
@oko
Last active April 12, 2016 17:15

Revisions

  1. oko revised this gist Jan 1, 2015. 2 changed files with 47 additions and 64 deletions.
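--- a/ip6tables.rules
+++ b/ip6tables.rules
@@ -0,0 +1,47 @@
+*filter
+:INPUT DROP [0:0]
+:FORWARD DROP [0:0]
+:OUTPUT ACCEPT [33:2996]
+:ICMP - [0:0]
+:TCP - [0:0]
+:UDP - [0:0]
+-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
+-A INPUT -i lo -j ACCEPT
+-A INPUT -p icmpv6 -j ICMP
+-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m conntrack --ctstate NEW -j TCP
+-A INPUT -p udp -m conntrack --ctstate NEW -j UDP
+-A TCP -p tcp -m tcp --dport 80 -j ACCEPT
+
+-A TCP -p tcp -m tcp --dport 443 -j ACCEPT
+# ICMPv6 per RFC 4890
+# - Available --icmpv6-type arguments via `ip6tables -p ipv6-icmp -h`
+### ICMP6 Error
+-A ICMP -p icmpv6 --icmpv6-type destination-unreachable -j ACCEPT
+-A ICMP -p icmpv6 --icmpv6-type packet-too-big -j ACCEPT
+-A ICMP -p icmpv6 --icmpv6-type time-exceeded -j ACCEPT
+-A ICMP -p icmpv6 --icmpv6-type parameter-problem -j ACCEPT
+## ICMP6 Echo
+-A ICMP -p icmpv6 --icmpv6-type echo-request -m limit --limit 900/sec -j ACCEPT
+-A ICMP -p icmpv6 --icmpv6-type echo-reply -m limit --limit 900/sec -j ACCEPT
+## Other ICMPv6
+-A ICMP -p icmpv6 --icmpv6-type router-advertisement -m hl --hl-eq 255 -j ACCEPT
+-A ICMP -p icmpv6 --icmpv6-type neighbor-solicitation -m hl --hl-eq 255 -j ACCEPT
+-A ICMP -p icmpv6 --icmpv6-type neighbor-advertisement -m hl --hl-eq 255 -j ACCEPT
+-A ICMP -p icmpv6 --icmpv6-type redirect -m hl --hl-eq 255 -j ACCEPT
+## Link-Local Multicast
+-A ICMP -p icmpv6 --icmpv6-type 130 -m hl --hl-eq 255 -j ACCEPT
+-A ICMP -p icmpv6 --icmpv6-type 131 -m hl --hl-eq 255 -j ACCEPT
+-A ICMP -p icmpv6 --icmpv6-type 132 -m hl --hl-eq 255 -j ACCEPT
+-A ICMP -p icmpv6 --icmpv6-type 143 -m hl --hl-eq 255 -j ACCEPT
+## SEND Cert Path Notification
+-A ICMP -p icmpv6 --icmpv6-type 141 -m hl --hl-eq 255 -j ACCEPT
+-A ICMP -p icmpv6 --icmpv6-type 142 -m hl --hl-eq 255 -j ACCEPT
+## Multicast Router Discovery
+-A ICMP -p icmpv6 --icmpv6-type 151 -m hl --hl-eq 255 -j ACCEPT
+-A ICMP -p icmpv6 --icmpv6-type 152 -m hl --hl-eq 255 -j ACCEPT
+-A ICMP -p icmpv6 --icmpv6-type 153 -m hl --hl-eq 255 -j ACCEPT
+
+-A ICMP -j DROP
+-A TCP -j REJECT --reject-with icmp6-port-unreachable
+-A UDP -j REJECT --reject-with icmp6-port-unreachable
+COMMIT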
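Review bot: The echo-request and echo-reply rules use `-m limit --limit 900/sec`, which is a rate limit in name only — 900 pings per second is far above what a host normally sees, so the match almost never engages, whereas the script this file replaces used 15/sec. If the goal is to blunt ping floods, bring the figure back down (e.g. `-m limit --limit 15/sec --limit-burst 30`) and decide deliberately whether unsolicited echo-reply needs accepting at all, since conntrack normally classifies replies to the host's own pings as ESTABLISHED and they pass the first INPUT rule already. That first rule also uses the legacy `-m state --state RELATED,ESTABLISHED` while the TCP and UDP dispatch lines use `-m conntrack --ctstate`; switch it to `-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT` so the file uses one match module. For the TCP fall-through, `--reject-with tcp-reset` is the conventional answer to a SYN and matches what a genuinely closed port would send.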
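--- a/ip6tables.sh
+++ b/ip6tables.sh
@@ -1,64 +0,0 @@
-#!/bin/sh
-IP6T="$(which ip6tables)"
-
-# Default Chain Policies
-$IP6T -P INPUT DROP
-$IP6T -P FORWARD DROP
-$IP6T -P OUTPUT ACCEPT
-
-# Create TCP, UDP, ICMP chains
-$IP6T -N TCP
-$IP6T -N UDP
-$IP6T -N ICMP
-
-# Allow related/established connections
-$IP6T -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-
-# Allow connections from loopback
-$IP6T -A INPUT -i lo -j ACCEPT
-
-# Send ICMP requests to ICMP chain
-$IP6T -A INPUT -p ipv6-icmp -j ICMP
-
-# Send TCP requests to TCP chain
-$IP6T -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m conntrack --ctstate NEW -j TCP
-
-# Send UDP requests to UDP chain
-$IP6T -A INPUT -p udp -m conntrack --ctstate NEW -j UDP
-
-########################################
-# ICMP packet handling
-########################################
-# Allow ICMPv6 ECHO (ping req/resp)
-$IP6T -A ICMP -p ipv6-icmp -m icmp6 --icmpv6-type 128 -m limit --limit 15/sec -j ACCEPT
-$IP6T -A ICMP -p ipv6-icmp -m icmp6 --icmpv6-type 129 -m limit --limit 15/sec -j ACCEPT
-# Other ICMP types
-$IP6T -A ICMP -p ipv6-icmp -m icmp6 --icmpv6-type 133 -m hl --hl-eq 255 -j ACCEPT
-$IP6T -A ICMP -p ipv6-icmp -m icmp6 --icmpv6-type 134 -m hl --hl-eq 255 -j ACCEPT
-$IP6T -A ICMP -p ipv6-icmp -m icmp6 --icmpv6-type 135 -m hl --hl-eq 255 -j ACCEPT
-$IP6T -A ICMP -p ipv6-icmp -m icmp6 --icmpv6-type 136 -m hl --hl-eq 255 -j ACCEPT
-$IP6T -A ICMP -p ipv6-icmp -m icmp6 --icmpv6-type 137 -m hl --hl-eq 255 -j ACCEPT
-########################################
-# Open service ports
-########################################
-# SMTP ports
-#$IP6T -A TCP -p tcp -m tcp --dport 25 -j ACCEPT
-#$IP6T -A TCP -p tcp -m tcp --dport 465 -j ACCEPT
-#$IP6T -A TCP -p tcp -m tcp --dport 587 -j ACCEPT
-# IMAP ports
-#$IP6T -A TCP -p tcp -m tcp --dport 993 -j ACCEPT
-# DNS ports (TCP & UDP for zone AXFR)
-#$IP6T -A TCP -p tcp -m tcp --dport 53 -j ACCEPT
-#$IP6T -A UDP -p udp -m udp --dport 53 -j ACCEPT
-# HTTP ports (80/443 standard, 4443 for secure site)
-$IP6T -A TCP -p tcp -m tcp --dport 80 -j ACCEPT
-$IP6T -A TCP -p tcp -m tcp --dport 443 -j ACCEPT
-# SSH port
-$IP6T -A TCP -p tcp -m tcp --dport 22 -j ACCEPT
-
-# Drop non-accepted remnants from the chains
-$IP6T -A ICMP -j DROP
-$IP6T -A TCP -j REJECT
-$IP6T -A UDP -j REJECT
-
-ip6tables-save > /etc/ip6tables.rules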
  2. oko created this gist Dec 13, 2014.
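--- a/ip6tables.sh
+++ b/ip6tables.sh
@@ -0,0 +1,64 @@
+#!/bin/sh
+IP6T="$(which ip6tables)"
+
+# Default Chain Policies
+$IP6T -P INPUT DROP
+$IP6T -P FORWARD DROP
+$IP6T -P OUTPUT ACCEPT
+
+# Create TCP, UDP, ICMP chains
+$IP6T -N TCP
+$IP6T -N UDP
+$IP6T -N ICMP
+
+# Allow related/established connections
+$IP6T -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
+
+# Allow connections from loopback
+$IP6T -A INPUT -i lo -j ACCEPT
+
+# Send ICMP requests to ICMP chain
+$IP6T -A INPUT -p ipv6-icmp -j ICMP
+
+# Send TCP requests to TCP chain
+$IP6T -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m conntrack --ctstate NEW -j TCP
+
+# Send UDP requests to UDP chain
+$IP6T -A INPUT -p udp -m conntrack --ctstate NEW -j UDP
+
+########################################
+# ICMP packet handling
+########################################
+# Allow ICMPv6 ECHO (ping req/resp)
+$IP6T -A ICMP -p ipv6-icmp -m icmp6 --icmpv6-type 128 -m limit --limit 15/sec -j ACCEPT
+$IP6T -A ICMP -p ipv6-icmp -m icmp6 --icmpv6-type 129 -m limit --limit 15/sec -j ACCEPT
+# Other ICMP types
+$IP6T -A ICMP -p ipv6-icmp -m icmp6 --icmpv6-type 133 -m hl --hl-eq 255 -j ACCEPT
+$IP6T -A ICMP -p ipv6-icmp -m icmp6 --icmpv6-type 134 -m hl --hl-eq 255 -j ACCEPT
+$IP6T -A ICMP -p ipv6-icmp -m icmp6 --icmpv6-type 135 -m hl --hl-eq 255 -j ACCEPT
+$IP6T -A ICMP -p ipv6-icmp -m icmp6 --icmpv6-type 136 -m hl --hl-eq 255 -j ACCEPT
+$IP6T -A ICMP -p ipv6-icmp -m icmp6 --icmpv6-type 137 -m hl --hl-eq 255 -j ACCEPT
+########################################
+# Open service ports
+########################################
+# SMTP ports
+#$IP6T -A TCP -p tcp -m tcp --dport 25 -j ACCEPT
+#$IP6T -A TCP -p tcp -m tcp --dport 465 -j ACCEPT
+#$IP6T -A TCP -p tcp -m tcp --dport 587 -j ACCEPT
+# IMAP ports
+#$IP6T -A TCP -p tcp -m tcp --dport 993 -j ACCEPT
+# DNS ports (TCP & UDP for zone AXFR)
+#$IP6T -A TCP -p tcp -m tcp --dport 53 -j ACCEPT
+#$IP6T -A UDP -p udp -m udp --dport 53 -j ACCEPT
+# HTTP ports (80/443 standard, 4443 for secure site)
+$IP6T -A TCP -p tcp -m tcp --dport 80 -j ACCEPT
+$IP6T -A TCP -p tcp -m tcp --dport 443 -j ACCEPT
+# SSH port
+$IP6T -A TCP -p tcp -m tcp --dport 22 -j ACCEPT
+
+# Drop non-accepted remnants from the chains
+$IP6T -A ICMP -j DROP
+$IP6T -A TCP -j REJECT
+$IP6T -A UDP -j REJECT
+
+ip6tables-save > /etc/ip6tables.rules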
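Review bot: The ICMP chain ends in `$IP6T -A ICMP -j DROP` but only accepts types 128, 129 and 133–137, so the ICMPv6 error messages — destination-unreachable (1), packet-too-big (2), time-exceeded (3) and parameter-problem (4) — are silently dropped; on IPv6 that breaks path-MTU discovery because routers never fragment, and RFC 4890 lists these among the messages a firewall must not filter. Add accept rules for them ahead of the final DROP, e.g. `$IP6T -A ICMP -p ipv6-icmp -m icmp6 --icmpv6-type 2 -j ACCEPT` for packet-too-big (the later ip6tables.rules revision does add all four). The script is also not safe to re-run: `-N TCP`/`-N UDP`/`-N ICMP` fail and every `-A` duplicates a rule on a second invocation, and if `which` finds nothing `$IP6T` expands to empty and each line then tries to execute `-P`/`-A` as a command; start with `IP6T="$(command -v ip6tables)" || exit 1` and flush with `$IP6T -F; $IP6T -X` before rebuilding, so the state that `ip6tables-save` persists is exactly what this script defines. The comment `# HTTP ports (80/443 standard, 4443 for secure site)` mentions 4443 but no 4443 rule follows; drop the mention or add the rule.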