netscript-2.4 5.5.3 / etc / netscript / ipfilter.conf

#
#
# ipfilter.conf This file contains the functions that contain the firewall
#               and ipfilter configuration. This is an example setup for 
#               IP masquearding
#

# set -x # Uncomment for script debug

# DONT change this!
LOCAL_NET=127.0.0.0/8
LOCAL_IP=127.0.0.1

# Source local ipfilter definitions
IPFILTER_LOCAL="/etc/netscript/ipfilter-local.conf"
[ -f $IPFILTER_LOCAL ] && source $IPFILTER_LOCAL

# Some functions to handle Protocol IP Port tuples

echoParam () {
        local format="$1"
	local IFS='_'
	set -- $2
	eval "echo \"$format\""
}

echoIpPort () {
	local format1="$1"
	local format2="$2"
	local testpar="$3"
	local IFS='_'
	set -- $4
	eval "echo -n \"$format1\""
	eval "if [ -n \"$testpar\" ]; then
		echo \" $format2\"
	fi"
}


# Check and see if a chain exists or not
ipv4_checkChain () {
	if qt $IPTBL -N $1; then
		return 1
	fi
	return 0
}

ipv6_checkChain () {
	if qt $IP6TBL -N $1; then
		return 1
	fi
	return 0
}


# If a chain does not exist, create it
# First arg is the chain name, all the rest are the args and name of the 
# creation function
ipv4_createChain () {
	local CHAIN=$1
	local FN=$2

	shift 2

	if ipv4_checkChain $CHAIN; then
		return 0
	fi

	ipf4_${FN} "$@"
	
}

ipv6_createChain () {
	local CHAIN=$1
	local FN=$2

	shift 2

	if ipv6_checkChain $CHAIN; then
		return 0
	fi

	ipf6_${FN} "$@"	
}



# A function to build a logging chain ( NB:  This does not process timber 
# products )
ipf4_log () {
	local NET
	local LOG_MSG="Def log: $CHAIN"
	local NO_TARG=0

	local F OPTIND=1
	while getopts nl: F; do
		case $F in
		n)	NO_TARG=1;;
		l)	LOG_MSG="$3";;
		esac
	done
	shift $(($OPTIND - 1))
	
	local CHAIN=$1
	if [ -z "$CHAIN" ]; then
		CHAIN=log
	fi
	
	# Clean out any existing chain
	$IPTBL -F $CHAIN >& /dev/null
	$IPTBL -N $CHAIN >& /dev/null

	$IPTBL -A $CHAIN -j LOG --log-level $LOG_LEVEL \
		--log-prefix "$LOG_MSG - " \
		--log-tcp-options --log-ip-options \
		-m limit --limit $LOG_MAXRATE/second
	
	if [ $NO_TARG -eq 0 ]; then
		# Catch all packets and DROP/REJECT them
	
		# DROP all ICMP packets as it does not make sense 
		# to reply to these
		$IPTBL -A $CHAIN -p icmp -j DROP
	
		if [ -z "$2" ]; then
			$IPTBL -A $CHAIN -j $LOG_TARGET
		else
			$IPTBL -A $CHAIN -j $2
		fi
	fi

	return 0
}


# A function to filter out Martian source addresses
ipf4_martians () {
	local CHAIN=$1

	if [ -z "$CHAIN" ]; then
		CHAIN=martians
	fi
	
	# Clean out any existing chain
	$IPTBL -F $CHAIN >& /dev/null
	$IPTBL -N $CHAIN >& /dev/null

	# Make sure the log chain exists with drop policy
	ipv4_createChain droplog log droplog DROP 
	
	# The source addresses listed here are conservatively 
	# invalid as they are either used as broadcast/multicast
	# destation addresses, a special value in IP stacks, loopback 
	# networks and illegal/ambiguous Classed IP addressing networks.
	#
	# You can add your 'martian/invalid' source address blocks to the 
	# MARTIAN_NETS list in /etc/netscript/network.conf
	
	# Bypass checks for certain netblocks that are internal.
	for NET in $MARTIAN_BYPASS; do
		$IPTBL -A $CHAIN -j RETURN -s $NET
	done

	case $LOG_NOISE in

	yes|YES|Yes)
		# RFC 1918/1627/1597 blocks
 		$IPTBL -A $CHAIN -j droplog -p all  -s 10.0.0.0/8 -d 0/0
		$IPTBL -A $CHAIN -j droplog -p all  -s 172.16.0.0/12 -d 0/0
		$IPTBL -A $CHAIN -j droplog -p all  -s 192.168.0.0/16 -d 0/0
		$IPTBL -A $CHAIN -j droplog -p all  -s 169.254.0.0/16 -d 0/0
		;;

	*)
		# Block all DHCP/BOOTP queries without logging
		$IPTBL -A $CHAIN -j DROP -p udp -s 0.0.0.0 -d 0/0 --dport bootps

		# RFC 1918/1627/1597 blocks
 		$IPTBL -A $CHAIN -j DROP -p all  -s 10.0.0.0/8 -d 0/0
		$IPTBL -A $CHAIN -j DROP -p all  -s 172.16.0.0/12 -d 0/0
		$IPTBL -A $CHAIN -j DROP -p all  -s 192.168.0.0/16 -d 0/0
		$IPTBL -A $CHAIN -j DROP -p all  -s 169.254.0.0/16 -d 0/0
		;;
	esac

	# All ones, all zeroes
	$IPTBL -A $CHAIN -j droplog -p all  -s 0.0.0.0 -d 0/0
	$IPTBL -A $CHAIN -j droplog -p all  -s 255.255.255.255 -d 0/0

