danrl · May 21, 2024 22:53
diff --git a/ipv4-filter.sh b/ipv4-filter.sh
 #!/bin/bash

 echo -n "loading ipv4 packet filter... "

 ### clear tables
 iptables --flush
 iptables --delete-chain
 iptables --table mangle --flush
 iptables --table mangle --delete-chain


 ### default policies
 iptables --policy INPUT   DROP
 iptables --policy OUTPUT  DROP
 iptables --policy FORWARD DROP


 ### loopback
 iptables --append INPUT  --in-interface lo --jump ACCEPT
 iptables --append OUTPUT --out-interface lo --jump ACCEPT


 ### existing connections
 iptables --append INPUT  --match conntrack --ctstate ESTABLISHED,RELATED --jump ACCEPT
 iptables --append OUTPUT --match conntrack --ctstate ESTABLISHED,RELATED --jump ACCEPT


 ### trashlog chain
 iptables --new-chain trashlog
 iptables --append trashlog --jump LOG --log-level notice --log-prefix "trashlog: "
 iptables --append trashlog --jump DROP


 ### invalid packets
 #iptables --append INPUT  --match conntrack --ctstate INVALID --jump trashlog
 iptables --append INPUT  --match conntrack --ctstate INVALID --jump DROP

 ### icmp
 # allow echo requests
 iptables --append INPUT  --protocol icmp --icmp-type echo-request --match conntrack --ctstate NEW --jump ACCEPT
 # drop the rest
 iptables --append INPUT  --protocol icmp --jump DROP

 ### services
 # ssh
 iptables --append INPUT  --protocol tcp --dport 22 --match conntrack --ctstate NEW --jump ACCEPT
 # ssh obscured
 iptables --append INPUT  --protocol tcp --dport 5000 --match conntrack --ctstate NEW --jump ACCEPT
 # random service
 #iptables --append INPUT  --protocol tcp --dport 1234 --match conntrack --ctstate NEW --jump ACCEPT
 # reject the rest
 iptables --append INPUT  --jump REJECT

 ### outgoing
 iptables --append OUTPUT --jump ACCEPT

 echo "done!"
diff --git a/ipv6-filter.sh b/ipv6-filter.sh
 #!/bin/bash

 echo -n "loading ipv6 packet filter... "

 ### clear tables
 ip6tables --flush
 ip6tables --delete-chain
 ip6tables --table mangle --flush
 ip6tables --table mangle --delete-chain


 ### default policies
 ip6tables --policy INPUT   DROP
 ip6tables --policy OUTPUT  DROP
 ip6tables --policy FORWARD DROP


 ### loopback
 ip6tables --append INPUT  --in-interface lo --jump ACCEPT
 ip6tables --append OUTPUT --out-interface lo --jump ACCEPT


 ### existing connections
 ip6tables --append INPUT  --match conntrack --ctstate ESTABLISHED,RELATED --jump ACCEPT
 ip6tables --append OUTPUT --match conntrack --ctstate ESTABLISHED,RELATED --jump ACCEPT


 ### trashlog chain
 ip6tables --new-chain trashlog
 ip6tables --append trashlog --jump LOG --log-level notice --log-prefix "trashlog: "
 ip6tables --append trashlog --jump DROP


 ### invalid packets
 #ip6tables --append INPUT  --match conntrack --ctstate INVALID --jump trashlog
 ip6tables --append INPUT  --match conntrack --ctstate INVALID --jump DROP

