local.m4: Filter out source routing in the firewall.
index c16f94eefe9f0ca6ff90009f88ad506ef8c63abc..821cea93e145b445254bda9f0f15e3c1cf761f9a 100644 (file)
--- a/local.m4
+++ b/local.m4
@@ -354,6 +354,23 @@ case $forward in
     ;;
 esac
 
+m4_divert(82)m4_dnl
+###--------------------------------------------------------------------------
+### Check for source routing.
+
+clearchain check-srcroute
+
+run iptables -A check-srcroute -g forbidden \
+    -m ipv4options --any --flags lsrr,ssrr
+run ip6tables -A check-srcroute -g forbidden \
+    -m rt
+
+for c in INPUT FORWARD; do
+  for m in $from_scary $from_untrusted; do
+    run ip46tables -A $c -m mark --mark $m/$MASK_FROM -j check-srcroute
+  done
+done
+
 m4_divert(84)m4_dnl
 ###--------------------------------------------------------------------------
 ### Locally-bound packet inspection.
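Review bot: The IPv6 rule (`-m rt` with no `--rt-type`) matches every routing-header type, not just the deprecated type 0 that is the IPv6 counterpart of lsrr/ssrr, so Mobile IPv6 type-2 headers and any other routing-header type are also sent to `forbidden`. If the intent is to mirror the IPv4 check, `run ip6tables -A check-srcroute -g forbidden -m rt --rt-type 0` would match only RH0; if dropping all routing headers is deliberate, a comment saying so above the rule would save the next reader from "fixing" it. The `ipv4options` match appears to come from xtables-addons rather than the stock netfilter set, so a short comment naming that dependency next to the iptables rule would explain a configure-time failure on hosts without it. Note also that the check is only attached for marks in `$from_scary`/`$from_untrusted`, so source-routed packets from other zones are not inspected; that looks intentional but is worth stating in the section comment.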