	# Loop back addresses
	$IPTBL -A $CHAIN -j droplog -p all  -s 127.0.0.0/8 -d 0/0

	# Multicast source addresses
	$IPTBL -A $CHAIN -j droplog -p all  -s 224.0.0.0/4 -d 0/0

	# RFC 3468 6to4 anycast relays you may want to route to this !
	#$IPTBL -A $CHAIN -j droplog -p all  -s 192.88.99.0/24 -d 0/0

	# IANA reserved blocks (Martians from the gated restricted list
	# - actually impossible/ambiguous classed networks)
	$IPTBL -A $CHAIN -j droplog -p all  -s 0.0.0.0/8 -d 0/0
	# RFC 5736
	$IPTBL -A $CHAIN -j droplog -p all  -s 192.0.0.0/24 -d 0/0
	# RFC 5737 TEST-NET-1 
	$IPTBL -A $CHAIN -j droplog -p all  -s 192.0.2.0/24 -d 0/0
	# RFC 2544 Device Bench mark testing
	$IPTBL -A $CHAIN -j droplog -p all  -s 198.18.0.0/15 -d 0/0
	# RFC 5737 TEST-NET-2 
	$IPTBL -A $CHAIN -j droplog -p all  -s 198.51.100.0/24 -d 0/0
	# RFC 5737 TEST-NET-3 
	$IPTBL -A $CHAIN -j droplog -p all  -s 203.0.113.0/24 -d 0/0
	# RFC 1112, Section 4 Reserved for furture 
	$IPTBL -A $CHAIN -j droplog -p all  -s 240.0.0.0/4 -d 0/0

	# Addtions/other IANA reserved blocks 
	for NET in $MARTIAN_NETS; do
		$IPTBL -A $CHAIN -j droplog -p all -s $NET -d 0/0
	done; unset NET

	return 0
}

# A function to assist with spoof protection when rp_filter is turned
# off.  Very useful with Free S/WAN IPSEC.
ipf4_ingress () {

        local CHAIN=$1
	local IP

        if [ -z "$CHAIN" ]; then
                CHAIN=ingress
        fi

        # Clean out any existing chain
        qt $IPTBL -F $CHAIN
        qt $IPTBL -N $CHAIN

        # Make sure the log chain exists with drop policy
        ipv4_createChain droplog log droplog DROP

        for IP in $INGRESS_IPS; do
                iptables -A $CHAIN  -j droplog -s $IP
        done
}
 
# Another function to assist with spoof protection when rp_filter is turned
# off.  Very useful with Free S/WAN IPSEC.
ipf4_ingrssfwd () {

        local CHAIN=$1
	local NET

        if [ -z "$CHAIN" ]; then
                CHAIN=ingrssfwd
        fi

        # Clean out any existing chain
        qt $IPTBL -F $CHAIN
        qt $IPTBL -N $CHAIN

        # Make sure the log chain exists with drop policy
        ipv4_createChain droplog log droplog DROP

        for NET in $INGRESS_FWD_NETS; do
                iptables -A $CHAIN  -j droplog \
			-s `echoIpPort '$1' '-i $2' '$2' $NET`
        done
}
 
## Create a target for handling portscans as detected by psd module
##
## Not a good idea to drop packets, as psd says everything is a portscan
## when active.
#ipf4_portscan () {
#
#        local CHAIN=$1
#
#        if [ -z "$CHAIN" ]; then
#                CHAIN=portscan
#        fi
#
#        # Clean out any existing chain
#        qt $IPTBL -F $CHAIN
#        qt $IPTBL -N $CHAIN
#        
#	# Make sure the log chain exists with drop policy
#        ipv4_createChain logprtscn log -n -l "PORTSCAN DETECTED" logprtscn DROP
#
#        [ -n "$PORTSCAN_WEIGHT_THRESHOLD" ] \
#                && local OPT_PWT="--psd-weight-threshold $PORTSCAN_WEIGHT_THRESHOLD"
#        [ -n "$PORTSCAN_DELAY_THRESHOLD" ] \
#                && local OPT_PDT="--psd-delay-threshold $PORTSCAN_DELAY_THRESHOLD"
#        [ -n "$PORTSCAN_LOPORTS_WEIGHT" ] \
#                && local OPT_PLPW="--psd-lo-ports-weight $PORTSCAN_LOPORTS_WEIGHT"
#        [ -n "$PORTSCAN_HIPORTS_WEIGHT" ] \
#                && local OPT_PHPW="--psd-hi-ports-weight $PORTSCAN_HIPORTS_WEIGHT"
#
#	$IPTBL -A portscan -j logprtscn -m psd \
#		$OPT_PWT $OPT_PDT $OPT_PLPW $OPT_PHPW
#}

