linux:firewall6 [2010/01/05 16:02] greebo |
linux:firewall6 [2012/04/15 11:10] greebo |
Line 12: | Line 12: | ||
# path to ip6tables | # path to ip6tables | ||
- | IPT6="/ | + | IP6TB="/ |
# name of our Internet and intranet interfaces | # name of our Internet and intranet interfaces | ||
Line 41: | Line 41: | ||
# first we flush the tables and policy | # first we flush the tables and policy | ||
- | $IPT6 -F | + | $IP6TB -F |
- | $IPT6 -X | + | $IP6TB -X |
- | $IPT6 -F INPUT | + | $IP6TB -F INPUT |
- | $IPT6 -F FORWARD | + | $IP6TB -F FORWARD |
- | $IPT6 -F OUTPUT | + | $IP6TB -F OUTPUT |
- | # reci ne natu! | ||
- | #$IPT6 -t nat -F | ||
- | |||
# default policy | # default policy | ||
- | $IPT6 -P INPUT DROP | + | $IP6TB -P INPUT DROP |
- | $IPT6 -P OUTPUT DROP | + | $IP6TB -P OUTPUT DROP |
- | $IPT6 -P FORWARD DROP | + | $IP6TB -P FORWARD DROP |
# separate/ | # separate/ | ||
- | $IPT6 -N ssh-access | + | $IP6TB -N ssh-access |
- | $IPT6 -N http-access | + | $IP6TB -N http-access |
# port redirection (transparent proxy) | # port redirection (transparent proxy) | ||
# redirect all outgoing traffic that is NOT for the GW to local (GW) ports | # redirect all outgoing traffic that is NOT for the GW to local (GW) ports | ||
- | #$IPT6 -t nat -A PREROUTING -i ! $INTERNET -p tcp -s $LAN -d ! $LAN --dport 53 -j REDIRECT | + | #$IP6TB -t nat -A PREROUTING -i ! $INTERNET -p tcp -s $LAN -d ! $LAN --dport 53 -j REDIRECT |
- | #$IPT6 -t nat -A PREROUTING -i ! $INTERNET -p udp -s $LAN -d ! $LAN --dport 53 -j REDIRECT | + | #$IP6TB -t nat -A PREROUTING -i ! $INTERNET -p udp -s $LAN -d ! $LAN --dport 53 -j REDIRECT |
- | #$IPT6 -t nat -A PREROUTING -i ! $INTERNET -p tcp -s $LAN -d ! $LAN --dport 25 -j REDIRECT --to-ports 25 | + | #$IP6TB -t nat -A PREROUTING -i ! $INTERNET -p tcp -s $LAN -d ! $LAN --dport 25 -j REDIRECT --to-ports 25 |
# we allow all traffic from $INTRANET and localhost interfaces | # we allow all traffic from $INTRANET and localhost interfaces | ||
- | ##$IPT6 -A INPUT -i $INTRANET -j ACCEPT | + | ##$IP6TB -A INPUT -i $INTRANET -j ACCEPT |
- | $IPT6 -A INPUT -i lo -j ACCEPT | + | $IP6TB -A INPUT -i lo -j ACCEPT |
+ | $IP6TB -A OUTPUT -o lo -j ACCEPT | ||
# Allow full outgoing connection but no incomming stuff | # Allow full outgoing connection but no incomming stuff | ||
- | $IPT6 -A INPUT -m state --state ESTABLISHED, | + | $IP6TB -A INPUT -m state --state ESTABLISHED, |
# | # | ||
- | $IPT6 -A OUTPUT -m state --state NEW, | + | $IP6TB -A OUTPUT -m state --state NEW, |
- | # Connection limit for SSH connections (3 connection per minute) - usefull agains ssh scanners if you MUST open SSH for every IP! | + | # Allow localhost traffic. This rule is for all protocols. |
- | # it is wise to use sshaccess input table (TRUSTED_HOSTS) | + | $IP6TB -A INPUT -s ::1 -d ::1 -j ACCEPT |
- | #$IPT6 -A INPUT -p tcp -m state --syn --state NEW --dport 22 -m limit --limit 3/minute --limit-burst 1 -j ACCEPT | + | |
- | #$IPT6 -A INPUT -p tcp -m state --syn --state NEW --dport 22 -j DROP | + | $IP6TB -A INPUT -p tcp -m state --syn --state NEW --dport 22 -j ssh-access |
- | + | $IP6TB -A INPUT -p tcp -m state --syn --state NEW --dport 80 -j http-access | |
- | $IPT6 -A INPUT -p tcp -m state --syn --state NEW --dport 22 -j ssh-access | + | |
- | $IPT6 -A INPUT -p tcp -m state --syn --state NEW --dport 80 -j http-access | + | |
# ssh | # ssh | ||
+ | # Connection limit for SSH connections (1 connection per minute from one source IP) | ||
+ | # usefull agains ssh scanners if you MUST open SSH for every IP! | ||
+ | # TRUSTED_HOSTS are whitelisted | ||
for sshhostese in $TRUSTED_HOSTS; | for sshhostese in $TRUSTED_HOSTS; | ||
do | do | ||
- | $IPT6 -A ssh-access -s $sshhostese -j ACCEPT | + | $IP6TB -A ssh-access -s $sshhostese -j ACCEPT |
done | done | ||
+ | $IP6TB -A ssh-access -m hashlimit --hashlimit 1/minute --hashlimit-burst 1 --hashlimit-mode srcip --hashlimit-name ssh -j ACCEPT | ||
+ | $IP6TB -A ssh-access -j DROP | ||
+ | |||
# ssh | # ssh | ||
Line 93: | Line 94: | ||
for httphostese in $TRUSTED_HOSTS; | for httphostese in $TRUSTED_HOSTS; | ||
do | do | ||
- | $IPT6 -A http-access -s $httphostese -j ACCEPT | + | $IP6TB -A http-access -s $httphostese -j ACCEPT |
done | done | ||
# http | # http | ||
Line 100: | Line 101: | ||
for i in $TCP_PORTS | for i in $TCP_PORTS | ||
do | do | ||
- | $IPT6 -A INPUT -p tcp -m state --syn --state NEW --dport $i -j ACCEPT | + | $IP6TB -A INPUT -p tcp -m state --syn --state NEW --dport $i -j ACCEPT |
done | done | ||
- | $IPT6 -A INPUT -p udp -m multiport --dport $UDP_PORTS -j ACCEPT | + | $IP6TB -A INPUT -p udp -m multiport --dport $UDP_PORTS -j ACCEPT |
# identd requests | # identd requests | ||
- | $IPT6 -A INPUT -p tcp --dport 113 -j REJECT --reject-with tcp-reset | + | $IP6TB -A INPUT -p tcp --dport 113 -j REJECT --reject-with tcp-reset |
# traceroute? | # traceroute? | ||
- | $IPT6 -A INPUT -p udp -m limit --limit 3/ | + | $IP6TB -A INPUT -p udp -m limit --limit 3/ |
- | # allow incoming ICMP ping pong stuff | + | # Recommended, |
- | $IPT6 -A INPUT -p ipv6-icmp -j ACCEPT | + | $IP6TB -A INPUT -m rt --rt-type 0 -j DROP |
+ | $IP6TB -A OUTPUT -m rt --rt-type 0 -j DROP | ||
+ | $IP6TB -A FORWARD -m rt --rt-type 0 -j DROP | ||
- | # allow outgoing ICMP ping pong stuff | + | # Allow but rate-limit echo request/ |
- | $IPT6 -A OUTPUT -p ipv6-icmp -j ACCEPT | + | $IP6TB -A INPUT -i $PUBIF -p icmpv6 --icmpv6-type 128 -m limit --limit 900/min -j ACCEPT |
+ | $IP6TB -A INPUT -i $PUBIF -p icmpv6 --icmpv6-type 129 -m limit --limit 900/min -j ACCEPT | ||
+ | |||
+ | # Allow router advertisements on local network segments | ||
+ | for icmptype in 133 134 135 136 137 | ||
+ | do | ||
+ | $IP6TB -A INPUT -p icmpv6 --icmpv6-type $icmptype -m hl --hl-eq 255 -j ACCEPT | ||
+ | $IP6TB | ||
+ | | ||
+ | |||
+ | # Allow RFC 4890 but with rate-limiting | ||
+ | #for icmptype in 1 2 3 4 130 131 132 141 142 143 148 149 151 152 | ||
+ | |||
+ | for icmptype in 1 2 3/0 3/1 4/0 4/1 4/2 130 131 132 133 141 142 143 148 149 151 152 153 | ||
+ | do | ||
+ | $IP6TB -A INPUT -p icmpv6 --icmpv6-type $icmptype -m limit --limit 900/min -j ACCEPT | ||
+ | $IP6TB -A OUTPUT -p icmpv6 --icmpv6-type $icmptype -m limit --limit 900/min -j ACCEPT | ||
+ | | ||
+ | |||
+ | # Log all other icmpv6 types | ||
+ | $IP6TB -A INPUT -p icmpv6 -j LOG --log-prefix " | ||
+ | |||
+ | |||
+ | #reject | ||
+ | $IP6TB -A INPUT -i $PUBIF -p tcp -m state --syn --state NEW -m multiport --dports 113, | ||
+ | $IP6TB -A INPUT -i $PUBIF -p udp -m multiport --dports | ||
- | ## | ||
# log everything else | # log everything else | ||
- | $IPT6 -A INPUT -j LOG | + | $IP6TB -A INPUT -j LOG |
- | $IPT6 -A INPUT -j DROP | + | $IP6TB -A INPUT -j DROP |
+ | |||
+ | |||
+ | # OUTPUT | ||
+ | |||
+ | $IP6TB -A OUTPUT -o $PUBIF -p icmpv6 --icmpv6-type 128 -m limit --limit 900/min -j ACCEPT | ||
+ | $IP6TB -A OUTPUT -o $PUBIF -p icmpv6 --icmpv6-type 129 -m limit --limit 900/min -j ACCEPT | ||
+ | |||
+ | for icmptype in 133 134 135 136 137 | ||
+ | do | ||
+ | $IP6TB -A OUTPUT -p icmpv6 --icmpv6-type $icmptype -m hl --hl-eq 255 -j ACCEPT | ||
+ | | ||
+ | |||
+ | # Allow RFC 4890 but with rate-limiting | ||
+ | for icmptype in 1 2 3 4 130 131 132 141 142 143 148 149 151 152 | ||
+ | do | ||
+ | $IP6TB -A OUTPUT -p icmpv6 --icmpv6-type $icmptype -m limit --limit 900/min -j ACCEPT | ||
+ | done | ||
# list the rules | # list the rules | ||
- | $IPT6 -L -v -n | + | $IP6TB -L -v -n |
</ | </ |
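Review bot: The three new Routing-Header-type-0 drops (`$IP6TB -A INPUT -m rt --rt-type 0 -j DROP`, `$IP6TB -A OUTPUT -m rt --rt-type 0 -j DROP`, `$IP6TB -A FORWARD -m rt --rt-type 0 -j DROP`) are appended after the state-match ACCEPT rules on INPUT and OUTPUT, so for any packet that conntrack classifies as ESTABLISHED (INPUT) or, if the truncated OUTPUT rule accepts NEW as well, for practically every outgoing packet, the DROP is shadowed and never evaluated. Since the intent is an unconditional RH0 block, these three rules belong directly after the default-policy lines and before the first `-j ACCEPT` on each chain, with the FORWARD rule unaffected only because no earlier FORWARD rule is visible. Separately, the new `ssh-access` hashlimit uses `--hashlimit-mode srcip` without a source mask, which under IPv6 keys on the full /128 and lets a single /64 rotate addresses past the 1/minute limit; adding `--hashlimit-srcmask 64` keys the limit per prefix instead. Several new-side lines (Line 41 OUTPUT state rule, the `#reject` multiport rules) are truncated in this view, so the shadowing claim for OUTPUT is inferred from the visible `NEW,` prefix.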