From e751cde8954a09ea32f67a8bf7974b4dc1395f2e Mon Sep 17 00:00:00 2001
From: Jo-Philipp Wich
Date: Sun, 9 Apr 2017 14:35:32 +0200
Subject: [PATCH] zones: drop outgoing invalid traffic in masqueraded zones

Install conntrack state invalid drop rules to catch outgoing, un-natted traffic in zones with enabled masquerading. Also introduce a new option "masq_allow_invalid" it inhibit this new drop rules.

Signed-off-by: Jo-Philipp Wich
---
 options.h | 1 +
 zones.c | 12 ++++++++++++
 2 files changed, 13 insertions(+)

diff --git a/options.h b/options.h
index 089242f..6edd174 100644
--- a/options.h
+++ b/options.h
@@ -304,6 +304,7 @@ struct fw3_zone
 const char *extra_dest;
 bool masq;
+ bool masq_allow_invalid;
 struct list_head masq_src;
 struct list_head masq_dest;
diff --git a/zones.c b/zones.c
index 520d00c..26f6215 100644
--- a/zones.c
+++ b/zones.c
@@ -66,6 +66,7 @@ const struct fw3_option fw3_zone_opts[] = {
 FW3_OPT("output", target, zone, policy_output),
 FW3_OPT("masq", bool, zone, masq),
+ FW3_OPT("masq_allow_invalid", bool, zone, masq_allow_invalid),
 FW3_LIST("masq_src", network, zone, masq_src),
 FW3_LIST("masq_dest", network, zone, masq_dest),
@@ -354,6 +355,17 @@ print_interface_rule(struct fw3_ipt_handle *handle, struct fw3_state *state,
 if (has(zone->flags, handle->family, t))
 {
+ if (t == FW3_FLAG_ACCEPT && zone->masq && !zone->masq_allow_invalid) { r = fw3_ipt_rule_create(handle, NULL, NULL, dev, NULL, sub); fw3_ipt_rule_extra(r, "-m conntrack --ctstate INVALID"); fw3_ipt_rule_comment(r, "Prevent NAT leakage"); fw3_ipt_rule_target(r, fw3_flag_names[FW3_FLAG_DROP]); fw3_ipt_rule_replace(r, "zone_%s_dest_%s", zone->name, fw3_flag_names[t]); }
+
 r = fw3_ipt_rule_create(handle, NULL, NULL, dev, NULL, sub);
 fw3_ipt_rule_target(r, jump_target(t));
 fw3_ipt_rule_extra(r, zone->extra_dest);
--
2.11.0
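Review bot: The new `masq_allow_invalid` field in `struct fw3_zone` is added without a comment, and because it is a negative-sense flag (true switches a protective rule off, false is the zero-initialised default) a reader of the header cannot tell what it controls; add `/* true: skip the conntrack INVALID drop rule normally installed for masq zones */` above the declaration. The enclosing struct definition starts before this hunk, so match whatever field-comment style it already uses.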
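Review bot: The "Prevent NAT leakage" rule drops every conntrack-INVALID packet on the accept path silently, and nothing in this hunk emits a log entry for it, so a packet dropped here is indistinguishable from a black-hole when an operator debugs a masq zone; if the zone's drop/reject handling elsewhere in this file honours a zone logging option (not visible here), consider placing a rate-limited LOG rule in front of the DROP under the same condition. The guard `zone->masq && !zone->masq_allow_invalid` also ignores `handle->family`, so the rule is installed for each family that reaches this branch whenever masquerading is configured; if masquerading is only ever applied for one address family, checking that family here would avoid a surplus rule in the other table. A one-line comment above the new `if`, e.g. `/* masq needs conntrack; drop untracked packets so they cannot leave un-NATed */`, would make the intent clear without reading the commit message. `print_interface_rule` starts and ends outside this hunk.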