ipf4_smb () {
	local CHAIN=$1
	
	if [ -z "$CHAIN" ]; then
		CHAIN=smb
	fi
	
	# Clean out any existing chain
	$IPTBL -F $CHAIN >& /dev/null
	$IPTBL -N $CHAIN >& /dev/null


	# Block SMB/Windows networking to protect Windows boxes and to stop
        # Windows NT doing braindead things with mail, www, etc
        # This also prevents Internet Explorer spraying user logins
        # and passwords everywhere
	# SMB port also blocked for security reasons.
	# If you need to do this, set up IPSEC between windows clients.
        $IPTBL -A $CHAIN -j REJECT -p tcp -s 0/0 -d 0/0 --dport netbios-ns:netbios-ssn
        $IPTBL -A $CHAIN -j REJECT -p tcp -s 0/0 -d 0/0 --dport 135
        $IPTBL -A $CHAIN -j REJECT -p udp -s 0/0 -d 0/0 --dport netbios-ns:netbios-ssn
        $IPTBL -A $CHAIN -j REJECT -p udp -s 0/0 -d 0/0 --dport 135
	$IPTBL -A $CHAIN -j REJECT -p tcp -s 0/0 -d 0/0 --dport microsoft-ds
	$IPTBL -A $CHAIN -j REJECT -p udp -s 0/0 -d 0/0 --dport microsoft-ds
	$IPTBL -A $CHAIN -j REJECT -p udp -s 0/0 --sport netbios-ns:netbios-ssn -d 0/0
	$IPTBL -A $CHAIN -j REJECT -p udp -s 0/0 --sport 135 -d 0/0
	$IPTBL -A $CHAIN -j REJECT -p tcp -s 0/0 --sport netbios-ns:netbios-ssn -d 0/0
	$IPTBL -A $CHAIN -j REJECT -p tcp -s 0/0 --sport 135 -d 0/0
	$IPTBL -A $CHAIN -j REJECT -p tcp -s 0/0 --sport microsoft-ds -d 0/0
	$IPTBL -A $CHAIN -j REJECT -p udp -s 0/0 --sport microsoft-ds -d 0/0
	
}

# A function to control SNMP access on a network
ipf4_snmp () {
	local LOG_CHAIN=$2
	local CHAIN=$1
	local SNMP_IP
	
	if [ -z "$LOG_CHAIN" ]; then
		LOG_CHAIN=log
	fi
	
	if [ -z "$CHAIN" ]; then
		CHAIN=snmp
	fi
	
	# Clean out any existing chain
	$IPTBL -F $CHAIN >& /dev/null
	$IPTBL -N $CHAIN >& /dev/null

	# Create log chain with default target
	ipv4_createChain log log $LOG_CHAIN

	if [ -z "$SNMP_BLOCK_DEST" ]; then
		local SNMP_BLOCK_DEST="0/0"
	fi
	
	for SNMP_IP in $SNMP_MANAGER_IPS; do
		$IPTBL -A $CHAIN -j ACCEPT -p udp -s $SNMP_IP -d $SNMP_BLOCK_DEST --dport 161:162
	done;

	$IPTBL -A $CHAIN -j $LOG_CHAIN -p udp -s 0/0 -d $SNMP_BLOCK_DEST --dport 161:162
}

ipf4_icmphost () {
	local CHAIN=$1
	
	if [ -z "$CHAIN" ]; then
		CHAIN=icmphost
	fi
	
	# Clean out any existing chain
	$IPTBL -F $CHAIN >& /dev/null
	$IPTBL -N $CHAIN >& /dev/null

	# Create log chain with default target
	ipv4_createChain log log
	
	# ICMP - we don't want these
	# Stop ICMP time stamp messages - don't need these
	$IPTBL -A $CHAIN -j log -p icmp --icmp-type timestamp-request
	$IPTBL -A $CHAIN -j log -p icmp --icmp-type timestamp-reply
	$IPTBL -A $CHAIN -j log -p icmp --icmp-type address-mask-request
	$IPTBL -A $CHAIN -j log -p icmp --icmp-type address-mask-reply

}

ipf4_icmpfwd () {
	local CHAIN=$1
	
	if [ -z "$CHAIN" ]; then
		CHAIN=icmpfwd
	fi
	
	# Clean out any existing chain
	$IPTBL -F $CHAIN >& /dev/null
	$IPTBL -N $CHAIN >& /dev/null

	# Create log chain with default target
	ipv4_createChain log log
	
	# ICMP - we don't want these
	# Stop ICMP time stamp messages and redirects - don't need these
	$IPTBL -A $CHAIN -j log -p icmp --icmp-type redirect
	$IPTBL -A $CHAIN -j log -p icmp --icmp-type timestamp-request
	$IPTBL -A $CHAIN -j log -p icmp --icmp-type timestamp-reply
	$IPTBL -A $CHAIN -j log -p icmp --icmp-type address-mask-request
	$IPTBL -A $CHAIN -j log -p icmp --icmp-type address-mask-reply

}

ipf4_inbrdr () {
	local CHAIN=$1
	local IP DEST SRC

	if [ -z "$CHAIN" ]; then
		CHAIN=inbrdr
	fi
	
	# Clean out any existing chain
	$IPTBL -F $CHAIN >& /dev/null
	$IPTBL -N $CHAIN >& /dev/null


	# Create chains if they do not exsist
	ipv4_createChain log log log REJECT
	ipv4_createChain droplog log droplog DROP 
	ipv4_createChain icmpfwd icmpfwd 
	ipv4_createChain martians martians
	
	# Source  blocking
	for SRC in $BLOCKED_INSRC; do
		$IPTBL -A $CHAIN -j DROP -p `echoParam '$1' $SRC` \
			 -s `echoIpPort '$2' ' --sport $3' '$3' $SRC`
	done; unset SRC
	for SRC in $LOGGED_BLOCKED_INSRC; do
		$IPTBL -A $CHAIN -j droplog -p `echoParam '$1' $SRC` \
			 -s `echoIpPort '$2' ' --sport $3' '$3' $SRC`
	done; unset SRC
	
	# Get rid of incoming Martians
	$IPTBL -A $CHAIN -j martians

	# Prevent RFC 1918/1627/1597 IP packets from coming in
        # Bypass checks for certain netblocks that are internal.
        for NET in $MARTIAN_BYPASS; do
		$IPTBL -A $CHAIN -j DROP \! -s "$NET" -d 10.0.0.0/8
		$IPTBL -A $CHAIN -j DROP \! -s "$NET" -d 192.168.0.0/16
		$IPTBL -A $CHAIN -j DROP \! -s "$NET" -d 172.16.0.0/12
        done
        if [ -z "$MARTIAN_BYPASS" ]; then
		$IPTBL -A $CHAIN -j DROP -d 10.0.0.0/8
		$IPTBL -A $CHAIN -j DROP -d 192.168.0.0/16
		$IPTBL -A $CHAIN -j DROP -d 172.16.0.0/12
	fi
	
