[[linux:firewall6]]
Trace:
Show page
AdminRecent ChangesSitemap

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Next revision 		Previous revision
linux:firewall6 [2008/11/28 10:08]
greebo created 		linux:firewall6 [2012/10/19 09:39] (current)
zagi
Line 1: Line 1:
 +<code bash |>
 #!/bin/bash #!/bin/bash
-IPT6="/sbin/ip6tables+echo "*************
-PUBIF="eth0+echo "* Running $0
-echo "Starting IPv6 firewall...+echo "*************
-$IPT6 -F +  
-$IPT6 -X +echo " how iptables work in linux kernel" 
-$IPT6 -t mangle -F +echo 
-$IPT6 -t mangle -X+echo ">-[prerouting]-> + >-[forward]-> + >-[postrouting]->" 
 +echo " | |" 
 +echo " [input] >--->[output]" 
 +  
 +# path to ip6tables 
 +IP6TB="/sbin/ip6tables"
  
-#unlimited +name of our Internet and intranet interfaces 
-$IPT6 -A INPUT -i lo -j ACCEPT +# 
-$IPT6 -A OUTPUT -o lo -j ACCEPT+# use INTRANET="eth1+" or INTERNET="eth0+" 
 +# if you have more ifaces (example: eth0:0)  towards Intranet/Internet 
 +INTRANET="eth1" 
 +INTERNET="eth0" 
 +# ADSL INTERNET="ppp0"
  
-DROP all incomming traffic +what TCP ports/services we allow (and FORWARD) from Internet 
-$IPT6 -P INPUT DROP +# use " " as delimiter 
-$IPT6 -P OUTPUT DROP +TCP_PORTS="25 53 993" 
-$IPT6 -P FORWARD DROP+  
 +# what UDP ports/services we allow (and FORWARD) from Internet 
 +# use "," as delimiter 
 +UDP_PORTS="53" 
 +  
 +# which ports we forward into our intranet 
 +# use "," as delimiter 
 +#FWD_TCP_PORTS="1214,6346" 
 +  
 +TRUSTED_HOSTS="2001:470:1f15:404::3 \ 
 +2001:15c0:1000:1003:250:8dff:fef1:738e" 
 + 
 +#IPv6 forward  
 +echo "0" > /proc/sys/net/ipv6/conf/all/forwarding 
 + 
 +# first we flush the tables and policy 
 +$IP6TB -F 
 +$IP6TB -X 
 +$IP6TB -F INPUT 
 +$IP6TB -F FORWARD 
 +$IP6TB -F OUTPUT 
 +  
 +# default policy 
 +$IP6TB -P INPUT DROP 
 +$IP6TB -P OUTPUT DROP 
 +$IP6TB -P FORWARD DROP 
 + 
 +# separate/new queue 
 +$IP6TB -N ssh-access 
 +$IP6TB -N http-access 
 + 
 +# port redirection (transparent proxy) 
 +# redirect all outgoing traffic that is NOT for the GW to local (GW) ports 
 +#$IP6TB -t nat -A PREROUTING -i ! $INTERNET -p tcp -s $LAN -d ! $LAN --dport 53 -j REDIRECT 
 +#$IP6TB -t nat -A PREROUTING -i ! $INTERNET -p udp -s $LAN -d ! $LAN --dport 53 -j REDIRECT 
 +#$IP6TB -t nat -A PREROUTING -i ! $INTERNET -p tcp -s $LAN -d ! $LAN --dport 25 -j REDIRECT --to-ports 25 
 + 
 +# we allow all traffic from $INTRANET and localhost interfaces 
 +##$IP6TB -A INPUT -i $INTRANET -j ACCEPT 
 +$IP6TB -A INPUT -i lo -j ACCEPT 
 +$IP6TB -A OUTPUT -o lo -j ACCEPT
  
 # Allow full outgoing connection but no incomming stuff # Allow full outgoing connection but no incomming stuff
-$IPT6 -A INPUT  -m state --state ESTABLISHED,RELATED -j ACCEPT +$IP6TB -A INPUT  -m state --state ESTABLISHED,RELATED -j ACCEPT 
-$IPT6 -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT+#   
 +$IP6TB -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
  
