RiFi2k · May 14, 2017 19:57
diff --git a/iptables.v6.rules b/iptables.v6.rules
 *filter

 # Base policy
 :INPUT DROP [0:0]
 :FORWARD DROP [0:0]
 :OUTPUT ACCEPT [0:0]

 # Don't attempt to firewall internal traffic on the loopback device.
 -A INPUT -i lo -j ACCEPT

 # Continue connections that are already established or related to an established 
 # connection.
 -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

 # Drop non-conforming packets, such as malformed headers, etc.
 -A INPUT -m conntrack --ctstate INVALID -j DROP

 # Block remote packets claiming to be from a loopback address.
 -A INPUT -s ::1/128 ! -i lo -j DROP

 # Chain for preventing SSH brute-force attacks.
 # Permits 10 new connections within 5 minutes from a single host then drops 
 # incomming connections from that host. Beyond a burst of 100 connections we 
 # log at up 1 attempt per second to prevent filling of logs.
 -N SSHBRUTE
 -A SSHBRUTE -m recent --name SSH --set
 -A SSHBRUTE -m recent --name SSH --update --seconds 300 --hitcount 10 -m limit --limit 1/second --limit-burst 100 -j LOG --log-prefix "ip6tables[SSH-brute]: "
 -A SSHBRUTE -m recent --name SSH --update --seconds 300 --hitcount 10 -j DROP
 -A SSHBRUTE -j ACCEPT

 # Chain for preventing ping flooding - up to 6 pings per second from a single 
 # source, again with log limiting. Also prevents us from ICMP REPLY flooding 
 # some victim when replying to ICMP ECHO from a spoofed source.
 -N ICMPFLOOD
 -A ICMPFLOOD -m recent --set --name ICMP --rsource
 -A ICMPFLOOD -m recent --update --seconds 1 --hitcount 6 --name ICMP --rsource --rttl -m limit --limit 1/sec --limit-burst 1 -j LOG --log-prefix "ip6tables[ICMP-flood]: "
 -A ICMPFLOOD -m recent --update --seconds 1 --hitcount 6 --name ICMP --rsource --rttl -j DROP
 -A ICMPFLOOD -j ACCEPT


 ###############################################################################
 # 2. HOST SPECIFIC RULES                                                      #
 #                                                                             #
 # This section is a good place to enable your host-specific services.         #
 ###############################################################################

 # Accept HTTP and HTTPS
 #-A INPUT -p tcp -m multiport --dports 80,443 --syn -m conntrack --ctstate NEW -j ACCEPT


 ###############################################################################
 # 3. GENERAL RULES                                                            #
 #                                                                             #
 # This section contains general rules that should be suitable for most hosts. #
 ###############################################################################

 # Accept worldwide access to SSH and use SSHBRUTE chain for preventing 
 # brute-force attacks.
 -A INPUT -p tcp --dport 22 --syn -m conntrack --ctstate NEW -j SSHBRUTE

 # Permit needed ICMP packet types for IPv6 per RFC 4890.
 -A INPUT              -p ipv6-icmp --icmpv6-type 1   -j ACCEPT
 -A INPUT              -p ipv6-icmp --icmpv6-type 2   -j ACCEPT
 -A INPUT              -p ipv6-icmp --icmpv6-type 3   -j ACCEPT
 -A INPUT              -p ipv6-icmp --icmpv6-type 4   -j ACCEPT
 -A INPUT              -p ipv6-icmp --icmpv6-type 133 -j ACCEPT
 -A INPUT              -p ipv6-icmp --icmpv6-type 134 -j ACCEPT
 -A INPUT              -p ipv6-icmp --icmpv6-type 135 -j ACCEPT
 -A INPUT              -p ipv6-icmp --icmpv6-type 136 -j ACCEPT
 -A INPUT              -p ipv6-icmp --icmpv6-type 137 -j ACCEPT
 -A INPUT              -p ipv6-icmp --icmpv6-type 141 -j ACCEPT
 -A INPUT              -p ipv6-icmp --icmpv6-type 142 -j ACCEPT
 -A INPUT -s fe80::/10 -p ipv6-icmp --icmpv6-type 130 -j ACCEPT
 -A INPUT -s fe80::/10 -p ipv6-icmp --icmpv6-type 131 -j ACCEPT
 -A INPUT -s fe80::/10 -p ipv6-icmp --icmpv6-type 132 -j ACCEPT
 -A INPUT -s fe80::/10 -p ipv6-icmp --icmpv6-type 143 -j ACCEPT
 -A INPUT              -p ipv6-icmp --icmpv6-type 148 -j ACCEPT
 -A INPUT              -p ipv6-icmp --icmpv6-type 149 -j ACCEPT
 -A INPUT -s fe80::/10 -p ipv6-icmp --icmpv6-type 151 -j ACCEPT
 -A INPUT -s fe80::/10 -p ipv6-icmp --icmpv6-type 152 -j ACCEPT
 -A INPUT -s fe80::/10 -p ipv6-icmp --icmpv6-type 153 -j ACCEPT

