IPv6 deployment:IPv6 firewall script
IPv6 firewall script
Note: this page displays very wide because the script's long lines are not wrapped.
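#!/bin/sh
#
# IPv6 packet filter for a small multi-homed host/router, built with ip6tables.
#
# Originally generated by Firewall Builder fwb_ipt v1.0.8-3 on
# Thu Apr 24 15:48:38 2003 PDT by root; hand-edited since, so regenerating it
# from fwbuilder will discard the edits below.
#
# Policy as expressed by the rules:
#   - default DROP on INPUT, OUTPUT and FORWARD
#   - ESTABLISHED/RELATED traffic accepted on all three chains
#   - anti-spoofing on eth3: inbound packets claiming our own address are
#     logged and dropped; outbound packets on eth3 must carry our own address
#   - everything on loopback accepted
#   - new TCP connections to port 80 on the web server accepted (INPUT/OUTPUT)
#   - a final "catch all" logs and drops whatever is left
#
# The <my IPv6 address> / <my web server address> values are placeholders
# carried over from the published listing; fill in FW_ADDR and WEB_ADDR below.
#
# IPv6 forwarding is switched off while the rules are loaded and only
# re-enabled at the end, so nothing is forwarded through a half-built ruleset.
#

#######################################
# Abort the script unless $1 is an executable file.
# Arguments: $1 - path to a required tool
# Outputs:   diagnostic on stdout when the tool is missing
#######################################
check() {
  if test ! -x "$1"; then
    echo "$1 not found or is not executable"
    exit 1
  fi
}

#######################################
# Send a message to syslog at priority "info"; a no-op when $LOGGER is not
# executable. Uses the checked $LOGGER path rather than whatever "logger"
# happens to be first in PATH.
# Globals:   LOGGER (read)
# Arguments: $1 - message
#######################################
log() {
  if test -x "$LOGGER"; then
    "$LOGGER" -p info "$1"
  fi
}

MODPROBE="/sbin/modprobe"
IPTABLES="/sbin/ip6tables"
IP="/sbin/ip"
LOGGER="/usr/bin/logger"
SYSCTL="/sbin/sysctl"

# Addresses used in the rules. These are the placeholders from the published
# listing; replace them with the real global IPv6 addresses before running.
FW_ADDR="<my IPv6 address>"
WEB_ADDR="<my web server address>"

check "$MODPROBE"
check "$IPTABLES"
check "$IP"
check "$SYSCTL"   # forwarding control below is essential; fail early if absent

cd /etc || exit 1

log "Activating firewall script generated Thu Apr 24 15:48:38 2003 PDT by root"

# Disable forwarding until the complete ruleset is in place.
# (sysctl keys are case-sensitive: net.ipv6..., not net.IPv6...)
"$SYSCTL" -w net.ipv6.conf.all.forwarding=0

# Drop neighbour cache entries and fwbuilder-labelled addresses ("<if>:FWB*")
# left behind by an earlier run.
# NOTE(review): the generated script uses "-4" here even though this is the
# IPv6 ruleset — confirm whether "-6" was intended for this deployment.
for iface in eth0 eth3 eth1 eth2; do
  "$IP" -4 neigh flush dev "$iface"
  "$IP" -4 addr flush dev "$iface" label "${iface}:FWB*"
done

# Fail closed before touching any rule, then start from an empty filter table
# so a re-run does not append duplicate rules or fail on "chain already exists".
"$IPTABLES" -P OUTPUT DROP
"$IPTABLES" -P INPUT DROP
"$IPTABLES" -P FORWARD DROP
"$IPTABLES" -F
"$IPTABLES" -X

# Load every IPv6 netfilter module shipped with the running kernel
# (2.4-style ".o" / ".o.gz" module files, as in the original listing).
# Globbing replaces the original "ls | sed" parse; the module directory path
# is lowercase "ipv6" — the filesystem is case-sensitive.
MODULE_DIR="/lib/modules/$(uname -r)/kernel/net/ipv6/netfilter"
for modfile in "$MODULE_DIR"/*.o "$MODULE_DIR"/*.o.gz; do
  [ -e "$modfile" ] || continue   # an unmatched glob stays literal; skip it
  module=${modfile##*/}
  module=${module%%.o*}
  "$MODPROBE" "$module" || exit 1
done

"$IPTABLES" -A INPUT   -m state --state ESTABLISHED,RELATED -j ACCEPT
"$IPTABLES" -A OUTPUT  -m state --state ESTABLISHED,RELATED -j ACCEPT
"$IPTABLES" -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# NOTE(review): these state rules sit ahead of the anti-spoofing chains, so a
# spoofed packet matching an existing conntrack entry is accepted before the
# eth3 source check runs; reorder if that matters for this deployment.

#
# Rule 0(eth3) — anti-spoofing: packets arriving on eth3 that claim our own
# address as source are logged and dropped.
#
"$IPTABLES" -N eth3_In_RULE_0
"$IPTABLES" -A INPUT   -i eth3 -s "$FW_ADDR" -j eth3_In_RULE_0
"$IPTABLES" -A FORWARD -i eth3 -s "$FW_ADDR" -j eth3_In_RULE_0
"$IPTABLES" -A eth3_In_RULE_0 -j LOG --log-level info --log-prefix "RULE 0 -- DROP "
"$IPTABLES" -A eth3_In_RULE_0 -j DROP

#
# Rule 1(eth3) — egress anti-spoofing: only packets carrying our own address
# may leave via eth3; anything else is logged and dropped.
#
"$IPTABLES" -N ptmp001
"$IPTABLES" -A OUTPUT  -o eth3 -j ptmp001
"$IPTABLES" -A FORWARD -o eth3 -j ptmp001
"$IPTABLES" -A ptmp001 -o eth3 -s "$FW_ADDR" -j RETURN
"$IPTABLES" -N eth3_Out_RULE_1_3
"$IPTABLES" -A ptmp001 -o eth3 -j eth3_Out_RULE_1_3
"$IPTABLES" -A eth3_Out_RULE_1_3 -j LOG --log-level info --log-prefix "RULE 1 -- DROP "
"$IPTABLES" -A eth3_Out_RULE_1_3 -j DROP

#
# Rule 0(lo) — allow everything on loopback. (The generated listing carried
# this block twice, as Rule 0(lo) and Rule 1(lo); the second set of appends
# was redundant and is omitted — filtering behaviour is unchanged.)
#
"$IPTABLES" -A INPUT   -i lo -j ACCEPT
"$IPTABLES" -A FORWARD -i lo -j ACCEPT
"$IPTABLES" -A OUTPUT  -o lo -j ACCEPT
"$IPTABLES" -A FORWARD -o lo -j ACCEPT

#
# Rule 1(global) — allow new TCP connections to port 80 on the web server,
# both originated by the firewall (OUTPUT) and arriving at it (INPUT).
#
"$IPTABLES" -A OUTPUT -p tcp -m multiport -d "$WEB_ADDR" --destination-port 80 -m state --state NEW -j ACCEPT
"$IPTABLES" -A INPUT  -p tcp -m multiport -d "$WEB_ADDR" --destination-port 80 -m state --state NEW -j ACCEPT

# NOTE(review): no rule accepts ICMPv6 explicitly. Under a DROP policy,
# neighbour discovery, router advertisements and packet-too-big messages are
# dropped unless the RELATED state covers them — confirm on the target kernel
# before relying on this ruleset.

#
# Rule 7(global) — "catch all": log and drop everything not accepted above.
#
"$IPTABLES" -N RULE_7
"$IPTABLES" -A OUTPUT  -j RULE_7
"$IPTABLES" -A INPUT   -j RULE_7
"$IPTABLES" -A FORWARD -j RULE_7
"$IPTABLES" -A RULE_7 -j LOG --log-level info --log-prefix "RULE 7 -- DROP "
"$IPTABLES" -A RULE_7 -j DROP

# Ruleset complete: re-enable forwarding.
"$SYSCTL" -w net.ipv6.conf.all.forwarding=1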
Internal links
Main article: IPv6 deployment