
IPv6 firewall script

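#!/bin/bash
#
# IPv6 firewall for a host that terminates a SIXXS tunnel and routes a /64
# to the internal LAN.  Default policy is DROP on every chain; only the
# traffic explicitly listed below is accepted or forwarded.
#
# Original source: https://www.sixxs.net/wiki/IPv6_Firewalling
#
# Must run as root.  Re-running is safe: the filter table is flushed and
# rebuilt from scratch.  Only the filter table is touched (ip6tables -F/-X
# without -t act on "filter"), so nat/mangle rules are left alone.

set -euo pipefail

IFACE_INTERNAL="eth0"
IFACE_TUNNEL="sixxs"

# Your /64 prefix WITHOUT the trailing "::"; the placeholder below is
# rejected by the sanity check further down.
SUBNET_PREFIX="<je subnet hier, zonder trailing ::>"
SUBNET="$SUBNET_PREFIX::/64"

# Hosts can now be defined easily as follows:
HOST1="$SUBNET_PREFIX::1"

#######################################
# Print a message to stderr and exit with status 1.
# Arguments: message text
#######################################
die() {
  printf 'ERROR: %s\n' "$*" >&2
  exit 1
}

# Refuse to run with the placeholder still in place: otherwise the rule
# load fails half-way through and the machine is left in a partial state.
if [[ "$SUBNET_PREFIX" == *"<"* ]]; then
  die "SUBNET_PREFIX is still the placeholder; set it to your real prefix"
fi
[[ "$EUID" -eq 0 ]] || die "must be run as root"
command -v ip6tables >/dev/null || die "ip6tables not found"

# First, delete all:
ip6tables -F
ip6tables -X

# Set the default policy before adding rules so the firewall is
# fail-closed: if a later rule fails to load (set -e aborts the script),
# nothing is left wide open.  On a re-run the policy is already DROP
# (-F does not reset policies), so this changes nothing there.
ip6tables -P INPUT   DROP
ip6tables -P FORWARD DROP
ip6tables -P OUTPUT  DROP

# Allow anything on the local link
ip6tables -A INPUT   -i lo -j ACCEPT
ip6tables -A OUTPUT  -o lo -j ACCEPT

# Filter all packets that have RH0 headers.  These must come before any
# broad ACCEPT (including the ICMPv6 rules below); appended after the
# interface-wide ACCEPTs they would never be reached.
ip6tables -A INPUT   -m rt --rt-type 0 -j DROP
ip6tables -A FORWARD -m rt --rt-type 0 -j DROP
ip6tables -A OUTPUT  -m rt --rt-type 0 -j DROP

# Anti-spoofing: traffic arriving over the tunnel must never carry a
# source address inside our own subnet.
ip6tables -A INPUT   -i "$IFACE_TUNNEL" -s "$SUBNET" -j DROP
ip6tables -A FORWARD -i "$IFACE_TUNNEL" -s "$SUBNET" -j DROP

# Allow ICMPv6 everywhere.  IPv6 does not work without it (neighbour
# discovery, path-MTU discovery).  Appended with -A rather than inserted
# with -I so the RH0 and anti-spoofing DROPs above still apply to it.
ip6tables -A INPUT   -p icmpv6 -j ACCEPT
ip6tables -A OUTPUT  -p icmpv6 -j ACCEPT
ip6tables -A FORWARD -p icmpv6 -j ACCEPT

# Allow anything out on the internet
ip6tables -A OUTPUT  -o "$IFACE_TUNNEL" -j ACCEPT
# Allow established, related packets back in
ip6tables -A INPUT   -i "$IFACE_TUNNEL" -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow the localnet to access us:
ip6tables -A INPUT   -i "$IFACE_INTERNAL" -j ACCEPT
ip6tables -A OUTPUT  -o "$IFACE_INTERNAL" -j ACCEPT

# Allow Link-Local addresses
ip6tables -A INPUT   -s fe80::/10 -j ACCEPT
ip6tables -A OUTPUT  -s fe80::/10 -j ACCEPT

# Allow multicast
ip6tables -A INPUT   -d ff00::/8 -j ACCEPT
ip6tables -A OUTPUT  -d ff00::/8 -j ACCEPT

# Allow forwarding: new connections only from our own subnet on the LAN
# side out through the tunnel; replies in either direction via conntrack.
ip6tables -A FORWARD -m state --state NEW -i "$IFACE_INTERNAL" -o "$IFACE_TUNNEL" -s "$SUBNET" -j ACCEPT
ip6tables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

# Pay attention here: to expose a service on the machine the tunnel
# terminates on, use an INPUT rule; for a host behind it, use FORWARD.
# HTTP in
ip6tables -A FORWARD -i "$IFACE_TUNNEL" -p tcp --dport 80 -d "$HOST1" -j ACCEPT
# SSH in
ip6tables -A FORWARD -i "$IFACE_TUNNEL" -p tcp --dport 22 -d "$HOST1" -j ACCEPT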