Skip to content

Instantly share code, notes, and snippets.

Last active Mar 7, 2020
What would you like to do?
IPv6 home gateway firewall rules
# See
# - not everything from there actually works (from and to don't work with blackhole)
# ip route add blackhole ::ffff:0:0/96
## TODO - See what format ipset-persistent uses and transform these into that (probably another file)
ipset -N FW_FORBIDDEN_ANY nethash
ipset -A FW_FORBIDDEN_ANY 2001:db8::/32
ipset -A FW_FORBIDDEN_ANY fec0::/10
ipset -A FW_FORBIDDEN_ANY ::ffff/96
ipset -A FW_FORBIDDEN_ANY ::/96
ipset -A FW_FORBIDDEN_ANY 2001:10::/28
ipset -A FW_FORBIDDEN_ANY fc00::/7
ipset -N FW_FORBIDDEN_OUT nethash
:OUTPUT ACCEPT [69:7421]
-A INPUT -i lan0 -j ACCEPT
-A INPUT -i wan0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p ipv6-icmp -m limit --limit 900/min -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j DROP
-A FW_WAN2LAN -s <internal_prefix> -j DROP
-A FW_WAN2LAN -p ipv6-icmp -m limit --limit 900/min -j ACCEPT
-A FW_WAN2LAN -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FW_WAN2LAN -p tcp -m tcp --dport 22 -j ACCEPT
-A FW_WAN2LAN -p udp -m udp --dport 1024:49151 -j ACCEPT
-A FW_WAN2LAN -p tcp -m tcp --dport 1024:49151 -j ACCEPT
# shortcut for known-good packets, avoid the bogon rule
-A FORWARD -i lan0 -s <internal_prefix> -o wan0 -d 2000::/3 -j FW_LAN2WAN
-A FORWARD -i wan0 -s 2000::/3 -o lan0 -d 2000::/3 -j FW_LAN2WAN
-A FORWARD -i wan0 -o lan0 -j FW_WAN2LAN
-A FORWARD -s ff00::/8 -j DROP
# The dst part can be omitted if bogons are null-routed (TODO)
-A FORWARD -m set --set FW_FORBIDDEN_ANY src,dst -j DROP
-A FORWARD -i wan0 -o lan0 -j FW_WAN2LAN
-A FORWARD -i lan0 -o wan0 -j FW_LAN2WAN
-A OUTPUT -s ff00::/8 -j DROP
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment