Attachment 'ip6tables.conf.txt'

   1 #!/bin/bash
   2 # 
   3 # IPv6 firewall script for Linux 2.6 with IPv6 connection tracking enabled.
   4 # Based on Best Current Practice for Filtering ICMPv6 Messages in Firewalls
   5 # (draft-ietf-v6ops-icmpv6-filtering-bcp-01.txt)
   6 #
   7 # set -x 
   8 
   9 # Set of prefixes on the trusted ("inner") side of the firewall
  10 export INNER_PREFIXES="2001:DB8:85::/60"
  11 # Set of prefixes on the untrusted ("outer") side of the firewall
  12 export OUTER_PREFIXES="2001:DB8:86::/60"
  13 
  14 # Services provided from the inner side:
  15 # Service name must be either PING, DOMAIN 
  16 # or a TCP-based service name from /etc/services.
  17 export SERVICES="PING SSH HTTP DOMAIN"
  18 # Set of hosts providing the given services
  19 export SERVICE_PING="2001:DB8:85::/64"
  20 export SERVICE_SSH="2001:DB8:85::1/64"
  21 export SERVICE_HTTP="2001:DB8:85::1/64"
  22 export SERVICE_DOMAIN="2001:DB8:85::1/64"
  23 
  24 # Services provided from the firewall itself
  25 # Service name must be either PING
  26 # or a TCP-based service name from /etc/services.
  27 export LOCAL_SERVICES="PING SSH"
  28 # Set of hosts for which the services are allowed from the firewall itself
  29 export LOCAL_SERVICE_PING="2001:DB8:85::1/64"
  30 export LOCAL_SERVICE_SSH="2001:DB8:85::1/64"
  31 
  32 # Configuration option: Change this to 1 if the site support
  33 # Mobile IPv6 Home Agents
  34 export HOME_AGENTS_PRESENT=1
  35 # Configuration option: Change this to 1 if the site support
  36 # Mobile IPv6 mobile nodes being present on the site
  37 export MOBILE_NODES_PRESENT=1
  38 
  39 # The ip6tables command
  40 ip6tables=ip6tables
  41 
  42 # Create logging chains in order to record every
  43 # accepted session and denied packet
  44 for type in accept drop
  45 do
  46 	target=`echo $type | tr [a-z] [A-Z]`
  47 	$ip6tables -N $type
  48 	$ip6tables -A $type -j LOG --log-prefix "${target}: "
  49 	$ip6tables -A $type -j $target
  50 done
  51 
  52 # Create a chain to accept the selected list of ICMPv6 reply 
  53 # packets only (established or related)
  54 $ip6tables -N icmpv6-state
  55 
  56 # List all accepted ICMPv6 error type/code
  57 export ACCEPT_ICMPV6_TYPE=""
  58 # Allow destination unreachable messages
  59 ACCEPT_ICMPV6_TYPE="$ACCEPT_ICMPV6_TYPE destination-unreachable"
  60 # Allow Packet Too Big messages
  61 ACCEPT_ICMPV6_TYPE="$ACCEPT_ICMPV6_TYPE packet-too-big"
  62 # Allow time exceeded code 0 and 1 messages
  63 ACCEPT_ICMPV6_TYPE="$ACCEPT_ICMPV6_TYPE ttl-zero-during-transit"
  64 ACCEPT_ICMPV6_TYPE="$ACCEPT_ICMPV6_TYPE ttl-zero-during-reassembly"
  65 # Allow parameter problem code 1 and 2 messages
  66 ACCEPT_ICMPV6_TYPE="$ACCEPT_ICMPV6_TYPE unknown-header-type"
  67 ACCEPT_ICMPV6_TYPE="$ACCEPT_ICMPV6_TYPE unknown-option"
  68 
  69 # Established: allow ICMPv6 echo reply packets
  70 $ip6tables -A icmpv6-state -p icmpv6 --icmpv6-type echo-reply -j ACCEPT
  71 
  72 # Related: allow the selected list of ICMPv6 packets related to 
  73 # existing traffic
  74 for icmpv6_type in $ACCEPT_ICMPV6_TYPE
  75 do
  76 	$ip6tables -A icmpv6-state -p icmpv6 --icmpv6-type $icmpv6_type -j ACCEPT
  77 done
  78 
  79 # Deny anything else as established,related ICMPv6 packet
  80 $ip6tables -A icmpv6-state -j drop
  81 
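#
# Forwarded traffic between the Internet and the inner side
#

# Allow reply packets and packets related to existing connections;
# ICMPv6 replies are filtered further in the icmpv6-state chain.
$ip6tables -A FORWARD -p icmpv6 -m state --state ESTABLISHED,RELATED \
  -j icmpv6-state
# Extrapositioned negation ("! -p") is the form ip6tables accepts without
# a deprecation warning; "-p ! icmpv6" means the same thing.
$ip6tables -A FORWARD ! -p icmpv6 -m state --state ESTABLISHED,RELATED \
  -j ACCEPT

# Drop INVALID packets, so NEW packets remain only
$ip6tables -A FORWARD -m state --state INVALID -j drop

# Allow outbound requests from prefixes which belong to the site
for inner_prefix in $INNER_PREFIXES; do
  $ip6tables -A FORWARD -s "$inner_prefix" -j accept
done

# Split incoming requests into protocol-dependent sub-chains

# Allow inbound protocol requests towards only the predetermined hosts:
# one chain per service, named after the lower-cased service name, which
# accepts the request when its destination is listed in SERVICE_<NAME>.
for service in $SERVICES; do
  # Quote the tr classes: an unquoted [A-Z] is a shell glob and could be
  # replaced by a single-letter file name from the current directory.
  proto=$(printf '%s' "$service" | tr '[:upper:]' '[:lower:]')
  $ip6tables -N "$proto"
  case $proto in
    domain)
      # DNS is the only service carried over UDP as well as TCP
      $ip6tables -A FORWARD -p tcp --dport domain -j "$proto"
      $ip6tables -A FORWARD -p udp --dport domain -j "$proto"
      ;;
    ping)
      $ip6tables -A FORWARD -p icmpv6 --icmpv6-type echo-request -j "$proto"
      ;;
    *)
      $ip6tables -A FORWARD -p tcp --dport "$proto" -j "$proto"
      ;;
  esac
  # Indirect expansion instead of eval: the service name never reaches
  # the shell parser this way.
  hosts_var="SERVICE_$service"
  hosts=${!hosts_var}
  if [ -z "$hosts" ]; then
    # An empty list leaves the service chain without accept rules, so the
    # requests fall back into FORWARD and reach its final drop rule; say
    # so instead of failing silently.
    printf 'warning: %s is empty, %s requests will be dropped\n' \
      "$hosts_var" "$service" >&2
  fi
  for host in $hosts; do
    $ip6tables -A "$proto" -d "$host" -j accept
  done
done
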
 127 # If there are mobile ipv6 home agents present on the
 128 # trusted side allow
 129 if [ "$HOME_AGENTS_PRESENT" -eq "1" ]
 130 then
 131   for inner_prefix in $INNER_PREFIXES
 132   do
 133  	# 144: incoming Home Agent address discovery request
 134  	# 145: outgoing Home Agent address discovery reply
 135  	# 146: incoming Mobile prefix solicitation
 136  	# 147: outgoing Mobile prefix advertisement
 137  	for type in 144 146
 138  	do
 139  		$ip6tables -A FORWARD -p icmpv6 --icmpv6-type $type \
 140  			-d $inner_prefix -j ACCEPT
 141  	done
 142  	for type in 145 147
 143  	do
 144  		$ip6tables -A FORWARD -p icmpv6 --icmpv6-type $type \
 145  			-s $inner_prefix -j ACCEPT
 146  	done
 147  done
 148 fi
 149 
 150 # If there are roaming mobile nodes present on the
 151 # trusted side allow
 152 if [ "$MOBILE_NODES_PRESENT" -eq "1" ]
 153 then
 154   for inner_prefix in $INNER_PREFIXES
 155   do
 156  	# 144: incoming Home Agent address discovery request
 157  	# 145: outgoing Home Agent address discovery reply
 158  	# 146: incoming Mobile prefix solicitation
 159  	# 147: outgoing Mobile prefix advertisement
 160  	for type in 144 146
 161  	do
 162  		$ip6tables -A FORWARD -p icmpv6 --icmpv6-type $type \
 163  			-s $inner_prefix -j ACCEPT
 164  	done
 165  	for type in 145 147
 166  	do
 167  		$ip6tables -A FORWARD -p icmpv6 --icmpv6-type $type \
 168  			-d $inner_prefix -j ACCEPT
 169  	done
 170  done
 171 fi
 172 
 173 # DROP EVERYTHING ELSE
 174 $ip6tables -A FORWARD -j drop
 175 
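#
# Traffic to and from the firewall itself
#

# Allow outbound traffic (every new session is logged through the
# accept chain)
$ip6tables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$ip6tables -A OUTPUT -m state --state NEW -j accept
$ip6tables -A OUTPUT -j drop

# Basic loopback and localhost communication
$ip6tables -A INPUT -i lo -j ACCEPT
# NOTE(review): the next two rules are not bound to an interface, so they
# also match packets carrying ::1 that arrive on a non-loopback
# interface; the -i lo rule above already covers genuine loopback traffic.
$ip6tables -A INPUT -s ::1 -j ACCEPT
$ip6tables -A INPUT -d ::1 -j ACCEPT

# Neighbour discovery:
# DAD
$ip6tables -A INPUT -p icmpv6 -d ff02::/16 -j ACCEPT
# RS, RA, NS, NA, redirect...
$ip6tables -A INPUT -p icmpv6 -s fe80::/10 -d fe80::/10 -j ACCEPT

# Allow any link-local multicast traffic
$ip6tables -A INPUT -s fe80::/10 -d ff02::/16 -j ACCEPT
for prefix in $INNER_PREFIXES $OUTER_PREFIXES; do
  $ip6tables -A INPUT -s "$prefix" -d ff02::/16 -j ACCEPT
done

# Allow reply packets and packets related to existing connections;
# ICMPv6 replies are filtered further in the icmpv6-state chain.
$ip6tables -A INPUT -p icmpv6 -m state --state ESTABLISHED,RELATED \
  -j icmpv6-state
# Extrapositioned negation ("! -p") is the form ip6tables accepts without
# a deprecation warning; "-p ! icmpv6" means the same thing.
$ip6tables -A INPUT ! -p icmpv6 -m state --state ESTABLISHED,RELATED \
  -j ACCEPT

# Drop INVALID packets, so NEW packets remain only
$ip6tables -A INPUT -m state --state INVALID -j drop

# Allow inbound protocol requests from the predetermined hosts only.
# The allowed sources are LOCAL_SERVICE_<NAME>, the lists declared for
# the services of the firewall itself; SERVICE_<NAME> lists the inner
# hosts that provide the forwarded services and must not be used here.
for service in $LOCAL_SERVICES; do
  # Quote the tr classes: an unquoted [A-Z] is a shell glob and could be
  # replaced by a single-letter file name from the current directory.
  proto=$(printf '%s' "$service" | tr '[:upper:]' '[:lower:]')
  # Indirect expansion instead of eval: the service name never reaches
  # the shell parser this way.
  hosts_var="LOCAL_SERVICE_$service"
  hosts=${!hosts_var}
  if [ -z "$hosts" ]; then
    # Without sources no rule is added and the service stays unreachable
    # on the firewall; say so instead of failing silently.
    printf 'warning: %s is empty, %s is not reachable on the firewall\n' \
      "$hosts_var" "$service" >&2
  fi
  for host in $hosts; do
    case $proto in
      ping)
        $ip6tables -A INPUT -p icmpv6 --icmpv6-type echo-request \
          -s "$host" -j accept
        ;;
      *)
        $ip6tables -A INPUT -p tcp --dport "$proto" \
          -s "$host" -j accept
        ;;
    esac
  done
done

# DROP EVERYTHING ELSE
$ip6tables -A INPUT -j drop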