Commit Graph

74 Commits (2ea528d1d0cf6cec4e6a61f57cefd84b66f04aba)

Author SHA1 Message Date
Jo-Philipp Wich a9977eca91 firewall: allow local redirection of ports
Allow a redirect like:

config redirect
        option src 'wan'
        option dest 'lan'
        option src_dport '22001'
        option dest_port '22'
        option proto 'tcp'

note the absence of the "dest_ip" field, meaning to terminate the connection on the firewall itself.

This patch makes three changes:

(1) moves the conntrack module into the conntrack package (but not any of the conntrack_* helpers).
(2) fixes a bug where the wrong table is used when the "dest_ip" field is absent.
(3) accepts incoming connections on the destination port on the input_ZONE table, but only for DNATted
    connections.

In the above example,

ssh -p 22 root@myrouter

would fail from the outside, but:

ssh -p 22001 root@myrouter

would succeed.  This is handy if:

(1) you want to avoid ssh probes on your router, or
(2) you want to redirect incoming connections on port 22 to some machine inside your firewall, but
    still want to allow firewall access from outside.

Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>

SVN-Revision: 26617
2011-04-12 20:03:59 +00:00
Hauke Mehrtens 24c1caef5f iipt-debug: create bundle of netfilter modules for debugging
Add a bundle for including commonly useful modules for IPtables debugging and development.

For now, it just contains xt_TRACE.ko

Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>

SVN-Revision: 26567
2011-04-09 23:23:46 +00:00
Florian Fainelli 5959cd2850 add kmod-ipt-led
Netfilter LED target triggers blinkenlichten when a network packet hits
a rule.