 # Permit IMCP echo requests (ping) and use ICMPFLOOD chain for preventing ping 
 # flooding.
 -A INPUT -p ipv6-icmp --icmpv6-type 128 -j ICMPFLOOD

 # Do not log packets that are going to ports used by SMB
 # (Samba / Windows Sharing).
 -A INPUT -p udp -m multiport --dports 135,445 -j DROP
 -A INPUT -p udp --dport 137:139 -j DROP
 -A INPUT -p udp --sport 137 --dport 1024:65535 -j DROP
 -A INPUT -p tcp -m multiport --dports 135,139,445 -j DROP

 # Do not log packets that are going to port used by UPnP protocol.
 -A INPUT -p udp --dport 1900 -j DROP

 # Do not log late replies from nameservers.
 -A INPUT -p udp --sport 53 -j DROP

 # Good practise is to explicately reject AUTH traffic so that it fails fast.
 -A INPUT -p tcp --dport 113 --syn -m conntrack --ctstate NEW -j REJECT --reject-with tcp-reset

 # Prevent DOS by filling log files.
 -A INPUT -m limit --limit 1/second --limit-burst 100 -j LOG --log-prefix "ip6tables[DOS]: "

 COMMIT
	*filter

	# Base policy
	:INPUT DROP [0:0]
	:FORWARD DROP [0:0]
	:OUTPUT ACCEPT [0:0]

	# Don't attempt to firewall internal traffic on the loopback device.
	-A INPUT -i lo -j ACCEPT

	# Continue connections that are already established or related to an established
	# connection.
	-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

	# Drop non-conforming packets, such as malformed headers, etc.
	-A INPUT -m conntrack --ctstate INVALID -j DROP

	# Block remote packets claiming to be from a loopback address.
	-A INPUT -s ::1/128 ! -i lo -j DROP

	# Chain for preventing SSH brute-force attacks.
	# Permits 10 new connections within 5 minutes from a single host then drops
	# incomming connections from that host. Beyond a burst of 100 connections we
	# log at up 1 attempt per second to prevent filling of logs.
	-N SSHBRUTE
	-A SSHBRUTE -m recent --name SSH --set
	-A SSHBRUTE -m recent --name SSH --update --seconds 300 --hitcount 10 -m limit --limit 1/second --limit-burst 100 -j LOG --log-prefix "ip6tables[SSH-brute]: "
	-A SSHBRUTE -m recent --name SSH --update --seconds 300 --hitcount 10 -j DROP
	-A SSHBRUTE -j ACCEPT

	# Chain for preventing ping flooding - up to 6 pings per second from a single
	# source, again with log limiting. Also prevents us from ICMP REPLY flooding
	# some victim when replying to ICMP ECHO from a spoofed source.
	-N ICMPFLOOD
	-A ICMPFLOOD -m recent --set --name ICMP --rsource
	-A ICMPFLOOD -m recent --update --seconds 1 --hitcount 6 --name ICMP --rsource --rttl -m limit --limit 1/sec --limit-burst 1 -j LOG --log-prefix "ip6tables[ICMP-flood]: "
	-A ICMPFLOOD -m recent --update --seconds 1 --hitcount 6 --name ICMP --rsource --rttl -j DROP
	-A ICMPFLOOD -j ACCEPT


