETURN
|
||||
-I %(bn)s-o_%(port2)s 7 -m state --state INVALID -j DROP
|
||||
-I %(bn)s-o_%(port2)s 8 -j %(bn)s-sg-fallback
|
||||
-I %(bn)s-s_%(port1)s 1 -s %(ip1)s -m mac --mac-source %(mac1)s -j RETURN
|
||||
-I %(bn)s-s_%(port1)s 2 -j DROP
|
||||
-I %(bn)s-s_%(port2)s 1 -s %(ip2)s -m mac --mac-source %(mac2)s -j RETURN
|
||||
|
@ -2163,20 +2170,24 @@ IPSET_FILTER_2_3 = """# Generated by iptables_manager
|
|||
-I %(bn)s-i_%(port2)s 5 -p icmp -j RETURN
|
||||
-I %(bn)s-i_%(port2)s 6 -m state --state INVALID -j DROP
|
||||
-I %(bn)s-i_%(port2)s 7 -j %(bn)s-sg-fallback
|
||||
-I %(bn)s-o_%(port1)s 1 -p udp -m udp --sport 68 -m udp --dport 67 -j RETURN
|
||||
-I %(bn)s-o_%(port1)s 1 -s 0.0.0.0/32 -d 255.255.255.255/32 -p udp -m udp \
|
||||
--sport 68 --dport 67 -j RETURN
|
||||
-I %(bn)s-o_%(port1)s 2 -j %(bn)s-s_%(port1)s
|
||||
-I %(bn)s-o_%(port1)s 3 -p udp -m udp --sport 67 -m udp --dport 68 -j DROP
|
||||
-I %(bn)s-o_%(port1)s 4 -m state --state RELATED,ESTABLISHED -j RETURN
|
||||
-I %(bn)s-o_%(port1)s 5 -j RETURN
|
||||
-I %(bn)s-o_%(port1)s 6 -m state --state INVALID -j DROP
|
||||
-I %(bn)s-o_%(port1)s 7 -j %(bn)s-sg-fallback
|
||||
-I %(bn)s-o_%(port2)s 1 -p udp -m udp --sport 68 -m udp --dport 67 -j RETURN
|
||||
-I %(bn)s-o_%(port1)s 3 -p udp -m udp --sport 68 --dport 67 -j RETURN
|
||||
-I %(bn)s-o_%(port1)s 4 -p udp -m udp --sport 67 -m udp --dport 68 -j DROP
|
||||
-I %(bn)s-o_%(port1)s 5 -m state --state RELATED,ESTABLISHED -j RETURN
|
||||
-I %(bn)s-o_%(port1)s 6 -j RETURN
|
||||
-I %(bn)s-o_%(port1)s 7 -m state --state INVALID -j DROP
|
||||
-I %(bn)s-o_%(port1)s 8 -j %(bn)s-sg-fallback
|
||||
-I %(bn)s-o_%(port2)s 1 -s 0.0.0.0/32 -d 255.255.255.255/32 -p udp -m udp \
|
||||
--sport 68 --dport 67 -j RETURN
|
||||
-I %(bn)s-o_%(port2)s 2 -j %(bn)s-s_%(port2)s
|
||||
-I %(bn)s-o_%(port2)s 3 -p udp -m udp --sport 67 -m udp --dport 68 -j DROP
|
||||
-I %(bn)s-o_%(port2)s 4 -m state --state RELATED,ESTABLISHED -j RETURN
|
||||
-I %(bn)s-o_%(port2)s 5 -j RETURN
|
||||
-I %(bn)s-o_%(port2)s 6 -m state --state INVALID -j DROP
|
||||
-I %(bn)s-o_%(port2)s 7 -j %(bn)s-sg-fallback
|
||||
-I %(bn)s-o_%(port2)s 3 -p udp -m udp --sport 68 --dport 67 -j RETURN
|
||||
-I %(bn)s-o_%(port2)s 4 -p udp -m udp --sport 67 -m udp --dport 68 -j DROP
|
||||
-I %(bn)s-o_%(port2)s 5 -m state --state RELATED,ESTABLISHED -j RETURN
|
||||
-I %(bn)s-o_%(port2)s 6 -j RETURN
|
||||
-I %(bn)s-o_%(port2)s 7 -m state --state INVALID -j DROP
|
||||
