linux:firewall6 [2008/11/28 10:13] greebo |
linux:firewall6 [2010/01/05 16:02] greebo |
- | <code bash> | + | <code bash |> |
#!/bin/bash | #!/bin/bash | ||
+ | echo " | ||
+ | echo "* Running $0" | ||
+ | echo " | ||
+ | |||
+ | echo " how iptables work in linux kernel" | ||
+ | echo | ||
+ | echo "> | ||
+ | echo " | ||
+ | echo " | ||
+ | |||
+ | # path to ip6tables | ||
IPT6="/ | IPT6="/ | ||
- | PUBIF=" | + | |
- | echo "Starting | + | # name of our Internet and intranet interfaces |
+ | # | ||
+ | # use INTRANET=" | ||
+ | # if you have more ifaces (example: eth0: | ||
+ | INTRANET="eth1" | ||
+ | INTERNET=" | ||
+ | # ADSL - INTERNET=" | ||
+ | |||
+ | # what TCP ports/ | ||
+ | # use " " as delimiter | ||
+ | TCP_PORTS=" | ||
+ | |||
+ | # what UDP ports/ | ||
+ | # use "," | ||
+ | UDP_PORTS=" | ||
+ | |||
+ | # which ports we forward into our intranet | ||
+ | # use "," | ||
+ | # | ||
+ | |||
+ | TRUSTED_HOSTS=" | ||
+ | 2001: | ||
+ | |||
+ | #IPv6 forward | ||
+ | echo "0" > / | ||
+ | |||
+ | # first we flush the tables and policy | ||
$IPT6 -F | $IPT6 -F | ||
$IPT6 -X | $IPT6 -X | ||
- | $IPT6 -t mangle | + | $IPT6 -F INPUT |
- | $IPT6 -t mangle | + | $IPT6 -F FORWARD |
+ | $IPT6 -F OUTPUT | ||
+ | |||
+ | # reci ne natu! | ||
+ | #$IPT6 -t nat -F | ||
- | #unlimited | + | # default policy |
- | $IPT6 -A INPUT -i lo -j ACCEPT | + | |
- | $IPT6 -A OUTPUT -o lo -j ACCEPT | + | |
- | + | ||
- | # DROP all incomming traffic | + | |
$IPT6 -P INPUT DROP | $IPT6 -P INPUT DROP | ||
$IPT6 -P OUTPUT DROP | $IPT6 -P OUTPUT DROP | ||
$IPT6 -P FORWARD DROP | $IPT6 -P FORWARD DROP | ||
+ | |||
+ | # separate/ | ||
+ | $IPT6 -N ssh-access | ||
+ | $IPT6 -N http-access | ||
+ | |||
+ | # port redirection (transparent proxy) | ||
+ | # redirect all outgoing traffic that is NOT for the GW to local (GW) ports | ||
+ | #$IPT6 -t nat -A PREROUTING -i ! $INTERNET -p tcp -s $LAN -d ! $LAN --dport 53 -j REDIRECT | ||
+ | #$IPT6 -t nat -A PREROUTING -i ! $INTERNET -p udp -s $LAN -d ! $LAN --dport 53 -j REDIRECT | ||
+ | #$IPT6 -t nat -A PREROUTING -i ! $INTERNET -p tcp -s $LAN -d ! $LAN --dport 25 -j REDIRECT --to-ports 25 | ||
+ | |||
+ | |||
+ | # we allow all traffic from $INTRANET and localhost interfaces | ||
+ | ##$IPT6 -A INPUT -i $INTRANET -j ACCEPT | ||
+ | $IPT6 -A INPUT -i lo -j ACCEPT | ||
# Allow full outgoing connection but no incomming stuff | # Allow full outgoing connection but no incomming stuff | ||
$IPT6 -A INPUT -m state --state ESTABLISHED, | $IPT6 -A INPUT -m state --state ESTABLISHED, | ||
+ | # | ||
$IPT6 -A OUTPUT -m state --state NEW, | $IPT6 -A OUTPUT -m state --state NEW, | ||
+ | |||
+ | # Connection limit for SSH connections (3 connection per minute) - usefull agains ssh scanners if you MUST open SSH for every IP! | ||
+ | # it is wise to use sshaccess input table (TRUSTED_HOSTS) | ||
+ | #$IPT6 -A INPUT -p tcp -m state --syn --state NEW --dport 22 -m limit --limit 3/minute --limit-burst 1 -j ACCEPT | ||
+ | #$IPT6 -A INPUT -p tcp -m state --syn --state NEW --dport 22 -j DROP | ||
+ | |||
+ | $IPT6 -A INPUT -p tcp -m state --syn --state NEW --dport 22 -j ssh-access | ||
+ | $IPT6 -A INPUT -p tcp -m state --syn --state NEW --dport 80 -j http-access | ||
+ | |||
+ | # ssh | ||
+ | for sshhostese in $TRUSTED_HOSTS; | ||
+ | do | ||
+ | $IPT6 -A ssh-access -s $sshhostese -j ACCEPT | ||
+ | done | ||
+ | # ssh | ||
+ | |||
+ | # http | ||
+ | for httphostese in $TRUSTED_HOSTS; | ||
+ | do | ||
+ | $IPT6 -A http-access -s $httphostese -j ACCEPT | ||
+ | done | ||
+ | # http | ||
+ | |||
+ | # what we allow from Internet | ||
+ | for i in $TCP_PORTS | ||
+ | do | ||
+ | $IPT6 -A INPUT -p tcp -m state --syn --state NEW --dport $i -j ACCEPT | ||
+ | done | ||
+ | |||
+ | $IPT6 -A INPUT -p udp -m multiport --dport $UDP_PORTS -j ACCEPT | ||
+ | |||
+ | # identd requests | ||
+ | $IPT6 -A INPUT -p tcp --dport 113 -j REJECT --reject-with tcp-reset | ||
+ | |||
+ | # traceroute? | ||
+ | $IPT6 -A INPUT -p udp -m limit --limit 3/ | ||
# allow incoming ICMP ping pong stuff | # allow incoming ICMP ping pong stuff | ||
$IPT6 -A INPUT -p ipv6-icmp -j ACCEPT | $IPT6 -A INPUT -p ipv6-icmp -j ACCEPT | ||
+ | |||
+ | # allow outgoing ICMP ping pong stuff | ||
$IPT6 -A OUTPUT -p ipv6-icmp -j ACCEPT | $IPT6 -A OUTPUT -p ipv6-icmp -j ACCEPT | ||
- | ############# add your custom rules below ############ | + | ## |
- | $IPT6 -A INPUT -p tcp --destination-port 22 -j ACCEPT | + | |
- | #### no need to edit below ### | ||
# log everything else | # log everything else | ||
$IPT6 -A INPUT -j LOG | $IPT6 -A INPUT -j LOG | ||
$IPT6 -A INPUT -j DROP | $IPT6 -A INPUT -j DROP | ||
- | ## | + | # list the rules |
- | + | $IPT6 -L -v -n | |
+ | </code> |
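Review bot: The new `ssh-access` and `http-access` chains (L96-L106) only ACCEPT addresses from TRUSTED_HOSTS and have no terminal target, so a SYN to port 22 or 80 from any other source simply returns from the chain and continues down INPUT; if TCP_PORTS (its value is cut off on this page) ever lists 22 or 80, the later per-port ACCEPT loop at L110-L113 silently overrides the trusted-host restriction. Close each chain explicitly after its loop, e.g. `$IPT6 -A ssh-access -j DROP` and `$IPT6 -A http-access -j DROP`, so the restriction does not depend on the contents of the port list. Separately, `$IPT6 -A INPUT -p ipv6-icmp -j ACCEPT` admits every ICMPv6 type on every interface, including router advertisements and redirects from the Internet side; the RFC 4890 approach is to allow echo-request/reply, destination-unreachable, packet-too-big, time-exceeded and parameter-problem globally, and the NDP types only with `-m hl --hl-eq 255`. The unconditional `$IPT6 -A INPUT -j LOG` ahead of the final DROP also has no rate limit and will flood the log during a port scan; `-m limit --limit 5/min --limit-burst 10` is the usual guard.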