linux:firewall6 [2010/01/05 15:58]
greebo
linux:firewall6 [2012/10/19 09:39] (current)
zagi
Line 12: Line 12:
    
 # path to ip6tables # path to ip6tables
-IPT6="/sbin/ip6tables" +IP6TB="/sbin/ip6tables"
  
 # name of our Internet and intranet interfaces # name of our Internet and intranet interfaces
Line 25: Line 24:
 # what TCP ports/services we allow (and FORWARD) from Internet # what TCP ports/services we allow (and FORWARD) from Internet
 # use " " as delimiter # use " " as delimiter
-TCP_PORTS="25 53 80"+TCP_PORTS="25 53 993"
    
 # what UDP ports/services we allow (and FORWARD) from Internet # what UDP ports/services we allow (and FORWARD) from Internet
Line 33: Line 32:
 # which ports we forward into our intranet # which ports we forward into our intranet
 # use "," as delimiter # use "," as delimiter
-FWD_TCP_PORTS="1214,6346"+#FWD_TCP_PORTS="1214,6346"
    
 TRUSTED_HOSTS="2001:470:1f15:404::3 \ TRUSTED_HOSTS="2001:470:1f15:404::3 \
Line 40: Line 39:
 #IPv6 forward  #IPv6 forward 
 echo "0" > /proc/sys/net/ipv6/conf/all/forwarding echo "0" > /proc/sys/net/ipv6/conf/all/forwarding
- 
  
 # first we flush the tables and policy # first we flush the tables and policy
-$IPT6 -F +$IP6TB -F 
-$IPT6 -X +$IP6TB -X 
-$IPT6 -F INPUT +$IP6TB -F INPUT 
-$IPT6 -F FORWARD +$IP6TB -F FORWARD 
-$IPT6 -F OUTPUT+$IP6TB -F OUTPUT
    
-$IPT6 -t nat -F+# default policy 
 +$IP6TB -P INPUT DROP 
 +$IP6TB -P OUTPUT DROP 
 +$IP6TB -P FORWARD DROP
  
 # separate/new queue # separate/new queue
-$IPT6 -N ssh-access +$IP6TB -N ssh-access 
-$IPT6 -N http-access+$IP6TB -N http-access
  
 # port redirection (transparent proxy) # port redirection (transparent proxy)
 # redirect all outgoing traffic that is NOT for the GW to local (GW) ports # redirect all outgoing traffic that is NOT for the GW to local (GW) ports
-#$IPT6 -t nat -A PREROUTING -i ! $INTERNET -p tcp -s $LAN -d ! $LAN --dport 53 -j REDIRECT +#$IP6TB -t nat -A PREROUTING -i ! $INTERNET -p tcp -s $LAN -d ! $LAN --dport 53 -j REDIRECT 
-#$IPT6 -t nat -A PREROUTING -i ! $INTERNET -p udp -s $LAN -d ! $LAN --dport 53 -j REDIRECT +#$IP6TB -t nat -A PREROUTING -i ! $INTERNET -p udp -s $LAN -d ! $LAN --dport 53 -j REDIRECT 
-#$IPT6 -t nat -A PREROUTING -i ! $INTERNET -p tcp -s $LAN -d ! $LAN --dport 25 -j REDIRECT --to-ports 25 +#$IP6TB -t nat -A PREROUTING -i ! $INTERNET -p tcp -s $LAN -d ! $LAN --dport 25 -j REDIRECT --to-ports 25
- +
-# default policy +
-$IPT6 -P INPUT DROP +
-$IPT6 -P OUTPUT DROP +
-$IPT6 -P FORWARD DROP+
  
 # we allow all traffic from $INTRANET and localhost interfaces # we allow all traffic from $INTRANET and localhost interfaces
-##$IPT6 -A INPUT -i $INTRANET -j ACCEPT +##$IP6TB -A INPUT -i $INTRANET -j ACCEPT 
-$IPT6 -A INPUT -i lo -j ACCEPT+$IP6TB -A INPUT -i lo -j ACCEPT 
 +$IP6TB -A OUTPUT -o lo -j ACCEPT
  
 # Allow full outgoing connection but no incomming stuff # Allow full outgoing connection but no incomming stuff
-$IPT6 -A INPUT  -m state --state ESTABLISHED,RELATED -j ACCEPT+$IP6TB -A INPUT  -m state --state ESTABLISHED,RELATED -j ACCEPT
 #   #  
-$IPT6 -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT+$IP6TB -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
  
-Connection limit for SSH connections (3 connection per minute) - usefull agains ssh scanners if you MUST open SSH for every IP! +Allow localhost traffic. This rule is for all protocols. 
-# it is wise to use sshaccess input table (TRUSTED_HOSTS) +$IP6TB -A INPUT -s ::1 -d ::1 -j ACCEPT 
-#$IPT6 -A INPUT -p tcp -m state --syn --state NEW --dport 22 -m limit --limit 3/minute --limit-burst 1 -j ACCEPT + 
-#$IPT6 -A INPUT -p tcp -m state --syn --state NEW --dport 22 -j DROP +Allow Link-Local addresses 
-  +$IP6TB -A INPUT -s fe80::/10 -j ACCEPT 
-$IPT6 -A INPUT -p tcp -m state --syn --state NEW --dport 22 -j ssh-access +$IP6TB -A OUTPUT -s fe80::/10 -j ACCEPT 
-$IPT6 -A INPUT -p tcp -m state --syn --state NEW --dport 80 -j http-access+ 
 +$IP6TB -A INPUT -p tcp -m state --syn --state NEW --dport 22 -j ssh-access 
 +$IP6TB -A INPUT -p tcp -m state --syn --state NEW --dport 80 -j http-access
  
 # ssh # ssh
 +# Connection limit for SSH connections (1 connection per minute from one source IP)
 +# usefull agains ssh scanners if you MUST open SSH for every IP!
 +# TRUSTED_HOSTS are whitelisted
 for sshhostese in $TRUSTED_HOSTS; for sshhostese in $TRUSTED_HOSTS;
         do         do
-        $IPT6 -A ssh-access -s $sshhostese -j ACCEPT+        $IP6TB -A ssh-access -s $sshhostese -j ACCEPT
         done         done
 +$IP6TB -A ssh-access -m hashlimit --hashlimit 1/minute --hashlimit-burst 1 --hashlimit-mode srcip --hashlimit-name ssh -j ACCEPT
 +$IP6TB -A ssh-access -j DROP
 +
 # ssh # ssh
    
Line 93: Line 98:
 for httphostese in $TRUSTED_HOSTS; for httphostese in $TRUSTED_HOSTS;
         do         do
-        $IPT6 -A http-access -s $httphostese -j ACCEPT+        $IP6TB -A http-access -s $httphostese -j ACCEPT
         done         done
 # http # http
Line 100: Line 105:
 for i in $TCP_PORTS for i in $TCP_PORTS
  do  do
- $IPT6 -A INPUT -p tcp -m state --syn --state NEW  --dport $i -j ACCEPT+ $IP6TB -A INPUT -p tcp -m state --syn --state NEW  --dport $i -j ACCEPT
     done     done
    
-$IPT6 -A INPUT -p udp -m multiport --dport $UDP_PORTS -j ACCEPT+$IP6TB -A INPUT -p udp -m multiport --dport $UDP_PORTS -j ACCEPT
  
 # identd requests # identd requests
-$IPT6 -A INPUT -p tcp --dport 113 -j REJECT --reject-with tcp-reset+$IP6TB -A INPUT -p tcp --dport 113 -j REJECT --reject-with tcp-reset
  
 # traceroute? # traceroute?
-$IPT6 -A INPUT -p udp -m limit --limit 3/second  --sport 32769:65535 --dport 33434:33523 -j ACCEPT+$IP6TB -A INPUT -p udp -m limit --limit 3/second  --sport 32769:65535 --dport 33434:33523 -j ACCEPT
  
 +# Recommended, but unsupported on older kernels
 +$IP6TB -A INPUT  -m rt --rt-type 0 -j DROP
 +$IP6TB -A OUTPUT -m rt --rt-type 0 -j DROP
 +$IP6TB -A FORWARD -m rt --rt-type 0 -j DROP
  
-allow incoming ICMP ping pong stuff +Allow but rate-limit echo request/reply 
-$IPT6 -A INPUT -p ipv6-icmp -j ACCEPT +$IP6TB -A INPUT -i $INTERNET -p icmpv6 --icmpv6-type 128 -m limit --limit 900/min -j ACCEPT 
-# allow outgoing ICMP ping pong stuff +$IP6TB -A INPUT -i $INTERNET -p icmpv6 --icmpv6-type 129 -m limit --limit 900/min -j ACCEPT
-$IPT6 -A OUTPUT -p ipv6-icmp -j ACCEPT+
  
-##$IPT6  -A INPUT --protocol icmpv6 --icmpv6-type echo-request -j ACCEPT --match limit --limit 30/minute+Allow router advertisements on local network segments 
 + for icmptype in 133 134 135 136 137 
 + do 
 +  $IP6TB -A INPUT -p icmpv6 --icmpv6-type $icmptype -m hl --hl-eq 255 -j ACCEPT 
 +  $IP6TB -A OUTPUT -p icmpv6 --icmpv6-type $icmptype -m hl --hl-eq 255 -j ACCEPT 
 + done 
 + 
 +# Allow RFC 4890 but with rate-limiting 
 + #for icmptype in 1 2 3 4 130 131 132 141 142 143 148 149 151 152 
 + 
 + for icmptype in 1 2 3/0 3/1 4/0 4/1 4/2 130 131 132 133 141 142 143 148 149 151 152 153 
 + do 
 +  $IP6TB -A INPUT -p icmpv6 --icmpv6-type $icmptype -limit --limit 900/min -j ACCEPT 
 +  $IP6TB -A OUTPUT -p icmpv6 --icmpv6-type $icmptype -m limit --limit 900/min -j ACCEPT 
 + done 
 + 
 +# Log all other icmpv6 types 
 +$IP6TB -A INPUT -p icmpv6 -j LOG --log-prefix "dropped ICMPv6" 
 + 
 + 
 +#reject 
 +$IP6TB -A INPUT -i $INTERNET -p tcp -m state --syn --state NEW -m multiport --dports 113,1080,3128,8080 -j REJECT 
 +$IP6TB -A INPUT -i $INTERNET -p udp -m multiport --dports  113 -j REJECT
  
  
-#### no need to edit below ### 
 # log everything else # log everything else
-$IPT6 -A INPUT -j LOG +$IP6TB -A INPUT -j LOG 
-$IPT6 -A INPUT -j DROP+$IP6TB -A INPUT -j DROP
  
-# list the rules 
-$IPT6 -L -v -n 
  
 +# OUTPUT
  
 +$IP6TB -A OUTPUT -o $INTERNET -p icmpv6 --icmpv6-type 128 -m limit --limit 900/min -j ACCEPT
 +$IP6TB -A OUTPUT -o $INTERNET -p icmpv6 --icmpv6-type 129 -m limit --limit 900/min -j ACCEPT
 +
 + for icmptype in 133 134 135 136 137
 + do
 +  $IP6TB -A OUTPUT -p icmpv6 --icmpv6-type $icmptype -m hl --hl-eq 255 -j ACCEPT
 + done
 +
 +# Allow RFC 4890 but with rate-limiting
 + for icmptype in 1 2 3 4 130 131 132 141 142 143 148 149 151 152
 + do
 +  $IP6TB -A OUTPUT -p icmpv6 --icmpv6-type $icmptype -m limit --limit 900/min -j ACCEPT
 + done
 +
 +# list the rules
 +$IP6TB -L -v -n
 </code> </code>
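Review bot: The INPUT half of the "Allow RFC 4890 but with rate-limiting" loop never installs its rules, because the match is written as `-limit --limit 900/min` instead of `-m limit --limit 900/min` (the OUTPUT copy of the same loop near the end has it right); ip6tables rejects the unknown option, so types 1, 2 (Packet Too Big, needed for path-MTU discovery), 4 and the MLD types 130–132 fall through to the closing LOG/DROP. The line should read `$IP6TB -A INPUT -p icmpv6 --icmpv6-type $icmptype -m limit --limit 900/min -j ACCEPT`. Four new prose lines ("Allow localhost traffic…", "Allow Link-Local addresses", "Allow but rate-limit echo request/reply", "Allow router advertisements on local network segments") lack a leading `#`, so the shell runs them as commands that fail with "command not found" while the script carries on. The new `$IP6TB -A INPUT -s fe80::/10 -j ACCEPT` is not scoped by interface or protocol, so any on-link sender on $INTERNET using a link-local source address bypasses the rest of the INPUT chain; restricting it to the ICMPv6 types the NDP loop already covers, or to `! -i $INTERNET`, keeps the intended behaviour. The `-j LOG` rules for leftover ICMPv6 and for "everything else" are not rate-limited, which makes them a log-flooding vector, and the ICMPv6 one logs packets that the final rules then log a second time.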