Here is a startup script for ip6tables:
#!/bin/sh
### BEGIN INIT INFO
# Provides:          ip6tablesRules0001
# Required-Start:    $remote_fs $syslog
# Required-Stop:     $remote_fs $syslog
# X-Start-Before:    kdm gdm xdm hal
# X-Stop-After:      kdm gdm xdm hal
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# Short-Description: load ip6tables rules
# Description:       Sets default-drop IPv6 filter policies and the
#                    INPUT, OUTPUT and FORWARD rules below.
### END INIT INFO
set -e
# Get lsb functions
. /lib/lsb/init-functions

load_rules() {
#------------ ip6tables rules start --------------------
# Start from a clean filter table: flush rules, delete user chains.
ip6tables -F
ip6tables -X
# Default policies: anything INPUT/FORWARD does not explicitly accept is dropped.
ip6tables -P INPUT DROP
ip6tables -P OUTPUT ACCEPT
ip6tables -P FORWARD DROP
# Loopback is always allowed.
ip6tables -A INPUT -i lo -j ACCEPT
# IPv6 does not work without ICMPv6: Neighbor Discovery (types 133-136)
# replaces ARP and Packet Too Big (type 2) drives path MTU discovery. Accept
# the error and ND messages ahead of the INVALID and catch-all drops below,
# which would otherwise discard them. Add type 128 if the host should answer ping.
for t in 1 2 3 4 133 134 135 136; do
    ip6tables -A INPUT -p ipv6-icmp --icmpv6-type "$t" -j ACCEPT
done
# Drop TCP that tries to start a connection without SYN, and the
# all-flags / no-flags packets used by scanners.
ip6tables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
ip6tables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
ip6tables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
# Log, then drop, packets the connection tracker cannot classify.
ip6tables -A INPUT -m state --state INVALID -j LOG --log-level 4 --log-prefix 'InvalidDrop '
ip6tables -A INPUT -m state --state INVALID -j DROP
# Rate-limited log sample of the remaining inbound traffic.
ip6tables -A INPUT -m limit --limit 2/min -j LOG --log-level 4 --log-prefix 'In2/m '
# Replies to connections this host opened, and related ones (e.g. FTP data).
ip6tables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# The original version of this script also accepted inbound TCP by remote
# *source* port (80, 443, 21) with the three rules below. The peer chooses its
# own source port, so such a rule lets any host bypass the filter simply by
# sending from port 80, and the reply traffic it was meant for is already
# covered by the ESTABLISHED,RELATED rule above. Kept here disabled for reference:
# ip6tables -A INPUT -p tcp --sport 80 -j ACCEPT
# ip6tables -A INPUT -p tcp --sport 443 -j ACCEPT
# ip6tables -A INPUT -p tcp --sport 21 -j ACCEPT
# Everything else: log, then drop.
ip6tables -A INPUT -j LOG --log-level 4 --log-prefix 'InDrop '
ip6tables -A INPUT -j DROP
# Outbound: loopback, a sparse log sample, then allow.
ip6tables -A OUTPUT -o lo -j ACCEPT
ip6tables -A OUTPUT -m limit --limit 6/hour -j LOG --log-level 4 --log-prefix 'OutAllow6/h '
ip6tables -A OUTPUT -j ACCEPT
#------------ ip6tables rules end --------------------
}

case "${1:-start}" in
    start|restart|reload|force-reload) load_rules ;;
    stop) ;;  # keep the rules; flushing them at shutdown would leave the host open
    status) ip6tables -L -n -v ;;
    *) echo "Usage: $0 {start|stop|restart|status}" >&2; exit 1 ;;
esac
Save this script as /etc/init.d/ip6tablesRules0001, e.g.
gedit /etc/init.d/ip6tablesRules0001
Make it executable:
chmod +x /etc/init.d/ip6tablesRules0001
Make it run at boot time (update-rc.d takes the script name, so there is no need to cd into /etc/init.d first):
update-rc.d ip6tablesRules0001 defaults
The older form, update-rc.d ip6tablesRules0001 start 01 2 3 4 5 . stop 99 0 1 6 ., does the same on old releases; current versions of update-rc.d ignore explicit sequence numbers and order scripts from the LSB header instead, which is why the X-Start-Before line in the header matters. On a distribution that has switched to systemd the script is still run through the SysV compatibility path, but the packaged way to persist rules there is netfilter-persistent with /etc/iptables/rules.v6.
After a reboot,
ip6tables -L -n -v
should list the rules together with their packet counters (-n skips the reverse DNS lookups that would otherwise slow the listing down). ip6tables -S prints the same ruleset as the commands that created it, which is the easier form to compare against the script.
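Reading the ip6tables -L listing by eye is a poor check for the two mistakes most easily made in a script like this: accepting inbound TCP by the remote source port, and forgetting that IPv6 needs ICMPv6 to function. The following audit script is an added example, not part of the original post. It reads rules in ip6tables -S format and flags an open INPUT or FORWARD policy, any INPUT ACCEPT keyed only on --sport, and the absence of an ICMPv6 accept. The two rule dumps embedded in it are constructed samples (the first corresponds to what the post's script loads), and the function names and the --demo switch are my own.

```sh
#!/bin/sh
# Added example: audit an ip6tables ruleset dump for the pitfalls discussed above.
# audit_ip6_rules reads "ip6tables -S" style lines on stdin, prints one line per
# finding and returns the number of findings (exit status wraps past 255).

audit_ip6_rules() {
    findings=0
    icmp6_ok=0
    while IFS= read -r line; do
        case "$line" in
            # Open default policy: anything no rule matches gets in.
            "-P INPUT ACCEPT"|"-P FORWARD ACCEPT")
                echo "POLICY: $line (expected DROP)"
                findings=$((findings + 1)) ;;
            # ACCEPT keyed only on the remote source port. The peer picks that
            # port, so the rule restricts nothing; ESTABLISHED,RELATED already
            # covers the reply traffic such rules are usually written for.
            "-A INPUT "*"--sport "*"-j ACCEPT")
                case "$line" in
                    *"--dport "*|*"--state "*|*"--ctstate "*) ;;
                    *)  echo "SPORT: $line (remote source port is attacker-controlled)"
                        findings=$((findings + 1)) ;;
                esac ;;
            # Any ACCEPT for ICMPv6 in INPUT counts as "ND can get through".
            "-A INPUT "*"-p ipv6-icmp "*"-j ACCEPT"|"-A INPUT "*"-p icmpv6 "*"-j ACCEPT")
                icmp6_ok=1 ;;
        esac
    done
    if [ "$icmp6_ok" -eq 0 ]; then
        echo "ICMPV6: no ACCEPT for ipv6-icmp in INPUT (Neighbor Discovery and Packet Too Big will be dropped)"
        findings=$((findings + 1))
    fi
    return "$findings"
}

# Constructed sample in "ip6tables -S" format: the ruleset the post's script
# loads, i.e. source-port ACCEPTs and no ICMPv6 rule.
sample_dump() {
    cat <<'EOF'
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --sport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --sport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --sport 21 -j ACCEPT
-A INPUT -j DROP
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -j ACCEPT
EOF
}

# Constructed sample of a ruleset the audit passes: ICMPv6 ND accepted,
# services opened by destination port only.
hardened_dump() {
    cat <<'EOF'
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 135 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 136 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -j DROP
-A OUTPUT -j ACCEPT
EOF
}

# No argument: only define the functions. --demo: audit the constructed sample.
# Anything else is a file of rules, e.g.  ip6tables -S | sh ip6audit.sh /dev/stdin
case "${1:-}" in
    "")     ;;
    --demo) sample_dump | audit_ip6_rules ;;
    *)      audit_ip6_rules < "$1" ;;
esac
```

On the sample dump the audit reports the three --sport rules and the missing ICMPv6 accept; on the hardened dump it reports nothing and exits 0, which makes it usable as a post-reboot check in a cron job or a configuration-management run.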