[[linux:firewall6]]
Trace: firewall6
Show pagesource
AdminRecent ChangesSitemap 
#!/bin/bash
echo "*************"
echo "* Running $0"
echo "*************"
 
echo " how iptables work in linux kernel"
echo
echo ">-[prerouting]->	+ >-[forward]->	+ >-[postrouting]->"
echo "			|		|"
echo "			[input] >--->[output]"
 
# path to ip6tables
IP6TB="/sbin/ip6tables"

# name of our Internet and intranet interfaces
#
# use INTRANET="eth1+" or INTERNET="eth0+"
# if you have more ifaces (example: eth0:0)  towards Intranet/Internet
INTRANET="eth1"
INTERNET="eth0"
# ADSL - INTERNET="ppp0"

# what TCP ports/services we allow (and FORWARD) from Internet
# use " " as delimiter
TCP_PORTS="25 53 993"
 
# what UDP ports/services we allow (and FORWARD) from Internet
# use "," as delimiter
UDP_PORTS="53"
 
# which ports we forward into our intranet
# use "," as delimiter
#FWD_TCP_PORTS="1214,6346"
 
TRUSTED_HOSTS="2001:470:1f15:404::3 \
2001:15c0:1000:1003:250:8dff:fef1:738e"

#IPv6 forward 
echo "0" > /proc/sys/net/ipv6/conf/all/forwarding

# first we flush the tables and policy
$IP6TB -F
$IP6TB -X
$IP6TB -F INPUT
$IP6TB -F FORWARD
$IP6TB -F OUTPUT
 
# default policy
$IP6TB -P INPUT DROP
$IP6TB -P OUTPUT DROP
$IP6TB -P FORWARD DROP

# separate/new queue
$IP6TB -N ssh-access
$IP6TB -N http-access

# port redirection (transparent proxy)
# redirect all outgoing traffic that is NOT for the GW to local (GW) ports
#$IP6TB -t nat -A PREROUTING -i ! $INTERNET -p tcp -s $LAN -d ! $LAN --dport 53 -j REDIRECT
#$IP6TB -t nat -A PREROUTING -i ! $INTERNET -p udp -s $LAN -d ! $LAN --dport 53 -j REDIRECT
#$IP6TB -t nat -A PREROUTING -i ! $INTERNET -p tcp -s $LAN -d ! $LAN --dport 25 -j REDIRECT --to-ports 25

# we allow all traffic from $INTRANET and localhost interfaces
##$IP6TB -A INPUT -i $INTRANET -j ACCEPT
$IP6TB -A INPUT -i lo -j ACCEPT
$IP6TB -A OUTPUT -o lo -j ACCEPT

# Allow full outgoing connection but no incomming stuff
$IP6TB -A INPUT  -m state --state ESTABLISHED,RELATED -j ACCEPT
#  
$IP6TB -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

# Allow localhost traffic. This rule is for all protocols.
$IP6TB -A INPUT -s ::1 -d ::1 -j ACCEPT

# Allow Link-Local addresses
$IP6TB -A INPUT -s fe80::/10 -j ACCEPT
$IP6TB -A OUTPUT -s fe80::/10 -j ACCEPT

$IP6TB -A INPUT -p tcp -m state --syn --state NEW --dport 22 -j ssh-access
$IP6TB -A INPUT -p tcp -m state --syn --state NEW --dport 80 -j http-access

# ssh
# Connection limit for SSH connections (1 connection per minute from one source IP)
# usefull agains ssh scanners if you MUST open SSH for every IP!
# TRUSTED_HOSTS are whitelisted
for sshhostese in $TRUSTED_HOSTS;
        do
        $IP6TB -A ssh-access -s $sshhostese -j ACCEPT
        done
$IP6TB -A ssh-access -m hashlimit --hashlimit 1/minute --hashlimit-burst 1 --hashlimit-mode srcip --hashlimit-name ssh -j ACCEPT
$IP6TB -A ssh-access -j DROP