	# Allow icmp/BGP in on out link net
	if [ -n "$LINK_NET" ]; then
		$IPTBL -A $CHAIN -j ACCEPT -p icmp -s $LINK_NET
		$IPTBL -A $CHAIN -j ACCEPT -p tcp -s $LINK_NET \
			-d $LINK_NET --dport bgp
		$IPTBL -A $CHAIN -j ACCEPT -p tcp -s $LINK_NET --sport bgp \
			-d $LINK_NET --dport 1024:65535 ! --syn

		#$IPTBL -A $CHAIN -j ACCEPT -p udp -s $LINK_NET \
		#	-d $LINK_NET --dport egp
		#$IPTBL -A $CHAIN -j ACCEPT -p udp -s $LINK_NET --sport egp \
		#	-d $LINK_NET --dport 1024:65535
	fi

        # Get rid of fake packets from our internal source addresses
	for IP in $IP_BLOCKS; do
		$IPTBL -A $CHAIN -j droplog -s $IP
	done; unset IP

	# Destination  blocking
	for DEST in $BLOCKED_INDEST; do
		$IPTBL -A $CHAIN -j REJECT -p `echoParam '$1' $DEST` \
			 -d `echoIpPort '$2' ' --dport $3' '$3' $DEST`
	done; unset DEST
	for DEST in $LOGGED_BLOCKED_INDEST; do
		$IPTBL -A $CHAIN -j log -p `echoParam '$1' $DEST` \
			 -d `echoIpPort '$2' ' --dport $3' '$3' $DEST`
	done; unset DEST
	
	# Get rid of unwanted ICMP packets
	$IPTBL -A $CHAIN -j icmpfwd

	# SNMP control - Prevent SNMP access to our network
	if [ "$SNMP_BLOCK" = "YES" -o "$SNMP_BLOCK" = "Yes" \
		-o "$SNMP_BLOCK" = "yes" ] ; then
		$IPTBL -A $CHAIN -j log -p udp --dport 161:162 
	fi

	# Block SMB stuff on input interface
	if [ "$SMB_BLOCK" = "YES" -o "$SMB_BLOCK" = "Yes" -o \
		"$SMB_BLOCK" = "yes" ]; then
		ipv4_createChain smb smb
		$IPTBL -A $CHAIN -j smb
	fi      

	# DNS control - only allow certain machines to do zone transfers
	if [ -n "$DNS_IPS" ]; then
		for IP in $DNS_IPS; do
			$IPTBL -A $CHAIN -j ACCEPT -p tcp -s $IP --dport domain
		done; unset IP
		$IPTBL -A $CHAIN -j log -p tcp --dport domain
	fi

	return 0
}

ipf4_outbrdr () {
	local CHAIN=$1
	local IP DEST SRC
	
	if [ -z "$CHAIN" ]; then
		CHAIN=outbrdr
	fi
	
	# Clean out any existing chain
	$IPTBL -F $CHAIN >& /dev/null
	$IPTBL -N $CHAIN >& /dev/null


	# Create chains if they do not exsist
	ipv4_createChain log log log REJECT
	ipv4_createChain droplog log droplog DROP 
	ipv4_createChain martians martians
	
	# Stop outgoing RFC 1918/1627/1597 packets
        # Bypass checks for certain netblocks that are internal.
        for NET in $MARTIAN_BYPASS; do
		$IPTBL -A $CHAIN -j DROP \! -s "$NET" -d 10.0.0.0/8
		$IPTBL -A $CHAIN -j DROP \! -s "$NET" -d 192.168.0.0/16
		$IPTBL -A $CHAIN -j DROP \! -s "$NET" -d 172.16.0.0/12
        done
        if [ -z "$MARTIAN_BYPASS" ]; then
		$IPTBL -A $CHAIN -j DROP -d 10.0.0.0/8
		$IPTBL -A $CHAIN -j DROP -d 192.168.0.0/16
		$IPTBL -A $CHAIN -j DROP -d 172.16.0.0/12
	fi
	
	# Log and stop certain outgoing traffic
	for DEST in $BLOCKED_OUTDEST; do
		$IPTBL -A $CHAIN -j REJECT -p `echoParam '$1' $DEST` \
			-d `echoIpPort '$2' '--dport $3' '$3' $DEST`
	done; unset DEST
	
	for DEST in $LOGGED_BLOCKED_OUTDEST; do
		$IPTBL -A $CHAIN -j log -p `echoParam '$1' $DEST` \
			-d `echoIpPort '$2' '--dport $3' '$3' $DEST`
	done; unset DEST

	# Block SMB stuff on output interface
	if [ "$SMB_BLOCK" = "YES" -o "$SMB_BLOCK" = "Yes" -o \
		"$SMB_BLOCK" = "yes" ]; then
		ipv4_createChain smb smb
		$IPTBL -A $CHAIN -j smb
	fi

	# Control Outgoing Source addresses
	local TARGET=${OUT_TARGET:='ACCEPT'}
	for IP in $IP_BLOCKS; do
		$IPTBL -A $CHAIN -j $TARGET -s $IP
	done; unset IP
	$IPTBL -A $CHAIN -j droplog
	
	return 0
}

ipf4_laptopfw () {
	local USAGE="netscript fN ipv4_laptop_fwadj() [-f] [in-chain [out-chain]]"
	local FLUSH=0
	local F OPTIND=1
        while getopts f F; do
                case $F in
		f)
			FLUSH=1	
			;;
		h\?)
			echo 1>&2
			echo "$USAGE" 1>&2
			echo 1>&2
			return 1
                esac
        done
        shift $(($OPTIND - 1))

        local CHAIN_IN="$1"
	local CHAIN_OUT="$2"

	local IN=''
	local OUT=''

        if [ -z "$CHAIN_IN" ]; then
                CHAIN_IN=laptopin
        fi
        if [ -z "$CHAIN_OUT" ]; then
                CHAIN_OUT=laptopout
        fi

