Differences
This shows you the differences between two versions of the page.
| Next revision | Previous revision Next revision Both sides next revision | ||
|
linux:firewall6 [2008/11/28 10:08] greebo created |
linux:firewall6 [2011/03/28 17:36] greebo |
||
|---|---|---|---|
| Line 1: | Line 1: | ||
| + | <code bash |> | ||
| #!/bin/bash | #!/bin/bash | ||
| - | IPT6="/ | + | echo "*************" |
| - | PUBIF="eth0" | + | echo "* Running $0" |
| - | echo "Starting IPv6 firewall..." | + | echo "*************" |
| - | $IPT6 -F | + | |
| - | $IPT6 -X | + | echo " how iptables work in linux kernel" |
| - | $IPT6 -t mangle | + | echo |
| - | $IPT6 -t mangle | + | echo ">-[prerouting]-> + > |
| + | echo " | ||
| + | echo " | ||
| + | |||
| + | # path to ip6tables | ||
| + | IP6T="/ | ||
| - | #unlimited | + | # name of our Internet and intranet interfaces |
| - | $IPT6 -A INPUT -i lo -j ACCEPT | + | # |
| - | $IPT6 -A OUTPUT -o lo -j ACCEPT | + | # use INTRANET=" |
| + | # if you have more ifaces (example: eth0: | ||
| + | INTRANET=" | ||
| + | INTERNET=" | ||
| + | # ADSL - INTERNET=" | ||
| - | # DROP all incomming traffic | + | # what TCP ports/ |
| - | $IPT6 -P INPUT DROP | + | # use " " as delimiter |
| - | $IPT6 -P OUTPUT DROP | + | TCP_PORTS=" |
| - | $IPT6 -P FORWARD DROP | + | |
| + | # what UDP ports/ | ||
| + | # use "," | ||
| + | UDP_PORTS=" | ||
| + | |||
| + | # which ports we forward into our intranet | ||
| + | # use "," | ||
| + | # | ||
| + | |||
| + | TRUSTED_HOSTS=" | ||
| + | 2001: | ||
| + | |||
| + | #IPv6 forward | ||
| + | echo " | ||
| + | |||
| + | # first we flush the tables and policy | ||
| + | $IP6TB -F | ||
| + | $IP6TB -X | ||
| + | $IP6TB -F INPUT | ||
| + | $IP6TB -F FORWARD | ||
| + | $IP6TB -F OUTPUT | ||
| + | |||
| + | # reci ne natu! | ||
| + | #$IP6TB -t nat -F | ||
| + | |||
| + | # default policy | ||
| + | $IP6TB | ||
| + | $IP6TB -P OUTPUT DROP | ||
| + | $IP6TB -P FORWARD DROP | ||
| + | |||
| + | # separate/ | ||
| + | $IP6TB -N ssh-access | ||
| + | $IP6TB -N http-access | ||
| + | |||
| + | # port redirection (transparent proxy) | ||
| + | # redirect all outgoing traffic that is NOT for the GW to local (GW) ports | ||
| + | #$IP6TB -t nat -A PREROUTING -i ! $INTERNET -p tcp -s $LAN -d ! $LAN --dport 53 -j REDIRECT | ||
| + | #$IP6TB -t nat -A PREROUTING -i ! $INTERNET -p udp -s $LAN -d ! $LAN --dport 53 -j REDIRECT | ||
| + | #$IP6TB -t nat -A PREROUTING -i ! $INTERNET -p tcp -s $LAN -d ! $LAN --dport 25 -j REDIRECT --to-ports 25 | ||
| + | |||
| + | # we allow all traffic from $INTRANET and localhost interfaces | ||
| + | ##$IP6TB -A INPUT -i $INTRANET -j ACCEPT | ||
| + | $IP6TB -A INPUT -i lo -j ACCEPT | ||
| # Allow full outgoing connection but no incomming stuff | # Allow full outgoing connection but no incomming stuff | ||
| - | $IPT6 -A INPUT -m state --state ESTABLISHED, | + | $IP6TB -A INPUT -m state --state ESTABLISHED, |
| - | $IPT6 -A OUTPUT -m state --state NEW, | + | # |
| + | $IP6TB -A OUTPUT -m state --state NEW, | ||
| + | |||
| + | $IP6TB -A INPUT -p tcp -m state --syn --state NEW --dport 22 -j ssh-access | ||
| + | $IP6TB -A INPUT -p tcp -m state --syn --state NEW --dport 80 -j http-access | ||
| + | |||
| + | # ssh | ||
| + | # Connection limit for SSH connections (1 connection per minute from one source IP) | ||
| + | # usefull agains ssh scanners if you MUST open SSH for every IP! | ||
| + | # TRUSTED_HOSTS are whitelisted | ||
| + | for sshhostese in $TRUSTED_HOSTS; | ||
| + | do | ||
| + | $IP6TB -A ssh-access -s $sshhostese -j ACCEPT | ||
| + | done | ||
| + | $IP6TB -A ssh-access -m hashlimit --hashlimit 1/minute --hashlimit-burst 1 --hashlimit-mode srcip --hashlimit-name ssh -j ACCEPT | ||
| + | $IP6TB -A ssh-access -j DROP | ||
| + | |||
| + | # ssh | ||
| + | |||
| + | # http | ||
| + | for httphostese in $TRUSTED_HOSTS; | ||
| + | do | ||
| + | $IP6TB -A http-access -s $httphostese -j ACCEPT | ||
| + | done | ||
| + | # http | ||
| + | |||
| + | # what we allow from Internet | ||
| + | for i in $TCP_PORTS | ||
| + | do | ||
| + | $IP6TB -A INPUT -p tcp -m state --syn --state NEW --dport $i -j ACCEPT | ||
| + | done | ||
| + | |||
| + | $IP6TB -A INPUT -p udp -m multiport --dport $UDP_PORTS -j ACCEPT | ||
| + | |||
| + | # identd requests | ||
| + | $IP6TB -A INPUT -p tcp --dport 113 -j REJECT --reject-with tcp-reset | ||
| + | |||
| + | # traceroute? | ||
| + | $IP6TB -A INPUT -p udp -m limit --limit 3/ | ||
| # allow incoming ICMP ping pong stuff | # allow incoming ICMP ping pong stuff | ||
| - | $IPT6 -A INPUT -p ipv6-icmp -j ACCEPT | + | $IP6TB -A INPUT -p ipv6-icmp -j ACCEPT |
| - | $IPT6 -A OUTPUT -p ipv6-icmp -j ACCEPT | + | |
| + | # allow outgoing ICMP ping pong stuff | ||
| + | $IP6TB -A OUTPUT -p ipv6-icmp -j ACCEPT | ||
| - | ############# add your custom rules below ############ | + | ##$IP6TB |
| - | $IPT6 -A INPUT -p tcp --destination-port 22 -j ACCEPT | + | |
| - | #### no need to edit below ### | ||
| # log everything else | # log everything else | ||
| - | $IPT6 -A INPUT -j LOG | + | $IP6TB -A INPUT -j LOG |
| - | $IPT6 -A INPUT -j DROP | + | $IP6TB -A INPUT -j DROP |
| - | ## | + | # list the rules |
| + | $IP6TB | ||
| + | </code> | ||
