@myxal
Last active March 7, 2020 18:12
IPv6 home gateway firewall rules
# IPv6 home gateway firewall rules: an ipset of bogon prefixes plus an ip6tables-restore ruleset.
# See https://www.cyberciti.biz/tips/how-do-i-drop-or-block-attackers-ip-with-null-routes.html
# - not everything from there actually works (from and to don't work with blackhole)
# ip route add blackhole ::ffff:0:0/96
## TODO - See what format ipset-persistent uses and transform these into that (probably another file)
########
# Prefixes that should never appear as source or destination on a home gateway.
# The set must be created with "family inet6"; a plain nethash/hash:net set
# defaults to IPv4 and ipset refuses the IPv6 entries below.
ipset create FW_FORBIDDEN_ANY hash:net family inet6
# documentation prefix
ipset add FW_FORBIDDEN_ANY 2001:db8::/32
# deprecated site-local
ipset add FW_FORBIDDEN_ANY fec0::/10
# IPv4-mapped; note this is ::ffff:0:0/96, not ::ffff/96 (that address has host bits set and is ::/96)
ipset add FW_FORBIDDEN_ANY ::ffff:0:0/96
# IPv4-compatible (deprecated)
ipset add FW_FORBIDDEN_ANY ::/96
# ORCHID
ipset add FW_FORBIDDEN_ANY 2001:10::/28
# unique local addresses
ipset add FW_FORBIDDEN_ANY fc00::/7
# outbound-only block list; created as a placeholder, not populated or referenced yet
ipset create FW_FORBIDDEN_OUT hash:net family inet6
*filter
:INPUT DROP [0:0]
:FORWARD DROP [1:60]
:OUTPUT ACCEPT [69:7421]
:FW_LAN2WAN - [0:0]
:FW_WAN2LAN - [0:0]
# INPUT: traffic addressed to the gateway itself
-A INPUT -i lan0 -j ACCEPT
-A INPUT -i wan0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# ICMPv6 carries NDP and PMTU discovery, so it is rate-limited rather than dropped
-A INPUT -p ipv6-icmp -m limit --limit 900/min -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j DROP
# FW_LAN2WAN: LAN to Internet, everything allowed
-A FW_LAN2WAN -j ACCEPT
# FW_WAN2LAN: Internet to LAN
# anti-spoofing: packets claiming our own prefix must never arrive from the WAN side
-A FW_WAN2LAN -s <internal_prefix> -j DROP
-A FW_WAN2LAN -p ipv6-icmp -m limit --limit 900/min -j ACCEPT
-A FW_WAN2LAN -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FW_WAN2LAN -p tcp -m tcp --dport 22 -j ACCEPT
# unsolicited inbound to the registered-port range on LAN hosts (policy choice of this gateway)
-A FW_WAN2LAN -p udp -m udp --dport 1024:49151 -j ACCEPT
-A FW_WAN2LAN -p tcp -m tcp --dport 1024:49151 -j ACCEPT
# FORWARD
# shortcut for known-good packets (global unicast on both ends), avoid the bogon rule
-A FORWARD -i lan0 -s <internal_prefix> -o wan0 -d 2000::/3 -j FW_LAN2WAN
# the WAN-to-LAN shortcut must jump to FW_WAN2LAN; FW_LAN2WAN accepts everything unfiltered
-A FORWARD -i wan0 -s 2000::/3 -o lan0 -d 2000::/3 -j FW_WAN2LAN
-A FORWARD -s ff00::/8 -j DROP
# hash:net is one-dimensional, so "src,dst" would only test the source; use one rule per direction
-A FORWARD -m set --match-set FW_FORBIDDEN_ANY src -j DROP
# The dst rule can be omitted if bogons are null-routed (TODO)
-A FORWARD -m set --match-set FW_FORBIDDEN_ANY dst -j DROP
# everything else goes through the per-direction chains, after the bogon checks above
-A FORWARD -i wan0 -o lan0 -j FW_WAN2LAN
-A FORWARD -i lan0 -o wan0 -j FW_LAN2WAN
-A OUTPUT -s ff00::/8 -j DROP
COMMIT
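An added helper, not part of the gist, that checks the bogon list before it is loaded: it parses each prefix strictly (so a mistyped entry such as ::ffff/96, which has host bits set, is rejected instead of silently widening the block to ::/96), reports entries already covered by another entry, renders the set in `ipset restore` syntax, and looks up sample addresses the way `-m set --match-set FW_FORBIDDEN_ANY src` would. The restore syntax is assumed here to be what ipset-persistent consumes; the sample addresses are constructed.

```python
"""Validate the gist's bogon prefixes and render them as `ipset restore` input."""
import ipaddress

# Prefix list taken from the gist, with the IPv4-mapped range written out in full.
BOGONS = [
    "2001:db8::/32",  # documentation prefix
    "fec0::/10",      # deprecated site-local
    "::ffff:0:0/96",  # IPv4-mapped
    "::/96",          # IPv4-compatible (deprecated)
    "2001:10::/28",   # ORCHID
    "fc00::/7",       # unique local
]


def is_strict_prefix(text):
    """True only if no host bits are set, so "::ffff/96" (really ::/96) is rejected."""
    try:
        ipaddress.IPv6Network(text, strict=True)
        return True
    except ValueError:
        return False


def parse_prefixes(texts):
    """Parse strictly; one typo'd entry aborts the whole load rather than widening the block."""
    return [ipaddress.IPv6Network(t, strict=True) for t in texts]


def find_nested(nets):
    """Pairs (outer, inner) where one entry already covers another; usually a sign of a typo."""
    return [(a, b) for a in nets for b in nets if a != b and b.subnet_of(a)]


def render_ipset_restore(name, nets):
    """`ipset restore` syntax (assumed to be the ipset-persistent format); family inet6 is mandatory."""
    lines = [f"create {name} hash:net family inet6"]
    lines += [f"add {name} {n}" for n in nets]
    return "\n".join(lines) + "\n"


def matching_bogon(addr, nets):
    """First prefix containing addr, or None: the test that '--match-set NAME src' performs."""
    a = ipaddress.IPv6Address(addr)
    return next((n for n in nets if a in n), None)


if __name__ == "__main__":
    nets = parse_prefixes(BOGONS)
    print(render_ipset_restore("FW_FORBIDDEN_ANY", nets))
    for sample in ("::ffff:192.0.2.1", "2001:db8::1", "2001:4860:4860::8888"):
        print(sample, "->", matching_bogon(sample, nets))
```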