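#!/bin/bash
# Original source: https://www.sixxs.net/wiki/IPv6_Firewalling
#
# ip6tables ruleset for a host that terminates an IPv6 tunnel (IFACE_TUNNEL)
# and routes one /64 for the LAN behind it (IFACE_INTERNAL). Must run as root.
# Every ip6tables call is fatal on failure (set -e): a typo aborts the run
# with the chains already in the fail-closed state set below, instead of
# finishing with a half-built ruleset.
set -euo pipefail

IFACE_INTERNAL="eth0"
IFACE_TUNNEL="sixxs"
SUBNET_PREFIX="<je subnet hier, zonder trailing ::>"
SUBNET="$SUBNET_PREFIX::/64"
# Hosts are now easy to define as follows:
HOST1="$SUBNET_PREFIX::1"

# Refuse to run while the prefix is still the placeholder above (or empty):
# ip6tables would reject the address anyway, but this fails with a clear
# message before anything has been flushed.
if [[ -z "$SUBNET_PREFIX" || "$SUBNET_PREFIX" == *'<'* ]]; then
  printf 'SUBNET_PREFIX is not configured; edit this script first\n' >&2
  exit 1
fi

# Default policy first, so the host is never open between the flush and the
# last ACCEPT rule, and an aborted run leaves it closed rather than open.
ip6tables -P INPUT DROP
ip6tables -P FORWARD DROP
ip6tables -P OUTPUT DROP

# Delete all existing rules and user-defined chains:
ip6tables -F
ip6tables -X

# Drop packets carrying a type-0 routing header (RH0) before any ACCEPT rule
# can see them. In the original order the ICMPv6 rules were inserted at the
# head of each chain and the ESTABLISHED/localnet accepts preceded this drop,
# so RH0 packets matching those rules were accepted.
for chain in INPUT FORWARD OUTPUT; do
  ip6tables -A "$chain" -m rt --rt-type 0 -j DROP
done

# Allow anything on the loopback interface
ip6tables -A INPUT -i lo -j ACCEPT
ip6tables -A OUTPUT -o lo -j ACCEPT

# Allow ICMPv6 everywhere (neighbour discovery, PMTU, error reports).
# Appended rather than inserted (-I) so the RH0 drop above stays first.
for chain in INPUT FORWARD OUTPUT; do
  ip6tables -A "$chain" -p icmpv6 -j ACCEPT
done

# Allow anything out on the internet
ip6tables -A OUTPUT -o "$IFACE_TUNNEL" -j ACCEPT
# Allow established, related packets back in
ip6tables -A INPUT -i "$IFACE_TUNNEL" -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allow the local net to reach us, and us to reach it:
ip6tables -A INPUT -i "$IFACE_INTERNAL" -j ACCEPT
ip6tables -A OUTPUT -o "$IFACE_INTERNAL" -j ACCEPT

# Allow link-local addresses.
# NOTE(review): these match on source address only, on every interface, so
# any protocol from an fe80::/10 source arriving over the tunnel is accepted
# too. ICMPv6 is already allowed above; consider adding -i "$IFACE_INTERNAL"
# if nothing else from the tunnel peer's link-local address is expected.
ip6tables -A INPUT -s fe80::/10 -j ACCEPT
ip6tables -A OUTPUT -s fe80::/10 -j ACCEPT
# Allow multicast
ip6tables -A INPUT -d ff00::/8 -j ACCEPT
ip6tables -A OUTPUT -d ff00::/8 -j ACCEPT

# Allow forwarding: new connections from our subnet out through the tunnel,
# and replies to anything already tracked.
ip6tables -A FORWARD -m state --state NEW -i "$IFACE_INTERNAL" -o "$IFACE_TUNNEL" -s "$SUBNET" -j ACCEPT
ip6tables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

# Take care here: to expose a service on the machine the tunnel terminates
# on, use an INPUT rule; for a host behind it, use a FORWARD rule as below.
# HTTP in
ip6tables -A FORWARD -i "$IFACE_TUNNEL" -p tcp --dport 80 -d "$HOST1" -j ACCEPT
# SSH in
ip6tables -A FORWARD -i "$IFACE_TUNNEL" -p tcp --dport 22 -d "$HOST1" -j ACCEPT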