 ### bad extensions headers
 ip6tables --append INPUT  --match rt --rt-type 0 --jump DROP

 ### icmpv6
 # allow neighbor discovery and stateless address autoconfiguration
 ip6tables --new-chain ndp-slaac
 ip6tables --append ndp-slaac --protocol icmpv6 --icmpv6-type router-solicitation    --match hl --hl-eq 255 --jump ACCEPT
 ip6tables --append ndp-slaac --protocol icmpv6 --icmpv6-type router-advertisement   --match hl --hl-eq 255 --jump ACCEPT
 ip6tables --append ndp-slaac --protocol icmpv6 --icmpv6-type neighbor-solicitation  --match hl --hl-eq 255 --jump ACCEPT
 ip6tables --append ndp-slaac --protocol icmpv6 --icmpv6-type neighbor-advertisement --match hl --hl-eq 255 --jump ACCEPT
 ip6tables --append ndp-slaac --protocol icmpv6 --icmpv6-type redirect               --match hl --hl-eq 255 --jump ACCEPT
 ip6tables --append ndp-slaac --protocol icmpv6 --icmpv6-type 130 --match hl --hl-eq 1 --jump ACCEPT
 ip6tables --append ndp-slaac --protocol icmpv6 --icmpv6-type 131 --match hl --hl-eq 1 --jump ACCEPT
 ip6tables --append ndp-slaac --protocol icmpv6 --icmpv6-type 132 --match hl --hl-eq 1 --jump ACCEPT
 ip6tables --append ndp-slaac --protocol icmpv6 --icmpv6-type 143 --match hl --hl-eq 1 --jump ACCEPT
 ip6tables --append INPUT  --protocol icmpv6 --jump ndp-slaac
 # allow echo requests
 ip6tables --append INPUT  --protocol icmpv6 --icmpv6-type echo-request --match conntrack --ctstate NEW --jump ACCEPT
 # drop the rest
 ip6tables --append INPUT  --protocol icmpv6 --jump DROP

 ### services
 # ssh
 ip6tables --append INPUT  --protocol tcp --dport 22 --match conntrack --ctstate NEW --jump ACCEPT
 # ssh obscured
 ip6tables --append INPUT  --protocol tcp --dport 5000 --match conntrack --ctstate NEW --jump ACCEPT
 # random service
 #ip6tables --append INPUT  --protocol tcp --dport 1234 --match conntrack --ctstate NEW --jump ACCEPT
 # reject the rest
 ip6tables --append INPUT  --jump REJECT

 ### outgoing
 ip6tables --append OUTPUT --jump ACCEPT

 echo "done!"
	#!/bin/bash

	echo -n "loading ipv4 packet filter... "

	### clear tables
	iptables --flush
	iptables --delete-chain
	iptables --table mangle --flush
	iptables --table mangle --delete-chain


	### default policies
	iptables --policy INPUT DROP
	iptables --policy OUTPUT DROP
	iptables --policy FORWARD DROP


	### loopback
	iptables --append INPUT --in-interface lo --jump ACCEPT
	iptables --append OUTPUT --out-interface lo --jump ACCEPT


	### existing connections
	iptables --append INPUT --match conntrack --ctstate ESTABLISHED,RELATED --jump ACCEPT
	iptables --append OUTPUT --match conntrack --ctstate ESTABLISHED,RELATED --jump ACCEPT


	### trashlog chain
	iptables --new-chain trashlog
	iptables --append trashlog --jump LOG --log-level notice --log-prefix "trashlog: "
	iptables --append trashlog --jump DROP


	### invalid packets
	#iptables --append INPUT --match conntrack --ctstate INVALID --jump trashlog
	iptables --append INPUT --match conntrack --ctstate INVALID --jump DROP

	### icmp
	# allow echo requests
	iptables --append INPUT --protocol icmp --icmp-type echo-request --match conntrack --ctstate NEW --jump ACCEPT
	# drop the rest
	iptables --append INPUT --protocol icmp --jump DROP

	### services
	# ssh
	iptables --append INPUT --protocol tcp --dport 22 --match conntrack --ctstate NEW --jump ACCEPT
	# ssh obscured
	iptables --append INPUT --protocol tcp --dport 5000 --match conntrack --ctstate NEW --jump ACCEPT
	# random service
	#iptables --append INPUT --protocol tcp --dport 1234 --match conntrack --ctstate NEW --jump ACCEPT
	# reject the rest
	iptables --append INPUT --jump REJECT