        # Clean out any existing chain
        qt $IPTBL -F $CHAIN_IN
        qt $IPTBL -F $CHAIN_OUT
        qt $IPTBL -X $CHAIN_IN
        qt $IPTBL -X $CHAIN_OUT
        
	# Set global variables based on what whereami has found out
	if ! qt type if_laptop_fwdata; then
		return 1
	fi
	if ! if_laptop_fwdata; then
		return 0
	fi

	# Don't do any more if we are just cleaning up
	if [ $FLUSH -gt 0 ]; then
		return 0
	fi

        [ -n "$LAPTOP_IN" ] && qt $IPTBL -N $CHAIN_IN
	[ -n "$LAPTOP_OUT" ] && qt $IPTBL -N $CHAIN_OUT

	# Fill in the chains
        for IN in $LAPTOP_IN; do
		$IPTBL -A $CHAIN_IN -j ACCEPT -m state --state NEW \
			-p `echoParam '$1' "$IN"` \
			-s `echoIpPort '$2' '--dport $3' '$3' "$IN"`
	done
        for OUT in $LAPTOP_OUT; do
		$IPTBL -A $CHAIN_OUT -j ACCEPT -m state --state NEW \
			-p `echoParam '$1' "$OUT"` \
			-d `echoIpPort '$2' '--dport $3' '$3' "$OUT"`
	done
}


# IPv6 Functions

# A function to build a logging chain ( NB:  This does not process timber 
# products )
ipf6_log () {
	local NET
	local LOG_MSG="Def log: $CHAIN"
	local NO_TARG=0

	local F OPTIND=1
	while getopts nl: F; do
		case $F in
		n)	NO_TARG=1;;
		l)	LOG_MSG="$3";;
		esac
	done
	shift $(($OPTIND - 1))
	
	local CHAIN=$1
	if [ -z "$CHAIN" ]; then
		CHAIN=log
	fi
	
	# Clean out any existing chain
	$IP6TBL -F $CHAIN >& /dev/null
	$IP6TBL -N $CHAIN >& /dev/null

	$IP6TBL -A $CHAIN -j LOG --log-level $LOG_LEVEL \
		--log-prefix "$LOG_MSG - " \
		--log-tcp-options --log-ip-options \
		-m limit --limit $LOG_MAXRATE/second
	
	if [ $NO_TARG -eq 0 ]; then
		# Catch all packets and DROP/REJECT them
	
		# DROP all ICMP packets as it does not make sense 
		# to reply to these
		$IP6TBL -A $CHAIN -p icmpv6 -j DROP
	
		if [ -z "$2" ]; then
			$IP6TBL -A $CHAIN -j $IPV6_LOG_TARGET
		else
			$IP6TBL -A $CHAIN -j $2
		fi
	fi

	return 0
}

ipf6_icmphost () {
	local CHAIN=$1
	local TARGET=$2

	if [ -z "$CHAIN" ]; then
	        CHAIN=icmphost
	fi

	if [ -z "$TARGET" ]; then
	        TARGET=${IPV6_ICMPHOST_TARGET:='ACCEPT'}

	fi
	# Clean out any existing chain
	$IP6TBL -F $CHAIN >& /dev/null
	$IP6TBL -N $CHAIN >& /dev/null

	# Create log chain with default target
	ipv6_createChain log log
	
	# ICMP - we want these From RFC 4980 Section 4.4
	local TYPE
	# These should be accepted from local network
	for TYPE in destination-unreachable \
		packet-too-big \
		time-exceeded \
		parameter-problem \
		echo-request \
		echo-reply \
		neighbour-solicitation \
		neighbour-advertisement \
		141 \
		142 \
		router-solicitation \
		router-advertisement \
		130 131 132 143 \
		148 149 \
		151 152 153
	do
		$IP6TBL -A $CHAIN -j $TARGET -m limit \
			--limit $IPV6_ICMPHOST_MAXRATE/second \
			-p icmpv6 --icmpv6-type $TYPE
	done
	
	# ICMPv6 - Things we optionally want
	for TYPE in $IPV6_ICMPHOST_OPTIONAL
	do
		$IP6TBL -A $CHAIN -j $TARGET -m limit \
			--limit $IPV6_ICMPHOST_MAXRATE/second \
			-p icmpv6 --icmpv6-type $TYPE
	done
	
	# Accept local DHCPv6 replies
	$IP6TBL -A $CHAIN -j $TARGET -s fe80::/10 \
		-p udp --dport 546
	
	# Log ICMP we don't want
	$IP6TBL -A $CHAIN -p icmpv6 -j log
}

ipf6_icmpfwd () {
	local CHAIN=$1
	local TARGET=$2
	
	if [ -z "$CHAIN" ]; then
		CHAIN=icmpfwd
	fi
	
	if [ -z "$TARGET" ]; then
		TARGET=${IPV6_ICMPFWD_TARGET:='RETURN'}
	fi

	# Clean out any existing chain
	$IP6TBL -F $CHAIN >& /dev/null
	$IP6TBL -N $CHAIN >& /dev/null

	# Create log chain with default target
	ipv6_createChain log log
	
	# ICMP - we want these From RFC 4980 Section 4.4
	local TYPE
	for TYPE in destination-unreachable \
		packet-too-big \
		time-exceeded \
		parameter-problem \
		echo-request \
		echo-reply;
		do
		$IP6TBL -A $CHAIN -j $TARGET -m limit \
			--limit $IPV6_ICMPFWD_MAXRATE/second \
			-p icmpv6 --icmpv6-type $TYPE
	done
	# ICMPv6 - Things we optionally want to forward
	for TYPE in $IPV6_ICMPFWD_OPTIONAL
	do
		$IP6TBL -A $CHAIN -j $TARGET -m limit \
			--limit $IPV6_ICMPFWD_MAXRATE/second \
			-p icmpv6 --icmpv6-type $TYPE
	done
	# ICMP - we don't want these
	# Also stops ICMP time stamp messages and redirects - don't need these
	$IP6TBL -A $CHAIN -j log -p icmpv6
}