	###############################################################################
	# 2. HOST SPECIFIC RULES #
	# #
	# This section is a good place to enable your host-specific services. #
	###############################################################################

	# Accept HTTP and HTTPS
	#-A INPUT -p tcp -m multiport --dports 80,443 --syn -m conntrack --ctstate NEW -j ACCEPT


	###############################################################################
	# 3. GENERAL RULES #
	# #
	# This section contains general rules that should be suitable for most hosts. #
	###############################################################################

	# Accept worldwide access to SSH and use SSHBRUTE chain for preventing
	# brute-force attacks.
	-A INPUT -p tcp --dport 22 --syn -m conntrack --ctstate NEW -j SSHBRUTE

	# Permit needed ICMP packet types for IPv6 per RFC 4890.
	-A INPUT -p ipv6-icmp --icmpv6-type 1 -j ACCEPT
	-A INPUT -p ipv6-icmp --icmpv6-type 2 -j ACCEPT
	-A INPUT -p ipv6-icmp --icmpv6-type 3 -j ACCEPT
	-A INPUT -p ipv6-icmp --icmpv6-type 4 -j ACCEPT
	-A INPUT -p ipv6-icmp --icmpv6-type 133 -j ACCEPT
	-A INPUT -p ipv6-icmp --icmpv6-type 134 -j ACCEPT
	-A INPUT -p ipv6-icmp --icmpv6-type 135 -j ACCEPT
	-A INPUT -p ipv6-icmp --icmpv6-type 136 -j ACCEPT
	-A INPUT -p ipv6-icmp --icmpv6-type 137 -j ACCEPT
	-A INPUT -p ipv6-icmp --icmpv6-type 141 -j ACCEPT
	-A INPUT -p ipv6-icmp --icmpv6-type 142 -j ACCEPT
	-A INPUT -s fe80::/10 -p ipv6-icmp --icmpv6-type 130 -j ACCEPT
	-A INPUT -s fe80::/10 -p ipv6-icmp --icmpv6-type 131 -j ACCEPT
	-A INPUT -s fe80::/10 -p ipv6-icmp --icmpv6-type 132 -j ACCEPT
	-A INPUT -s fe80::/10 -p ipv6-icmp --icmpv6-type 143 -j ACCEPT
	-A INPUT -p ipv6-icmp --icmpv6-type 148 -j ACCEPT
	-A INPUT -p ipv6-icmp --icmpv6-type 149 -j ACCEPT
	-A INPUT -s fe80::/10 -p ipv6-icmp --icmpv6-type 151 -j ACCEPT
	-A INPUT -s fe80::/10 -p ipv6-icmp --icmpv6-type 152 -j ACCEPT
	-A INPUT -s fe80::/10 -p ipv6-icmp --icmpv6-type 153 -j ACCEPT

	# Permit IMCP echo requests (ping) and use ICMPFLOOD chain for preventing ping
	# flooding.
	-A INPUT -p ipv6-icmp --icmpv6-type 128 -j ICMPFLOOD

	# Do not log packets that are going to ports used by SMB
	# (Samba / Windows Sharing).
	-A INPUT -p udp -m multiport --dports 135,445 -j DROP
	-A INPUT -p udp --dport 137:139 -j DROP
	-A INPUT -p udp --sport 137 --dport 1024:65535 -j DROP
	-A INPUT -p tcp -m multiport --dports 135,139,445 -j DROP

	# Do not log packets that are going to port used by UPnP protocol.
	-A INPUT -p udp --dport 1900 -j DROP

	# Do not log late replies from nameservers.
	-A INPUT -p udp --sport 53 -j DROP

	# Good practise is to explicately reject AUTH traffic so that it fails fast.
	-A INPUT -p tcp --dport 113 --syn -m conntrack --ctstate NEW -j REJECT --reject-with tcp-reset

	# Prevent DOS by filling log files.
	-A INPUT -m limit --limit 1/second --limit-burst 100 -j LOG --log-prefix "ip6tables[DOS]: "

	COMMIT