	### outgoing
	iptables --append OUTPUT --jump ACCEPT

	echo "done!"
	#!/bin/bash

	echo -n "loading ipv6 packet filter... "

	### clear tables
	ip6tables --flush
	ip6tables --delete-chain
	ip6tables --table mangle --flush
	ip6tables --table mangle --delete-chain


	### default policies
	ip6tables --policy INPUT DROP
	ip6tables --policy OUTPUT DROP
	ip6tables --policy FORWARD DROP


	### loopback
	ip6tables --append INPUT --in-interface lo --jump ACCEPT
	ip6tables --append OUTPUT --out-interface lo --jump ACCEPT


	### existing connections
	ip6tables --append INPUT --match conntrack --ctstate ESTABLISHED,RELATED --jump ACCEPT
	ip6tables --append OUTPUT --match conntrack --ctstate ESTABLISHED,RELATED --jump ACCEPT


	### trashlog chain
	ip6tables --new-chain trashlog
	ip6tables --append trashlog --jump LOG --log-level notice --log-prefix "trashlog: "
	ip6tables --append trashlog --jump DROP


	### invalid packets
	#ip6tables --append INPUT --match conntrack --ctstate INVALID --jump trashlog
	ip6tables --append INPUT --match conntrack --ctstate INVALID --jump DROP

	### bad extensions headers
	ip6tables --append INPUT --match rt --rt-type 0 --jump DROP

	### icmpv6
	# allow neighbor discovery and stateless address autoconfiguration
	ip6tables --new-chain ndp-slaac
	ip6tables --append ndp-slaac --protocol icmpv6 --icmpv6-type router-solicitation --match hl --hl-eq 255 --jump ACCEPT
	ip6tables --append ndp-slaac --protocol icmpv6 --icmpv6-type router-advertisement --match hl --hl-eq 255 --jump ACCEPT
	ip6tables --append ndp-slaac --protocol icmpv6 --icmpv6-type neighbor-solicitation --match hl --hl-eq 255 --jump ACCEPT
	ip6tables --append ndp-slaac --protocol icmpv6 --icmpv6-type neighbor-advertisement --match hl --hl-eq 255 --jump ACCEPT
	ip6tables --append ndp-slaac --protocol icmpv6 --icmpv6-type redirect --match hl --hl-eq 255 --jump ACCEPT
	ip6tables --append ndp-slaac --protocol icmpv6 --icmpv6-type 130 --match hl --hl-eq 1 --jump ACCEPT
	ip6tables --append ndp-slaac --protocol icmpv6 --icmpv6-type 131 --match hl --hl-eq 1 --jump ACCEPT
	ip6tables --append ndp-slaac --protocol icmpv6 --icmpv6-type 132 --match hl --hl-eq 1 --jump ACCEPT
	ip6tables --append ndp-slaac --protocol icmpv6 --icmpv6-type 143 --match hl --hl-eq 1 --jump ACCEPT
	ip6tables --append INPUT --protocol icmpv6 --jump ndp-slaac
	# allow echo requests
	ip6tables --append INPUT --protocol icmpv6 --icmpv6-type echo-request --match conntrack --ctstate NEW --jump ACCEPT
	# drop the rest
	ip6tables --append INPUT --protocol icmpv6 --jump DROP

	### services
	# ssh
	ip6tables --append INPUT --protocol tcp --dport 22 --match conntrack --ctstate NEW --jump ACCEPT
	# ssh obscured
	ip6tables --append INPUT --protocol tcp --dport 5000 --match conntrack --ctstate NEW --jump ACCEPT
	# random service
	#ip6tables --append INPUT --protocol tcp --dport 1234 --match conntrack --ctstate NEW --jump ACCEPT
	# reject the rest
	ip6tables --append INPUT --jump REJECT

	### outgoing
	ip6tables --append OUTPUT --jump ACCEPT

	echo "done!"