Hello,
I want to set up a simple firewall for my IPv6 tunnel connection, so I wonder if this script is enough?
Will there be any problem with my tunnel? I really don't know if the public interface
should be my IPv4 interface (eth0) or my IPv6 tunnel interface "tunnelx".
#!/bin/bash
IPT6="/sbin/ip6tables"
PUBIF="tunnelx"
# flush all rules and delete user-defined chains in the filter and mangle tables
$IPT6 -F
$IPT6 -X
$IPT6 -t mangle -F
$IPT6 -t mangle -X
# unlimited access to loopback
$IPT6 -A INPUT -i lo -j ACCEPT
$IPT6 -A OUTPUT -o lo -j ACCEPT
# default policy: DROP everything not explicitly accepted below
# (applies to every interface, not only $PUBIF)
$IPT6 -P INPUT DROP
$IPT6 -P OUTPUT DROP
$IPT6 -P FORWARD DROP
# Allow full outgoing connections but no incoming stuff
$IPT6 -A INPUT -i $PUBIF -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT6 -A OUTPUT -o $PUBIF -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
# allow ICMPv6 in both directions (ping, and error messages such as
# Packet Too Big that IPv6 path MTU discovery depends on)
$IPT6 -A INPUT -i $PUBIF -p ipv6-icmp -j ACCEPT
$IPT6 -A OUTPUT -o $PUBIF -p ipv6-icmp -j ACCEPT
############# add your custom rules below ############
### open IPv6 port 22
#$IPT6 -A INPUT -i $PUBIF -p tcp --destination-port 22 -j ACCEPT
############ End custom rules ################
#### no need to edit below ###
# log everything else (rate-limited so a scan cannot flood the syslog), then drop it
$IPT6 -A INPUT -i $PUBIF -m limit --limit 5/min -j LOG --log-prefix "ip6tables drop: "
$IPT6 -A INPUT -i $PUBIF -j DROP
Thanks in advance!
Try it and see.
Are there any services listening on IPv6 that you're blocking access to?
Run lsof -i6 to see.
#lsof -i6
COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
sshd 2378 root 4u IPv6 6374 TCP *:ssh (LISTEN)
smbd 2473 root 19u IPv6 6564 TCP *:microsoft-ds (LISTEN)
smbd 2473 root 20u IPv6 6566 TCP *:netbios-ssn (LISTEN)
When I run the firewall script, those show as blocked by the online port scanner, so it seems to work ;)
http://www.subnetonline.com/pages/ipv6-network-tools/online-ipv6-port-scanner.php
Hmm, now I'm not able to connect to IRC anymore when I'm running my new ip6tables script.
15:10 -!- Irssi: Looking up ipv6.chat.freenode.net
15:10 -!- Irssi: Connecting to ipv6.chat.freenode.net [2001:1418:13:1::25] port 6667
15:10 -!- Irssi: Connection lost to ipv6.chat.freenode.net
15:10 -!- Irssi: Looking up irc.efnet.nl
15:10 -!- Irssi: Connecting to [2001:7b8:3:3f:201:2ff:fef6:574e] port 6667
But I can ping both IRC servers. And when I disable the ip6tables script I can log in.
Any idea what's wrong with my script?
You're not allowing port(s) used by irc is my guess. You really should be referring to the man page for ip(6)tables while looking at your firewall script, that way you'll know what each line means, and does.
When you eventually open port 22 (ssh), it's best not to make it world-reachable. At least block the IP ranges assigned to continents other than the one that you're on.
As currently given, your firewall will allow locally initiated sessions but not remote ones. Certain applications may require both.
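To see what the posted INPUT and OUTPUT chains actually decide, here is an added Python simulator (not code from the thread) that walks the rules first-match against constructed packets; the interface names come from the script, the port numbers and conntrack states are constructed. It also evaluates a what-if in which the state-match rule is absent (for example because the conntrack match could not be loaded), where TCP replies are dropped while ICMPv6 still passes; that is one failure mode consistent with "ping works but IRC does not", offered as a possibility, not a diagnosis.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Pkt:
    iface: str            # interface the packet arrives on / leaves by
    proto: str            # "tcp" or "ipv6-icmp"
    dport: Optional[int]  # destination port (constructed values in the tests)
    state: str            # conntrack state: NEW, ESTABLISHED or RELATED

# Rules in the order the posted script appends them. Each rule is
# (iface, proto, dport, states, target); None means "match anything".
INPUT_CHAIN = [
    ("lo",      None,        None, None,                       "ACCEPT"),
    ("tunnelx", None,        None, {"ESTABLISHED", "RELATED"}, "ACCEPT"),
    ("tunnelx", "ipv6-icmp", None, None,                       "ACCEPT"),
    ("tunnelx", None,        None, None,                       "LOG"),
    ("tunnelx", None,        None, None,                       "DROP"),
]
OUTPUT_CHAIN = [
    ("lo",      None,        None, None,                              "ACCEPT"),
    ("tunnelx", None,        None, {"NEW", "ESTABLISHED", "RELATED"}, "ACCEPT"),
    ("tunnelx", "ipv6-icmp", None, None,                              "ACCEPT"),
]
POLICY = "DROP"  # the script sets -P DROP on INPUT, OUTPUT and FORWARD

def matches(rule, pkt):
    iface, proto, dport, states, _ = rule
    return ((iface is None or iface == pkt.iface)
            and (proto is None or proto == pkt.proto)
            and (dport is None or dport == pkt.dport)
            and (states is None or pkt.state in states))

def evaluate(chain, pkt):
    """First-match walk: LOG is non-terminating, any other target ends it.
    Returns (verdict, logged); packets matching no rule get the chain policy."""
    logged = False
    for rule in chain:
        if not matches(rule, pkt):
            continue
        if rule[4] == "LOG":
            logged = True
        else:
            return rule[4], logged
    return POLICY, logged

def without_state_rule(chain):
    """Assumed what-if: the same chain minus its state-match rule."""
    return [r for r in chain if r[3] is None]
```

Traffic arriving on eth0 never matches a rule, so it hits the DROP policy silently; only tunnel traffic reaches the LOG rule.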