This is an old revision of the document!
#!/bin/bash echo "*************" echo "* Running $0" echo "*************" echo " how iptables work in linux kernel" echo echo ">-[prerouting]-> + >-[forward]-> + >-[postrouting]->" echo " | |" echo " [input] >--->[output]" # path to ip6tables IPT6="/sbin/ip6tables" # name of our Internet and intranet interfaces # # use INTRANET="eth1+" or INTERNET="eth0+" # if you have more ifaces (example: eth0:0) towards Intranet/Internet INTRANET="eth1" INTERNET="eth0" # ADSL - INTERNET="ppp0" # what TCP ports/services we allow (and FORWARD) from Internet # use " " as delimiter TCP_PORTS="25 53 80" # what UDP ports/services we allow (and FORWARD) from Internet # use "," as delimiter UDP_PORTS="53" # which ports we forward into our intranet # use "," as delimiter FWD_TCP_PORTS="1214,6346" TRUSTED_HOSTS="2001:470:1f15:404::3 \ 2001:15c0:1000:1003:250:8dff:fef1:738e" #IPv6 forward echo "0" > /proc/sys/net/ipv6/conf/all/forwarding # first we flush the tables and policy $IPT6 -F $IPT6 -X $IPT6 -F INPUT $IPT6 -F FORWARD $IPT6 -F OUTPUT $IPT6 -t nat -F # separate/new queue $IPT6 -N ssh-access $IPT6 -N http-access # port redirection (transparent proxy) # redirect all outgoing traffic that is NOT for the GW to local (GW) ports #$IPT6 -t nat -A PREROUTING -i ! $INTERNET -p tcp -s $LAN -d ! $LAN --dport 53 -j REDIRECT #$IPT6 -t nat -A PREROUTING -i ! $INTERNET -p udp -s $LAN -d ! $LAN --dport 53 -j REDIRECT #$IPT6 -t nat -A PREROUTING -i ! $INTERNET -p tcp -s $LAN -d ! $LAN --dport 25 -j REDIRECT --to-ports 25 # default policy $IPT6 -P INPUT DROP $IPT6 -P OUTPUT DROP $IPT6 -P FORWARD DROP # we allow all traffic from $INTRANET and localhost interfaces ##$IPT6 -A INPUT -i $INTRANET -j ACCEPT $IPT6 -A INPUT -i lo -j ACCEPT # Allow full outgoing connection but no incomming stuff $IPT6 -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT # $IPT6 -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT # Connection limit for SSH connections (3 connection per minute) - usefull agains ssh scanners if you MUST open SSH for every IP! # it is wise to use sshaccess input table (TRUSTED_HOSTS) #$IPT6 -A INPUT -p tcp -m state --syn --state NEW --dport 22 -m limit --limit 3/minute --limit-burst 1 -j ACCEPT #$IPT6 -A INPUT -p tcp -m state --syn --state NEW --dport 22 -j DROP $IPT6 -A INPUT -p tcp -m state --syn --state NEW --dport 22 -j ssh-access $IPT6 -A INPUT -p tcp -m state --syn --state NEW --dport 80 -j http-access # ssh for sshhostese in $TRUSTED_HOSTS; do $IPT6 -A ssh-access -s $sshhostese -j ACCEPT done # ssh # http for httphostese in $TRUSTED_HOSTS; do $IPT6 -A http-access -s $httphostese -j ACCEPT done # http # what we allow from Internet for i in $TCP_PORTS do $IPT6 -A INPUT -p tcp -m state --syn --state NEW --dport $i -j ACCEPT done $IPT6 -A INPUT -p udp -m multiport --dport $UDP_PORTS -j ACCEPT # identd requests $IPT6 -A INPUT -p tcp --dport 113 -j REJECT --reject-with tcp-reset # traceroute? $IPT6 -A INPUT -p udp -m limit --limit 3/second --sport 32769:65535 --dport 33434:33523 -j ACCEPT # allow incoming ICMP ping pong stuff $IPT6 -A INPUT -p ipv6-icmp -j ACCEPT # allow outgoing ICMP ping pong stuff $IPT6 -A OUTPUT -p ipv6-icmp -j ACCEPT ##$IPT6 -A INPUT --protocol icmpv6 --icmpv6-type echo-request -j ACCEPT --match limit --limit 30/minute #### no need to edit below ### # log everything else $IPT6 -A INPUT -j LOG $IPT6 -A INPUT -j DROP # list the rules $IPT6 -L -v -n