diff options
author | elijah <elijah@riseup.net> | 2014-05-29 01:23:53 -0700 |
---|---|---|
committer | elijah <elijah@riseup.net> | 2014-05-29 15:45:41 -0700 |
commit | 1ef424fcd34d1f3800ffd200be72d775be5a9740 (patch) | |
tree | 9bc540af26c97cb5167b16977aa54ef1be94bb95 /pkg/linux | |
parent | 5eba0d4173ef352ad30d3f04e7d103bce2c202ed (diff) |
unblock local multicast IPs from linux firewall, to allow SSDP and Bonjour/mDNS to work.
Diffstat (limited to 'pkg/linux')
-rwxr-xr-x | pkg/linux/bitmask-root | 22 |
1 files changed, 22 insertions, 0 deletions
diff --git a/pkg/linux/bitmask-root b/pkg/linux/bitmask-root index 6d296ecf..f1c5c0c3 100755 --- a/pkg/linux/bitmask-root +++ b/pkg/linux/bitmask-root @@ -740,6 +740,11 @@ def firewall_start(args): iptables("--insert", BITMASK_CHAIN, "-o", default_device, "--jump", "REJECT") + # log rejected packets to syslog + if DEBUG: + iptables("--insert", BITMASK_CHAIN, "-o", default_device, + "--jump", "LOG", "--log-prefix", "iptables denied: ", "--log-level", "7") + # allow traffic to gateways for gateway in gateways: ip4tables("--insert", BITMASK_CHAIN, "--destination", gateway, @@ -750,10 +755,27 @@ def firewall_start(args): ip4tables("--insert", BITMASK_CHAIN, "--destination", local_network_ipv4, "-o", default_device, "--jump", "ACCEPT") + # allow multicast Simple Service Discovery Protocol + ip4tables("--insert", BITMASK_CHAIN, + "--protocol", "udp", "--destination", "239.255.255.250", "--dport", "1900", + "-o", default_device, "--jump", "ACCEPT") + # allow multicast Bonjour/mDNS + ip4tables("--insert", BITMASK_CHAIN, + "--protocol", "udp", "--destination", "224.0.0.251", "--dport", "5353", + "-o", default_device, "--jump", "ACCEPT") if local_network_ipv6: ip6tables("--insert", BITMASK_CHAIN, "--destination", local_network_ipv6, "-o", default_device, "--jump", "ACCEPT") + # allow multicast Simple Service Discovery Protocol + ip6tables("--insert", BITMASK_CHAIN, + "--protocol", "udp", "--destination", "FF05::C", "--dport", "1900", + "-o", default_device, "--jump", "ACCEPT") + # allow multicast Bonjour/mDNS + ip6tables("--insert", BITMASK_CHAIN, + "--protocol", "udp", "--destination", "FF02::FB", "--dport", "5353", + "-o", default_device, "--jump", "ACCEPT") + # block DNS requests to anyone but the service provider or localhost # when we actually route ipv6, we will need dns rules for it too |