IPv6 deployment:IPv6 firewall script


IPv6 firewall script

Note: this will display wide because the long lines are not wrapped.

#!/bin/sh 
#
#  This is an automatically generated file. DO NOT MODIFY !
#
#  Firewall Builder  fwb_ipt v1.0.8-3 
#
#  Generated Thu Apr 24 15:48:38 2003 PDT by root
#
#
#
#
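check() {
  # Abort unless $1 is an executable file. The diagnostic goes to stderr so it
  # is not lost when the script's stdout is redirected.
  #   $1 - absolute path of a required tool
  # Exits with status 1 when the tool is missing or not executable.
  if [ ! -x "$1" ]; then
    printf '%s not found or is not executable\n' "$1" >&2
    exit 1
  fi
}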

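log() {
  # Send $1 to syslog at priority "info" when the logger binary configured in
  # $LOGGER exists; a silent no-op otherwise (syslog is optional here).
  # Runs "$LOGGER" itself rather than whichever `logger` is first on PATH, so
  # the executable that was tested is the one that actually runs.
  #   $1 - message text
  if [ -x "$LOGGER" ]; then
    "$LOGGER" -p info "$1"
  fi
}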

# Absolute paths of every external tool the script drives. Only the first
# three are hard requirements; logger is optional (see log()) and sysctl is
# not verified before it is used.
MODPROBE="/sbin/modprobe"
IPTABLES="/sbin/ip6tables"
IP="/sbin/ip"
LOGGER="/usr/bin/logger"
SYSCTL="/sbin/sysctl"

# Verify the required tools before any policy is touched, so a missing binary
# aborts cleanly instead of leaving the firewall half-configured.
check "$MODPROBE"
check "$IPTABLES"
check "$IP"

# NOTE(review): the generator runs the ruleset from /etc; the reason is not
# evident from the script itself.
cd /etc || exit 1

log "Activating firewall script generated Thu Apr 24 15:48:38 2003 PDT by root"

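va_num=1   # emitted by the generator but never read in this script

# Fail closed: stop forwarding before the old ruleset is replaced so nothing is
# routed while the chains are in flux; it is switched back on as the last step.
# Linux sysctl keys are lowercase ("net.ipv6..."); the mixed-case spelling in
# the original listing is not a valid key.
"$SYSCTL" -w net.ipv6.conf.all.forwarding=0

# Clear neighbour caches and any "ethN:FWB*" labelled addresses left behind by
# a previous run. NOTE(review): the generator emitted these with "-4" although
# this is an IPv6 ruleset; as written they touch only IPv4 state — confirm
# whether "-6" was intended.
for dev in eth0 eth3 eth1 eth2; do
  "$IP" -4 neigh flush dev "$dev"
  "$IP" -4 addr flush dev "$dev" label "${dev}:FWB*"
done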


# Default-deny before any ACCEPT rule exists: for the rest of the load, and for
# anything the rules below do not explicitly allow, packets are dropped on all
# three built-in chains.
"$IPTABLES" -P INPUT   DROP
"$IPTABLES" -P OUTPUT  DROP
"$IPTABLES" -P FORWARD DROP

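# Load the IPv6 netfilter kernel modules shipped with the running kernel.
# The directory follows the 2.4-era layout ("ipv6", lowercase, and ".o"
# objects); the mixed-case "IPv6" path in the original listing does not exist
# on a case-sensitive filesystem.
MODULE_DIR="/lib/modules/$(uname -r)/kernel/net/ipv6/netfilter"

#######################################
# modprobe every NAME.o / NAME.o.gz found in a directory.
# Globals:   MODPROBE (read); mod_dir, mod_path, mod_name (POSIX sh has no
#            `local`, so these leak into the global scope)
# Arguments: $1 - module directory; silently ignored if it does not exist
# Outputs:   whatever modprobe prints
# Returns:   0; exits the script with status 1 if a modprobe fails (the
#            chains already have policy DROP at this point, so the host is
#            left closed rather than half-configured)
#######################################
load_netfilter_modules() {
  mod_dir=$1
  [ -d "$mod_dir" ] || return 0
  # Glob instead of parsing `ls`; the shell sorts matches the same way.
  for mod_path in "$mod_dir"/*.o*; do
    case $mod_path in
      *.o|*.o.gz) [ -e "$mod_path" ] || continue ;;
      *) continue ;;
    esac
    mod_name=${mod_path##*/}
    mod_name=${mod_name%%.o*}   # same cut as the original `sed "s/\.o.*$//"`
    "$MODPROBE" "$mod_name" || exit 1
  done
}
load_netfilter_modules "$MODULE_DIR"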


# Stateful fast path: packets that conntrack ties to a connection an earlier
# ACCEPT already admitted pass without re-evaluating the per-rule list below,
# so only NEW packets need an explicit rule.
"$IPTABLES" -A INPUT   -m state --state ESTABLISHED,RELATED -j ACCEPT
"$IPTABLES" -A OUTPUT  -m state --state ESTABLISHED,RELATED -j ACCEPT
"$IPTABLES" -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

# 
# Rule 0(eth3)
# 
# Anti-spoofing rule
# 
# Ingress anti-spoofing on eth3: a packet arriving on eth3 that carries the
# address in <my IPv6 address> (a placeholder to fill in; presumably the
# firewall's own address) as its source cannot be legitimate. It is diverted to
# a dedicated chain that logs it with prefix "RULE 0 -- DROP " and drops it, so
# every spoofing attempt leaves a syslog trace.
"$IPTABLES" -N eth3_In_RULE_0
"$IPTABLES" -A INPUT   -i eth3 -s <my IPv6 address> -j eth3_In_RULE_0
"$IPTABLES" -A FORWARD -i eth3 -s <my IPv6 address> -j eth3_In_RULE_0
"$IPTABLES" -A eth3_In_RULE_0 -j LOG --log-level info --log-prefix "RULE 0 -- DROP "
"$IPTABLES" -A eth3_In_RULE_0 -j DROP
# 
# Rule 1(eth3)
# 
# Anti-spoofing rule
# 
# Egress anti-spoofing on eth3. ptmp001 is a generator-made helper chain:
# traffic leaving via eth3 from <my IPv6 address> (placeholder) RETURNs and
# continues through the later rules; anything else leaving eth3 with a
# different source is logged as "RULE 1 -- DROP " and discarded.
# NOTE(review): because FORWARD is hooked as well, forwarded traffic from any
# other source address out eth3 is dropped here too — confirm that matches the
# intended topology.
"$IPTABLES" -N ptmp001
"$IPTABLES" -A OUTPUT  -o eth3 -j ptmp001
"$IPTABLES" -A FORWARD -o eth3 -j ptmp001
"$IPTABLES" -A ptmp001 -o eth3 -s <my IPv6 address> -j RETURN
"$IPTABLES" -N eth3_Out_RULE_1_3
"$IPTABLES" -A ptmp001 -o eth3 -j eth3_Out_RULE_1_3
"$IPTABLES" -A eth3_Out_RULE_1_3 -j LOG --log-level info --log-prefix "RULE 1 -- DROP "
"$IPTABLES" -A eth3_Out_RULE_1_3 -j DROP
# 
# Rule 0(lo)
# 
# allow everything on loopback
# 
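# Loopback is fully trusted in both directions. The generator emitted this set
# twice ("Rule 0(lo)" and "Rule 1(lo)"); the second copy is omitted because an
# identical rule appended after an ACCEPT in the same chain can never match.
"$IPTABLES" -A INPUT   -i lo -j ACCEPT
"$IPTABLES" -A FORWARD -i lo -j ACCEPT
"$IPTABLES" -A OUTPUT  -o lo -j ACCEPT
"$IPTABLES" -A FORWARD -o lo -j ACCEPT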
# 
# Rule 1(global)
# 
# allow access from the firewall on certain ports
# 
# HTTP (TCP/80) to <my web server address> (placeholder): new connections are
# allowed from the firewall itself (OUTPUT) and to it (INPUT).
# NOTE(review): no FORWARD rule is generated, so if the web server is a separate
# host behind the firewall its traffic still ends in the catch-all drop below —
# confirm the intended placement. "-m multiport" with a single
# --destination-port is a generator idiom; a plain --dport should behave the
# same.
"$IPTABLES" -A OUTPUT -p tcp -m multiport -d <my web server address> --destination-port 80 -m state --state NEW -j ACCEPT
"$IPTABLES" -A INPUT  -p tcp -m multiport -d <my web server address> --destination-port 80 -m state --state NEW -j ACCEPT
# 
# Rule 7(global)
#
# 
# "catch all" rule
# 
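# Default-deny catch-all: anything not accepted above is logged with prefix
# "RULE 7 -- DROP " and dropped. The chain policies already discard it; the
# explicit chain exists so the drop shows up in syslog.
# NOTE(review): the LOG target is unthrottled — a burst of unmatched packets
# becomes a burst of syslog lines; putting "-m limit" in front of the LOG rule
# is the usual mitigation if that becomes a problem.
"$IPTABLES" -N RULE_7
"$IPTABLES" -A OUTPUT  -j RULE_7
"$IPTABLES" -A INPUT   -j RULE_7
"$IPTABLES" -A FORWARD -j RULE_7
"$IPTABLES" -A RULE_7 -j LOG --log-level info --log-prefix "RULE 7 -- DROP "
"$IPTABLES" -A RULE_7 -j DROP

# Ruleset complete: re-enable forwarding, which was disabled at the top of the
# script. The sysctl key is lowercase; the mixed-case "net.IPv6..." in the
# original listing is not a valid key.
"$SYSCTL" -w net.ipv6.conf.all.forwarding=1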

Internal links

Main article: IPv6 deployment