ip6tables firewall script

Started by phuss, April 03, 2009, 03:29:35 PM


phuss

Hello,
I want to set up a simple firewall for my IPv6 tunnel connection, so I wonder if this script is enough?
Will there be any problem with my tunnel? I really don't know if the public interface
should be my IPv4 interface (eth0) or my IPv6 tunnel interface "tunnelx".


#!/bin/bash
IPT6="/sbin/ip6tables"
PUBIF="tunnelx"

# flush and delete all existing rules and user chains
$IPT6 -F
$IPT6 -X
$IPT6 -t mangle -F
$IPT6 -t mangle -X

# unlimited access to loopback
$IPT6 -A INPUT -i lo -j ACCEPT
$IPT6 -A OUTPUT -o lo -j ACCEPT

# DROP all traffic that no rule below accepts
$IPT6 -P INPUT DROP
$IPT6 -P OUTPUT DROP
$IPT6 -P FORWARD DROP

# Allow full outgoing connections but no incoming ones
# (needs the IPv6 connection tracking module for the state match)
$IPT6 -A INPUT -i $PUBIF -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT6 -A OUTPUT -o $PUBIF -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

# allow ICMPv6 (ping, and the error messages IPv6 depends on)
$IPT6 -A INPUT -i $PUBIF -p ipv6-icmp -j ACCEPT
$IPT6 -A OUTPUT -o $PUBIF -p ipv6-icmp -j ACCEPT

############# add your custom rules below ############
### open IPv6 port 22
#$IPT6 -A INPUT -i $PUBIF -p tcp --destination-port 22 -j ACCEPT

############ End custom rules ################

#### no need to edit below ###
# log everything else, then drop it
$IPT6 -A INPUT -i $PUBIF -j LOG
$IPT6 -A INPUT -i $PUBIF -j DROP

Thanks in advance!


kriteknetworks

Try it and see.

Are there any services listening on IPv6 that you're blocking access to?

lsof -i6 to see

phuss

#lsof -i6
COMMAND  PID USER   FD   TYPE DEVICE SIZE NODE NAME
sshd    2378 root    4u  IPv6   6374       TCP *:ssh (LISTEN)
smbd    2473 root   19u  IPv6   6564       TCP *:microsoft-ds (LISTEN)
smbd    2473 root   20u  IPv6   6566       TCP *:netbios-ssn (LISTEN)


When I run the firewall script, those get blocked by the online port scanner, so it seems to work ;)
http://www.subnetonline.com/pages/ipv6-network-tools/online-ipv6-port-scanner.php

phuss

Hmm, now I'm not able to connect to IRC anymore when I'm running my new ip6tables script.

15:10 -!- Irssi: Looking up ipv6.chat.freenode.net
15:10 -!- Irssi: Connecting to ipv6.chat.freenode.net [2001:1418:13:1::25] port 6667
15:10 -!- Irssi: Connection lost to ipv6.chat.freenode.net
15:10 -!- Irssi: Looking up irc.efnet.nl
15:10 -!- Irssi: Connecting to  [2001:7b8:3:3f:201:2ff:fef6:574e] port 6667


But I can ping both IRC servers. And when I disable the ip6tables script I can log in.

Any idea what's wrong with my script?



kriteknetworks

You're not allowing port(s) used by IRC is my guess. You really should be referring to the man page for ip(6)tables while looking at your firewall script; that way you'll know what each line means, and does.

snarked

When you eventually open port 22 (ssh), it's best not to make it world-reachable.  At least block the IP ranges assigned to continents other than the one that you're on.

As currently given, your firewall will allow locally initiated sessions but not remote ones. Certain applications may require both.
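An added example, not phuss's script and not from anyone in the thread: the same policy as the first post (anything outbound over the tunnel, nothing inbound except ICMPv6 and an explicit list of TCP ports) written as a shell function so the ruleset can be dry-run with `echo` standing in for ip6tables and checked before it is loaded for real. The variable names `IPT6`, `PUBIF` and `OPEN_TCP` and the functions `fw_rules`, `fw_dry_run` and `fw_rule_count` are this example's own. Two things differ from the posted script on purpose: reply traffic and ICMPv6 are accepted on every interface, not only on `$PUBIF`, because neighbour discovery on the LAN link is also ICMPv6 and is dropped by an OUTPUT policy of DROP that only opens the tunnel interface; and the LOG rule is rate-limited so a scan cannot fill the log. Stateful matching assumes the kernel has IPv6 connection tracking loaded.

```shell
#!/bin/sh
# Added example, not the script from the thread.
# Run as-is (root) to load the rules; run fw_dry_run to see them first.

IPT6="${IPT6:-/sbin/ip6tables}"   # real binary, or "echo" for a dry run
PUBIF="${PUBIF:-tunnelx}"         # tunnel interface from the original post
OPEN_TCP="${OPEN_TCP:-}"          # space-separated TCP ports to expose, e.g. "22"

fw_rules() {
    # start from an empty table
    $IPT6 -F
    $IPT6 -X
    $IPT6 -t mangle -F
    $IPT6 -t mangle -X

    # default deny in every direction
    $IPT6 -P INPUT DROP
    $IPT6 -P FORWARD DROP
    $IPT6 -P OUTPUT DROP

    # loopback is unrestricted
    $IPT6 -A INPUT -i lo -j ACCEPT
    $IPT6 -A OUTPUT -o lo -j ACCEPT

    # replies to sessions this host started, on any interface
    # (requires the IPv6 conntrack module; the rule fails to load without it)
    $IPT6 -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT6 -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # ICMPv6 on all interfaces: ping, packet-too-big, neighbour discovery
    $IPT6 -A INPUT -p ipv6-icmp -j ACCEPT
    $IPT6 -A OUTPUT -p ipv6-icmp -j ACCEPT

    # new outbound sessions only over the tunnel
    $IPT6 -A OUTPUT -o "$PUBIF" -m conntrack --ctstate NEW -j ACCEPT

    # explicitly exposed TCP services
    for port in $OPEN_TCP; do
        $IPT6 -A INPUT -i "$PUBIF" -p tcp --dport "$port" \
            -m conntrack --ctstate NEW -j ACCEPT
    done

    # log what the tunnel delivers and nothing above accepted, rate-limited,
    # then drop it explicitly so the counters show what the policy catches
    $IPT6 -A INPUT -i "$PUBIF" -m limit --limit 5/min \
        -j LOG --log-prefix "ip6tables drop: "
    $IPT6 -A INPUT -i "$PUBIF" -j DROP
}

# print the ip6tables commands instead of running them
fw_dry_run() {
    (IPT6=echo; fw_rules)
}

# number of rules that would be appended (handy for a sanity check)
fw_rule_count() {
    fw_dry_run | grep -c '^-A '
}

# load for real only when invoked directly, not when sourced for testing
case "$0" in
    *fw.sh) fw_rules ;;
esac
```

Save it as fw.sh, run `sh fw.sh` from a shell where `OPEN_TCP="22"` is exported to expose ssh, or source it and call `fw_dry_run` to review the exact commands before touching the live table. The base ruleset appends 9 rules; each port in `OPEN_TCP` adds one more.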