A few days ago I asked about suggestions for IPv6. Here is what I came
up with from bits pinched from the Internet.
The Linux IPv6 HOWTO is a useful resource:
http://tldp.org/HOWTO/Linux+IPv6-HOWTO/index.html
The actual firewall I came up with looks like this at the moment and I
would welcome any comments & suggestions on it. I am sure that there are
things I am doing wrong or have forgotten about.
At some stage I am going to revise this shortly to have a couple of
logging chains so that I can see exactly what is getting dropped.
This is written for a kernel that does not support stateful filtering,
and is run as a bash script called by the script that brings up the IPv6
interfaces on boot.
One interesting thing is that because IPv6 space is so vast I have yet
to see ANY scan attempts. It's not surprising, but it is an area where
things are very different from IPv4.
#!/bin/bash
# IPv6 Firewall stuff
# Written for a kernel without IPv6 connection tracking, so there are no
# state rules: inbound TCP is gated on the SYN flag and inbound UDP on the
# local ephemeral port range instead.

# Variables
GO6="si+"                    # tunnel interface(s): any name starting with "si", e.g. sit0
WAN="eth0"
LAN="eth1"
NET="2001:xxx:xxx::/48"      # our routed prefix
POP="2001:xxx:xxx:xx::1"     # provider's end of the tunnel
TUN="2001:xxx:xxx:xx::2"     # our end of the tunnel

# IPv6
# Clear old rules
ip6tables -F INPUT
ip6tables -F OUTPUT
ip6tables -F FORWARD

# Default policies: anything not explicitly accepted below is dropped
ip6tables -P INPUT DROP
ip6tables -P OUTPUT DROP
ip6tables -P FORWARD DROP

# Localhost rules: match on the loopback interface rather than on a ::1
# source, so local connections to the box's own global addresses work too
# (those go over lo but carry the global address as source)
ip6tables -A INPUT -i lo -j ACCEPT
ip6tables -A OUTPUT -o lo -j ACCEPT

# ICMPv6 rules
# Allow all ICMPv6 traffic, but rate limit what comes in over the tunnel.
# Packets over the limit fall through; nothing below matches ICMPv6, so the
# DROP policy takes them.
ip6tables -A INPUT -i $GO6 -p icmpv6 -m limit --limit 240/minute -j ACCEPT
ip6tables -A INPUT ! -i $GO6 -p icmpv6 -j ACCEPT
ip6tables -A FORWARD -i $GO6 -p icmpv6 -m limit --limit 600/minute -j ACCEPT
ip6tables -A FORWARD -i $LAN -p icmpv6 -j ACCEPT
ip6tables -A OUTPUT -p icmpv6 -j ACCEPT
#
# Input rules
# Local LAN to this box is OK
ip6tables -A INPUT -i $LAN -j ACCEPT
# Services this box offers to the outside
ip6tables -A INPUT -i $GO6 -p tcp --dport 22 -j ACCEPT   # ssh
ip6tables -A INPUT -i $GO6 -p tcp --dport 81 -j ACCEPT   # CC web interface
# Privileged ports not covered above
ip6tables -A INPUT -i $GO6 -p tcp --dport 0:1023 -j DROP
ip6tables -A INPUT -i $GO6 -p udp --dport 0:1023 -j DROP
# Deny new connection attempts to this box if not explicitly allowed above
ip6tables -A INPUT -i $GO6 -p tcp --syn -j DROP
# Deny UDP inwards to this box from the Internet except to our own ephemeral
# ports (net.ipv4.ip_local_port_range, which IPv6 sockets share)
ip6tables -A INPUT -i $GO6 -p udp ! --dport 32768:60999 -j DROP
# Allow all other traffic > 1023 (no state, so this is what lets replies in)
ip6tables -A INPUT -i $GO6 -p tcp -j ACCEPT
ip6tables -A INPUT -i $GO6 -p udp -j ACCEPT
#
# Forward rules
# Allow access to certain ports on the LAN and deny the rest
# ip6tables -A FORWARD -i $GO6 -p tcp --dport 22 -j ACCEPT   # ssh
# Block privileged ports; put stuff we want open before this
ip6tables -A FORWARD -i $GO6 -p tcp --dport 0:1023 -j DROP
ip6tables -A FORWARD -i $GO6 -p udp --dport 0:1023 -j DROP
# Deny new inbound TCP connection attempts to LAN addresses unless allowed
ip6tables -A FORWARD -i $GO6 -p tcp --syn -j DROP
# Deny UDP inwards to the LAN except to ephemeral ports
ip6tables -A FORWARD -i $GO6 -p udp ! --dport 32768:60999 -j DROP
# Allow all other traffic > 1023
ip6tables -A FORWARD -i $GO6 -p tcp -j ACCEPT
ip6tables -A FORWARD -i $GO6 -p udp -j ACCEPT
# Allow forwarding outbound traffic from our nets, but no martians or link-locals
ip6tables -A FORWARD ! -i $GO6 -s $NET -j ACCEPT
#
# Outwards: allow our nets to go out; this should catch all martians too
#
ip6tables -A OUTPUT -o $GO6 -s $NET -j ACCEPT
ip6tables -A OUTPUT -o $GO6 -s $TUN -j ACCEPT
ip6tables -A OUTPUT -o $LAN -j ACCEPT
# Multicast (link-local scope; ICMPv6 is already accepted above, this covers the rest)
ip6tables -A OUTPUT -d ff02::/16 -j ACCEPT
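The logging chains the poster says they intend to add, as an added example that is not part of the original post: each DROP in the script above becomes a jump to a user chain that logs (rate limited) and then drops, with a prefix naming the reason, and a catch-all logs whatever would otherwise fall to the silent DROP policy. The function names (mk_logdrop, install_logging, install_catchall), the LOG_* chain names and the log prefixes are this example's own, and 2001:db8::/48 (the RFC 3849 documentation range) stands in for the poster's masked prefix. With IP6T=echo the rules are printed instead of loaded, so the rule set can be reviewed without root.

```shell
#!/bin/bash
# Added example, not the original poster's script: rate-limited logging
# chains for the rule set above, so that each DROP can be traced to the
# rule that caused it. Set IP6T=echo to print the rules instead of
# loading them.
set -u

IP6T="${IP6T:-ip6tables}"    # or "sudo ip6tables"; "echo" for a dry run
GO6="${GO6:-si+}"            # tunnel interface pattern, as in the original script
NET="${NET:-2001:db8::/48}"  # placeholder prefix (RFC 3849 documentation range)

# Create (or reset) a user chain that logs a few packets per minute, then
# drops. $1 = chain name, $2 = log prefix (ip6tables truncates prefixes
# longer than 29 characters, so keep them short).
mk_logdrop() {
    local chain="$1" prefix="$2"
    $IP6T -N "$chain" 2>/dev/null || true    # ignore "chain already exists"
    $IP6T -F "$chain"
    $IP6T -A "$chain" -m limit --limit 5/minute --limit-burst 10 \
        -j LOG --log-prefix "$prefix" --log-level info
    $IP6T -A "$chain" -j DROP
}

# The DROP rules of the script above, now jumping to a logging chain.
# Call this where those DROP rules sit: after the per-service ACCEPTs and
# before the "> 1023" ACCEPTs. One chain per reason; the LOG line's IN=/OUT=
# fields already tell INPUT (OUT= empty) from FORWARD, so the chains are
# shared between the two built-in chains.
install_logging() {
    mk_logdrop LOG_PRIV "ip6 priv port: "
    mk_logdrop LOG_SYN  "ip6 new tcp: "
    mk_logdrop LOG_UDP  "ip6 udp: "
    mk_logdrop LOG_REST "ip6 policy drop: "

    for chain in INPUT FORWARD; do
        $IP6T -A "$chain" -i "$GO6" -p tcp --dport 0:1023 -j LOG_PRIV
        $IP6T -A "$chain" -i "$GO6" -p udp --dport 0:1023 -j LOG_PRIV
        $IP6T -A "$chain" -i "$GO6" -p tcp --syn -j LOG_SYN
        $IP6T -A "$chain" -i "$GO6" -p udp ! --dport 32768:60999 -j LOG_UDP
    done
}

# Append after the last ACCEPT in each built-in chain, so anything that
# would otherwise be eaten by the silent DROP policy (for example ICMPv6
# over the rate limit, or OUTPUT from an unexpected source) is logged too.
install_catchall() {
    for chain in INPUT FORWARD OUTPUT; do
        $IP6T -A "$chain" -j LOG_REST
    done
}

# Stand-alone: "bash ip6-logging.sh dry-run" prints every rule the two
# functions would load. From the firewall script: source this file, call
# install_logging where the DROP rules are, and install_catchall at the end.
if [ "${1:-}" = "dry-run" ]; then
    IP6T=echo
    install_logging
    install_catchall
fi
```

Once loaded, `dmesg | grep 'ip6 '` shows the kernel LOG lines with their IN=, OUT=, SRC=, DST=, PROTO= and DPT= fields, so a dropped packet can be matched to its rule by prefix and to its target by port. The limit is per chain, not per source, so under a flood each reason shows at most a handful of lines a minute; that is deliberate, since an unlimited LOG target is itself a way to fill the disk from outside. The catch-all must be the last rule appended, otherwise it shadows the ACCEPTs that come after it.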