summaryrefslogtreecommitdiff
path: root/pkg/linux/bitmask-root
diff options
context:
space:
mode:
authorelijah <elijah@riseup.net>2014-05-29 01:23:53 -0700
committerelijah <elijah@riseup.net>2014-05-29 15:45:41 -0700
commit1ef424fcd34d1f3800ffd200be72d775be5a9740 (patch)
tree9bc540af26c97cb5167b16977aa54ef1be94bb95 /pkg/linux/bitmask-root
parent5eba0d4173ef352ad30d3f04e7d103bce2c202ed (diff)
unblock local multicast IPs from linux firewall, to allow SSDP and Bonjour/mDNS to work.
Diffstat (limited to 'pkg/linux/bitmask-root')
-rwxr-xr-xpkg/linux/bitmask-root22
1 files changed, 22 insertions, 0 deletions
diff --git a/pkg/linux/bitmask-root b/pkg/linux/bitmask-root
index 6d296ecf..f1c5c0c3 100755
--- a/pkg/linux/bitmask-root
+++ b/pkg/linux/bitmask-root
@@ -740,6 +740,11 @@ def firewall_start(args):
iptables("--insert", BITMASK_CHAIN, "-o", default_device,
"--jump", "REJECT")
+ # log rejected packets to syslog
+ if DEBUG:
+ iptables("--insert", BITMASK_CHAIN, "-o", default_device,
+ "--jump", "LOG", "--log-prefix", "iptables denied: ", "--log-level", "7")
+
# allow traffic to gateways
for gateway in gateways:
ip4tables("--insert", BITMASK_CHAIN, "--destination", gateway,
@@ -750,10 +755,27 @@ def firewall_start(args):
ip4tables("--insert", BITMASK_CHAIN,
"--destination", local_network_ipv4, "-o", default_device,
"--jump", "ACCEPT")
+ # allow multicast Simple Service Discovery Protocol
+ ip4tables("--insert", BITMASK_CHAIN,
+ "--protocol", "udp", "--destination", "239.255.255.250", "--dport", "1900",
+ "-o", default_device, "--jump", "ACCEPT")
+ # allow multicast Bonjour/mDNS
+ ip4tables("--insert", BITMASK_CHAIN,
+ "--protocol", "udp", "--destination", "224.0.0.251", "--dport", "5353",
+ "-o", default_device, "--jump", "ACCEPT")
if local_network_ipv6:
ip6tables("--insert", BITMASK_CHAIN,
"--destination", local_network_ipv6, "-o", default_device,
"--jump", "ACCEPT")
+ # allow multicast Simple Service Discovery Protocol
+ ip6tables("--insert", BITMASK_CHAIN,
+ "--protocol", "udp", "--destination", "FF05::C", "--dport", "1900",
+ "-o", default_device, "--jump", "ACCEPT")
+ # allow multicast Bonjour/mDNS
+ ip6tables("--insert", BITMASK_CHAIN,
+ "--protocol", "udp", "--destination", "FF02::FB", "--dport", "5353",
+ "-o", default_device, "--jump", "ACCEPT")
+
# block DNS requests to anyone but the service provider or localhost
# when we actually route ipv6, we will need dns rules for it too