-I %(bn)s-o_%(port2)s 8 -j %(bn)s-sg-fallback
|
||||
-I %(bn)s-s_%(port1)s 1 -s %(ip1)s -m mac --mac-source %(mac1)s -j RETURN
|
||||
-I %(bn)s-s_%(port1)s 2 -j DROP
|
||||
-I %(bn)s-s_%(port2)s 1 -s %(ip2)s -m mac --mac-source %(mac2)s -j RETURN
|
||||
|
@ -2247,22 +2258,24 @@ IPTABLES_FILTER_2 = """# Generated by iptables_manager
|
|||
-I %(bn)s-i_%(port2)s 4 -s %(ip1)s -j RETURN
|
||||
-I %(bn)s-i_%(port2)s 5 -m state --state INVALID -j DROP
|
||||
-I %(bn)s-i_%(port2)s 6 -j %(bn)s-sg-fallback
|
||||
-I %(bn)s-o_%(port1)s 1 -p udp -m udp --sport 68 -m udp --dport 67 \
|
||||
-j RETURN
|
||||
-I %(bn)s-o_%(port1)s 1 -s 0.0.0.0/32 -d 255.255.255.255/32 -p udp -m udp \
|
||||
--sport 68 --dport 67 -j RETURN
|
||||
-I %(bn)s-o_%(port1)s 2 -j %(bn)s-s_%(port1)s
|
||||
-I %(bn)s-o_%(port1)s 3 -p udp -m udp --sport 67 -m udp --dport 68 -j DROP
|
||||
-I %(bn)s-o_%(port1)s 4 -m state --state RELATED,ESTABLISHED -j RETURN
|
||||
-I %(bn)s-o_%(port1)s 5 -j RETURN
|
||||
-I %(bn)s-o_%(port1)s 6 -m state --state INVALID -j DROP
|
||||
-I %(bn)s-o_%(port1)s 7 -j %(bn)s-sg-fallback
|
||||
-I %(bn)s-o_%(port2)s 1 -p udp -m udp --sport 68 -m udp --dport 67 \
|
||||
-j RETURN
|
||||
-I %(bn)s-o_%(port1)s 3 -p udp -m udp --sport 68 --dport 67 -j RETURN
|
||||
-I %(bn)s-o_%(port1)s 4 -p udp -m udp --sport 67 -m udp --dport 68 -j DROP
|
||||
-I %(bn)s-o_%(port1)s 5 -m state --state RELATED,ESTABLISHED -j RETURN
|
||||
-I %(bn)s-o_%(port1)s 6 -j RETURN
|
||||
-I %(bn)s-o_%(port1)s 7 -m state --state INVALID -j DROP
|
||||
-I %(bn)s-o_%(port1)s 8 -j %(bn)s-sg-fallback
|
||||
-I %(bn)s-o_%(port2)s 1 -s 0.0.0.0/32 -d 255.255.255.255/32 -p udp -m udp \
|
||||
--sport 68 --dport 67 -j RETURN
|
||||
-I %(bn)s-o_%(port2)s 2 -j %(bn)s-s_%(port2)s
|
||||
-I %(bn)s-o_%(port2)s 3 -p udp -m udp --sport 67 -m udp --dport 68 -j DROP
|
||||
-I %(bn)s-o_%(port2)s 4 -m state --state RELATED,ESTABLISHED -j RETURN
|
||||
-I %(bn)s-o_%(port2)s 5 -j RETURN
|
||||
-I %(bn)s-o_%(port2)s 6 -m state --state INVALID -j DROP
|
||||
-I %(bn)s-o_%(port2)s 7 -j %(bn)s-sg-fallback
|
||||
-I %(bn)s-o_%(port2)s 3 -p udp -m udp --sport 68 --dport 67 -j RETURN
|
||||
-I %(bn)s-o_%(port2)s 4 -p udp -m udp --sport 67 -m udp --dport 68 -j DROP
|
||||
-I %(bn)s-o_%(port2)s 5 -m state --state RELATED,ESTABLISHED -j RETURN
|
||||
-I %(bn)s-o_%(port2)s 6 -j RETURN
|
||||
-I %(bn)s-o_%(port2)s 7 -m state --state INVALID -j DROP
|
||||
-I %(bn)s-o_%(port2)s 8 -j %(bn)s-sg-fallback
|
||||
