Better patch attached

On 9/9/2010 12:35, Michael Hanke wrote:
On Thu, Sep 09, 2010 at 11:59:55AM +0200, Arno van Amersfoort wrote:
Should be fixed upstream in 1.9.2m-DEVEL. Thanks for the report.

I am afraid that this fix would also need to get into Debian squeeze.
Could you post the relevant patch to this bug?


Thanks,

Michael



--
Arno van Amersfoort
E-mail    : arn...@rocky.eld.leidenuniv.nl
Donations are welcome through Paypal!
---------------------------------------------------------------------------
Arno's (Linux IPTABLES Firewall) Homepage:
http://rocky.eld.leidenuniv.nl
Index: /trunk/bin/arno-iptables-firewall
===================================================================
--- /trunk/bin/arno-iptables-firewall (revision 289)
+++ /trunk/bin/arno-iptables-firewall (revision 295)
@@ -4385,20 +4385,38 @@
   # When IPv4 support is active, disable IPv6 traffic
   if [ "$IPV6_SUPPORT" = "1" ]; then
-    echo "NOTE: IPv6 support enabled, setting default policy for IPv4 to DROP"
+    echo "NOTE: IPv6 support enabled, setting simple default policy for IPv4"
     ip4tables -P INPUT DROP
     ip4tables -P FORWARD DROP
-    ip4tables -P OUTPUT DROP
+    ip4tables -P OUTPUT ACCEPT
-  else
+    
+    ip4tables -A INPUT -i lo -j ACCEPT
+    ip4tables -A FORWARD -i lo -j ACCEPT
+
+    IFS=' ,'
+    for interface in $INT_IF $TRUSTED_IF; do
+      ip4tables -A INPUT -i $interface -j ACCEPT
+    done
+  elif sysctl_key net.ipv6.conf; then
     # IPv6 support available on the system?
-    if sysctl_key net.ipv6.conf; then
-      if [ -x "$IP6TABLES" ]; then
-        echo "NOTE: IPv4 support enabled, setting default policy for IPv6 to 
DROP"
-        ip6tables -P INPUT DROP
-        ip6tables -P FORWARD DROP
-        ip6tables -P OUTPUT DROP
-      else
-        printf "\033[40m\033[1;31mWARNING: IPv4 support enabled, but unable to 
set the default policy\033[0m\n" >&2
-        printf "\033[40m\033[1;31m         for IPv6 to DROP as the 
ip6tables-binary is not available!\033[0m\n" >&2
-      fi
+    if [ -x "$IP6TABLES" ]; then
+      echo "NOTE: IPv4 support enabled, setting simple default policy for IPv6"
+      ip6tables -P INPUT DROP
+      ip6tables -P FORWARD DROP
+      ip6tables -P OUTPUT ACCEPT
+
+      ip6tables -A INPUT -i lo -j ACCEPT
+      ip6tables -A FORWARD -i lo -j ACCEPT
+
+      IFS=' ,'
+      for interface in $INT_IF $TRUSTED_IF; do
+        ip6tables -A INPUT -i $interface -j ACCEPT
+      done
+    else
+      printf "\033[40m\033[1;31mWARNING: IPv4 support enabled, but unable to 
set the default policy\033[0m\n" >&2
+      printf "\033[40m\033[1;31m         for IPv6 to DROP as the 
ip6tables-binary is not available!\033[0m\n" >&2
     fi
   fi
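
Review bot: `IFS=' ,'` is assigned before both `for interface in $INT_IF $TRUSTED_IF` loops and is not restored anywhere in the visible lines, so every unquoted expansion that runs after this block will also split on commas. Save the previous value and restore it after each loop (or confirm that the script resets IFS later), and quote the loop variable as `-i "$interface"`. The context comment `# When IPv4 support is active, disable IPv6 traffic` and the unchanged warning text `for IPv6 to DROP` no longer describe the block now that OUTPUT is ACCEPT and INPUT is opened for lo, INT_IF and TRUSTED_IF, so both should be updated. A short comment should also state that the protocol family the firewall does not manage is deliberately left unfiltered on the internal and trusted interfaces, since that is a policy change from the previous all-DROP behaviour. With INPUT still at DROP and no rule for established connections in these lines, replies to outbound traffic on any other interface are still dropped; if that is intended, say so next to `-P OUTPUT ACCEPT`. The `-A FORWARD -i lo -j ACCEPT` rules would benefit from a line explaining why they are needed.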
