AFWall+ (and any other iptables firewall) IPv6 fix at startup
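#!/bin/sh
# Example startup firewall script for IPv6 (ip6tables + ipset), e.g. as an
# AFWall+ custom rule script.  It is a template: adjust the interface names
# and the gateway address below before use.  Some options may not be
# available on every kernel / userland build.
#
# Configuration (override in the environment before running):
#   LAN_IF   - LAN bridge interface used for the DNS rules   (default: br-lan)
#   WAN_IF   - upstream/internet interface                   (default: eth0.2)
#   GATEWAY6 - IPv6 address of the upstream router, used for the
#              neighbour-discovery accepts; leave empty to skip those rules
#              (link-local traffic is accepted anyway, see below).
#
# NOTE: rules are appended (-A) / inserted (-I) without flushing the built-in
# chains, so running this script twice duplicates every rule.  The chains are
# deliberately not flushed here because AFWall+ keeps its own rules in them.
LAN_IF=${LAN_IF:-br-lan}
WAN_IF=${WAN_IF:-eth0.2}
GATEWAY6=${GATEWAY6:-}

# ICMPv6 statistics chain (optional).  The ICMP6_STATS jumps further down
# fail with "No chain/target/match by that name" unless the chain exists, so
# create it up front; an already existing chain is fine (error ignored).  An
# empty user chain returns to the caller, so it only collects counters.
ip6tables -N ICMP6_STATS 2>/dev/null

# DNS resolver set.  ipset may not be available on all systems.
# -! (-exist) makes create/add idempotent; the flush empties a set that is
# still referenced by rules and therefore cannot be destroyed.
ipset -! create dns6 hash:ip family inet6
ipset flush dns6
ipset -! add dns6 2001:4860:4860::8888
ipset -! add dns6 2001:4860:4860::8844
ipset -! add dns6 2620:0:ccc::2
ipset -! add dns6 2620:0:ccd::2

# Default policy should be DROP (always) for INPUT and FORWARD.
ip6tables -P INPUT DROP
ip6tables -P OUTPUT ACCEPT
ip6tables -P FORWARD DROP

# Loopback.
ip6tables -A INPUT -i lo -j ACCEPT
ip6tables -A OUTPUT -o lo -j ACCEPT

# Sanity drops come BEFORE every broad ACCEPT so that nothing accepted
# further down (link-local, conntrack ESTABLISHED) can carry these packets.
# Stealth scans / impossible TCP flag combinations.
ip6tables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
ip6tables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
ip6tables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
ip6tables -A INPUT -p tcp --tcp-flags FIN,RST FIN,RST -j DROP
ip6tables -A INPUT -p tcp --tcp-flags ACK,FIN FIN -j DROP
ip6tables -A INPUT -p tcp --tcp-flags ACK,PSH PSH -j DROP
ip6tables -A INPUT -p tcp --tcp-flags ACK,URG URG -j DROP
# Drop packets with a type-0 routing header (RH0) and any remaining segments;
# deprecated by RFC 5095: http://www.ietf.org/rfc/rfc5095.txt
ip6tables -A INPUT -m rt --rt-type 0 -j DROP
ip6tables -A OUTPUT -m rt --rt-type 0 -j DROP
ip6tables -A FORWARD -m rt --rt-type 0 -j DROP

# Accept only what is necessary.
# Link-local (fe80::/10) is accepted on every interface.  Neighbour discovery
# and router advertisements arrive from link-local sources, so this is what
# keeps IPv6 usable at all with a DROP policy.  Add -i <iface> if the WAN
# side should not get this.
ip6tables -A INPUT -s fe80::/10 -j ACCEPT
ip6tables -A OUTPUT -s fe80::/10 -j ACCEPT
# Multicast is matched on the destination: ff00::/8 is never a valid source
# address (RFC 4291), so "-s ff00::/8" would match nothing.
ip6tables -A INPUT -d ff00::/8 -j ACCEPT
ip6tables -A OUTPUT -d ff00::/8 -j ACCEPT
# Log new/invalid SSH attempts.  LOG is non-terminating; the DROP policy still
# applies unless a later rule accepts.  Consider "-m limit" in front of this
# rule so a scan cannot flood the log.
ip6tables -A INPUT -p tcp -m tcp --dport 22 -m state --state INVALID,NEW -j LOG
ip6tables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
#... insert ACCEPTs for your LAN and any other IPv6 addresses that need full access here ...

# To allow replies from a single DNS server instead of the dns6 ipset, replace
# you:ipv6:dns:server:address with it (e.g. OpenDNS uses 2620:0:ccc::2 and
# 2620:0:ccd::2).  DNS is port 53 and the replies have it as source port.
#ip6tables -A INPUT -p udp -s you:ipv6:dns:server:address --sport 53 -j ACCEPT
#ip6tables -A INPUT -p tcp -s you:ipv6:dns:server:address --sport 53 -j ACCEPT
# DNS via the dns6 ipset.  -I inserts at the head of the chain, so these two
# rules sit in front of everything appended above regardless of script order.
ip6tables -I OUTPUT -o "$LAN_IF" -p udp -m set --match-set dns6 dst --dport 53 -j ACCEPT
ip6tables -I INPUT -i "$LAN_IF" -p udp -m set --match-set dns6 src --sport 53 -j ACCEPT
#ip6tables -I INPUT -i br-lan -m set --match-set dns src -j ACCEPT
#ip6tables -I OUTPUT -o br-lan -m set --match-set dns dst -j ACCEPT

# Allow DHCPv6 configuration (server port 547 -> client port 546).
ip6tables -A INPUT -p udp --sport 547 --dport 546 -j ACCEPT
ip6tables -A FORWARD -s fe80::/10 -p udp --sport 547 --dport 546 -j ACCEPT

# Allow forwarding.
#ip6tables -A FORWARD -m state --state NEW -m physdev ! --physdev-in eth0.2 -j ACCEPT
#ip6tables -A FORWARD -m state --state NEW -p tcp --dport 22 -m physdev --physdev-in eth0.2 -j ACCEPT
ip6tables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

# DSCP marking of DNS traffic (optional, mangle table).
#ip6tables -t mangle -A PREROUTING -p udp -m udp --sport 53 -j DSCP --set-dscp-class ef
#ip6tables -t mangle -A PREROUTING -p udp -m udp --dport 53 -j DSCP --set-dscp-class ef
# Example reject target for a logging chain (DROP_LOG must be created with -N first).
#ip6tables -A DROP_LOG -j REJECT --reject-with icmp6-port-unreachable

# And.. importantly.. ICMPv6.  You *will* need these accepts regardless since
# the default policy is DROP; without them you get IPv6 reachability problems
# and without neighbour discovery (types 135/136) you may not even be able to
# connect outbound.
ip6tables -A INPUT -p icmpv6 --icmpv6-type 1 -j ACCEPT # Destination unreachable
ip6tables -A INPUT -p icmpv6 --icmpv6-type 2 -j ACCEPT # Packet too big
ip6tables -A INPUT -p icmpv6 --icmpv6-type 3 -j ACCEPT # Time exceeded
ip6tables -A INPUT -p icmpv6 --icmpv6-type 4 -j ACCEPT # Parameter problem
# Neighbour discovery from the upstream router.  Types 135/136 normally come
# from the router's link-local address, which is already accepted above; set
# GATEWAY6 if your router talks from a global address.  The rules are skipped
# when GATEWAY6 is empty instead of feeding ip6tables an unparsable placeholder.
if [ -n "$GATEWAY6" ]; then
  ip6tables -A INPUT -s "$GATEWAY6" -p icmpv6 --icmpv6-type 135 -j ACCEPT
  ip6tables -A INPUT -s "$GATEWAY6" -p icmpv6 --icmpv6-type 136 -j ACCEPT
fi

# Statistics on icmp6 (optional); -p 58 is the ICMPv6 protocol number.
ip6tables -A OUTPUT -p 58 -j ICMP6_STATS
ip6tables -A FORWARD -p 58 -j ICMP6_STATS

# Allow anything out on the internet (OUTPUT policy is ACCEPT anyway).
ip6tables -A OUTPUT -o "$WAN_IF" -j ACCEPT

# Allow rate-limited ICMPv6 in general (such as SLAAC, echo, etc.).
#ip6tables -A INPUT -p icmpv6 -m limit --limit 30/min -j ACCEPT

# Block facebook.com by payload string match.  Note: string matching does not
# see encrypted traffic and is costly per packet; DNS-based blocking is usually
# the better tool.
#ip6tables -A INPUT -i eth0 -m string --algo bm --string "facebook.com" -j DROP
#ip6tables -A OUTPUT -m string --algo bm --string "facebook.com" -j DROP
#ip6tables -A FORWARD -i eth0 -m string --algo bm --string "facebook.com" -j DROP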