Basic ip6tables setup: reject all inbound IPv6 traffic except loopback, ICMPv6, DHCPv6 and replies to connections the host already opened; also reject all forwarded traffic.
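#!/usr/bin/env bash
#
# Basic host firewall for IPv6: accept loopback, ICMPv6, DHCPv6 and replies
# to connections this host opened; reject everything else inbound, and reject
# all transit (FORWARD) traffic.
#
# References:
#   http://serverfault.com/questions/410321/debian-ip6tables-rules-setup-for-ipv6/410327#410327
#   http://ipset.netfilter.org/iptables.man.html
#   https://www.sixxs.net/wiki/IPv6_Firewalling
#   https://www.cyberciti.biz/faq/ip6tables-ipv6-firewall-for-linux/
#   https://gist.github.com/thomasfr/9712418
#   https://gist.github.com/SnakeDrak/f4150f6e517e5a1d525f
#   http://www.thegeekstuff.com/2011/06/iptables-rules-examples
#   http://www.thegeekstuff.com/scripts/iptables-rules
#   http://serverfault.com/questions/702016/why-does-ip6tables-a-input-j-drop-blocks-outgoing-server-connections
#
# Usage (must run as root):
#   sudo ./ip6tables-setup.sh
#   sudo ip6tables -S                         # list the active rules
#   sudo systemctl stop|restart|status ip6tables
#   curl -6 -X GET http://www.google.com/     # outbound traffic still works
#
# Caveats:
#   * Only the filter table is touched; nat, mangle and raw are left alone.
#   * Rules are applied one at a time, so between the flush and the final
#     REJECT there is a short window in which all inbound traffic is accepted.
#     If that matters, write the rule set to a file and load it atomically
#     with ip6tables-restore instead.
#   * The save path and service name are those of RHEL/CentOS
#     (iptables-services). On Debian/Ubuntu use netfilter-persistent and
#     /etc/iptables/rules.v6.

set -euo pipefail

# File the ip6tables service loads at boot (ip6tables-restore format).
readonly SAVE_FILE=/etc/sysconfig/ip6tables

# Netfilter changes require root; fail early instead of half-way through.
if (( EUID != 0 )); then
  printf 'error: this script must be run as root\n' >&2
  exit 1
fi

# Verify the tools exist BEFORE touching any rule: a missing binary must not
# leave the host flushed but never locked down.
for tool in ip6tables ip6tables-save systemctl; do
  if ! command -v "$tool" >/dev/null 2>&1; then
    printf 'error: required command not found: %s\n' "$tool" >&2
    exit 1
  fi
done

# Start from a clean filter table: flush all rules and delete user chains.
ip6tables -F
ip6tables -X

# Default policies stay ACCEPT on purpose: the explicit REJECT rules at the
# end of INPUT and FORWARD do the blocking, and they answer the peer (RST /
# ICMPv6) instead of silently dropping, see the comments further down.
ip6tables -P INPUT ACCEPT
ip6tables -P FORWARD ACCEPT
ip6tables -P OUTPUT ACCEPT

# The "IPv6 Routing Header Type 0" (RH0) mitigation would go here, before
# any other rule (http://natisbad.org/RH0/). Kernels since 2.6.21.1 drop RH0
# packets themselves, so no rule is added; check with: uname -r
# (e.g. 3.10.0-327.36.3.el7.x86_64)

# Replies to connections we already allowed, plus related traffic (e.g.
# ICMPv6 errors for them).
ip6tables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

# ICMPv6 is not optional in IPv6: neighbour discovery, router advertisements
# and path-MTU discovery all depend on it, so accept all of it. To be
# stricter, RFC 4890 lists the types that must never be filtered.
ip6tables -A INPUT -p ipv6-icmp -j ACCEPT

# Everything on the loopback interface.
ip6tables -A INPUT -i lo -j ACCEPT

# DHCPv6 client traffic: server/relay -> client on UDP port 546, addressed to
# our link-local address. Not needed with SLAAC-only or static configuration.
# Replies come from link-local sources, so "-s fe80::/10" can be added to
# tighten this further.
ip6tables -A INPUT -d fe80::/64 -p udp -m udp --dport 546 -m conntrack --ctstate NEW -j ACCEPT

# ----------------------------------------------------------------------------
# Custom rules go here, e.g. to allow SSH:
#
# ip6tables -A INPUT -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
# ----------------------------------------------------------------------------

# Finally reject whatever did not match. The intent is to look like a host
# without a firewall, i.e. ports appear "closed" rather than "filtered":
#  - TCP is answered with a RST, exactly as a closed port would ("Connection
#    refused" on the client). Port scanners such as nmap classify a RST as
#    "closed" but an ICMPv6 unreachable of any code as "filtered", so a RST
#    is required to get the "closed" result for TCP.
#  - Everything else is answered with port-unreachable, which is what a
#    closed UDP port returns anyway.
# Do NOT use "icmp6-adm-prohibited" here: it explicitly advertises an
# administrative block, which defeats the purpose.
ip6tables -A INPUT -p tcp -j REJECT --reject-with tcp-reset
ip6tables -A INPUT -j REJECT --reject-with icmp6-port-unreachable

# This host is not a router: refuse transit traffic and say so.
ip6tables -A FORWARD -j REJECT --reject-with icmp6-adm-prohibited

# ----------------------------------------------------------------------------
# Persist the rule set so the ip6tables service restores it at boot, then
# reload the service (it runs ip6tables-restore on SAVE_FILE).
ip6tables-save > "$SAVE_FILE"
systemctl restart ip6tables.service

# Show the resulting rules.
ip6tables -S

# No rules after a reboot? The service is probably not enabled (the IPv4
# counterpart is iptables.service):
#   sudo systemctl enable ip6tables.service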