linux:firewall6 [2010/01/05 15:58] greebo |
linux:firewall6 [2012/01/16 12:28] 109.230.216.60 qDfsmxVUvHHAUQTt |
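--- a/linux:firewall6
+++ b/linux:firewall6
@@ -1,131 +1,1 @@
-<code bash |>
-#
-echo "
-echo "* Running $0"
-echo "
-
-echo " how iptables work in linux kernel"
-echo
-echo ">
-echo "
-echo "
-
-# path to ip6tables
-IPT6="/
-
-
-# name of our Internet and intranet interfaces
-#
-# use INTRANET="
-# if you have more ifaces (example: eth0:
-INTRANET="
-INTERNET="
-# ADSL - INTERNET="
-
-# what TCP ports/
-# use " " as delimiter
-TCP_PORTS="
-
-# what UDP ports/
-# use ","
-UDP_PORTS="
-
-# which ports we forward into our intranet
-# use ","
-FWD_TCP_PORTS="
-
-TRUSTED_HOSTS="
-2001:
-
-#IPv6 forward
-echo "
-
-
-# first we flush the tables and policy
-$IPT6 -F
-$IPT6 -X
-$IPT6 -F INPUT
-$IPT6 -F FORWARD
-$IPT6 -F OUTPUT
-
-$IPT6 -t nat -F
-
-# separate/
-$IPT6 -N ssh-access
-$IPT6 -N http-access
-
-# port redirection (transparent proxy)
-# redirect all outgoing traffic that is NOT for the GW to local (GW) ports
-#$IPT6 -t nat -A PREROUTING -i ! $INTERNET -p tcp -s $LAN -d ! $LAN --dport 53 -j REDIRECT
-#$IPT6 -t nat -A PREROUTING -i ! $INTERNET -p udp -s $LAN -d ! $LAN --dport 53 -j REDIRECT
-#$IPT6 -t nat -A PREROUTING -i ! $INTERNET -p tcp -s $LAN -d ! $LAN --dport 25 -j REDIRECT --to-ports 25
-
-# default policy
-$IPT6 -P INPUT DROP
-$IPT6 -P OUTPUT DROP
-$IPT6 -P FORWARD DROP
-
-# we allow all traffic from $INTRANET and localhost interfaces
-##$IPT6 -A INPUT -i $INTRANET -j ACCEPT
-$IPT6 -A INPUT -i lo -j ACCEPT
-
-# Allow full outgoing connection but no incomming stuff
-$IPT6 -A INPUT -m state --state ESTABLISHED,
-#
-$IPT6 -A OUTPUT -m state --state NEW,
-
-# Connection limit for SSH connections (3 connection per minute) - usefull agains ssh scanners if you MUST open SSH for every IP!
-# it is wise to use sshaccess input table (TRUSTED_HOSTS)
-#$IPT6 -A INPUT -p tcp -m state --syn --state NEW --dport 22 -m limit --limit 3/minute --limit-burst 1 -j ACCEPT
-#$IPT6 -A INPUT -p tcp -m state --syn --state NEW --dport 22 -j DROP
-
-$IPT6 -A INPUT -p tcp -m state --syn --state NEW --dport 22 -j ssh-access
-$IPT6 -A INPUT -p tcp -m state --syn --state NEW --dport 80 -j http-access
-
-# ssh
-for sshhostese in $TRUSTED_HOSTS;
-do
-$IPT6 -A ssh-access -s $sshhostese -j ACCEPT
-done
-# ssh
-
-# http
-for httphostese in $TRUSTED_HOSTS;
-do
-$IPT6 -A http-access -s $httphostese -j ACCEPT
-done
-# http
-
-# what we allow from Internet
-for i in $TCP_PORTS
-do
-$IPT6 -A INPUT -p tcp -m state --syn --state NEW --dport $i -j ACCEPT
-done
-
-$IPT6 -A INPUT -p udp -m multiport --dport $UDP_PORTS -j ACCEPT
-
-# identd requests
-$IPT6 -A INPUT -p tcp --dport 113 -j REJECT --reject-with tcp-reset
-
-# traceroute?
-$IPT6 -A INPUT -p udp -m limit --limit 3/
-
-
-# allow incoming ICMP ping pong stuff
-$IPT6 -A INPUT -p ipv6-icmp -j ACCEPT
-# allow outgoing ICMP ping pong stuff
-$IPT6 -A OUTPUT -p ipv6-icmp -j ACCEPT
-
-##
-
-
-#### no need to edit below ###
-# log everything else
-$IPT6 -A INPUT -j LOG
-$IPT6 -A INPUT -j DROP
-
-# list the rules
-$IPT6 -L -v -n
-
-
-</
+AFAICT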
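Review bot: The new revision leaves the page with nothing but the single token `AFAICT` on line 1; the entire ip6tables script, including its default-DROP policy and the ssh-access/http-access chains, is gone and no replacement content or explanation is given. An edit from an unauthenticated IP that wipes a page to a one-word placeholder looks like an accidental or unwanted overwrite rather than a deliberate rewrite, though that is inferred from the diff alone. The previous revision (2010/01/05 15:58, greebo) should be restored, and if the word was meant as a comment it belongs in a talk section or an edit summary, not in the page body.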