LED target requires iptables 1.4.9 or higher

Signed-off-by: Łukasz Stelmach <stlman@poczta.fm>

SVN-Revision: 26451
2011-04-03 18:30:37 +00:00
Felix Fietkau c864843cbf netfilter.mk: put ipv6 conntrack in the right package
SVN-Revision: 25750
2011-02-27 11:22:30 +00:00
Felix Fietkau 2d14f4e2f8 netfilter: add missing modules for v6 conntrack (patch from #8940)
SVN-Revision: 25731
2011-02-26 15:50:01 +00:00
Felix Fietkau 831e597d7c move nf_{conntrack,nat}_tftp to ipt-nathelper-extra, most people don't need this
SVN-Revision: 25722
2011-02-26 00:35:22 +00:00
Felix Fietkau 9dad83362d kernel: remove imq support, refresh patches
SVN-Revision: 25641
2011-02-21 02:06:51 +00:00
Jo-Philipp Wich d2d990e41e netfilter.mk: fix connmark packaging for Kernels >= 2.6.35, thanks Daniel Gimpelevich
SVN-Revision: 24729
2010-12-19 16:47:30 +00:00
Jo-Philipp Wich c32a125607 netfilter: workaround a userspace/kernel mismatch on Linux 2.6.35 and later
SVN-Revision: 23521
2010-10-18 20:39:07 +00:00
Alexandros C. Couloumbis 57d2e57b02 finalize r22241 fixes
SVN-Revision: 22242
2010-07-17 08:50:19 +00:00
Jo-Philipp Wich 91468dcf4f package TPROXY target and module infrastructure
SVN-Revision: 21883
2010-06-22 22:39:22 +00:00
Alexandros C. Couloumbis b6e28298fe include/netfilter.mk fix typo on r21795
SVN-Revision: 21796
2010-06-14 14:51:51 +00:00
Alexandros C. Couloumbis e491939c70 include/netfilter.mk: add 2.6.35 kernel support
SVN-Revision: 21795
2010-06-14 14:44:27 +00:00
Nicolas Thill aa8e2e8685 netfilter: extension fixes (partially closes: #7045) * add missing xt_owner (2.6) * enable ipt_quota (2.4), disabled in [8499] is building fine with recent iptables * add missing ipt_nat_tftp (2.4) * add missing nf_nat_amanda (2.6)
SVN-Revision: 20693
2010-04-04 12:35:06 +00:00
Nicolas Thill 1b0a9b51c4 include/netfilter.mk: move ebtables definitions at the end
SVN-Revision: 20690
2010-04-04 03:43:13 +00:00
Jo-Philipp Wich 42e453a2e3 properly package xt_comment.ko (#6742)
SVN-Revision: 19861
2010-02-26 00:23:39 +00:00
Jo-Philipp Wich 15c4e22d31 netfilter: add support for raw table and NOTRACK target (#5504)
SVN-Revision: 19721
2010-02-19 01:36:47 +00:00
Jo-Philipp Wich e830181f47 iptables: add comment match to the core package
SVN-Revision: 18706
2009-12-08 20:52:58 +00:00
Nicolas Thill 72dbf7cdca netfilter: remove IPset leftovers missed from [17844]
SVN-Revision: 18032
2009-10-11 14:08:31 +00:00
Hauke Mehrtens e014faf13f Update ipset to version 3.2
SVN-Revision: 17764
2009-09-27 15:03:41 +00:00
Florian Fainelli 0e783dde14 split ebtables packages and modules into ebtables ipv4/6 and watchers (#5001)
SVN-Revision: 16980
2009-07-25 19:47:48 +00:00
Florian Fainelli a06b20f5b3 fix ip6tables installation against ip6t_HL which has been merged in xt_HL since 2.6.29 (#5568)
SVN-Revision: 16964
2009-07-24 11:52:30 +00:00
Felix Fietkau 11b33255ed netfilter: move iptable_raw, xt_NOTRACK from conntrack-extra to conntrack
SVN-Revision: 15854
2009-05-14 21:46:33 +00:00
Hauke Mehrtens 73cfaa0f2b ipt_TTL and ipt_ttl moved and were renamed in kernel 2.6.30
SVN-Revision: 15851
2009-05-14 19:01:38 +00:00
Jo-Philipp Wich f3dd32d6fd adept netfilter.mk to updated imq
SVN-Revision: 15656
2009-05-07 03:16:36 +00:00
Felix Fietkau 34939cad39 get rid of $Id$ - it has never helped us and it has broken too many patches ;)
SVN-Revision: 15242
2009-04-17 14:09:46 +00:00
Felix Fietkau e744c3130a move iptable_raw to the conntrack-extra package
SVN-Revision: 15175
2009-04-09 19:42:52 +00:00
Nicolas Thill 3b53bd7ef3 accomodate netfilter module (xt_recent) name change in 2.6.28, add missing kconfig when xt_recent is enabled
SVN-Revision: 15123
2009-04-06 19:00:20 +00:00
Felix Fietkau 68d73be80c remove support for ipp2p - it's unmaintained, broken, overmatching and undermatching => not that useful for QoS
SVN-Revision: 14596
2009-02-21 16:30:44 +00:00
Gabor Juhos e5c9f00637 netfilter: remove CHAOS, TARPIT and DELUDE references
SVN-Revision: 14461
2009-02-09 13:27:39 +00:00
Imre Kaloz 24e299f95d defrag needs to be loaded before conntrack_ipv4
SVN-Revision: 13585
2008-12-10 18:44:46 +00:00
Imre Kaloz a7cac1dc31 fix conntrack on 2.6.28
SVN-Revision: 13582
2008-12-10 16:00:04 +00:00
Nicolas Thill 2c8010b2dc make the whole iptables/netfiter modular (closes: #3871, #3527)
SVN-Revision: 12649
2008-09-22 15:19:59 +00:00
Florian Fainelli 5cf0db54c6 Package ip6t_limit and ip6t_frag for 2.4 kernels (#3760)
SVN-Revision: 12276
2008-08-11 06:38:48 +00:00
Nicolas Thill a7b3ffc182 cosmetic change: rename IPT_NAT_DEFAULT & IPT_NAT_EXTRA to IPT_NATHELPER & IPT_NATHELPER_EXTRA respectively, to better match package names
SVN-Revision: 11073
2008-05-08 11:32:46 +00:00
Gabor Juhos 3c05234962 kmod-ipt-iprange: fix build error on .25
SVN-Revision: 10992
2008-04-30 15:42:10 +00:00
Gabor Juhos d80f43d15f update iptables to 1.4.0 (2.6 kernels only), refresh kernel patches
SVN-Revision: 10843
2008-04-15 06:11:23 +00:00
Florian Fainelli 30f8862033 layer7 filtering module is now xt_layer7 (#3268)
SVN-Revision: 10674
2008-03-27 18:24:13 +00:00
Gabor Juhos 4e05416c39 netfilter/ipset cleanups * rename patches to follow our naming conventions * update ipset patches with revision 7096 of [https://svn.netfilter.org/netfilter/trunk/patch-o-matic-ng pom] * add CONFIG_IP_NF_SET_IPTREEMAP to default kernel configs * add ip_set_iptreemap to include/netfilter.mk * update kmod-ipt-ipset module description
SVN-Revision: 9269
2007-10-12 14:58:35 +00:00
Gabor Juhos 8309e3dff2 add TARPIT support to netfilter/iptables * netfilter: add the xt_TARPIT target module required by xt_CHAOS * include/netfilter.mk: reorder, xt_CHAOS depends on xt_TARPIT and xt_DELUDE * iptables: add libipt_TARPIT to the kmod-ipt-extra package, bump release number * original patchset can be found [http://tinyurl.com/2mjk2kx here]
SVN-Revision: 9178
2007-10-07 17:17:04 +00:00
Nicolas Thill 0bf90f2a0d add ipv6 conntrack support (closes: #2192)
SVN-Revision: 8984
2007-09-23 17:22:17 +00:00
Nicolas Thill fec4d9ee3c add missing 2.6 conntrack/nat helpers, add 2.6 conntrack/nat helper for RTSP (closes: #2297, thanks to aorlinsk), sync 2.4 / 2.6 kconfigs.
SVN-Revision: 8955
2007-09-22 18:37:24 +00:00
Nicolas Thill f5f47e1fbd cosmetic cleanup before more deep changes
SVN-Revision: 8870
2007-09-20 10:48:54 +00:00
Nicolas Thill f6197eabda fix typo again (do i need some sleep?)
SVN-Revision: 8822
2007-09-17 01:51:57 +00:00
Nicolas Thill dcf795770c oops, fix typo
SVN-Revision: 8816
2007-09-16 22:41:24 +00:00
Nicolas Thill 892b16a352 revert CONFIG_* symbols set m enforcement introduced in [8591], it can't work when symbols from different kernel versions are mixed in KCONFIG
SVN-Revision: 8798
2007-09-16 16:10:37 +00:00
Nicolas Thill 5011d6129c prevent include/netfilter.mk from being included multiple times
SVN-Revision: 8781
2007-09-15 16:19:26 +00:00
Florian Fainelli 6a06ccf9b6 Package the statistics module for netfilter
SVN-Revision: 8716
2007-09-09 18:32:06 +00:00
Nicolas Thill 8dc7ced4d4 require all CONFIG_* symbols listed in its KCONFIG to be set to m in order to actually build a kmod package, tweak and fix kernel package definitions.
SVN-Revision: 8591
2007-09-03 08:58:14 +00:00
Nicolas Thill bfa6ac2eab revert [8473] (see [8055])
SVN-Revision: 8499
2007-08-27 02:04:35 +00:00