# A function to filter out Martian source addresses
ipf6_martians () {
	local CHAIN=$1

	if [ -z "$CHAIN" ]; then
		CHAIN=martians
	fi
	
	# Clean out any existing chain
	$IP6TBL -F $CHAIN >& /dev/null
	$IP6TBL -N $CHAIN >& /dev/null

	# Make sure the log chain exists with drop policy
	ipv6_createChain droplog log droplog DROP 

	# The source addresses listed here are conservatively 
	# invalid as they are either used as broadcast/multicast
	# destation addresses, a special value in IP stacks, loopback 
	# networks and illegal/ambiguous Classed IP addressing networks.
	#
	# You can add your 'martian/invalid' source address blocks to the 
	# MARTIAN_NETS list in /etc/netscript/network.conf
	
	# Bypass checks for certain netblocks that are internal.
	for NET in $IPV6_MARTIAN_BYPASS; do
		$IP6TBL -A $CHAIN -j RETURN -s $NET
	done

	case $IPV6_LOG_NOISE in
	yes|YES|Yes)
		# RFC 4193 Unique Local Addresses
 		$IP6TBL -A $CHAIN -j droplog -p all  -s fc00::/7 -d ::/0
		# Link local addresses
 		$IP6TBL -A $CHAIN -j droplog -p all  -s fe80::/10 -d ::/0
		;;

	*)
		# RFC 4193 Unique Local Addresses
 		$IP6TBL -A $CHAIN -j DROP -p all  -s fc00::/7 -d ::/0
		# Link local addresses
 		$IP6TBL -A $CHAIN -j DROP -p all  -s fe80::/10 -d ::/0
		;;
	esac

	# All zeroes
	$IP6TBL -A $CHAIN -j droplog -p all  -s :: -d ::/0

	# Loop back address
	$IP6TBL -A $CHAIN -j droplog -p all  -s ::1 -d ::/0

	# Multicast source addresses
	$IP6TBL -A $CHAIN -j droplog -p all  -s ff00::/8 -d ::/0

	# IPv4 Mapped addresses
	$IP6TBL -A $CHAIN -j droplog -p all  -s ::ffff:0:0/96 -d ::/0

	# Documentation addresses
	$IP6TBL -A $CHAIN -j droplog -p all  -s 2001:db8::/32 -d ::/0
	# ORCHID - Overlay Routable Cryptographic Hash Identifiers 
	$IP6TBL -A $CHAIN -j droplog -p all  -s 2001:10::/28 -d ::/0

	# Addtions/other IANA reserved blocks 
	for NET in $IPV6_MARTIAN_NETS; do
		$IP6TBL -A $CHAIN -j droplog -p all -s $NET -d ::/0
	done; unset NET

	return 0
}

ipf6_mrtnshost () {
	local CHAIN=$1

	if [ -z "$CHAIN" ]; then
		CHAIN=mrtnshost
	fi
	
	# Clean out any existing chain
	$IP6TBL -F $CHAIN >& /dev/null
	$IP6TBL -N $CHAIN >& /dev/null

	# Make sure the martians chain exists
	ipv6_createChain martians martians

	# Divert localhost traffic back to calling chain
	$IP6TBL -A $CHAIN -s fe80::/10 -j RETURN
	$IP6TBL -A $CHAIN -j martians
}

# A function to assist with spoof protection when rp_filter is turned
# off.  Very useful with Free S/WAN IPSEC.
ipf6_ingress () {

        local CHAIN=$1
	local IP

        if [ -z "$CHAIN" ]; then
                CHAIN=ingress
        fi

        # Clean out any existing chain
        qt $IP6TBL -F $CHAIN
        qt $IP6TBL -N $CHAIN

        # Make sure the log chain exists with drop policy
        ipv6_createChain droplog log droplog DROP

        for IP in $IPV6_INGRESS_IPS; do
                $IP6TBL -A $CHAIN  -j droplog -s $IP
        done
}
 
# Another function to assist with spoof protection when rp_filter is turned
# off.  Early Linux IPv6 does not have rp_filter
ipf6_ingrssfwd () {

        local CHAIN=$1
	local NET

        if [ -z "$CHAIN" ]; then
                CHAIN=ingrssfwd
        fi

        # Clean out any existing chain
        qt $IP6TBL -F $CHAIN
        qt $IP6TBL -N $CHAIN

        # Make sure the log chain exists with drop policy
        ipv6_createChain droplog log droplog DROP

        for NET in $IPV6_INGRESS_FWD_NETS; do
                $IP6TBL -A $CHAIN  -j droplog \
			-s `echoIpPort '$1' '-i $2' '$2' $NET`
        done
}
 
