Differences

This shows you the differences between two versions of the page.

--- linux:firewall6 [2010/01/05 15:58]
greebo
+++ linux:firewall6 [2012/01/16 12:28]
109.230.216.60 qDfsmxVUvHHAUQTt
@@ Line 1: / Line 1: @@
-<code bash |>
+AFAICT you've coeevrd all the bases with this answer!
-#!/bin/bash
-echo "*************"
-echo "* Running $0"
-echo "*************"
-echo " how iptables work in linux kernel"
-echo
-echo ">-[prerouting]->	+ >-[forward]->	+ >-[postrouting]->"
-echo "			|		|"
-echo "			[input] >--->[output]"
-# path to ip6tables
-IPT6="/sbin/ip6tables"
-# name of our Internet and intranet interfaces
-#
-# use INTRANET="eth1+" or INTERNET="eth0+"
-# if you have more ifaces (example: eth0:0)  towards Intranet/Internet
-INTRANET="eth1"
-INTERNET="eth0"
-# ADSL - INTERNET="ppp0"
-# what TCP ports/services we allow (and FORWARD) from Internet
-# use " " as delimiter
-TCP_PORTS="25 53 80"
-# what UDP ports/services we allow (and FORWARD) from Internet
-# use "," as delimiter
-UDP_PORTS="53"
-# which ports we forward into our intranet
-# use "," as delimiter
-FWD_TCP_PORTS="1214,6346"
-TRUSTED_HOSTS="2001:470:1f15:404::3 \
-:15c0:1000:1003:250:8dff:fef1:738e"
-#IPv6 forward
-echo "0" > /proc/sys/net/ipv6/conf/all/forwarding
-# first we flush the tables and policy
-$IPT6 -F
-$IPT6 -X
-$IPT6 -F INPUT
-$IPT6 -F FORWARD
-$IPT6 -F OUTPUT
-$IPT6 -t nat -F
-# separate/new queue
-$IPT6 -N ssh-access
-$IPT6 -N http-access
-# port redirection (transparent proxy)
-# redirect all outgoing traffic that is NOT for the GW to local (GW) ports
-#$IPT6 -t nat -A PREROUTING -i ! $INTERNET -p tcp -s $LAN -d ! $LAN --dport 53 -j REDIRECT
-#$IPT6 -t nat -A PREROUTING -i ! $INTERNET -p udp -s $LAN -d ! $LAN --dport 53 -j REDIRECT
-#$IPT6 -t nat -A PREROUTING -i ! $INTERNET -p tcp -s $LAN -d ! $LAN --dport 25 -j REDIRECT --to-ports 25
-# default policy
-$IPT6 -P INPUT DROP
-$IPT6 -P OUTPUT DROP
-$IPT6 -P FORWARD DROP
-# we allow all traffic from $INTRANET and localhost interfaces
-##$IPT6 -A INPUT -i $INTRANET -j ACCEPT
-$IPT6 -A INPUT -i lo -j ACCEPT
-# Allow full outgoing connection but no incomming stuff
-$IPT6 -A INPUT  -m state --state ESTABLISHED,RELATED -j ACCEPT
-#
-$IPT6 -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
-# Connection limit for SSH connections (3 connection per minute) - usefull agains ssh scanners if you MUST open SSH for every IP!
-# it is wise to use sshaccess input table (TRUSTED_HOSTS)
-#$IPT6 -A INPUT -p tcp -m state --syn --state NEW --dport 22 -m limit --limit 3/minute --limit-burst 1 -j ACCEPT
-#$IPT6 -A INPUT -p tcp -m state --syn --state NEW --dport 22 -j DROP
-$IPT6 -A INPUT -p tcp -m state --syn --state NEW --dport 22 -j ssh-access
-$IPT6 -A INPUT -p tcp -m state --syn --state NEW --dport 80 -j http-access
-# ssh
-for sshhostese in $TRUSTED_HOSTS;
-        do
-        $IPT6 -A ssh-access -s $sshhostese -j ACCEPT
-        done
-# ssh
-# http
-for httphostese in $TRUSTED_HOSTS;
-        do
-        $IPT6 -A http-access -s $httphostese -j ACCEPT
-        done
-# http
-# what we allow from Internet
-for i in $TCP_PORTS
-	do
-		$IPT6 -A INPUT -p tcp -m state --syn --state NEW  --dport $i -j ACCEPT
-    done
-$IPT6 -A INPUT -p udp -m multiport --dport $UDP_PORTS -j ACCEPT
-# identd requests
-$IPT6 -A INPUT -p tcp --dport 113 -j REJECT --reject-with tcp-reset
-# traceroute?
-$IPT6 -A INPUT -p udp -m limit --limit 3/second  --sport 32769:65535 --dport 33434:33523 -j ACCEPT
-# allow incoming ICMP ping pong stuff
-$IPT6 -A INPUT -p ipv6-icmp -j ACCEPT
-# allow outgoing ICMP ping pong stuff
-$IPT6 -A OUTPUT -p ipv6-icmp -j ACCEPT
-##$IPT6  -A INPUT --protocol icmpv6 --icmpv6-type echo-request -j ACCEPT --match limit --limit 30/minute
-#### no need to edit below ###
-# log everything else
-$IPT6 -A INPUT -j LOG
-$IPT6 -A INPUT -j DROP
-# list the rules
-$IPT6 -L -v -n
-</code>