# ssh
 
# http
for httphostese in $TRUSTED_HOSTS;
        do
        $IP6TB -A http-access -s $httphostese -j ACCEPT
        done
# http

# what we allow from Internet
for i in $TCP_PORTS
	do
		$IP6TB -A INPUT -p tcp -m state --syn --state NEW  --dport $i -j ACCEPT
    done
 
$IP6TB -A INPUT -p udp -m multiport --dport $UDP_PORTS -j ACCEPT

# identd requests
$IP6TB -A INPUT -p tcp --dport 113 -j REJECT --reject-with tcp-reset

# traceroute?
$IP6TB -A INPUT -p udp -m limit --limit 3/second  --sport 32769:65535 --dport 33434:33523 -j ACCEPT

# Recommended, but unsupported on older kernels
$IP6TB -A INPUT  -m rt --rt-type 0 -j DROP
$IP6TB -A OUTPUT -m rt --rt-type 0 -j DROP
$IP6TB -A FORWARD -m rt --rt-type 0 -j DROP

# Allow but rate-limit echo request/reply
$IP6TB -A INPUT -i $INTERNET -p icmpv6 --icmpv6-type 128 -m limit --limit 900/min -j ACCEPT
$IP6TB -A INPUT -i $INTERNET -p icmpv6 --icmpv6-type 129 -m limit --limit 900/min -j ACCEPT

# Allow router advertisements on local network segments
 for icmptype in 133 134 135 136 137
 do
  $IP6TB -A INPUT -p icmpv6 --icmpv6-type $icmptype -m hl --hl-eq 255 -j ACCEPT
  $IP6TB -A OUTPUT -p icmpv6 --icmpv6-type $icmptype -m hl --hl-eq 255 -j ACCEPT
 done

# Allow RFC 4890 but with rate-limiting
 #for icmptype in 1 2 3 4 130 131 132 141 142 143 148 149 151 152

 for icmptype in 1 2 3/0 3/1 4/0 4/1 4/2 130 131 132 133 141 142 143 148 149 151 152 153
 do
  $IP6TB -A INPUT -p icmpv6 --icmpv6-type $icmptype -m limit --limit 900/min -j ACCEPT
  $IP6TB -A OUTPUT -p icmpv6 --icmpv6-type $icmptype -m limit --limit 900/min -j ACCEPT
 done

# Log all other icmpv6 types
$IP6TB -A INPUT -p icmpv6 -j LOG --log-prefix "dropped ICMPv6"


#reject
$IP6TB -A INPUT -i $INTERNET -p tcp -m state --syn --state NEW -m multiport --dports 113,1080,3128,8080 -j REJECT
$IP6TB -A INPUT -i $INTERNET -p udp -m multiport --dports  113 -j REJECT


# log everything else
$IP6TB -A INPUT -j LOG
$IP6TB -A INPUT -j DROP


# OUTPUT

$IP6TB -A OUTPUT -o $INTERNET -p icmpv6 --icmpv6-type 128 -m limit --limit 900/min -j ACCEPT
$IP6TB -A OUTPUT -o $INTERNET -p icmpv6 --icmpv6-type 129 -m limit --limit 900/min -j ACCEPT

 for icmptype in 133 134 135 136 137
 do
  $IP6TB -A OUTPUT -p icmpv6 --icmpv6-type $icmptype -m hl --hl-eq 255 -j ACCEPT
 done

# Allow RFC 4890 but with rate-limiting
 for icmptype in 1 2 3 4 130 131 132 141 142 143 148 149 151 152
 do
  $IP6TB -A OUTPUT -p icmpv6 --icmpv6-type $icmptype -m limit --limit 900/min -j ACCEPT
 done

# list the rules
$IP6TB -L -v -n
linux/firewall6.txt · Last modified: 2012/10/19 09:39 by zagi
Show pagesourceOld revisions
Media ManagerBack to top
CC Attribution-Share Alike 4.0 International
Driven by DokuWiki Recent changes RSS feed Valid CSS Valid XHTML 1.0 ipv6 ready