linux:firewall6 [2008/11/28 10:08]
greebo created
linux:firewall6 [2010/01/05 16:02]
greebo
Line 1: Line 1:
 +<code bash |>
 #!/bin/bash #!/bin/bash
 +echo "*************"
 +echo "* Running $0"
 +echo "*************"
 + 
 +echo " how iptables work in linux kernel"
 +echo
 +echo ">-[prerouting]-> + >-[forward]-> + >-[postrouting]->"
 +echo " | |"
 +echo " [input] >--->[output]"
 + 
 +# path to ip6tables
 IPT6="/sbin/ip6tables" IPT6="/sbin/ip6tables"
-PUBIF="eth0" + 
-echo "Starting IPv6 firewall..."+# name of our Internet and intranet interfaces 
 +
 +# use INTRANET="eth1+" or INTERNET="eth0+
 +# if you have more ifaces (example: eth0:0)  towards Intranet/Internet 
 +INTRANET="eth1" 
 +INTERNET="eth0" 
 +# ADSL - INTERNET="ppp0" 
 + 
 +# what TCP ports/services we allow (and FORWARD) from Internet 
 +# use " " as delimiter 
 +TCP_PORTS="25 53 993" 
 +  
 +# what UDP ports/services we allow (and FORWARD) from Internet 
 +# use "," as delimiter 
 +UDP_PORTS="53" 
 +  
 +# which ports we forward into our intranet 
 +# use "," as delimiter 
 +#FWD_TCP_PORTS="1214,6346" 
 +  
 +TRUSTED_HOSTS="2001:470:1f15:404::3 \ 
 +2001:15c0:1000:1003:250:8dff:fef1:738e" 
 + 
 +#IPv6 forward  
 +echo "0" > /proc/sys/net/ipv6/conf/all/forwarding 
 + 
 +# first we flush the tables and policy
 $IPT6 -F $IPT6 -F
 $IPT6 -X $IPT6 -X
-$IPT6 -t mangle -F +$IPT6 -F INPUT 
-$IPT6 -t mangle -X+$IPT6 -F FORWARD 
 +$IPT6 -F OUTPUT 
 +  
 +# reci ne natu! 
 +#$IPT6 -t nat -F
  
-#unlimited +default policy
-$IPT6 -A INPUT -i lo -j ACCEPT +
-$IPT6 -A OUTPUT -o lo -j ACCEPT +
- +
-# DROP all incomming traffic+
 $IPT6 -P INPUT DROP $IPT6 -P INPUT DROP
 $IPT6 -P OUTPUT DROP $IPT6 -P OUTPUT DROP
 $IPT6 -P FORWARD DROP $IPT6 -P FORWARD DROP
 +
 +# separate/new queue
 +$IPT6 -N ssh-access
 +$IPT6 -N http-access
 +
 +# port redirection (transparent proxy)
 +# redirect all outgoing traffic that is NOT for the GW to local (GW) ports
 +#$IPT6 -t nat -A PREROUTING -i ! $INTERNET -p tcp -s $LAN -d ! $LAN --dport 53 -j REDIRECT
 +#$IPT6 -t nat -A PREROUTING -i ! $INTERNET -p udp -s $LAN -d ! $LAN --dport 53 -j REDIRECT
 +#$IPT6 -t nat -A PREROUTING -i ! $INTERNET -p tcp -s $LAN -d ! $LAN --dport 25 -j REDIRECT --to-ports 25
 +
 +
 +# we allow all traffic from $INTRANET and localhost interfaces
 +##$IPT6 -A INPUT -i $INTRANET -j ACCEPT
 +$IPT6 -A INPUT -i lo -j ACCEPT
  
 # Allow full outgoing connection but no incomming stuff # Allow full outgoing connection but no incomming stuff
 $IPT6 -A INPUT  -m state --state ESTABLISHED,RELATED -j ACCEPT $IPT6 -A INPUT  -m state --state ESTABLISHED,RELATED -j ACCEPT
 +#  
 $IPT6 -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT $IPT6 -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
 +
 +# Connection limit for SSH connections (3 connection per minute) - usefull agains ssh scanners if you MUST open SSH for every IP!
 +# it is wise to use sshaccess input table (TRUSTED_HOSTS)
 +#$IPT6 -A INPUT -p tcp -m state --syn --state NEW --dport 22 -m limit --limit 3/minute --limit-burst 1 -j ACCEPT
 +#$IPT6 -A INPUT -p tcp -m state --syn --state NEW --dport 22 -j DROP
 + 
 +$IPT6 -A INPUT -p tcp -m state --syn --state NEW --dport 22 -j ssh-access
 +$IPT6 -A INPUT -p tcp -m state --syn --state NEW --dport 80 -j http-access
 +
 +# ssh
 +for sshhostese in $TRUSTED_HOSTS;
 +        do
 +        $IPT6 -A ssh-access -s $sshhostese -j ACCEPT
 +        done
 +# ssh
 + 
 +# http
 +for httphostese in $TRUSTED_HOSTS;
 +        do
 +        $IPT6 -A http-access -s $httphostese -j ACCEPT
 +        done
 +# http
 +
 +# what we allow from Internet
 +for i in $TCP_PORTS
 + do
 + $IPT6 -A INPUT -p tcp -m state --syn --state NEW  --dport $i -j ACCEPT
 +    done
 + 
 +$IPT6 -A INPUT -p udp -m multiport --dport $UDP_PORTS -j ACCEPT
 +
 +# identd requests
 +$IPT6 -A INPUT -p tcp --dport 113 -j REJECT --reject-with tcp-reset
 +
 +# traceroute?
 +$IPT6 -A INPUT -p udp -m limit --limit 3/second  --sport 32769:65535 --dport 33434:33523 -j ACCEPT
  
 # allow incoming ICMP ping pong stuff # allow incoming ICMP ping pong stuff
 $IPT6 -A INPUT -p ipv6-icmp -j ACCEPT $IPT6 -A INPUT -p ipv6-icmp -j ACCEPT
 +
 +# allow outgoing ICMP ping pong stuff
 $IPT6 -A OUTPUT -p ipv6-icmp -j ACCEPT $IPT6 -A OUTPUT -p ipv6-icmp -j ACCEPT
  
-############# add your custom rules below ############ +##$IPT6  -A INPUT --protocol icmpv6 --icmpv6-type echo-request -j ACCEPT --match limit --limit 30/minute
-$IPT6 -A INPUT -p tcp --destination-port 22 -j ACCEPT+
  
-#### no need to edit below ### 
 # log everything else # log everything else
 $IPT6 -A INPUT -j LOG $IPT6 -A INPUT -j LOG
 $IPT6 -A INPUT -j DROP $IPT6 -A INPUT -j DROP
  
-##ip6tables -A INPUT --protocol icmpv6 --icmpv6-type echo-request -j ACCEPT --match limit --limit 30/minute+list the rules 
 +$IPT6 ---
 +</code>
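Review bot: The comments introducing TCP_PORTS and UDP_PORTS say the ports are allowed "(and FORWARD)" from the Internet, and the `#IPv6 forward` comment precedes a write of 0, but the new script never adds a FORWARD rule, keeps `$IPT6 -P FORWARD DROP` and disables forwarding, so the comments describe the opposite of what is enforced; suggest `# IPv6 forwarding is disabled: FORWARD policy is DROP and no FORWARD rules are added` above the sysctl write and dropping "(and FORWARD)" from both port comments. The TRUSTED_HOSTS value is continued with a backslash inside double quotes; if the space shown after the backslash on the first line is real rather than a rendering artefact, the string keeps a literal `\` token that both `for` loops pass to ip6tables as a source host, which fails for that iteration while the script (no `set -e`) carries on, so either keep the backslash as the last character or hold the hosts in an array and quote `"${TRUSTED_HOSTS[@]}"`. Unchanged but worth noting since it now sits behind more ACCEPT rules: `$IPT6 -A INPUT -j LOG` has no rate limit, so any stream of dropped packets fills the log; `$IPT6 -A INPUT -m limit --limit 5/minute --limit-burst 10 -j LOG --log-prefix "ip6tables-drop: "` bounds it and makes the entries searchable. The closing `$IPT6 ---` after `list the rules` looks truncated in this rendering (presumably a listing command) and the preceding line lacks a `#`, so as shown the script would try to execute `list`; confirm against the saved page.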