-# allow incoming ICMP ping pong stuff +Allow localhost traffic. This rule is for all protocols. 
-$IPT6 -A INPUT -p ipv6-icmp -j ACCEPT +$IP6TB -A INPUT -s ::1 -d ::1 -j ACCEPT 
-$IPT6 -A OUTPUT -p ipv6-icmp -j ACCEPT+ 
 +# Allow Link-Local addresses 
 +$IP6TB -A INPUT -s fe80::/10 -j ACCEPT 
 +$IP6TB -A OUTPUT -s fe80::/10 -j ACCEPT 
 + 
 +$IP6TB -A INPUT -p tcp -m state --syn --state NEW --dport 22 -j ssh-access 
 +$IP6TB -A INPUT -p tcp -m state --syn --state NEW --dport 80 -j http-access 
 + 
 +# ssh 
 +# Connection limit for SSH connections (1 connection per minute from one source IP) 
 +# usefull agains ssh scanners if you MUST open SSH for every IP! 
 +# TRUSTED_HOSTS are whitelisted 
 +for sshhostese in $TRUSTED_HOSTS; 
 +        do 
 +        $IP6TB -A ssh-access -s $sshhostese -j ACCEPT 
 +        done 
 +$IP6TB -A ssh-access -m hashlimit --hashlimit 1/minute --hashlimit-burst 1 --hashlimit-mode srcip --hashlimit-name ssh -j ACCEPT 
 +$IP6TB -A ssh-access -j DROP 
 + 
 +# ssh 
 +  
 +# http 
 +for httphostese in $TRUSTED_HOSTS; 
 +        do 
 +        $IP6TB -A http-access -s $httphostese -j ACCEPT 
 +        done 
 +# http 
 + 
 +# what we allow from Internet 
 +for i in $TCP_PORTS 
 + do 
 + $IP6TB -A INPUT -p tcp -m state --syn --state NEW  --dport $i -j ACCEPT 
 +    done 
 +  
 +$IP6TB -A INPUT -p udp -m multiport --dport $UDP_PORTS -j ACCEPT 
 + 
 +# identd requests 
 +$IP6TB -A INPUT -p tcp --dport 113 -j REJECT --reject-with tcp-reset 
 + 
 +# traceroute? 
 +$IP6TB -A INPUT -p udp -m limit --limit 3/second  --sport 32769:65535 --dport 33434:33523 -j ACCEPT 
 + 
 +# Recommended, but unsupported on older kernels 
 +$IP6TB -A INPUT  -m rt --rt-type 0 -j DROP 
 +$IP6TB -A OUTPUT -m rt --rt-type 0 -j DROP 
 +$IP6TB -A FORWARD -m rt --rt-type 0 -j DROP 
 + 
 +# Allow but rate-limit echo request/reply 
 +$IP6TB -A INPUT -i $INTERNET -p icmpv6 --icmpv6-type 128 -m limit --limit 900/min -j ACCEPT 
 +$IP6TB -A INPUT -i $INTERNET -p icmpv6 --icmpv6-type 129 -m limit --limit 900/min -j ACCEPT 
 + 
 +# Allow router advertisements on local network segments 
 + for icmptype in 133 134 135 136 137 
 + do 
 +  $IP6TB -A INPUT -p icmpv6 --icmpv6-type $icmptype -m hl --hl-eq 255 -j ACCEPT 
 +  $IP6TB -A OUTPUT -p icmpv6 --icmpv6-type $icmptype -m hl --hl-eq 255 -j ACCEPT 
 + done 
 + 
 +# Allow RFC 4890 but with rate-limiting 
 + #for icmptype in 1 2 3 4 130 131 132 141 142 143 148 149 151 152 
 + 
 + for icmptype in 1 2 3/0 3/1 4/0 4/1 4/2 130 131 132 133 141 142 143 148 149 151 152 153 
 + do 
 +  $IP6TB -A INPUT -p icmpv6 --icmpv6-type $icmptype -m limit --limit 900/min -j ACCEPT 
 +  $IP6TB -A OUTPUT -p icmpv6 --icmpv6-type $icmptype -m limit --limit 900/min -j ACCEPT 
 + done 
 + 
 +# Log all other icmpv6 types 
 +$IP6TB -A INPUT -p icmpv6 -j LOG --log-prefix "dropped ICMPv6" 
 + 
 + 
 +#reject 
 +$IP6TB -A INPUT -i $INTERNET -p tcp -m state --syn --state NEW -m multiport --dports 113,1080,3128,8080 -j REJECT 
 +$IP6TB -A INPUT -i $INTERNET -p udp -m multiport --dports  113 -j REJECT
  
-############# add your custom rules below ############ 
-$IPT6 -A INPUT -p tcp --destination-port 22 -j ACCEPT 
  
-#### no need to edit below ### 
 # log everything else # log everything else
-$IPT6 -A INPUT -j LOG +$IP6TB -A INPUT -j LOG 
-$IPT6 -A INPUT -j DROP+$IP6TB -A INPUT -j DROP 
 + 
 + 
 +# OUTPUT 
 + 
 +$IP6TB -A OUTPUT -o $INTERNET -p icmpv6 --icmpv6-type 128 -m limit --limit 900/min -j ACCEPT 
 +$IP6TB -A OUTPUT -o $INTERNET -p icmpv6 --icmpv6-type 129 -m limit --limit 900/min -j ACCEPT 
 + 
 + for icmptype in 133 134 135 136 137 
 + do 
 +  $IP6TB -A OUTPUT -p icmpv6 --icmpv6-type $icmptype -m hl --hl-eq 255 -j ACCEPT 
 + done 
 + 
 +# Allow RFC 4890 but with rate-limiting 
 + for icmptype in 1 2 3 4 130 131 132 141 142 143 148 149 151 152 
 + do 
 +  $IP6TB -A OUTPUT -p icmpv6 --icmpv6-type $icmptype -m limit --limit 900/min -j ACCEPT 
 + done
  
-##ip6tables -A INPUT --protocol icmpv6 --icmpv6-type echo-request -j ACCEPT --match limit --limit 30/minute+list the rules 
 +$IP6TB ---
 +</code>
linux/firewall6.1227863326.txt.gz · Last modified: 2009/05/25 00:34 (external edit)
Show pageOld revisions
Media ManagerBack to top
CC Attribution-Share Alike 4.0 International
Driven by DokuWiki Recent changes RSS feed Valid CSS Valid XHTML 1.0 ipv6 ready