linux:firewall6 [2009/07/03 08:49]
greebo
linux:firewall6 [2012/10/19 09:39] (current)
zagi
Line 1: Line 1:
- 
 <code bash |> <code bash |>
 #!/bin/bash #!/bin/bash
-IPT6="/sbin/ip6tables+echo "*************
-PUBIF="eth0+echo "* Running $0
-echo "Starting IPv6 firewall...+echo "*************
-$IPT6 -F +  
-$IPT6 -X +echo " how iptables work in linux kernel" 
-$IPT6 -t mangle -F +echo 
-$IPT6 -t mangle -X+echo ">-[prerouting]-> + >-[forward]-> + >-[postrouting]->" 
 +echo " | |" 
 +echo " [input] >--->[output]" 
 +  
 +# path to ip6tables 
 +IP6TB="/sbin/ip6tables"
  
-#unlimited +name of our Internet and intranet interfaces 
-$IPT6 -A INPUT -i lo -j ACCEPT +# 
-$IPT6 -A OUTPUT -o lo -j ACCEPT+# use INTRANET="eth1+" or INTERNET="eth0+" 
 +# if you have more ifaces (example: eth0:0)  towards Intranet/Internet 
 +INTRANET="eth1" 
 +INTERNET="eth0" 
 +# ADSL INTERNET="ppp0"
  
-DROP all incomming traffic +what TCP ports/services we allow (and FORWARD) from Internet 
-$IPT6 -P INPUT DROP +# use " " as delimiter 
-$IPT6 -P OUTPUT DROP +TCP_PORTS="25 53 993" 
-$IPT6 -P FORWARD DROP+  
 +# what UDP ports/services we allow (and FORWARD) from Internet 
 +# use "," as delimiter 
 +UDP_PORTS="53" 
 +  
 +# which ports we forward into our intranet 
 +# use "," as delimiter 
 +#FWD_TCP_PORTS="1214,6346" 
 +  
 +TRUSTED_HOSTS="2001:470:1f15:404::3 \ 
 +2001:15c0:1000:1003:250:8dff:fef1:738e" 
 + 
 +#IPv6 forward  
 +echo "0" > /proc/sys/net/ipv6/conf/all/forwarding 
 + 
 +# first we flush the tables and policy 
 +$IP6TB -F 
 +$IP6TB -X 
 +$IP6TB -F INPUT 
 +$IP6TB -F FORWARD 
 +$IP6TB -F OUTPUT 
 +  
 +# default policy 
 +$IP6TB -P INPUT DROP 
 +$IP6TB -P OUTPUT DROP 
 +$IP6TB -P FORWARD DROP 
 + 
 +# separate/new queue 
 +$IP6TB -N ssh-access 
 +$IP6TB -N http-access 
 + 
 +# port redirection (transparent proxy) 
 +# redirect all outgoing traffic that is NOT for the GW to local (GW) ports 
 +#$IP6TB -t nat -A PREROUTING -i ! $INTERNET -p tcp -s $LAN -d ! $LAN --dport 53 -j REDIRECT 
 +#$IP6TB -t nat -A PREROUTING -i ! $INTERNET -p udp -s $LAN -d ! $LAN --dport 53 -j REDIRECT 
 +#$IP6TB -t nat -A PREROUTING -i ! $INTERNET -p tcp -s $LAN -d ! $LAN --dport 25 -j REDIRECT --to-ports 25 
 + 
 +# we allow all traffic from $INTRANET and localhost interfaces 
 +##$IP6TB -A INPUT -i $INTRANET -j ACCEPT 
 +$IP6TB -A INPUT -i lo -j ACCEPT 
 +$IP6TB -A OUTPUT -o lo -j ACCEPT
  
 # Allow full outgoing connection but no incomming stuff # Allow full outgoing connection but no incomming stuff
-$IPT6 -A INPUT  -m state --state ESTABLISHED,RELATED -j ACCEPT +$IP6TB -A INPUT  -m state --state ESTABLISHED,RELATED -j ACCEPT 
-$IPT6 -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT+#   
 +$IP6TB -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
  
-# allow incoming ICMP ping pong stuff +Allow localhost traffic. This rule is for all protocols. 
-$IPT6 -A INPUT -p ipv6-icmp -j ACCEPT +$IP6TB -A INPUT -s ::1 -d ::1 -j ACCEPT 
-$IPT6 -A OUTPUT -p ipv6-icmp -j ACCEPT+ 
 +# Allow Link-Local addresses 
 +$IP6TB -A INPUT -s fe80::/10 -j ACCEPT 
 +$IP6TB -A OUTPUT -s fe80::/10 -j ACCEPT 
 + 
 +$IP6TB -A INPUT -p tcp -m state --syn --state NEW --dport 22 -j ssh-access 
 +$IP6TB -A INPUT -p tcp -m state --syn --state NEW --dport 80 -j http-access 
 + 
 +# ssh 
 +# Connection limit for SSH connections (1 connection per minute from one source IP) 
 +# usefull agains ssh scanners if you MUST open SSH for every IP! 
 +# TRUSTED_HOSTS are whitelisted 
 +for sshhostese in $TRUSTED_HOSTS; 
 +        do 
 +        $IP6TB -A ssh-access -s $sshhostese -j ACCEPT 
 +        done 
 +$IP6TB -A ssh-access -m hashlimit --hashlimit 1/minute --hashlimit-burst 1 --hashlimit-mode srcip --hashlimit-name ssh -j ACCEPT 
 +$IP6TB -A ssh-access -j DROP 
 + 
 +# ssh 
 +  
 +# http 
 +for httphostese in $TRUSTED_HOSTS; 
 +        do 
 +        $IP6TB -A http-access -s $httphostese -j ACCEPT 
 +        done 
 +# http 
 + 
 +# what we allow from Internet 
 +for i in $TCP_PORTS 
 + do 
 + $IP6TB -A INPUT -p tcp -m state --syn --state NEW  --dport $i -j ACCEPT 
 +    done 
 +  
 +$IP6TB -A INPUT -p udp -m multiport --dport $UDP_PORTS -j ACCEPT 
 + 
 +# identd requests 
 +$IP6TB -A INPUT -p tcp --dport 113 -j REJECT --reject-with tcp-reset 
 + 
 +# traceroute? 
 +$IP6TB -A INPUT -p udp -m limit --limit 3/second  --sport 32769:65535 --dport 33434:33523 -j ACCEPT 
 + 
 +# Recommended, but unsupported on older kernels 
 +$IP6TB -A INPUT  -m rt --rt-type 0 -j DROP 
 +$IP6TB -A OUTPUT -m rt --rt-type 0 -j DROP 
 +$IP6TB -A FORWARD -m rt --rt-type 0 -j DROP 
 + 
 +# Allow but rate-limit echo request/reply 
 +$IP6TB -A INPUT -i $INTERNET -p icmpv6 --icmpv6-type 128 -m limit --limit 900/min -j ACCEPT 
 +$IP6TB -A INPUT -i $INTERNET -p icmpv6 --icmpv6-type 129 -m limit --limit 900/min -j ACCEPT 
 + 
 +# Allow router advertisements on local network segments 
 + for icmptype in 133 134 135 136 137 
 + do 
 +  $IP6TB -A INPUT -p icmpv6 --icmpv6-type $icmptype -m hl --hl-eq 255 -j ACCEPT 
 +  $IP6TB -A OUTPUT -p icmpv6 --icmpv6-type $icmptype -m hl --hl-eq 255 -j ACCEPT 
 + done 
 + 
 +# Allow RFC 4890 but with rate-limiting 
 + #for icmptype in 1 2 3 4 130 131 132 141 142 143 148 149 151 152 
 + 
 + for icmptype in 1 2 3/0 3/1 4/0 4/1 4/2 130 131 132 133 141 142 143 148 149 151 152 153 
 + do 
 +  $IP6TB -A INPUT -p icmpv6 --icmpv6-type $icmptype -m limit --limit 900/min -j ACCEPT 
 +  $IP6TB -A OUTPUT -p icmpv6 --icmpv6-type $icmptype -m limit --limit 900/min -j ACCEPT 
 + done 
 + 
 +# Log all other icmpv6 types 
 +$IP6TB -A INPUT -p icmpv6 -j LOG --log-prefix "dropped ICMPv6" 
 + 
 + 
 +#reject 
 +$IP6TB -A INPUT -i $INTERNET -p tcp -m state --syn --state NEW -m multiport --dports 113,1080,3128,8080 -j REJECT 
 +$IP6TB -A INPUT -i $INTERNET -p udp -m multiport --dports  113 -j REJECT
  
-############# add your custom rules below ############ 
-$IPT6 -A INPUT -p tcp --destination-port 22 -j ACCEPT 
  
-#### no need to edit below ### 
 # log everything else # log everything else
-$IPT6 -A INPUT -j LOG +$IP6TB -A INPUT -j LOG 
-$IPT6 -A INPUT -j DROP+$IP6TB -A INPUT -j DROP 
 + 
 + 
 +# OUTPUT 
 + 
 +$IP6TB -A OUTPUT -o $INTERNET -p icmpv6 --icmpv6-type 128 -m limit --limit 900/min -j ACCEPT 
 +$IP6TB -A OUTPUT -o $INTERNET -p icmpv6 --icmpv6-type 129 -m limit --limit 900/min -j ACCEPT 
 + 
 + for icmptype in 133 134 135 136 137 
 + do 
 +  $IP6TB -A OUTPUT -p icmpv6 --icmpv6-type $icmptype -m hl --hl-eq 255 -j ACCEPT 
 + done
  
-##ip6tables -A INPUT --protocol icmpv6 --icmpv6-type echo-request -j ACCEPT --match limit --limit 30/minute+Allow RFC 4890 but with rate-limiting 
 + for icmptype in 1 2 3 4 130 131 132 141 142 143 148 149 151 152 
 + do 
 +  $IP6TB -A OUTPUT -icmpv6 --icmpv6-type $icmptype -limit --limit 900/min -j ACCEPT 
 + done
  
 +# list the rules
 +$IP6TB -L -v -n
 </code> </code>
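Review bot: The Type 0 routing-header drops (`-m rt --rt-type 0 -j DROP`) sit after `INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT` and `OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT`, so an RH0 packet on any tracked flow is accepted before those rules are reached; move the three `$IP6TB -A INPUT/OUTPUT/FORWARD -m rt --rt-type 0 -j DROP` lines up to directly after the default-policy section so they are evaluated first. That same OUTPUT accept also makes every later OUTPUT rule, including the final RFC 4890 loop, unreachable except for INVALID packets, and that loop's line is malformed anyway — `-icmpv6` and `-limit` are not options, so ip6tables rejects it at load; it should read `$IP6TB -A OUTPUT -p icmpv6 --icmpv6-type $icmptype -m limit --limit 900/min -j ACCEPT`. The ssh-access hashlimit uses `--hashlimit-mode srcip` with the default /128 mask, which a scanner holding a whole /64 sidesteps by rotating source addresses; add `--hashlimit-srcmask 64` to rate-limit per prefix instead. The comment lines that appear here as `name of our Internet and intranet interfaces`, `what TCP ports/services we allow`, `Allow localhost traffic` and `Allow RFC 4890 but with rate-limiting` have no leading `#` in this view; if that is the stored wiki text rather than a rendering artifact, bash will try to execute them and the script will emit errors at those points.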
linux/firewall6.1246603777.txt.gz · Last modified: 2009/07/03 08:49 by greebo
CC Attribution-Share Alike 4.0 International