-I %(bn)s-s_%(port1)s 1 -s %(ip1)s -m mac --mac-source %(mac1)s -j RETURN
|
||||
-I %(bn)s-s_%(port1)s 2 -j DROP
|
||||
-I %(bn)s-s_%(port2)s 1 -s %(ip2)s -m mac --mac-source %(mac2)s -j RETURN
|
||||
|
@ -2332,20 +2345,24 @@ IPTABLES_FILTER_2_2 = """# Generated by iptables_manager
|
|||
-I %(bn)s-i_%(port2)s 4 -s %(ip1)s -j RETURN
|
||||
-I %(bn)s-i_%(port2)s 5 -m state --state INVALID -j DROP
|
||||
-I %(bn)s-i_%(port2)s 6 -j %(bn)s-sg-fallback
|
||||
-I %(bn)s-o_%(port1)s 1 -p udp -m udp --sport 68 -m udp --dport 67 -j RETURN
|
||||
-I %(bn)s-o_%(port1)s 1 -s 0.0.0.0/32 -d 255.255.255.255/32 -p udp -m udp \
|
||||
--sport 68 --dport 67 -j RETURN
|
||||
-I %(bn)s-o_%(port1)s 2 -j %(bn)s-s_%(port1)s
|
||||
-I %(bn)s-o_%(port1)s 3 -p udp -m udp --sport 67 -m udp --dport 68 -j DROP
|
||||
-I %(bn)s-o_%(port1)s 4 -m state --state RELATED,ESTABLISHED -j RETURN
|
||||
-I %(bn)s-o_%(port1)s 5 -j RETURN
|
||||
-I %(bn)s-o_%(port1)s 6 -m state --state INVALID -j DROP
|
||||
-I %(bn)s-o_%(port1)s 7 -j %(bn)s-sg-fallback
|
||||
-I %(bn)s-o_%(port2)s 1 -p udp -m udp --sport 68 -m udp --dport 67 -j RETURN
|
||||
-I %(bn)s-o_%(port1)s 3 -p udp -m udp --sport 68 --dport 67 -j RETURN
|
||||
-I %(bn)s-o_%(port1)s 4 -p udp -m udp --sport 67 -m udp --dport 68 -j DROP
|
||||
-I %(bn)s-o_%(port1)s 5 -m state --state RELATED,ESTABLISHED -j RETURN
|
||||
-I %(bn)s-o_%(port1)s 6 -j RETURN
|
||||
-I %(bn)s-o_%(port1)s 7 -m state --state INVALID -j DROP
|
||||
-I %(bn)s-o_%(port1)s 8 -j %(bn)s-sg-fallback
|
||||
-I %(bn)s-o_%(port2)s 1 -s 0.0.0.0/32 -d 255.255.255.255/32 -p udp -m udp \
|
||||
--sport 68 --dport 67 -j RETURN
|
||||
-I %(bn)s-o_%(port2)s 2 -j %(bn)s-s_%(port2)s
|
||||
-I %(bn)s-o_%(port2)s 3 -p udp -m udp --sport 67 -m udp --dport 68 -j DROP
|
||||
-I %(bn)s-o_%(port2)s 4 -m state --state RELATED,ESTABLISHED -j RETURN
|
||||
-I %(bn)s-o_%(port2)s 5 -j RETURN
|
||||
-I %(bn)s-o_%(port2)s 6 -m state --state INVALID -j DROP
|
||||
-I %(bn)s-o_%(port2)s 7 -j %(bn)s-sg-fallback
|
||||
-I %(bn)s-o_%(port2)s 3 -p udp -m udp --sport 68 --dport 67 -j RETURN
|
||||
-I %(bn)s-o_%(port2)s 4 -p udp -m udp --sport 67 -m udp --dport 68 -j DROP
|
||||
-I %(bn)s-o_%(port2)s 5 -m state --state RELATED,ESTABLISHED -j RETURN
|
||||
-I %(bn)s-o_%(port2)s 6 -j RETURN
|
||||
-I %(bn)s-o_%(port2)s 7 -m state --state INVALID -j DROP
|
||||
-I %(bn)s-o_%(port2)s 8 -j %(bn)s-sg-fallback
|
||||
-I %(bn)s-s_%(port1)s 1 -s %(ip1)s -m mac --mac-source %(mac1)s -j RETURN
|
||||
-I %(bn)s-s_%(port1)s 2 -j DROP
|
