-rw-r--r-- | scripts/firewall/firewall.init.in | 17 |
1 files changed, 12 insertions, 5 deletions
diff --git a/scripts/firewall/firewall.init.in b/scripts/firewall/firewall.init.in
index e084fcf..f3b20b6 100644
--- a/scripts/firewall/firewall.init.in
+++ b/scripts/firewall/firewall.init.in
@@ -48,20 +48,27 @@ start () {
         modprobe --syslog $mod
     done
 
-    # set up notrack chains/rules
+    # set up notrack chains/rules for IPv4
     # by default, nothing is tracked.
     iptables -t raw -A PREROUTING -j NOTRACK
     iptables -t raw -A OUTPUT -j NOTRACK
+
+    # set up notrack chains/rules for IPv6
+    ip6tables -t raw -A PREROUTING -j NOTRACK
+    ip6tables -t raw -A OUTPUT -j NOTRACK
 
-    # set up post-firewall hook
+    # set up post-firewall hook for IPv4
     iptables -N VYATTA_POST_FW_HOOK
     iptables -A VYATTA_POST_FW_HOOK -j ACCEPT
-
-    # enforce strict host matching (see bug 4061)
     iptables -A INPUT -j VYATTA_POST_FW_HOOK
-
     iptables -A FORWARD -j VYATTA_POST_FW_HOOK
+    # set up post-firewall hook for IPv6
+    ip6tables -N VYATTA_POST_FW_HOOK
+    ip6tables -A VYATTA_POST_FW_HOOK -j ACCEPT
+    ip6tables -A INPUT -j VYATTA_POST_FW_HOOK
+    ip6tables -A FORWARD -j VYATTA_POST_FW_HOOK
+
     # set up pre-SNAT hook
     iptables -t nat -N VYATTA_PRE_SNAT_HOOK
     iptables -t nat -A VYATTA_PRE_SNAT_HOOK -j RETURN
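Review bot: The six new `ip6tables` calls run unconditionally with no check that the ip6tables binary and the kernel's IPv6 netfilter support are present, so on an image without them each call fails in turn; the hunk does not show whether `start` runs under `set -e`, so the result is either an aborted start with only the IPv4 raw/hook rules in place or a silent IPv6 side with no hook chains, and neither outcome is reported. Wrapping the IPv6 block in `if command -v ip6tables >/dev/null 2>&1; then` … `fi` (or keying it off the module list the `modprobe` loop above iterates, which starts outside the hunk) and logging the skipped case would make the state after `start` predictable. Separately, the removed `# enforce strict host matching (see bug 4061)` comment was the only record of why the hook chain is attached to INPUT; the new code keeps that line but drops the rationale, so the comment should be carried over onto the IPv4 INPUT line and, since the IPv6 block mirrors it, onto the ip6tables INPUT line as well. The body of `start` continues past this hunk.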