[Gllug] IPv6 and firewalls
Alain Williams
addw at phcomp.co.uk
Tue Aug 11 09:48:30 UTC 2009
On Tue, Aug 11, 2009 at 09:45:35AM +0000, Chris Bell wrote:
> Hello,
> IPv6 is an available option, and I have been looking at IPv6 firewalling
> both for home and commercial use. I have to assume that some machines will
> not have any real internal protection, some may not even be IPv6 capable and
> will require additional routing, but there appear to be few "simple"
> firewall setups at present other than roll-your-own Linux or BSD.
> Am I correct?
I didn't look; rolling your own is not that hard.
Here is the (simple) IP6 firewall that I have on my bytemark box, enjoy.
Note that rate limiting has not (yet) been ported to IP6.
#!/bin/sh
# Firewall for bytemark box
# IPv6
# SCCS: @(#)Ip6TablesRules 1.2 04/02/09 17:04:49
# Special IPs or ranges
OurIP=2001:41c8:1:5076::2
LocalHost=::1/128
# Configure default policies (-P): the rule applied when no more specific
# rule below matches. Defaults are to DROP anything sent to the firewall
# itself (INPUT) or through it (FORWARD), and to permit anything going out.
ip6tables -P INPUT DROP
ip6tables -P FORWARD DROP
ip6tables -P OUTPUT ACCEPT
# Flush (-F) all specific rules
ip6tables -F INPUT
ip6tables -F FORWARD
ip6tables -F OUTPUT
ip6tables -F -t mangle
ip6tables -N In_tcp # Incoming TCP connections here:
ip6tables -N In_udp # Incoming UDP connections here:
# ssh on this machine does not support IPv6
#ip6tables -N In_ssh # Incoming SSH connections here:
# **** Traffic from some interface to this machine ****
# Accept loopback traffic else all sorts of things don't work:
ip6tables -A INPUT -i lo -s $LocalHost -d $LocalHost -j ACCEPT
ip6tables -A INPUT -p tcp -j In_tcp
# Anything on going accept:
ip6tables -A In_tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
ip6tables -A In_tcp -p TCP ! --syn -j ACCEPT
ip6tables -A In_tcp -p TCP --dport ftp -j ACCEPT
#ip6tables -A In_tcp -p TCP --dport ssh -j In_ssh # Process specially
ip6tables -A In_tcp -p TCP --dport http -j ACCEPT
ip6tables -A In_tcp -p TCP --dport https -j ACCEPT
ip6tables -A In_tcp -p TCP --dport smtp -j ACCEPT
ip6tables -A In_tcp -p TCP --dport cvspserver -j ACCEPT
ip6tables -A In_tcp -p TCP --dport domain -j ACCEPT
ip6tables -A In_tcp -p TCP --dport rsync -j ACCEPT
ip6tables -A In_tcp -j DROP
# SSH rate limit new connections to 3 in 3 minutes from any one address
#ip6tables -A In_ssh -m recent -m state --state NEW --hitcount 3 --seconds 180 --update -j DROP
#ip6tables -A In_ssh -m recent -m state --set --state NEW -j ACCEPT
# The recent module has not yet been ported to IPv6
# **** Now specify what udp we accept.
# Note that a UDP request will go out to a particular port, we need to accept a reply from that port.
ip6tables -A INPUT -p udp -j In_udp
ip6tables -A In_udp -p udp --dport domain -j ACCEPT
ip6tables -A In_udp -p udp --sport domain -j ACCEPT
ip6tables -A In_udp -p udp --dport snmp -j ACCEPT
ip6tables -A In_udp -p udp --sport snmp -j ACCEPT
ip6tables -A In_udp -p udp --dport ntp -j ACCEPT
ip6tables -A In_udp -p udp --sport ntp -j ACCEPT
ip6tables -A In_udp -j DROP
ip6tables -A INPUT -p icmpv6 -j ACCEPT # all ICMPv6: ping, and the Neighbour Discovery / PMTU messages IPv6 does not work without
# OpenVPN ignored
--
Alain Williams
Linux/GNU Consultant - Mail systems, Web sites, Networking, Programmer, IT Lecturer.
+44 (0) 787 668 0256 http://www.phcomp.co.uk/
Parliament Hill Computers Ltd. Registration Information: http://www.phcomp.co.uk/contact.php
Past chairman of UKUUG: http://www.ukuug.org/
#include <std_disclaimer.h>
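As an added example (not Alain's script, nor anything from the bytemark box), here is a roll-your-own ip6tables ruleset that fills in the two IPv6-specific points the script above passes over: ICMPv6 accepted per type rather than wholesale, and SSH rate limited with -m hashlimit, which ip6tables does support, instead of the unported -m recent. The service lists are assumptions; ip6fw_rules only prints the commands so they can be inspected before ip6fw_apply runs them as root.

```shell
#!/bin/sh
# Added example, not the original poster's script. ICMPv6 is accepted by
# type (RFC 4890 style) and SSH is rate limited with -m hashlimit. The
# service lists are constructed assumptions; adjust to what the host runs.
TCP_SERVICES="http https smtp"   # assumed services offered over IPv6
UDP_SERVICES="domain ntp"

ip6fw_rules() {
  echo "ip6tables -P INPUT DROP"
  echo "ip6tables -P FORWARD DROP"
  echo "ip6tables -P OUTPUT ACCEPT"
  echo "ip6tables -F"               # flush, then delete leftover user chains
  echo "ip6tables -X"
  echo "ip6tables -A INPUT -i lo -j ACCEPT"
  # One stateful rule covers every reply, so no --sport rules are needed.
  echo "ip6tables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
  echo "ip6tables -A INPUT -m conntrack --ctstate INVALID -j DROP"
  # ICMPv6 errors: dropping these breaks path MTU discovery on IPv6.
  for t in destination-unreachable packet-too-big time-exceeded parameter-problem; do
    echo "ip6tables -A INPUT -p icmpv6 --icmpv6-type $t -j ACCEPT"
  done
  echo "ip6tables -A INPUT -p icmpv6 --icmpv6-type echo-request -m limit --limit 10/second -j ACCEPT"
  # Neighbour Discovery is always sent with hop limit 255; without these
  # rules the host cannot even resolve its router's link-layer address.
  for t in router-advertisement neighbour-solicitation neighbour-advertisement; do
    echo "ip6tables -A INPUT -p icmpv6 --icmpv6-type $t -m hl --hl-eq 255 -j ACCEPT"
  done
  # SSH: more than 3 new connections per minute from one /64 are dropped.
  echo "ip6tables -A INPUT -p tcp --dport ssh -m conntrack --ctstate NEW -m hashlimit --hashlimit-name ssh6 --hashlimit-mode srcip --hashlimit-srcmask 64 --hashlimit-above 3/minute --hashlimit-burst 3 -j DROP"
  echo "ip6tables -A INPUT -p tcp --dport ssh -m conntrack --ctstate NEW -j ACCEPT"
  for s in $TCP_SERVICES; do
    echo "ip6tables -A INPUT -p tcp --dport $s -m conntrack --ctstate NEW -j ACCEPT"
  done
  for s in $UDP_SERVICES; do
    echo "ip6tables -A INPUT -p udp --dport $s -j ACCEPT"
  done
  # Log a sample of what is dropped, then drop everything else explicitly.
  echo "ip6tables -A INPUT -m limit --limit 5/minute -j LOG --log-prefix \"ip6fw drop: \""
  echo "ip6tables -A INPUT -j DROP"
}

# Feed the printed commands to a shell that stops at the first failure.
ip6fw_apply() { ip6fw_rules | sh -e; }

if [ "${1:-}" = apply ]; then ip6fw_apply; fi
```

Run it with no argument to review the generated rules, and with `apply` (as root) to load them.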
--
Gllug mailing list - Gllug at gllug.org.uk
http://lists.gllug.org.uk/mailman/listinfo/gllug