Sunday, May 27, 2012

ip6tables on Debian Linux

Both iptables (for IPv4) and ip6tables (for IPv6) can be used as firewalls; the rules below only affect IPv6 traffic.

Here is a startup script for ip6tables:

#!/bin/sh
### BEGIN INIT INFO
# Provides:          ip6tablesRules0001
# Required-Start:    $remote_fs $syslog
# Required-Stop:     $remote_fs $syslog
# X-Start-Before:    kdm gdm xdm hal
# X-Stop-After:      kdm gdm xdm hal
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# Short-Description: give ip6tables settings
# Description:       you can add input, output and
#                    forward rules
### END INIT INFO

set -e

# Get lsb functions
. /lib/lsb/init-functions

#------------       ip6tables rules start --------------------
# Flush the filter table and set the default policies: drop unsolicited
# inbound and all forwarded traffic, allow everything outbound.
ip6tables -F
ip6tables -P INPUT DROP
ip6tables -P OUTPUT ACCEPT
ip6tables -P FORWARD DROP
# Drop malformed TCP: new connections that do not begin with SYN, and
# packets with every flag set (XMAS scan) or no flag set (NULL scan).
ip6tables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
ip6tables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
ip6tables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
# Log, then drop, packets the connection tracker cannot classify.
ip6tables -A INPUT -m state --state INVALID -j LOG --log-level 4 --log-prefix 'InvalidDrop '
ip6tables -A INPUT -m state --state INVALID -j DROP
# Loopback is always allowed.
ip6tables -A INPUT -i lo -j ACCEPT
# Sample the remaining inbound traffic to the log, at most two lines a minute.
ip6tables -A INPUT -m limit --limit 2/min -j LOG --log-level 4 --log-prefix 'In2/m '
# Replies to connections this host opened.
ip6tables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Note: the next three rules accept NEW inbound TCP purely on the remote
# source port, which the remote side chooses; replies to outbound HTTP,
# HTTPS and FTP are already covered by the ESTABLISHED,RELATED rule above.
ip6tables -A INPUT -p tcp --sport 80 -j ACCEPT
ip6tables -A INPUT -p tcp --sport 443 -j ACCEPT
ip6tables -A INPUT -p tcp --sport 21 -j ACCEPT
# Note: no ICMPv6 is accepted, so inbound neighbour discovery and router
# advertisements fall through to the log-and-drop rules below.
# Everything else: log, then drop.
ip6tables -A INPUT -j LOG --log-level 4 --log-prefix 'InDrop '
ip6tables -A INPUT -j DROP
# Outbound: allow loopback, log a sample (six lines an hour), allow the rest.
ip6tables -A OUTPUT -o lo -j ACCEPT
ip6tables -A OUTPUT -m limit --limit 6/hour -j LOG --log-level 4 --log-prefix 'OutAllow6/h '
ip6tables -A OUTPUT -j ACCEPT

#------------       ip6tables rules end --------------------

Save this script as /etc/init.d/ip6tablesRules0001, e.g.

gedit /etc/init.d/ip6tablesRules0001

Make it executable:

chmod +x /etc/init.d/ip6tablesRules0001

Make it run at boot time:

cd /etc/init.d

update-rc.d ip6tablesRules0001 start 01 2 3 4 5 . stop 99 0 1 6 .

After restarting the computer,

ip6tables -L

should display the rules.
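As an added check (not part of the original post): a small POSIX sh audit that reads an INPUT chain in `ip6tables -S INPUT` form and flags the weak points of the ruleset above, namely ACCEPT rules keyed on a source port and the absence of an ICMPv6 allow. The sample chain is constructed here to mirror the script, not captured from a host.

```shell
#!/bin/sh
# Audit an ip6tables INPUT chain given in `ip6tables -S INPUT` form.
# Added example: the chain below is a constructed sample mirroring the
# script above; on a live host run:  ip6tables -S INPUT | audit_ip6_input
SAMPLE_RULES='-P INPUT DROP
-A INPUT -m state --state INVALID -j DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -m tcp --sport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --sport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --sport 21 -j ACCEPT
-A INPUT -j DROP'

# Reads a chain on stdin, prints one WARN line per finding.
# Returns 0 when nothing was flagged, 1 otherwise.
audit_ip6_input() {
    rules=$(cat)
    status=0

    # 1. Default policy should be DROP so unmatched packets are not let in.
    if ! printf '%s\n' "$rules" | grep -q '^-P INPUT DROP$'; then
        echo "WARN: INPUT policy is not DROP"
        status=1
    fi

    # 2. ACCEPT keyed on a TCP source port: the remote peer picks its own
    #    source port, so such a rule admits NEW connections to every local
    #    port. Replies are already handled by the ESTABLISHED,RELATED rule.
    n=$(printf '%s\n' "$rules" | grep -- '--sport' | grep -c -- '-j ACCEPT' || true)
    if [ "$n" -gt 0 ]; then
        echo "WARN: $n ACCEPT rule(s) keyed on source port"
        status=1
    fi

    # 3. IPv6 needs inbound ICMPv6 (neighbour discovery, router
    #    advertisements, packet-too-big); with policy DROP and no ICMPv6
    #    ACCEPT the host loses basic IPv6 connectivity.
    if ! printf '%s\n' "$rules" | grep -E -- '-p (ipv6-icmp|icmpv6|58) ' | grep -q -- '-j ACCEPT'; then
        echo "WARN: no ICMPv6 ACCEPT rule; neighbour discovery is dropped"
        status=1
    fi
    return $status
}

# Demonstration on the constructed sample: prints the two WARN lines.
if printf '%s\n' "$SAMPLE_RULES" | audit_ip6_input; then
    echo "INPUT chain: no findings"
fi
```

The function only inspects the INPUT chain; run it with `ip6tables -S INPUT` as its input after the init script has applied the rules.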
