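# Author
# ======
# Chris Hills (chaz@chaz6.com)
#
# Current Version
# ===============
# v0.06
#
# ChangeLog
# =========
#
# - Mon 22 Feb 2010 (v0.06)
#   - Permit icmpv6 echo request/reply for forwarded packets
# - Fri 19 Feb 2010 (v0.05)
#   - Fix typo
# - Thu 04 Feb 2010 (v0.04)
#   - Use sysctl instead of "echo 1>.."
# - Sat 31 Oct 2009 (v0.03)
#   - Add fine-grained rules for icmpv6 types 3 and 4
# - Thu 09 Jul 2009 (v0.02)
#   - Added suggestion to block rt type 0 packets

########################################################################
# Start of firewall rules
########################################################################
#
# Purpose: install an IPv6 filter ruleset for a host that also forwards
# IPv6 (the "Rules for routing" section) and serves traffic itself (the
# "Generic server rules" section further down). All three filter chains
# default to DROP before any ACCEPT rule or the forwarding sysctl is
# applied, so a partial run fails closed rather than open.

# Set location of ip6tables
IP6TABLES=/sbin/ip6tables

# Set location of sysctl
SYSCTL=/sbin/sysctl

# Refuse to run unless both tools are really there. Without this check a
# wrong IP6TABLES path makes every rule below fail with "command not
# found" while the sysctl call still turns forwarding on -- i.e. the box
# becomes an unfiltered IPv6 router (the kernel's built-in policy with no
# ruleset loaded is ACCEPT).
for tool in "$IP6TABLES" "$SYSCTL"; do
  if [ ! -x "$tool" ]; then
    printf 'firewall: %s not found or not executable\n' "$tool" >&2
    exit 1
  fi
done

# Start from a clean filter table: flush every chain and delete any
# user-defined chains a previous run may have left behind. -X is a no-op
# when there are none.
$IP6TABLES -F
$IP6TABLES -X

# Default policies: everything not explicitly accepted below is dropped.
# These are set BEFORE forwarding is enabled and before any ACCEPT rule,
# so there is no window in which traffic passes unfiltered.
$IP6TABLES -P INPUT DROP
$IP6TABLES -P FORWARD DROP
$IP6TABLES -P OUTPUT DROP

# Routing Header type 0 (RH0) is deprecated by RFC 5095 because it
# allows traffic amplification; recent kernels do not process RH0 at
# all, which is why these rules are optional. Enable them where the
# "rt" match is available and the kernel is old enough to matter.
# $IP6TABLES -A INPUT -m rt --rt-type 0 -j DROP
# $IP6TABLES -A OUTPUT -m rt --rt-type 0 -j DROP
# $IP6TABLES -A FORWARD -m rt --rt-type 0 -j DROP

########################################################################
# Rules for routing
########################################################################

# Allow forwarding of IPv6 packets. This comes after the DROP policies on
# purpose (see above). NOTE: on Linux, setting forwarding=1 also makes
# the host stop honouring Router Advertisements for its own addresses
# unless accept_ra is set to 2 -- confirm this is what you want.
$SYSCTL -w net.ipv6.conf.all.forwarding=1

# Allow forwarded packets that belong to, or relate to, a tracked flow
# (e.g. ICMPv6 errors for an existing TCP connection).
$IP6TABLES -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT

# RFC 4890: ICMPv6 messages a router must or should let through.
#   1      destination unreachable
#   2      packet too big (required for Path MTU discovery; never drop)
#   3/0,1  time exceeded
#   4/0-2  parameter problem
#   128/9  echo request / reply
# The remaining types (130-133, 141-143, 148-149, 151-153) are link-local
# ND/MLD/SEND/MRD messages sent with hop limit 255 that a router will not
# forward anyway (RFC 4890 section 4.3.3); they are kept in the list for
# parity with the original ruleset and are harmless here.
for icmptype in 1 2 3/0 3/1 4/0 4/1 4/2 128 129 130 131 132 133 141 142 143 148 149 151 152 153; do
  $IP6TABLES -A FORWARD -p icmpv6 --icmpv6-type "$icmptype" -j ACCEPT
done

# Mobile IPv6 home agent / mobile prefix discovery (types 144-147).
for icmptype in 144 145 146 147; do
  $IP6TABLES -A FORWARD -p icmpv6 --icmpv6-type "$icmptype" -j ACCEPT
done

# Forward all TCP, UDP and SCTP in BOTH directions. This is a transparent
# router, not a perimeter firewall: nothing here distinguishes inside
# from outside or NEW from ESTABLISHED for these protocols. For any real
# deployment restrict these with -i/-o and "-m state --state NEW" on the
# trusted interface only.
$IP6TABLES -A FORWARD -p tcp -j ACCEPT
$IP6TABLES -A FORWARD -p udp -j ACCEPT
$IP6TABLES -A FORWARD -p sctp -j ACCEPT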
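########################################################################
# Generic server rules
########################################################################
#
# Host-side (INPUT/OUTPUT) rules. INPUT is deny-by-default with explicit
# ICMPv6 allowances plus reply traffic for tracked connections; OUTPUT
# accepts all TCP/UDP/SCTP, i.e. there is no egress filtering.

# Loopback traffic, all protocols. Match on the interface rather than on
# "-s ::1 -d ::1": packets the host sends to one of its own non-loopback
# addresses also travel over lo but carry that address, not ::1, and the
# conntrack state of their first packet on INPUT is still NEW, so they
# were dropped before. The OUTPUT side was missing entirely, leaving any
# non-tcp/udp/sctp loopback traffic to the OUTPUT DROP policy.
$IP6TABLES -A INPUT -i lo -j ACCEPT
$IP6TABLES -A OUTPUT -o lo -j ACCEPT

# Allow but rate-limit echo request/reply (types 128/129). Anything over
# the limit falls through to the LOG rule and the DROP policy.
$IP6TABLES -A INPUT -p icmpv6 --icmpv6-type 128 -m limit --limit 900/min -j ACCEPT
$IP6TABLES -A INPUT -p icmpv6 --icmpv6-type 129 -m limit --limit 900/min -j ACCEPT
$IP6TABLES -A OUTPUT -p icmpv6 --icmpv6-type 128 -m limit --limit 900/min -j ACCEPT
$IP6TABLES -A OUTPUT -p icmpv6 --icmpv6-type 129 -m limit --limit 900/min -j ACCEPT

# Neighbour Discovery on the local link: 133 RS, 134 RA, 135 NS, 136 NA,
# 137 Redirect. RFC 4861 requires these to be sent with hop limit 255,
# so "--hl-eq 255" rejects anything that has crossed a router (a cheap
# off-link spoofing check). NOTE(review): accepting 137 Redirects on a
# host that forwards is normally undesirable -- consider dropping 137 or
# setting net.ipv6.conf.all.accept_redirects=0 alongside this ruleset.
for icmptype in 133 134 135 136 137; do
  $IP6TABLES -A INPUT -p icmpv6 --icmpv6-type "$icmptype" -m hl --hl-eq 255 -j ACCEPT
  $IP6TABLES -A OUTPUT -p icmpv6 --icmpv6-type "$icmptype" -m hl --hl-eq 255 -j ACCEPT
done

# RFC 4890 types for end hosts (errors, MLD, inverse ND, SEND, MRD), with
# rate-limiting. Always go through $IP6TABLES: the original called a bare
# "ip6tables" here, which silently installs nothing if the binary is not
# on PATH even though every other rule uses the configured path.
for icmptype in 1 2 3/0 3/1 4/0 4/1 4/2 130 131 132 141 142 143 148 149 151 152; do
  $IP6TABLES -A INPUT -p icmpv6 --icmpv6-type "$icmptype" -m limit --limit 900/min -j ACCEPT
  $IP6TABLES -A OUTPUT -p icmpv6 --icmpv6-type "$icmptype" -m limit --limit 900/min -j ACCEPT
done

# Mobile prefix discovery: requests (144, 146) may leave the host ...
for icmptype in 144 146; do
  $IP6TABLES -A OUTPUT -p icmpv6 --icmpv6-type "$icmptype" -m limit --limit 900/min -j ACCEPT
done

# ... and only replies (145, 147) are accepted inbound.
for icmptype in 145 147; do
  $IP6TABLES -A INPUT -p icmpv6 --icmpv6-type "$icmptype" -m limit --limit 900/min -j ACCEPT
done

# Log whatever ICMPv6 did not match above before the INPUT policy drops
# it. The LOG target itself is rate-limited so an unsolicited ICMPv6
# flood cannot fill the log (the original logged every packet).
$IP6TABLES -A INPUT -p icmpv6 -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "dropped ICMPv6"

# Outbound TCP/UDP/SCTP is unrestricted (no egress policy) ...
$IP6TABLES -A OUTPUT -p tcp -j ACCEPT
$IP6TABLES -A OUTPUT -p udp -j ACCEPT
$IP6TABLES -A OUTPUT -p sctp -j ACCEPT

# ... and only reply/related traffic for those flows is accepted inbound.
# No inbound service ports are opened by this file; add them per host.
# NOTE(review): stateful SCTP matching presumably needs the SCTP
# conntrack helper loaded on older kernels -- verify on the target.
$IP6TABLES -A INPUT -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
$IP6TABLES -A INPUT -p udp -m state --state ESTABLISHED,RELATED -j ACCEPT
$IP6TABLES -A INPUT -p sctp -m state --state ESTABLISHED,RELATED -j ACCEPT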