Differences

This shows you the differences between two versions of the page.

--- linux:firewall6 [2011/03/28 17:36]
greebo
+++ linux:firewall6 [2012/10/19 09:39] (current)
zagi
@@ Line 12: / Line 12: @@
 # path to ip6tables
-IP6T="/sbin/ip6tables"
+IP6TB="/sbin/ip6tables"
 # name of our Internet and intranet interfaces
@@ Line 47: / Line 47: @@
 $IP6TB -F OUTPUT
-# reci ne natu!
-#$IP6TB -t nat -F
 # default policy
 $IP6TB -P INPUT DROP
@@ Line 68: / Line 65: @@
 ##$IP6TB -A INPUT -i $INTRANET -j ACCEPT
 $IP6TB -A INPUT -i lo -j ACCEPT
+$IP6TB -A OUTPUT -o lo -j ACCEPT
 # Allow full outgoing connection but no incomming stuff
@@ Line 73: / Line 71: @@
 #
 $IP6TB -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
+# Allow localhost traffic. This rule is for all protocols.
+$IP6TB -A INPUT -s ::1 -d ::1 -j ACCEPT
+# Allow Link-Local addresses
+$IP6TB -A INPUT -s fe80::/10 -j ACCEPT
+$IP6TB -A OUTPUT -s fe80::/10 -j ACCEPT
 $IP6TB -A INPUT -p tcp -m state --syn --state NEW --dport 22 -j ssh-access
@@ Line 111: / Line 116: @@
 $IP6TB -A INPUT -p udp -m limit --limit 3/second  --sport 32769:65535 --dport 33434:33523 -j ACCEPT
-# allow incoming ICMP ping pong stuff
+# Recommended, but unsupported on older kernels
-$IP6TB -A INPUT -p ipv6-icmp -j ACCEPT
+$IP6TB -A INPUT  -m rt --rt-type 0 -j DROP
+$IP6TB -A OUTPUT -m rt --rt-type 0 -j DROP
+$IP6TB -A FORWARD -m rt --rt-type 0 -j DROP
-# allow outgoing ICMP ping pong stuff
+# Allow but rate-limit echo request/reply
-$IP6TB -A OUTPUT -p ipv6-icmp -j ACCEPT
+$IP6TB -A INPUT -i $INTERNET -p icmpv6 --icmpv6-type 128 -m limit --limit 900/min -j ACCEPT
+$IP6TB -A INPUT -i $INTERNET -p icmpv6 --icmpv6-type 129 -m limit --limit 900/min -j ACCEPT
+# Allow router advertisements on local network segments
+ for icmptype in 133 134 135 136 137
+ do
+  $IP6TB -A INPUT -p icmpv6 --icmpv6-type $icmptype -m hl --hl-eq 255 -j ACCEPT
+  $IP6TB -A OUTPUT -p icmpv6 --icmpv6-type $icmptype -m hl --hl-eq 255 -j ACCEPT
+ done
+# Allow RFC 4890 but with rate-limiting
+ #for icmptype in 1 2 3 4 130 131 132 141 142 143 148 149 151 152
+ for icmptype in 1 2 3/0 3/1 4/0 4/1 4/2 130 131 132 133 141 142 143 148 149 151 152 153
+ do
+  $IP6TB -A INPUT -p icmpv6 --icmpv6-type $icmptype -m limit --limit 900/min -j ACCEPT
+  $IP6TB -A OUTPUT -p icmpv6 --icmpv6-type $icmptype -m limit --limit 900/min -j ACCEPT
+ done
+# Log all other icmpv6 types
+$IP6TB -A INPUT -p icmpv6 -j LOG --log-prefix "dropped ICMPv6"
+#reject
+$IP6TB -A INPUT -i $INTERNET -p tcp -m state --syn --state NEW -m multiport --dports 113,1080,3128,8080 -j REJECT
+$IP6TB -A INPUT -i $INTERNET -p udp -m multiport --dports  113 -j REJECT
-##$IP6TB  -A INPUT --protocol icmpv6 --icmpv6-type echo-request -j ACCEPT --match limit --limit 30/minute
 # log everything else
 $IP6TB -A INPUT -j LOG
 $IP6TB -A INPUT -j DROP
+# OUTPUT
+$IP6TB -A OUTPUT -o $INTERNET -p icmpv6 --icmpv6-type 128 -m limit --limit 900/min -j ACCEPT
+$IP6TB -A OUTPUT -o $INTERNET -p icmpv6 --icmpv6-type 129 -m limit --limit 900/min -j ACCEPT
+ for icmptype in 133 134 135 136 137
+ do
+  $IP6TB -A OUTPUT -p icmpv6 --icmpv6-type $icmptype -m hl --hl-eq 255 -j ACCEPT
+ done
+# Allow RFC 4890 but with rate-limiting
+ for icmptype in 1 2 3 4 130 131 132 141 142 143 148 149 151 152
+ do
+  $IP6TB -A OUTPUT -p icmpv6 --icmpv6-type $icmptype -m limit --limit 900/min -j ACCEPT
+ done
 # list the rules
 $IP6TB -L -v -n
 </code>