#!/bin/sh
# Default IPv6 packet-filter ruleset (ip6tables), meant to be edited per site.
# Interfaces: WAN (upstream), LAN (bridge), WLAN (wireless).
# The guard directly below aborts with status 1 until the file has been
# adapted, so nothing after it runs on an unconfigured system.
# NOTE(review): the script is not idempotent — there is no flush (-F/-X)
# before the chains are created, so a second run leaves "-N" failing on the
# existing chains and appends every "-A" rule a second time. Flushing first
# would also remove rules added by other tools; confirm before changing.
echo "configure /etc/firewall6.conf first."
exit 1

### Interfaces
# WAN may be left empty to disable the WAN-specific rules below; see the
# INPUT accept rule for the consequence of doing so.
WAN=sixxs
LAN=br0
# WLAN is defined here but not referenced by any rule in this file.
WLAN=wlan0

######################################################################
### Default ruleset
######################################################################

### Create chains
# User chains that site-specific rules are appended to further below.
ip6tables -N input_rule
ip6tables -N forwarding_rule

### Default policy
# Default-deny on all three built-in chains; everything allowed is explicit.
ip6tables -P INPUT DROP
ip6tables -P FORWARD DROP
ip6tables -P OUTPUT DROP

### INPUT
### (connections with the router as destination)

# base case
ip6tables -A INPUT -m state --state INVALID -j DROP
ip6tables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# Drop TCP SYNs that carry no MSS option (TCP option kind 2); the "\!"
# before --tcp-option negates the match.
ip6tables -A INPUT -p tcp --tcp-flags SYN SYN \! --tcp-option 2 -j DROP

# custom rules
# Site-specific accepts (ssh, VPN, ...) are evaluated here, before the
# interface-based accept and the final REJECTs.
ip6tables -A INPUT -j input_rule

# allow access from anything but WAN
# ${WAN:+...} expands to "\! -i $WAN" only when WAN is non-empty and must stay
# unquoted so it is split into separate arguments. If WAN is empty the
# expansion vanishes and this becomes an unconditional ACCEPT on INPUT —
# i.e. all router services become reachable from every interface.
ip6tables -A INPUT ${WAN:+\! -i $WAN} -j ACCEPT
# allow icmp messages
# ICMPv6 is accepted from every interface, including WAN; IPv6 neighbour
# discovery and path-MTU discovery depend on it. No per-type restriction
# is applied here.
ip6tables -A INPUT -p icmp6 -j ACCEPT

# reject
# Anything not accepted above is actively rejected (TCP RST / ICMPv6 port
# unreachable) rather than falling through to the silent DROP policy.
ip6tables -A INPUT -p tcp -j REJECT --reject-with tcp-reset
ip6tables -A INPUT -j REJECT --reject-with icmp6-port-unreachable

### OUTPUT
### (connections with the router as source)

# base case
# NEW is accepted too, so locally originated traffic is effectively
# unrestricted; the OUTPUT DROP policy only catches INVALID state.
ip6tables -A OUTPUT -m state --state RELATED,ESTABLISHED,NEW -j ACCEPT
ip6tables -A OUTPUT -p icmp6 -j ACCEPT

### FORWARD
### (connections routed through the router)

# base case
ip6tables -A FORWARD -m state --state INVALID -j DROP
ip6tables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT

# fix for broken ISPs blocking ICMPv6 "packet too big" packets
# Disabled by default; when enabled it clamps the TCP MSS of outgoing SYNs
# on WAN to the path MTU (mangle table).
#ip6tables -t mangle -A FORWARD -p tcp -o $WAN --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu

# custom rules
ip6tables -A FORWARD -j forwarding_rule

# allow LAN
# Only LAN -> WAN is opened for new connections; WAN -> LAN is limited to
# RELATED,ESTABLISHED above. No rule covers WLAN.
ip6tables -A FORWARD -i $LAN -o $WAN -j ACCEPT

######################################################################
### Default ruleset end
######################################################################

###
### Connections to the router
###
# Templates below are commented out. "<a.b.c.d>" is a placeholder for the
# permitted source; substitute an IPv6 address or prefix before enabling.

# ssh
#ip6tables -A input_rule -i $WAN -p tcp -s <a.b.c.d> --dport 22 -j ACCEPT

# IPSec
#ip6tables -A input_rule -i $WAN -p esp -s <a.b.c.d> -j ACCEPT
#ip6tables -A input_rule -i $WAN -p udp -s <a.b.c.d> --dport 500 -j ACCEPT

# OpenVPN
#ip6tables -A input_rule -i $WAN -p udp -s <a.b.c.d> --dport 1194 -j ACCEPT

# PPTP
# Unlike the templates above, these carry no source restriction: enabling
# them exposes GRE and tcp/1723 to the whole WAN.
#ip6tables -A input_rule -i $WAN -p gre -j ACCEPT
#ip6tables -A input_rule -i $WAN -p tcp --dport 1723 -j ACCEPT

###
### VPN traffic
###
# Forwarding in both directions over the tunnel interfaces (wildcard match).

# IPSec
#ip6tables -A forwarding_rule -o ipsec+ -j ACCEPT
#ip6tables -A forwarding_rule -i ipsec+ -j ACCEPT

# OpenVPN
#ip6tables -A forwarding_rule -o tun+ -j ACCEPT
#ip6tables -A forwarding_rule -i tun+ -j ACCEPT