Last active March 7, 2020 18:12
IPv6 home gateway firewall rules
# See https://www.cyberciti.biz/tips/how-do-i-drop-or-block-attackers-ip-with-null-routes.html
# - not everything from there actually works (from and to don't work with blackhole)
# ip route add blackhole ::ffff:0:0/96
## TODO - See what format ipset-persistent uses and transform these into that (probably another file)
########
# IPv6 sets need "family inet6": hash:net (the type "nethash" is the old name for it) defaults to
# family inet, and adding IPv6 prefixes to an inet set fails.
ipset create FW_FORBIDDEN_ANY hash:net family inet6
ipset add FW_FORBIDDEN_ANY 2001:db8::/32   # documentation prefix
ipset add FW_FORBIDDEN_ANY fec0::/10       # deprecated site-local
ipset add FW_FORBIDDEN_ANY ::ffff:0:0/96   # IPv4-mapped ("::ffff/96" would be parsed as ::/96)
ipset add FW_FORBIDDEN_ANY ::/96           # deprecated IPv4-compatible
ipset add FW_FORBIDDEN_ANY 2001:10::/28    # deprecated ORCHID
ipset add FW_FORBIDDEN_ANY fc00::/7        # unique local addresses
ipset create FW_FORBIDDEN_OUT hash:net family inet6
*filter
:INPUT DROP [0:0]
:FORWARD DROP [1:60]
:OUTPUT ACCEPT [69:7421]
-A INPUT -i lan0 -j ACCEPT
-A INPUT -i wan0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# ICMPv6 carries neighbour discovery and path MTU discovery: rate-limit it, never block it outright
-A INPUT -p ipv6-icmp -m limit --limit 900/min -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j DROP
-N FW_LAN2WAN
-A FW_LAN2WAN -j ACCEPT
-N FW_WAN2LAN
# anti-spoofing: packets claiming our own prefix must never arrive on the WAN side
-A FW_WAN2LAN -s <internal_prefix> -j DROP
-A FW_WAN2LAN -p ipv6-icmp -m limit --limit 900/min -j ACCEPT
-A FW_WAN2LAN -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FW_WAN2LAN -p tcp -m tcp --dport 22 -j ACCEPT
-A FW_WAN2LAN -p udp -m udp --dport 1024:49151 -j ACCEPT
-A FW_WAN2LAN -p tcp -m tcp --dport 1024:49151 -j ACCEPT
# shortcut for known-good packets, avoid the bogon rule
# (note: the 2001:db8::/32 and 2001:10::/28 set entries lie inside 2000::/3, so the shortcut bypasses them)
-A FORWARD -i lan0 -s <internal_prefix> -o wan0 -d 2000::/3 -j FW_LAN2WAN
# WAN-to-LAN packets must go through FW_WAN2LAN; jumping them to the accept-all FW_LAN2WAN would open the LAN
-A FORWARD -i wan0 -s 2000::/3 -o lan0 -d 2000::/3 -j FW_WAN2LAN
-A FORWARD -s ff00::/8 -j DROP
# The dst part can be omitted if bogons are null-routed (TODO)
# (a one-dimensional hash:net set only tests the first flag, src; matching dst needs a second rule with "dst")
-A FORWARD -m set --match-set FW_FORBIDDEN_ANY src,dst -j DROP
# the per-direction catch-alls come after the bogon rule so that the set is actually consulted
-A FORWARD -i wan0 -o lan0 -j FW_WAN2LAN
-A FORWARD -i lan0 -o wan0 -j FW_LAN2WAN
-A OUTPUT -s ff00::/8 -j DROP
COMMIT
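An added offline check, not part of the gist: it uses Python's standard ipaddress module to parse the FW_FORBIDDEN_ANY entries the way hash:net masks them (so a "::ffff/96" typo collapses to ::/96) and to report which set entries the 2000::/3 "known-good" shortcut rules in FORWARD shadow, so that they are never consulted. Python is used because the check runs without root or a kernel ipset; the sample addresses are constructed.

```python
import ipaddress

# Entries of the FW_FORBIDDEN_ANY set as listed in the gist (IPv4-mapped entry
# written out in full; the shorter "::ffff/96" parses as ::/96, see parse_entry).
FORBIDDEN_ANY = [
    "2001:db8::/32",  # documentation prefix
    "fec0::/10",      # deprecated site-local
    "::ffff:0:0/96",  # IPv4-mapped addresses
    "::/96",          # deprecated IPv4-compatible addresses
    "2001:10::/28",   # deprecated ORCHID
    "fc00::/7",       # unique local addresses
]

# The FORWARD "shortcut" rules jump packets with src and dst in this range
# straight to the per-direction chains, before the "-m set" bogon rule runs.
KNOWN_GOOD = ipaddress.ip_network("2000::/3")


def parse_entry(entry: str) -> ipaddress.IPv6Network:
    """Parse an ipset hash:net entry like the kernel does: host bits are masked off."""
    return ipaddress.ip_network(entry, strict=False)


def is_bogon(addr: str, entries=FORBIDDEN_ANY) -> bool:
    """True if addr lies in one of the set's prefixes."""
    ip = ipaddress.ip_address(addr)
    return any(ip in parse_entry(e) for e in entries)


def shadowed_entries(entries=FORBIDDEN_ANY, shortcut=KNOWN_GOOD) -> list:
    """Set entries that the shortcut rule hides from the bogon rule.

    A source inside one of these prefixes also lies in 2000::/3, so a packet
    from it takes the shortcut and never reaches "-m set ... -j DROP".
    """
    return [e for e in entries if parse_entry(e).overlaps(shortcut)]


def bypasses_set_rule(src: str, dst: str, shortcut=KNOWN_GOOD) -> bool:
    """Does this src/dst pair match the shortcut and so skip the set check?"""
    return (ipaddress.ip_address(src) in shortcut
            and ipaddress.ip_address(dst) in shortcut)


if __name__ == "__main__":
    print("shadowed by the 2000::/3 shortcut:", shadowed_entries())
    for a in ("2001:db8::1", "fd00::1", "::ffff:192.0.2.10", "2001:4860:4860::8888"):
        print(a, "bogon" if is_bogon(a) else "ok")
```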