Changes

no edit summary
Line 54: Line 54:  
   # pacman -S iptables
 
   # pacman -S iptables
   −
The following IPv6 firewall is a very simplistic example, only suitable for use in a trusted environment, where SLAAC IPv6 address allocation is in place. '''This example is not suitable for an internet-facing Raspberry Pi where you need to include extra packet checking related to traffic sources, ICMPv6 types, arrival rates, etc.'''
+
The following IPv6 firewall is a very simplistic example, only suitable for use in a trusted environment, where SLAAC IPv6 address allocation is in place. '''This example is not intended to be used for an internet-facing Raspberry Pi where you need to include extra packet checking related to traffic sources, ICMPv6 types, packet arrival rates, etc.'''
    
   *filter
 
   *filter
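Review bot: The reworded warning in this hunk still tells the reader that ICMPv6 type checking is something they must add themselves, yet the same revision adds an ICMPv6 type filter chain (ICMP6FLTR) further down; suggest adjusting the sentence so it says the example now filters ICMPv6 by type but still omits source-address checks and rate limiting, otherwise readers will assume the new chain is not there. Since the edit carries no summary, that sentence is also the only place the reader learns what changed.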
Line 60: Line 60:  
   :FORWARD DROP [0:0]
 
   :FORWARD DROP [0:0]
 
   :OUTPUT ACCEPT [0:0]
 
   :OUTPUT ACCEPT [0:0]
   :LOGINPUTDROP - [0:0]
+
   :ICMP6FLTR - [0:0]
   -A LOGINPUTDROP -m limit --limit 60/m --limit-burst 20 -j LOG --log-prefix "IPV6_INPUT_DROP" --log-ip-options --log-tcp-options --log-tcp-sequence
+
  :LOGIDROP - [0:0]
   -A LOGINPUTDROP -j DROP
+
   -A LOGIDROP -m limit --limit 20/m --limit-burst 10 -j LOG --log-prefix "IPV6_INPUT_DROP" --log-ip-options --log-tcp-options --log-tcp-sequence
 +
   -A LOGIDROP -j DROP
 +
  #
 +
  # ICMPv6 filter chain
 +
  #
 +
  # Allow ping of this host to aid debug - comment out if not required
 +
  -A ICMP6FLTR -p ipv6-icmp --icmpv6-type echo-request -j ACCEPT
 +
  -A ICMP6FLTR -m state -p ipv6-icmp --state ESTABLISHED,RELATED --icmpv6-type echo-reply -j ACCEPT
 +
  -A ICMP6FLTR -m state -p ipv6-icmp --state ESTABLISHED,RELATED --icmpv6-type destination-unreachable -j ACCEPT
 +
  -A ICMP6FLTR -m state -p ipv6-icmp --state ESTABLISHED,RELATED --icmpv6-type packet-too-big -j ACCEPT
 +
  -A ICMP6FLTR -p ipv6-icmp --icmpv6-type ttl-zero-during-reassembly -j ACCEPT
 +
  -A ICMP6FLTR -m state -p ipv6-icmp --state ESTABLISHED,RELATED --icmpv6-type unknown-header-type -j ACCEPT
 +
  -A ICMP6FLTR -m state -p ipv6-icmp --state ESTABLISHED,RELATED --icmpv6-type unknown-option -j ACCEPT
 +
  -A ICMP6FLTR -p ipv6-icmp --icmpv6-type bad-header -j ACCEPT
 +
  -A ICMP6FLTR -p ipv6-icmp --icmpv6-type redirect -j DROP
 +
  # Allow router advertisements to support SLAAC address allocation
 +
  -A ICMP6FLTR -p ipv6-icmp --icmpv6-type router-advertisement -j ACCEPT
 +
  -A ICMP6FLTR -p ipv6-icmp --icmpv6-type router-solicitation -j ACCEPT
 +
  # Allow neighbour adv/sol so we can talk to our neighbouts (IPv6 ARP equivalent)
 +
  -A ICMP6FLTR -p ipv6-icmp --icmpv6-type neighbour-advertisement -j ACCEPT
 +
  -A ICMP6FLTR -p ipv6-icmp --icmpv6-type neighbour-solicitation -j ACCEPT
 +
  # Drop router renumbering messages
 +
  -A ICMP6FLTR -p ipv6-icmp --icmpv6-type 138 -j DROP
 +
  # Drop node information queries (139)
 +
  -A ICMP6FLTR -p ipv6-icmp --icmpv6-type 139 -j DROP
 +
  # Drop everything else
 +
  -A ICMP6FLTR -j LOGIDROP
 +
  #
 +
  # Main INPUT chain
 +
  #
 
   # Allow all loopback traffic
 
   # Allow all loopback traffic
 
   -A INPUT -i lo -j ACCEPT
 
   -A INPUT -i lo -j ACCEPT
   # Drop all routing header traffic
+
   # Drop all routing header traffic (change if supporting mobile IPv6)
   -A INPUT -m rt --rt-type 0 -j LOGINPUTDROP
+
   -A INPUT -m rt --rt-type 0 -j LOGIDROP
   -A INPUT -m rt --rt-type 1 -j LOGINPUTDROP
+
   -A INPUT -m rt --rt-type 1 -j LOGIDROP
   -A INPUT -m rt --rt-type 2 -j LOGINPUTDROP
+
   -A INPUT -m rt --rt-type 2 -j LOGIDROP
 
   # Allow all traffic related to, or part of an established stream
 
   # Allow all traffic related to, or part of an established stream
 
   -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
 
   -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
   # Allow ping of this host to aid debug
+
   # Call ICMPv6 filter
   -A INPUT -p ipv6-icmp --icmpv6-type echo-request -j ACCEPT
+
   -A INPUT -p ipv6-icmp -j ICMP6FLTR
  # Allow Router advertisements so we can use SLAAC address allocation
  −
  -A INPUT -p ipv6-icmp --icmpv6-type router-advertisement -j ACCEPT
  −
  -A INPUT -p ipv6-icmp --icmpv6-type router-solicitation -j ACCEPT
  −
  # Allow neighbour adv/sol so we can talk to our neighbours (IPv6 ARP equivalent)
  −
  -A INPUT -p ipv6-icmp --icmpv6-type neighbour-advertisement -j ACCEPT
  −
  -A INPUT -p ipv6-icmp --icmpv6-type neighbour-solicitation -j ACCEPT
   
   # Allow SSH and HTTP traffic
 
   # Allow SSH and HTTP traffic
 
   -A INPUT -p tcp --dport 22 -j ACCEPT
 
   -A INPUT -p tcp --dport 22 -j ACCEPT
 
   -A INPUT -p tcp --dport 80 -j ACCEPT
 
   -A INPUT -p tcp --dport 80 -j ACCEPT
 
   # Drop, but log, everything else
 
   # Drop, but log, everything else
   -A INPUT -j LOGINPUTDROP
+
   -A INPUT -j LOGIDROP
 
   COMMIT
 
   COMMIT
 +
 
    
Assuming your desired ruleset is stored in a file called simple_firewall6.rules then you can import the firewall rules using:
 
Assuming your desired ruleset is stored in a file called simple_firewall6.rules then you can import the firewall rules using:
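Review bot: In the new ICMP6FLTR chain, every rule qualified with `-m state --state ESTABLISHED,RELATED` (echo-reply, destination-unreachable, packet-too-big, unknown-header-type, unknown-option) is dead code, because the INPUT chain already accepts those packets with `-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT` before it reaches `-A INPUT -p ipv6-icmp -j ICMP6FLTR`; only NEW or INVALID ICMPv6 ever enters the chain, so any packet-too-big or destination-unreachable that conntrack does not classify as RELATED falls through to `-A ICMP6FLTR -j LOGIDROP`, which can interfere with path MTU discovery. Suggest accepting packet-too-big (and destination-unreachable, time-exceeded) without the state qualifier, as the chain already does for ttl-zero-during-reassembly and bad-header, or removing the unreachable rules so the ruleset does not suggest protection it does not provide. Two smaller points: only the ttl-zero-during-reassembly code of time-exceeded is accepted, so ttl-zero-during-transit replies (needed for traceroute towards this host) are dropped and logged; and the comment "so we can talk to our neighbouts" has a typo (neighbours). The log rate limit also drops from 60/m burst 20 to 20/m burst 10 in this hunk, and with no edit summary that change is undocumented.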