||||
-I %(bn)s-s_%(port2)s 1 -s %(ip2)s -m mac --mac-source %(mac2)s -j RETURN
|
||||
|
@ -2418,20 +2435,24 @@ IPTABLES_FILTER_2_3 = """# Generated by iptables_manager
|
|||
-I %(bn)s-i_%(port2)s 5 -p icmp -j RETURN
|
||||
-I %(bn)s-i_%(port2)s 6 -m state --state INVALID -j DROP
|
||||
-I %(bn)s-i_%(port2)s 7 -j %(bn)s-sg-fallback
|
||||
-I %(bn)s-o_%(port1)s 1 -p udp -m udp --sport 68 -m udp --dport 67 -j RETURN
|
||||
-I %(bn)s-o_%(port1)s 1 -s 0.0.0.0/32 -d 255.255.255.255/32 -p udp -m udp \
|
||||
--sport 68 --dport 67 -j RETURN
|
||||
-I %(bn)s-o_%(port1)s 2 -j %(bn)s-s_%(port1)s
|
||||
-I %(bn)s-o_%(port1)s 3 -p udp -m udp --sport 67 -m udp --dport 68 -j DROP
|
||||
-I %(bn)s-o_%(port1)s 4 -m state --state RELATED,ESTABLISHED -j RETURN
|
||||
-I %(bn)s-o_%(port1)s 5 -j RETURN
|
||||
-I %(bn)s-o_%(port1)s 6 -m state --state INVALID -j DROP
|
||||
-I %(bn)s-o_%(port1)s 7 -j %(bn)s-sg-fallback
|
||||
-I %(bn)s-o_%(port2)s 1 -p udp -m udp --sport 68 -m udp --dport 67 -j RETURN
|
||||
-I %(bn)s-o_%(port1)s 3 -p udp -m udp --sport 68 --dport 67 -j RETURN
|
||||
-I %(bn)s-o_%(port1)s 4 -p udp -m udp --sport 67 -m udp --dport 68 -j DROP
|
||||
-I %(bn)s-o_%(port1)s 5 -m state --state RELATED,ESTABLISHED -j RETURN
|
||||
-I %(bn)s-o_%(port1)s 6 -j RETURN
|
||||
-I %(bn)s-o_%(port1)s 7 -m state --state INVALID -j DROP
|
||||
-I %(bn)s-o_%(port1)s 8 -j %(bn)s-sg-fallback
|
||||
-I %(bn)s-o_%(port2)s 1 -s 0.0.0.0/32 -d 255.255.255.255/32 -p udp -m udp \
|
||||
--sport 68 --dport 67 -j RETURN
|
||||
-I %(bn)s-o_%(port2)s 2 -j %(bn)s-s_%(port2)s
|
||||
-I %(bn)s-o_%(port2)s 3 -p udp -m udp --sport 67 -m udp --dport 68 -j DROP
|
||||
-I %(bn)s-o_%(port2)s 4 -m state --state RELATED,ESTABLISHED -j RETURN
|
||||
-I %(bn)s-o_%(port2)s 5 -j RETURN
|
||||
-I %(bn)s-o_%(port2)s 6 -m state --state INVALID -j DROP
|
||||
-I %(bn)s-o_%(port2)s 7 -j %(bn)s-sg-fallback
|
||||
-I %(bn)s-o_%(port2)s 3 -p udp -m udp --sport 68 --dport 67 -j RETURN
|
||||
-I %(bn)s-o_%(port2)s 4 -p udp -m udp --sport 67 -m udp --dport 68 -j DROP
|
||||
-I %(bn)s-o_%(port2)s 5 -m state --state RELATED,ESTABLISHED -j RETURN
|
||||
-I %(bn)s-o_%(port2)s 6 -j RETURN
|
||||
-I %(bn)s-o_%(port2)s 7 -m state --state INVALID -j DROP
|
||||
-I %(bn)s-o_%(port2)s 8 -j %(bn)s-sg-fallback
|
||||
-I %(bn)s-s_%(port1)s 1 -s %(ip1)s -m mac --mac-source %(mac1)s -j RETURN
|
||||
-I %(bn)s-s_%(port1)s 2 -j DROP
|
||||
-I %(bn)s-s_%(port2)s 1 -s %(ip2)s -m mac --mac-source %(mac2)s -j RETURN
|
||||
|
|