Created
November 3, 2010 13:46
-
-
Save bartman/661085 to your computer and use it in GitHub Desktop.
simple ipv6 stateful firewall setup
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| $ cat /etc/network/if-pre-up.d/iptables | |
| #!/bin/sh | |
| for ip in ip ip6 ; do | |
| if [ -f /etc/default/${ip}tables ] ; then | |
| ${ip}tables-restore < /etc/default/${ip}tables | |
| fi | |
| done | |
| $ cat /etc/default/ip6tables | |
| # Generated by iptables-save v1.4.4 on Tue Oct 27 10:11:58 2009 | |
| *filter | |
| :INPUT ACCEPT [0:0] | |
| :FORWARD ACCEPT [0:0] | |
| :OUTPUT ACCEPT [15:780] | |
| :block - [0:0] | |
| :serv - [0:0] | |
| :new - [0:0] | |
| # | |
| -A INPUT -i lo -j ACCEPT | |
| -A INPUT -j block | |
| # | |
| # enable this if you're using bridging for kvm, etc. | |
| -A FORWARD -i br0 -o br0 -j ACCEPT | |
| -A FORWARD -j block | |
| # | |
| -A block -p icmpv6 -j ACCEPT | |
| -A block -m state --state RELATED,ESTABLISHED -j ACCEPT | |
| -A block -m state --state NEW -j new | |
| -A block -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "drop6: " | |
| -A block -j REJECT --reject-with icmp6-port-unreachable | |
| # | |
| -A new -i br0 -j serv | |
| -A new -i eth+ -j serv | |
| -A new -p udp --sport 5353 --dport 5353 -j ACCEPT | |
| # | |
| -A serv -p tcp --dport 22 -j ACCEPT | |
| -A serv -p udp --dport 3545 -j ACCEPT | |
| # | |
| COMMIT | |
| # Completed on Tue Oct 27 10:11:58 2009 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment