IPv6 Linux firewall with subnet protection

Hi, this is my IPv6 firewall I use on Linux. Maybe you can do something with it:

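#!/bin/bash
#
# IPv6 host + subnet firewall built on ip6tables.
#
# Layout: the built-in INPUT/OUTPUT/FORWARD chains only classify packets by
# interface and jump into per-direction user chains (extIN, extOUT, intIN,
# intOUT, ext2int, int2ext); the actual policy lives in those chains.
# Anything that falls out of a built-in chain is sample-logged and then hits
# the DROP policy.
#
# Must run as root. Re-running is safe: everything is flushed first.
#
# DiNo, http://www.atoomnet.net/

# Fail closed: -e aborts on the first ip6tables error. The DROP policies are
# installed before any ACCEPT rule, so an aborted run leaves the host locked
# down rather than half-open. -u catches typos in variable names.
set -eu

readonly IPTABLES="/sbin/ip6tables"

# Public (untrusted) interfaces and internal (trusted) interfaces.
readonly ext_ifs=(sixxs tun6to4)
readonly int_ifs=(bridge0 atoomnet tap0)

# Log budget for dropped packets, so a flood cannot fill the logs.
readonly log_limit=10/minute
# ICMPv6 budget on public interfaces. NOTE: this limits *all* ICMPv6,
# including "packet too big" (type 2) which IPv6 needs for path-MTU
# discovery; raise the limit or exempt type 2 if large transfers stall.
readonly icmp_limit=30/minute

[[ -x "${IPTABLES}" ]] || { printf '%s: not executable\n' "${IPTABLES}" >&2; exit 1; }

# Flush everything (a bare -F flushes every chain in the filter table,
# including the user chains, which -X below requires to be empty).
echo "flush"
"${IPTABLES}" -F
# The user chains do not exist on the first run; ignore only that error.
for chain in extIN intIN extOUT intOUT ext2int int2ext; do
  "${IPTABLES}" -X "${chain}" 2>/dev/null || true
done

# Default Policies
echo "policies"
"${IPTABLES}" -t filter -P INPUT DROP
"${IPTABLES}" -t filter -P OUTPUT DROP
"${IPTABLES}" -t filter -P FORWARD DROP

# loopback can do everything
# OUTPUT has no input interface: "-i lo" is rejected by ip6tables there, which
# silently left all loopback output to the DROP policy. Use -o.
"${IPTABLES}" -A INPUT  -i lo -j ACCEPT
"${IPTABLES}" -A OUTPUT -o lo -j ACCEPT

# chain of all public incoming ipv6 interfaces
echo "extIN"
"${IPTABLES}" -N extIN
for ifc in "${ext_ifs[@]}"; do
  "${IPTABLES}" -A INPUT -i "${ifc}" -j extIN
done

# chain of all public outgoing ipv6 interfaces
echo "extOUT"
"${IPTABLES}" -N extOUT
for ifc in "${ext_ifs[@]}"; do
  "${IPTABLES}" -A OUTPUT -o "${ifc}" -j extOUT
done

# chain of all internal incoming ipv6 interfaces
echo "intIN"
"${IPTABLES}" -N intIN
for ifc in "${int_ifs[@]}"; do
  "${IPTABLES}" -A INPUT -i "${ifc}" -j intIN
done

# chain of all internal outgoing ipv6 interfaces
echo "intOUT"
"${IPTABLES}" -N intOUT
for ifc in "${int_ifs[@]}"; do
  "${IPTABLES}" -A OUTPUT -o "${ifc}" -j intOUT
done

# chain of external to internal forward interfaces
echo "ext2int"
"${IPTABLES}" -N ext2int
for ifc in "${ext_ifs[@]}"; do
  "${IPTABLES}" -A FORWARD -i "${ifc}" -j ext2int
done

# chain of internal to external forward interfaces
# Only bridge0 is forwarded. Hosts on atoomnet and tap0 can still reach this
# server (intIN), but anything they try to forward falls through to the
# FORWARD log + DROP below.
echo "int2ext"
"${IPTABLES}" -N int2ext
"${IPTABLES}" -A FORWARD -i bridge0 -j int2ext

# logging: a packet reaching the end of a built-in chain is about to be
# dropped by policy; log a rate-limited sample of it first
for chain in INPUT OUTPUT FORWARD; do
  "${IPTABLES}" -A "${chain}" -m limit --limit "${log_limit}" -j LOG --log-prefix "${chain}_DROP:"
done

# Tha Rulez...

# allow all internal hosts to this server
echo "intIN rules"
"${IPTABLES}" -A intIN -j ACCEPT

# allow outgoing traffic to internal hosts
echo "intOUT rules"
"${IPTABLES}" -A intOUT -j ACCEPT

# allow outgoing traffic to external hosts
echo "extOUT rules"
"${IPTABLES}" -A extOUT -j ACCEPT

# allow incoming traffic from the public interfaces
echo "extIN rules"
# Replies to connections this host opened, matched by connection tracking.
# The former "-p tcp ! --syn -j ACCEPT" let in *any* TCP segment lacking SYN
# (e.g. unsolicited ACK/FIN probes, which is how ACK scans map a firewall)
# and did nothing for UDP replies such as this host's own DNS queries.
# Requires nf_conntrack_ipv6; if it is missing, the script aborts (fail closed).
"${IPTABLES}" -A extIN -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
"${IPTABLES}" -A extIN -p tcp --dport 22 -j ACCEPT   # ssh
"${IPTABLES}" -A extIN -p tcp --dport 80 -j ACCEPT   # http
"${IPTABLES}" -A extIN -p tcp --dport 25 -j ACCEPT   # smtp
"${IPTABLES}" -A extIN -p udp --dport 53 -j ACCEPT   # dns
"${IPTABLES}" -A extIN -p tcp --dport 53 -j ACCEPT   # dns over tcp
"${IPTABLES}" -A extIN -p icmpv6 -m limit --limit "${icmp_limit}" -j ACCEPT
"${IPTABLES}" -A extIN -m limit --limit "${log_limit}" -j LOG --log-prefix "extIN_DROP:"
"${IPTABLES}" -A extIN -j DROP

# allow all internal hosts to go play outside
echo "int2ext rules"
"${IPTABLES}" -A int2ext -j ACCEPT

# external to internal: only replies to connections that internal hosts
# opened, plus rate-limited ICMPv6; no unsolicited inbound connections
echo "ext2int rules"
"${IPTABLES}" -A ext2int -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
"${IPTABLES}" -A ext2int -p icmpv6 -m limit --limit "${icmp_limit}" -j ACCEPT
"${IPTABLES}" -A ext2int -m limit --limit "${log_limit}" -j LOG --log-prefix "ext2int_DROP:"
"${IPTABLES}" -A ext2int -j DROP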
