Hurricane Electric's IPv6 Tunnel Broker Forums

General IPv6 Topics => IPv6 on Routing Platforms => Topic started by: chrisf8657 on February 12, 2011, 02:27:19 AM

Title: Anyone have a ip6tables Firewall for DD-WRT?
Post by: chrisf8657 on February 12, 2011, 02:27:19 AM
Hello guys,

I'm not a Linux expert and have never used ip6tables, but I wanted to know if anyone has a good default ip6tables firewall script to secure my network - right now I'm using DD-WRT and a radvd script to create the Tunnel.

I have only 3 services I need open....8657, 8656 and 5555.

So, anyone out there that has a script?

Mucho gracias!
Title: Re: Anyone have a ip6tables Firewall for DD-WRT?
Post by: jabaep on October 28, 2011, 05:51:38 PM
Hi! I know the post is an old one and I didn't search extensively in the forum, so if somebody came up with a better solution, no harm done. Below is what I'm using (pretty restrictive, yeah, not entirely "netiquette compatible") while testing around IPv6. Don't know if DD-WRT has the tool ip6tables-restore lying around, but if it has, just save this to a file called firewall.txt and do:
# ip6tables-restore <firewall.txt
Otherwise, call it firewall.sh, make it executable (chmod 700 firewall.sh), edit it (vi, joe, nano, pico, any of those will do), delete the lines between *filter and :firewall, and add "ip6tables " before every line, and at the top:
           #!/bin/sh
           ip6tables -P INPUT DROP
           ip6tables -N firewall
$YOURIPV6ENDPOINT is not meant here to be a shell variable if you use the first procedure, but it's handy to add:
YOURIPV6ENDPOINT=2001:db8::1 (or whatever)
as the very first line below the shell of choice.
I assume the use of the sit1 interface per the he.net instructions (worked without a hitch since the very first second)

################################################################################
# Generated by ip6tables-save v1.4.4 on Fri Oct 28 20:46:20 2011
*filter
# Policy set to DROP!!!
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:firewall - [0:0]

# Accept localhost
-A INPUT -s ::1/128 -i lo -j ACCEPT

# Allow any kind of ping on the /64 assigned to you
-A INPUT -s $YOURIPV6SUBNET/64 -i sit1 -p ipv6-icmp -j ACCEPT

# Allow he.net in :)
-A INPUT -s 2001:470:0:76::/64 -i sit1 -p ipv6-icmp -j ACCEPT

# Allow the site from where one of the files for the certification is grabbed
-A INPUT -s 2001:470:0:64::2/128 -d $YOURIPV6ENDPOINT/128 -i sit1 -p tcp -m tcp --sport 1024:65535 --dport 80 -j ACCEPT

# ipv6-test.com site verification for ipv6-enabled webservers
-A INPUT -s 2001:41d0:1:d87c::db:1/128 -d $YOURIPV6ENDPOINT/128 -i sit1 -p tcp -m tcp --sport 1024:65535 --dport 80 -j ACCEPT

# In reply to the case posted by chrisf8657
-A INPUT -d $YOURIPV6ENDPOINT/128 -i sit1 -p tcp -m tcp -m multiport --dports 5555,8656:8657 -j ACCEPT
# If you have some snag with the above one, just use:
-A INPUT -d $YOURIPV6ENDPOINT/128 -i sit1 -p tcp -m tcp --sport 1024:65535 --dport 5555 -j ACCEPT
-A INPUT -d $YOURIPV6ENDPOINT/128 -i sit1 -p tcp -m tcp --sport 1024:65535 --dport 8656:8657 -j ACCEPT

# DNS
-A INPUT -i sit1 -p udp -m udp --sport 53 -j ACCEPT

# FTP
-A INPUT -i sit1 -p tcp -m tcp --sport 20:21 --dport 1024:65535 -j ACCEPT

# rate-limited SSH. The chain below is set to FAIL every time because of the policy we set for INPUT, but don't worry,
# its job is done. Look at /proc/net/xt_recent/SSH_OUTSIDE. Here, we allow only 2 connections/min, everyone else
# is dropped. Legit users won't notice any snag. Adjust per your needs.
-A INPUT -i sit1 -p tcp -m tcp --sport 1024:65535 --dport 22 -m state --state NEW -m recent ! --set --name SSH_OUTSIDE --rsource
-A INPUT -i sit1 -p tcp -m tcp --sport 1024:65535 --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 3 --name SSH_OUTSIDE --rsource -j DROP
-A INPUT -i sit1 -p tcp -m tcp --sport 1024:65535 --dport 22 -j ACCEPT

# Telnet. Just for testing, not very many things out there offering something...
-A INPUT -i sit1 -p tcp -m tcp --sport 23 --dport 1024:65535 -j ACCEPT

# Grant access to the BOFH!!!
-A INPUT -i sit1 -p tcp -m tcp --sport 666 --dport 1024:65535 -j ACCEPT

# Allow web traffic
-A INPUT -i sit1 -p tcp -m tcp --sport 80 --dport 1024:65535 -j ACCEPT

# Same, other ports
-A INPUT -i sit1 -p tcp -m tcp --sport 8080 --dport 1024:65535 -j ACCEPT

# HTTPS
-A INPUT -i sit1 -p tcp -m tcp --sport 443 --dport 1024:65535 -j ACCEPT
-A INPUT -i sit1 -p tcp -m tcp --sport 4443 --dport 1024:65535 -j ACCEPT

# The interface you serve your local network in. Adjust to your needs
-A INPUT -i eth0 -j ACCEPT

# We catch everything else with these
-A INPUT -p ipv6-icmp -j firewall
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j firewall
-A INPUT -p udp -j firewall

# If we're acting as a router for our LAN. Depends on other settings not discussed here
-A FORWARD -i eth0 -j ACCEPT

# We catch everything else with these
-A OUTPUT -p ipv6-icmp -j firewall
-A OUTPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j firewall
-A OUTPUT -p udp -j firewall

# We log everything within these parameters
-A firewall ! -i lo -p ipv6-icmp -j LOG --log-prefix "FWicmpv6: " --log-level 5
-A firewall -i sit1 -p tcp -m tcp ! --dport 1024:65535 -j LOG --log-prefix "FWtcpv6: " --log-level 0
-A firewall -i eth0 -o sit1 -p udp -m udp -j LOG --log-prefix "FWudpv6: " --log-level 5
COMMIT
# Completed on Fri Oct 28 20:46:20 2011
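The manual conversion jabaep describes (drop the *filter/:CHAIN/COMMIT bookkeeping, prefix each rule with "ip6tables ", add a shebang, the INPUT policy and the chain creation) can be automated. The script below is an added example written for this thread, not jabaep's own code; convert_rules is a hypothetical helper name, and it assumes only POSIX sh and awk, both available on DD-WRT builds that ship BusyBox.

```shell
#!/bin/sh
# Added example (not from the forum post): turn an ip6tables-save dump in the
# firewall.txt format above into an executable firewall.sh.
#   * "*filter" and "COMMIT" are dropped (they are restore-file syntax);
#   * ":CHAIN POLICY [pkts:bytes]" becomes "ip6tables -P CHAIN POLICY" for
#     built-in chains or "ip6tables -N CHAIN" for user-defined ones, emitted
#     before any rule that references the chain;
#   * every "-A ..." line is prefixed with "ip6tables ";
#   * comments and blank lines pass through unchanged.
# A flush (-F/-X) is emitted first so re-running the script does not append
# duplicate rules; that step goes beyond the post's manual procedure.
convert_rules() {
    awk '
    NR == 1 {
        print "#!/bin/sh"
        print "# Generated from ip6tables-save output; set YOURIPV6ENDPOINT before running"
        print "YOURIPV6ENDPOINT=${YOURIPV6ENDPOINT:-2001:db8::1}"   # placeholder address
        print "ip6tables -F"      # flush existing rules in all chains
        print "ip6tables -X"      # delete user-defined chains so -N below succeeds
    }
    /^\*/ || /^COMMIT$/ { next }                  # table header and COMMIT are not commands
    /^:[A-Za-z0-9_]+ / {                          # ":CHAIN POLICY [pkts:bytes]"
        chain = substr($1, 2)
        if ($2 == "-") print "ip6tables -N " chain          # user-defined chain
        else           print "ip6tables -P " chain " " $2   # built-in chain policy
        next
    }
    /^-A / { print "ip6tables " $0; next }        # rule line
    { print }                                     # comments and blank lines
    '
}

# Usage: sh convert.sh firewall.txt > firewall.sh && chmod 700 firewall.sh
if [ "$#" -gt 0 ]; then
    convert_rules < "$1"
fi
```

Review the generated firewall.sh before running it: the rules still contain $YOURIPV6ENDPOINT and $YOURIPV6SUBNET, so those shell variables must be set to your tunnel endpoint and routed /64 first.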