Line 69: |
Line 69: |
| # Allow ping of this host to aid debug - comment out if not required | | # Allow ping of this host to aid debug - comment out if not required |
| -A ICMP6FLTR -p ipv6-icmp --icmpv6-type echo-request -j ACCEPT | | -A ICMP6FLTR -p ipv6-icmp --icmpv6-type echo-request -j ACCEPT |
− | # Filter ICMPv6 appropriately
| |
| -A ICMP6FLTR -m state -p ipv6-icmp --state ESTABLISHED,RELATED --icmpv6-type echo-reply -j ACCEPT | | -A ICMP6FLTR -m state -p ipv6-icmp --state ESTABLISHED,RELATED --icmpv6-type echo-reply -j ACCEPT |
| -A ICMP6FLTR -m state -p ipv6-icmp --state ESTABLISHED,RELATED --icmpv6-type destination-unreachable -j ACCEPT | | -A ICMP6FLTR -m state -p ipv6-icmp --state ESTABLISHED,RELATED --icmpv6-type destination-unreachable -j ACCEPT |
| -A ICMP6FLTR -m state -p ipv6-icmp --state ESTABLISHED,RELATED --icmpv6-type packet-too-big -j ACCEPT | | -A ICMP6FLTR -m state -p ipv6-icmp --state ESTABLISHED,RELATED --icmpv6-type packet-too-big -j ACCEPT |
− | -A ICMP6FLTR -p ipv6-icmp --icmpv6-type ttl-zero-during-reassembly -j ACCEPT
| |
| -A ICMP6FLTR -m state -p ipv6-icmp --state ESTABLISHED,RELATED --icmpv6-type unknown-header-type -j ACCEPT | | -A ICMP6FLTR -m state -p ipv6-icmp --state ESTABLISHED,RELATED --icmpv6-type unknown-header-type -j ACCEPT |
| -A ICMP6FLTR -m state -p ipv6-icmp --state ESTABLISHED,RELATED --icmpv6-type unknown-option -j ACCEPT | | -A ICMP6FLTR -m state -p ipv6-icmp --state ESTABLISHED,RELATED --icmpv6-type unknown-option -j ACCEPT |
| + | -A ICMP6FLTR -p ipv6-icmp --icmpv6-type ttl-zero-during-reassembly -j ACCEPT |
| -A ICMP6FLTR -p ipv6-icmp --icmpv6-type bad-header -j ACCEPT | | -A ICMP6FLTR -p ipv6-icmp --icmpv6-type bad-header -j ACCEPT |
− | -A ICMP6FLTR -p ipv6-icmp --icmpv6-type redirect -j DROP | + | # |
| # Allow router advertisements to support SLAAC address allocation | | # Allow router advertisements to support SLAAC address allocation |
− | -A ICMP6FLTR -p ipv6-icmp --icmpv6-type router-advertisement -j ACCEPT | + | # ensure hop-limit (hl) is 255 |
− | -A ICMP6FLTR -p ipv6-icmp --icmpv6-type router-solicitation -j ACCEPT | + | -A ICMP6FLTR -p ipv6-icmp --icmpv6-type router-advertisement --match hl --hl-eq 255 -j ACCEPT |
− | # Allow neighbour adv/sol so we can talk to our neighbours (IPv6 ARP equivalent) | + | -A ICMP6FLTR -p ipv6-icmp --icmpv6-type router-solicitation --match hl --hl-eq 255 -j ACCEPT |
− | -A ICMP6FLTR -p ipv6-icmp --icmpv6-type neighbour-advertisement -j ACCEPT | + | # |
− | -A ICMP6FLTR -p ipv6-icmp --icmpv6-type neighbour-solicitation -j ACCEPT | + | # Allow neighbour adv/sol so we can talk to our neighbouts (IPv6 ARP equivalent) |
− | # Drop router renumbering messages | + | # ensure hop-limit (hl) is 255 |
− | -A ICMP6FLTR -p ipv6-icmp --icmpv6-type 138 -j DROP | + | -A ICMP6FLTR -p ipv6-icmp --icmpv6-type neighbour-advertisement --match hl --hl-eq 255 -j ACCEPT |
− | # Drop node information queries (139) | + | -A ICMP6FLTR -p ipv6-icmp --icmpv6-type neighbour-solicitation --match hl --hl-eq 255 -j ACCEPT |
− | -A ICMP6FLTR -p ipv6-icmp --icmpv6-type 139 -j DROP | + | # |
| + | # Allow inverse neighbour discovery solicitation (141) / advertisement (142) |
| + | # ensure hop-limit (hl) is 255 |
| + | -A ICMP6FLTR -p ipv6-icmp --icmpv6-type 141 --match hl --hl-eq 255 -j ACCEPT |
| + | -A ICMP6FLTR -p ipv6-icmp --icmpv6-type 142 --match hl --hl-eq 255 -j ACCEPT |
| + | # |
| + | # Allow certificate path solicitation (148) / advertisement (149) |
| + | # ensure hop-limit (hl) is 255 |
| + | -A ICMP6FLTR -p ipv6-icmp --icmpv6-type 148 --match hl --hl-eq 255 -j ACCEPT |
| + | -A ICMP6FLTR -p ipv6-icmp --icmpv6-type 149 --match hl --hl-eq 255 -j ACCEPT |
| + | ## |
| + | ## Allow ICMPv6 with link local addresses for multicast listener query (130), report (131), done (132) and report v2 (143) |
| + | ## Likely unused, but uncomment if required |
| + | #-A ICMP6FLTR -p ipv6-icmp --icmpv6-type 130 --source fe80::/10 -j ACCEPT |
| + | #-A ICMP6FLTR -p ipv6-icmp --icmpv6-type 131 --source fe80::/10 -j ACCEPT |
| + | #-A ICMP6FLTR -p ipv6-icmp --icmpv6-type 132 --source fe80::/10 -j ACCEPT |
| + | #-A ICMP6FLTR -p ipv6-icmp --icmpv6-type 143 --source fe80::/10 -j ACCEPT |
| + | ## Allow ICMPv6 with link local addresses and hop limit == 1 for multicast router advertisement (151), solicitation (152) and termination (153) |
| + | #-A ICMP6FLTR -p ipv6-icmp --icmpv6-type 151 --source fe80::/10 --match hl --hl-eq 1 -j ACCEPT |
| + | #-A ICMP6FLTR -p ipv6-icmp --icmpv6-type 152 --source fe80::/10 --match hl --hl-eq 1 -j ACCEPT |
| + | #-A ICMP6FLTR -p ipv6-icmp --icmpv6-type 153 --source fe80::/10 --match hl --hl-eq 1 -j ACCEPT |
| + | # |
| # Drop everything else | | # Drop everything else |
| -A ICMP6FLTR -j LOGIDROP | | -A ICMP6FLTR -j LOGIDROP |
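Review bot: Time-exceeded code 0 is now dropped: only `ttl-zero-during-reassembly` (type 3 code 1) is accepted before the terminal `-j LOGIDROP`, and since the Line 119 hunk moves the `-j ICMP6FLTR` call ahead of the `RELATED,ESTABLISHED` accept, hop-limit-expired errors that conntrack relates to this host's own traffic (traceroute, looping outbound packets) no longer get the second chance the old ordering gave them. Add `-A ICMP6FLTR -m state -p ipv6-icmp --state ESTABLISHED,RELATED --icmpv6-type ttl-zero-during-transit -j ACCEPT` beside the reassembly rule, and for the same reason check that every ICMPv6 error type you expect conntrack to flag RELATED is listed in this chain, since nothing below it will accept it. The `--hl-eq 255` match on RA/RS/NS/NA is the RFC 4861 check and rejects off-link forgeries, but a rogue RA (RFC 6104) is injected on-link with hop limit 255 anyway, so on a statically addressed host it is safer to drop router-advertisement outright and set `net.ipv6.conf.all.accept_ra=0`; at minimum add `--source fe80::/10` to the RA rule, which RFC 4861 requires of its source address. The NA/NS comment also has the typo `neighbouts`. The file header and the surrounding document are outside this view.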
Line 99: |
Line 119: |
| -A INPUT -m rt --rt-type 1 -j LOGIDROP | | -A INPUT -m rt --rt-type 1 -j LOGIDROP |
| -A INPUT -m rt --rt-type 2 -j LOGIDROP | | -A INPUT -m rt --rt-type 2 -j LOGIDROP |
| + | # Call ICMPv6 filter |
| + | -A INPUT -p ipv6-icmp -j ICMP6FLTR |
| # Allow all traffic related to, or part of an established stream | | # Allow all traffic related to, or part of an established stream |
| -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT | | -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT |
− | # Call ICMPv6 filter
| |
− | -A INPUT -p ipv6-icmp -j ICMP6FLTR
| |
| # Allow SSH and HTTP traffic | | # Allow SSH and HTTP traffic |
| -A INPUT -p tcp --dport 22 -j ACCEPT | | -A INPUT -p tcp --dport 22 -j ACCEPT |
Line 108: |
Line 128: |
| # Drop, but log, everything else | | # Drop, but log, everything else |
| -A INPUT -j LOGIDROP | | -A INPUT -j LOGIDROP |
− | COMMIT | + | COMMIT |
− |
| |
| | | |
| Assuming your desired ruleset is stored in a file called simple_firewall6.rules then you can import the firewall rules using: | | Assuming your desired ruleset is stored in a file called simple_firewall6.rules then you can import the firewall rules using: |