SixXS::Sunset 2017-06-06

Thoughts on an IPv6 firewall script?
[us] Shadow Hawkins on Thursday, 06 September 2007 20:41:55
I've been trying to come up with a good client-side firewall script for the Linux systems at work, and I finally found something that doesn't block stateless autoconfiguration. Should I prune this further, or tweak it any more?
----
#!/bin/sh
# Add this file to the end of /etc/init.d/rc.local to use
echo "1" >/proc/sys/net/ipv6/conf/all/forwarding

#Flush & default
ip6tables -F INPUT
ip6tables -F OUTPUT
ip6tables -F FORWARD
ip6tables -P INPUT ACCEPT
ip6tables -P OUTPUT ACCEPT
ip6tables -P FORWARD ACCEPT

#Remove RH0 vulnerability
ip6tables -A INPUT -m rt --rt-type 0 -j DROP
ip6tables -A FORWARD -m rt --rt-type 0 -j DROP
ip6tables -A OUTPUT -m rt --rt-type 0 -j DROP

#Allow solicited node (multicast addresses only ever appear as destinations, so match with -d)
ip6tables -A INPUT -d ff02:0:0:0:0:1:ff00::/104 --jump ACCEPT
ip6tables -A OUTPUT -d ff02:0:0:0:0:1:ff00::/104 --jump ACCEPT
ip6tables -A FORWARD -d ff02:0:0:0:0:1:ff00::/104 --jump ACCEPT

#Allow ICMP
ip6tables -A INPUT -p icmpv6 -j ACCEPT
ip6tables -A OUTPUT -p icmpv6 -j ACCEPT
ip6tables -A FORWARD -p icmpv6 -j ACCEPT

#Allow local access; reject outgoing telnet
ip6tables -A INPUT -i lo -j ACCEPT
ip6tables -A OUTPUT -p tcp --dport telnet --jump REJECT

#Allow internal (link-local) addresses
ip6tables -A INPUT -s fe80::/10 --jump ACCEPT
ip6tables -A OUTPUT -s fe80::/10 --jump ACCEPT

#Allow multicast (destination match, see above)
ip6tables -A INPUT -d ff00::/8 --jump ACCEPT
ip6tables -A OUTPUT -d ff00::/8 --jump ACCEPT

#Allow VPN access
ip6tables -A INPUT -s (/48 subnet) --jump ACCEPT
ip6tables -A OUTPUT -s (/48 subnet) --jump ACCEPT

#Disable privileged ports to the outside, except port 515 (LPD)
ip6tables -A INPUT -p tcp --dport 1:514 --jump DROP
ip6tables -A INPUT -p udp --dport 1:514 --jump DROP
ip6tables -A INPUT -p tcp --dport 516:1024 --jump DROP
ip6tables -A INPUT -p udp --dport 516:1024 --jump DROP

#Disable other ports to the outside
ip6tables -A INPUT -p tcp --dport 5900 --jump DROP #VNC
Further Thoughts on an IPv6 firewall script
[us] Shadow Hawkins on Tuesday, 11 September 2007 01:47:29
I have noticed that this script doesn't block stateless autoconfiguration, but does block route advertisements. I have yet to find a way to compensate for this outside of assigning a gateway manually or disabling the firewall.
Better script that actually does work with route advertisements
[us] Shadow Hawkins on Tuesday, 11 September 2007 02:28:40
I was turning on forwarding and forgetting that it nukes route advertisements on IPv6! |:( Anyway, here's a better script that I came up with.
-----
#!/bin/sh
# Add this file to the end of /etc/init.d/rc.local to use

#Flush & default
ip6tables -F INPUT
ip6tables -F OUTPUT
ip6tables -F FORWARD
ip6tables -P INPUT ACCEPT
ip6tables -P OUTPUT ACCEPT
ip6tables -P FORWARD ACCEPT

#Enable the following lines only if a router!
#Enabling IPv6 forwarding disables route-advertisement reception.
#A static gateway will need to be assigned.
#
#echo "1" >/proc/sys/net/ipv6/conf/all/forwarding
#ip6tables -A FORWARD -d ff00::/8 --jump ACCEPT
#ip6tables -A FORWARD -s fe80::/10 --jump ACCEPT
#ip6tables -A FORWARD -p icmpv6 -j ACCEPT
#
#End router forwarding rules

#Remove RH0 vulnerability
ip6tables -A INPUT -m rt --rt-type 0 -j DROP
ip6tables -A OUTPUT -m rt --rt-type 0 -j DROP
ip6tables -A FORWARD -m rt --rt-type 0 -j DROP

#Allow ICMP
ip6tables -A INPUT -p icmpv6 -j ACCEPT
ip6tables -A OUTPUT -p icmpv6 -j ACCEPT

#Allow local access; reject outgoing telnet
ip6tables -A INPUT -i lo -j ACCEPT
ip6tables -A OUTPUT -p tcp --dport telnet --jump REJECT

#Allow internal (link-local) addresses
ip6tables -A INPUT -s fe80::/10 --jump ACCEPT
ip6tables -A OUTPUT -s fe80::/10 --jump ACCEPT

#Allow multicast (multicast addresses only ever appear as destinations, so match with -d)
ip6tables -A INPUT -d ff00::/8 --jump ACCEPT
ip6tables -A OUTPUT -d ff00::/8 --jump ACCEPT

#Allow Global subnet access (enable if required)
#ip6tables -A INPUT -s (global /48) --jump ACCEPT
#ip6tables -A OUTPUT -s (global /48) --jump ACCEPT

#Allow VPN subnet access
ip6tables -A INPUT -s (ULA /48) --jump ACCEPT
ip6tables -A OUTPUT -s (ULA /48) --jump ACCEPT

#Disable privileged ports to the outside, except port 515 (LPD)
ip6tables -A INPUT -p tcp --dport 1:514 --jump DROP
ip6tables -A INPUT -p udp --dport 1:514 --jump DROP
ip6tables -A INPUT -p tcp --dport 516:1024 --jump DROP
ip6tables -A INPUT -p udp --dport 516:1024 --jump DROP

#Disable other ports to the outside
ip6tables -A INPUT -p tcp --dport 5900 --jump DROP #VNC
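The two scripts in this thread keep a default policy of ACCEPT on INPUT and then DROP selected port ranges, accept every ICMPv6 type, and try to allow multicast with a source-address match that can never fire (multicast addresses only appear as destinations). The example below is added here as an editor's illustration and is not the poster's code: it is the same host firewall written the other way round, as an ip6tables-restore file with a DROP policy on INPUT and FORWARD, conntrack for return traffic, the ICMPv6 types that RFC 4890 says a host must receive (with the hop-limit-255 check on Neighbour Discovery, which is what SLAAC and default-route learning ride on), and LPD as the one exposed service. It also addresses the router advertisement problem from the second and third posts: on kernels newer than those posts, setting accept_ra=2 on the uplink keeps RAs working with forwarding enabled, so no static gateway is needed. Assumptions, all placeholders to be replaced: the ULA /48 is fd00::/48, the uplink interface is eth0, and LPD (tcp/515) is reachable only from that /48.

```shell
#!/bin/sh
# Added example (not from the thread): default-deny IPv6 host firewall in
# ip6tables-restore format that still lets SLAAC and router advertisements work.
# Assumptions (placeholders): ULA /48 is fd00::/48, uplink interface is eth0,
# tcp/515 (LPD) is the only service exposed to that /48.
set -u

ULA_PREFIX="${ULA_PREFIX:-fd00::/48}"   # placeholder, replace with your ULA /48
UPLINK="${UPLINK:-eth0}"                # placeholder, the interface that receives RAs

# Print the ruleset. A function so it can be inspected or diffed without root.
ruleset() {
cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Loopback, and replies to connections this host opened.
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Type 0 routing headers (RH0) are deprecated; drop them in every direction.
-A INPUT -m rt --rt-type 0 -j DROP
-A FORWARD -m rt --rt-type 0 -j DROP
-A OUTPUT -m rt --rt-type 0 -j DROP
# ICMPv6 a host must not block (RFC 4890): errors and echo.
-A INPUT -p icmpv6 --icmpv6-type 1 -j ACCEPT
-A INPUT -p icmpv6 --icmpv6-type 2 -j ACCEPT
-A INPUT -p icmpv6 --icmpv6-type 3 -j ACCEPT
-A INPUT -p icmpv6 --icmpv6-type 4 -j ACCEPT
-A INPUT -p icmpv6 --icmpv6-type 128 -j ACCEPT
-A INPUT -p icmpv6 --icmpv6-type 129 -j ACCEPT
# Neighbour Discovery (RS/RA/NS/NA). Legitimate ND is never forwarded,
# so it always arrives with hop limit 255; anything else is spoofed.
-A INPUT -p icmpv6 --icmpv6-type 133 -m hl --hl-eq 255 -j ACCEPT
-A INPUT -p icmpv6 --icmpv6-type 134 -m hl --hl-eq 255 -j ACCEPT
-A INPUT -p icmpv6 --icmpv6-type 135 -m hl --hl-eq 255 -j ACCEPT
-A INPUT -p icmpv6 --icmpv6-type 136 -m hl --hl-eq 255 -j ACCEPT
# MLD (130-132, 143) from link-local sources, so multicast group membership works.
-A INPUT -s fe80::/10 -p icmpv6 --icmpv6-type 130 -j ACCEPT
-A INPUT -s fe80::/10 -p icmpv6 --icmpv6-type 131 -j ACCEPT
-A INPUT -s fe80::/10 -p icmpv6 --icmpv6-type 132 -j ACCEPT
-A INPUT -s fe80::/10 -p icmpv6 --icmpv6-type 143 -j ACCEPT
# The one exposed service: LPD, from the site's ULA /48 only.
-A INPUT -s ${ULA_PREFIX} -p tcp --dport 515 -j ACCEPT
# Everything else on INPUT falls through to the DROP policy.
-A OUTPUT -p tcp --dport 23 -j REJECT
COMMIT
EOF
}

# Load the rules (needs root). With forwarding on, accept_ra=1 ignores RAs,
# which is what the thread ran into; accept_ra=2 keeps accepting them.
apply() {
    ruleset | ip6tables-restore
    if [ "$(cat /proc/sys/net/ipv6/conf/all/forwarding)" = 1 ]; then
        sysctl -w "net.ipv6.conf.${UPLINK}.accept_ra=2" >/dev/null
    fi
}

case "${1:-}" in
    --apply) apply ;;
    *) ruleset ;;          # default: just show what would be loaded
esac
```

Run it without arguments to review the ruleset, and with --apply as root to load it. Because every accepted ICMPv6 type is listed explicitly, adding a new one is a deliberate, reviewable change rather than something the blanket "-p icmpv6 -j ACCEPT" rule silently permits.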


Static Sunset Edition of SixXS
©2001-2017 SixXS - IPv6 Deployment & Tunnel Broker