From e157823eb87abf6b900c3c755a4f38aeca41d94c Mon Sep 17 00:00:00 2001 From: outime Date: Sat, 16 Dec 2017 20:11:42 +0000 Subject: [PATCH] UDP (DHCP) traffic limit option --- ipv6-dhclient-script.sh | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) diff --git a/ipv6-dhclient-script.sh b/ipv6-dhclient-script.sh index 5184073..db8fdd8 100755 --- a/ipv6-dhclient-script.sh +++ b/ipv6-dhclient-script.sh @@ -22,6 +22,7 @@ if [[ "$(id -u)" != 0 ]]; then fi if [[ -e /etc/debian_version ]]; then + RELEASE=$(cat /etc/debian_version) DISTRO="Debian" elif [[ -f /etc/centos-release ]]; then RELEASE=$(rpm -q --queryformat '%{VERSION}' centos-release) @@ -93,6 +94,24 @@ clear systemctl restart ipv6-dhclient fi + if [[ $DISTRO != "Debian" ]] || [[ $DISTRO = "Debian" && $VERSION != "6*" ]]; then # TODO: Support for loading IPv6 rules on boot for Debian Squeeze + echo "Would you like to limit DHCP client traffic to prevent accidental UDP flood towards your provider?" + echo "This will enable iptables, add a few rules and load them on boot along with other existing rules." + if [[ $DISTRO = "Debian" ]]; then echo "This will install an additional package (iptables-persistent)."; fi + read -e -p "Limit traffic? [Y/n]: " -i "Y" SKIP + if [[ $SKIP =~ ^([yY][eE][sS]|[yY])$ ]]; then + ip6tables -A OUTPUT -p udp --dport 547 -m limit --limit 10/min --limit-burst 5 -j ACCEPT + ip6tables -A OUTPUT -p udp --dport 547 -j DROP + if [[ $DISTRO = "Debian" ]]; then + ip6tables-save > /etc/iptables/rules.v6 + apt update -q && apt install -y iptables-persistent + elif [[ $DISTRO = "CentOS*" ]]; then + ip6tables-save > /etc/sysconfig/ip6tables + chkconfig iptables on + fi + fi + fi + echo "Testing IPv6 connectivity..." IPV6_TEST=$(ping6 -c 8 ipv6.google.com | grep 'received' | awk -F',' '{ print $2 }' | awk '{ print $1 }') if [[ $IPV6_TEST > 0 ]]; then
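Review bot: Both pattern comparisons in the added block are quoted, so `[[ ]]` compares them as literal strings: `$VERSION != "6*"` is always true and `$DISTRO = "CentOS*"` only matches a DISTRO that is literally `CentOS*`. As a result the Squeeze exclusion is never applied, and the CentOS branch that saves the rules is most likely dead, so the limit would not survive a reboot even though the prompt promises it. The guard also reads `$VERSION`, while the first hunk assigns `RELEASE`; no assignment to VERSION is visible in this patch, so `$RELEASE` is presumably what was meant. On Debian, `ip6tables-save > /etc/iptables/rules.v6` runs before iptables-persistent is installed, when `/etc/iptables` probably does not exist yet. On CentOS, `chkconfig iptables on` enables the IPv4 service although the rules were written to `/etc/sysconfig/ip6tables`.

```shell
if [[ $DISTRO != "Debian" || $RELEASE != 6* ]]; then # TODO: Support for loading IPv6 rules on boot for Debian Squeeze
    # … unchanged: prompts and read into SKIP …
    if [[ $SKIP =~ ^([yY][eE][sS]|[yY])$ ]]; then
        # … unchanged: the two ip6tables -A OUTPUT rules for UDP port 547 …
        if [[ $DISTRO = "Debian" ]]; then
            # Install first so /etc/iptables exists before the rules are saved.
            apt update -q && apt install -y iptables-persistent
            ip6tables-save > /etc/iptables/rules.v6
        elif [[ $DISTRO = CentOS* ]]; then
            ip6tables-save > /etc/sysconfig/ip6tables
            chkconfig ip6tables on
        fi
        # … unchanged: closing fi lines …
```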