ipf6_smb () {
	local CHAIN=$1
	
	if [ -z "$CHAIN" ]; then
		CHAIN=smb
	fi
	
	# Clean out any existing chain
	$IP6TBL -F $CHAIN >& /dev/null
	$IP6TBL -N $CHAIN >& /dev/null


	# Block SMB/Windows networking to protect Windows boxes and to stop
        # Windows NT doing braindead things with mail, www, etc
	# Block CIFS/SMB ports as they are vulnerable
	# If this is needed, configure IPSEC for the connection
	$IP6TBL -A $CHAIN -j REJECT -p tcp -s ::/0 --sport netbios-ssn -d ::/0
	$IP6TBL -A $CHAIN -j REJECT -p udp -s ::/0 --sport netbios-ssn -d ::/0
	$IP6TBL -A $CHAIN -j REJECT -p tcp -s ::/0 -d ::/0 --dport netbios-ssn
	$IP6TBL -A $CHAIN -j REJECT -p udp -s ::/0 -d ::/0 --dport netbios-ssn
	$IP6TBL -A $CHAIN -j REJECT -p tcp -s ::/0 --sport microsoft-ds -d ::/0
	$IP6TBL -A $CHAIN -j REJECT -p udp -s ::/0 --sport microsoft-ds -d ::/0
	$IP6TBL -A $CHAIN -j REJECT -p tcp -s ::/0 -d ::/0 --dport microsoft-ds
	$IP6TBL -A $CHAIN -j REJECT -p udp -s ::/0 -d ::/0 --dport microsoft-ds
}

# A function to control SNMP access on a network
ipf6_snmp () {
	local LOG_CHAIN=$2
	local CHAIN=$1
	local SNMP_IP
	
	if [ -z "$LOG_CHAIN" ]; then
		LOG_CHAIN=log
	fi
	
	if [ -z "$CHAIN" ]; then
		CHAIN=snmp
	fi
	
	# Clean out any existing chain
	$IP6TBL -F $CHAIN >& /dev/null
	$IP6TBL -N $CHAIN >& /dev/null

	# Create log chain with default target
	ipv6_createChain log log $LOG_CHAIN

	if [ -z "$IPV6_SNMP_BLOCK_DEST" ]; then
		local IPV6_SNMP_BLOCK_DEST="::/0"
	fi
	
	for SNMP_IP in $IPV6_SNMP_MANAGER_IPS; do
		$IP6TBL -A $CHAIN -j ACCEPT -p udp -s $SNMP_IP -d $IPV6_SNMP_BLOCK_DEST --dport 161:162
	done;

	$IP6TBL -A $CHAIN -j $LOG_CHAIN -p udp -s 0/0 -d $IPV6_SNMP_BLOCK_DEST --dport 161:162
}

ipf6_inbrdr () {
	local CHAIN=$1
	local IP DEST SRC

	if [ -z "$CHAIN" ]; then
		CHAIN=inbrdr
	fi
	
	# Clean out any existing chain
	$IP6TBL -F $CHAIN >& /dev/null
	$IP6TBL -N $CHAIN >& /dev/null


	# Create chains if they do not exsist
	ipv6_createChain log log log REJECT
	ipv6_createChain droplog log droplog DROP
	ipv6_createChain icmpbrdr icmpfwd icmpbrdr RETURN
	ipv6_createChain martians martians
	
	# Source  blocking
	for SRC in $IPV6_BLOCKED_INSRC; do
		$IP6TBL -A $CHAIN -j DROP -p `echoParam '$1' $SRC` \
			 -s `echoIpPort '$2' ' --sport $3' '$3' $SRC`
	done; unset SRC
	for SRC in $IPV6_LOGGED_BLOCKED_INSRC; do
		$IP6TBL -A $CHAIN -j droplog -p `echoParam '$1' $SRC` \
			 -s `echoIpPort '$2' ' --sport $3' '$3' $SRC`
	done; unset SRC
	
	# Get rid of incoming Martians
	$IP6TBL -A $CHAIN -j martians

	# Prevent ULA IP packets from coming in
        # Bypass checks for certain netblocks that are internal.
        for NET in $IPV6_MARTIAN_BYPASS; do
		$IP6TBL -A $CHAIN -j DROP \! -s "$NET" -d fc00::/7
        done
        if [ -z "$IPV6_MARTIAN_BYPASS" ]; then
		$IP6TBL -A $CHAIN -j DROP -d fc00::/7
	fi

	# Allow icmp/BGP in on our link net
	if [ -n "$IPV6_LINK_NET" ]; then
		# Get rid of unwanted ICMP packets
		$IP6TBL -A $CHAIN -j icmpbrdr -p icmpv6 -s $IPV6_LINK_NET
		# Handle icmpfwd target being RETURN.  This also works
		# when target is ACCEPT as chain finishes with a deny
		# log rule
		$IP6TBL -A $CHAIN -j ACCEPT -p icmpv6 -s $IPV6_LINK_NET
		$IP6TBL -A $CHAIN -j ACCEPT -p tcp -s $IPV6_LINK_NET \
			-d $IPV6_LINK_NET --dport bgp
		$IP6TBL -A $CHAIN -j ACCEPT -p tcp -s $IPV6_LINK_NET \
			--sport bgp -d $IPV6_LINK_NET --dport 1024:65535 \
			! --syn
	fi

        # Get rid of fake packets from our internal source addresses
	for IP in $IPV6_IP_BLOCKS; do
		$IP6TBL -A $CHAIN -j droplog -s $IP
	done; unset IP

	# Destination  blocking
	for DEST in $IPV6_BLOCKED_INDEST; do
		$IP6TBL -A $CHAIN -j REJECT -p `echoParam '$1' $DEST` \
			 -d `echoIpPort '$2' ' --dport $3' '$3' $DEST`
	done; unset DEST
	for DEST in $IPV6_LOGGED_BLOCKED_INDEST; do
		$IP6TBL -A $CHAIN -j log -p `echoParam '$1' $DEST` \
			 -d `echoIpPort '$2' ' --dport $3' '$3' $DEST`
	done; unset DEST
	
	# Get rid of unwanted ICMP packets
	$IP6TBL -A $CHAIN -j icmpbrdr -p icmpv6

	# SNMP control - Prevent SNMP access to our network
	if [ "$SNMP_BLOCK" = "YES" -o "$SNMP_BLOCK" = "Yes" \
		-o "$SNMP_BLOCK" = "yes" ] ; then
		$IP6TBL -A $CHAIN -j log -p udp --dport 161:162 
	fi

	# Block SMB stuff on input interface
	if [ "$SMB_BLOCK" = "YES" -o "$SMB_BLOCK" = "Yes" -o \
		"$SMB_BLOCK" = "yes" ]; then
		ipv6_createChain smb smb
		$IP6TBL -A $CHAIN -j smb
	fi      

	# DNS control - only allow certain machines to do zone transfers
	if [ -n "$IPV6_DNS_IPS" ]; then
		for IP in $IPV6_DNS_IPS; do
			$IP6TBL -A $CHAIN -j ACCEPT -p tcp -s $IP --dport domain
		done; unset IP
		$IP6TBL -A $CHAIN -j log -p tcp --dport domain
	fi

	return 0
}

ipf6_outbrdr () {
	local CHAIN=$1
	local IP DEST SRC
	
	if [ -z "$CHAIN" ]; then
		CHAIN=outbrdr
	fi
	
	# Clean out any existing chain
	$IP6TBL -F $CHAIN >& /dev/null
	$IP6TBL -N $CHAIN >& /dev/null


	# Create chains if they do not exsist
	ipv6_createChain log log log REJECT
	ipv6_createChain droplog log droplog DROP 
	ipv6_createChain icmpbrdr icmpfwd icmpbrdr RETURN
	ipv6_createChain martians martians
	
	# Stop outgoing ULA
        # Bypass checks for certain netblocks that are internal.
        for NET in $IPV6_MARTIAN_BYPASS; do
		$IP6TBL -A $CHAIN -j DROP \! -s "$NET" -d fc00::/7
        done
        if [ -z "$IPV6_MARTIAN_BYPASS" ]; then
		$IP6TBL -A $CHAIN -j DROP -d fc00::/7
	fi

	# Drop unwanted outgoing ICMP
 	$IP6TBL -A $CHAIN -j icmpbrdr -p icmpv6
	
	# Log and stop certain outgoing traffic
	for DEST in $IPV6_BLOCKED_OUTDEST; do
		$IP6TBL -A $CHAIN -j REJECT -p `echoParam '$1' $DEST` \
			-d `echoIpPort '$2' '--dport $3' '$3' $DEST`
	done; unset DEST
	
	for DEST in $IPV6_LOGGED_BLOCKED_OUTDEST; do
		$IP6TBL -A $CHAIN -j log -p `echoParam '$1' $DEST` \
			-d `echoIpPort '$2' '--dport $3' '$3' $DEST`
	done; unset DEST

	# Block SMB stuff on output interface
	if [ "$SMB_BLOCK" = "YES" -o "$SMB_BLOCK" = "Yes" -o \
		"$SMB_BLOCK" = "yes" ]; then
		ipv6_createChain smb smb
		$IP6TBL -A $CHAIN -j smb
	fi

	# Control Outgoing Source addresses
	local TARGET=${IPV6_OUT_TARGET:="ACCEPT"}
	for IP in $IPV6_IP_BLOCKS; do
		$IP6TBL -A $CHAIN -j $TARGET -s $IP
	done; unset IP
	$IP6TBL -A $CHAIN -j droplog
	
	return 0
}

ipf6_laptopfw () {
	local USAGE="netscript fN ipv6_laptop_fwadj() [-f] [in-chain [out-chain]]"
	local FLUSH=0
	local F OPTIND=1
        while getopts f F; do
                case $F in
		f)
			FLUSH=1	
			;;
		h\?)
			echo 1>&2
			echo "$USAGE" 1>&2
			echo 1>&2
			return 1
                esac
        done
        shift $(($OPTIND - 1))

        local CHAIN_IN="$1"
	local CHAIN_OUT="$2"

	local IN=''
	local OUT=''

        if [ -z "$CHAIN_IN" ]; then
                CHAIN_IN=laptopin
        fi
        if [ -z "$CHAIN_OUT" ]; then
                CHAIN_OUT=laptopout
        fi

        # Clean out any existing chain
        qt $IP6TBL -F $CHAIN_IN
        qt $IP6TBL -F $CHAIN_OUT
        qt $IP6TBL -X $CHAIN_IN
        qt $IP6TBL -X $CHAIN_OUT
        
	# Set global variables based on what whereami has found out
	if ! qt type if_laptop_fwdata; then
		return 1
	fi
	if ! if_laptop_fwdata; then
		return 0
	fi

	# Don't do any more if we are just cleaning up
	if [ $FLUSH -gt 0 ]; then
		return 0
	fi

        [ -n "$IPV6_LAPTOP_IN" ] && qt $IP6TBL -N $CHAIN_IN
	[ -n "$IPV6_LAPTOP_OUT" ] && qt $IP6TBL -N $CHAIN_OUT

	# Fill in the chains
        for IN in $IPV6_LAPTOP_IN; do
		$IP6TBL -A $CHAIN_IN -j ACCEPT -m state --state NEW \
			-p `echoParam '$1' "$IN"` \
			-s `echoIpPort '$2' '--dport $3' '$3' "$IN"`
	done
        for OUT in $IPV6_LAPTOP_OUT; do
		$IP6TBL -A $CHAIN_OUT -j ACCEPT -m state --state NEW \
			-p `echoParam '$1' "$OUT"` \
			-d `echoIpPort '$2' '--dport $3' '$3' "$OUT"`
	done
}