Changes

no edit summary
Line 69: Line 69:  
   # Allow ping of this host to aid debug - comment out if not required
 
   # Allow ping of this host to aid debug - comment out if not required
 
   -A ICMP6FLTR -p ipv6-icmp --icmpv6-type echo-request -j ACCEPT
 
   -A ICMP6FLTR -p ipv6-icmp --icmpv6-type echo-request -j ACCEPT
  # Filter ICMPv6 appropriately
   
   -A ICMP6FLTR -m state -p ipv6-icmp --state ESTABLISHED,RELATED --icmpv6-type echo-reply -j ACCEPT
 
   -A ICMP6FLTR -m state -p ipv6-icmp --state ESTABLISHED,RELATED --icmpv6-type echo-reply -j ACCEPT
 
   -A ICMP6FLTR -m state -p ipv6-icmp --state ESTABLISHED,RELATED --icmpv6-type destination-unreachable -j ACCEPT
 
   -A ICMP6FLTR -m state -p ipv6-icmp --state ESTABLISHED,RELATED --icmpv6-type destination-unreachable -j ACCEPT
 
   -A ICMP6FLTR -m state -p ipv6-icmp --state ESTABLISHED,RELATED --icmpv6-type packet-too-big -j ACCEPT
 
   -A ICMP6FLTR -m state -p ipv6-icmp --state ESTABLISHED,RELATED --icmpv6-type packet-too-big -j ACCEPT
  -A ICMP6FLTR -p ipv6-icmp --icmpv6-type ttl-zero-during-reassembly -j ACCEPT
   
   -A ICMP6FLTR -m state -p ipv6-icmp --state ESTABLISHED,RELATED --icmpv6-type unknown-header-type -j ACCEPT
 
   -A ICMP6FLTR -m state -p ipv6-icmp --state ESTABLISHED,RELATED --icmpv6-type unknown-header-type -j ACCEPT
 
   -A ICMP6FLTR -m state -p ipv6-icmp --state ESTABLISHED,RELATED --icmpv6-type unknown-option -j ACCEPT
 
   -A ICMP6FLTR -m state -p ipv6-icmp --state ESTABLISHED,RELATED --icmpv6-type unknown-option -j ACCEPT
 +
  -A ICMP6FLTR -p ipv6-icmp --icmpv6-type ttl-zero-during-reassembly -j ACCEPT
 
   -A ICMP6FLTR -p ipv6-icmp --icmpv6-type bad-header -j ACCEPT
 
   -A ICMP6FLTR -p ipv6-icmp --icmpv6-type bad-header -j ACCEPT
   -A ICMP6FLTR -p ipv6-icmp --icmpv6-type redirect -j DROP
+
   #
 
   # Allow router advertisements to support SLAAC address allocation
 
   # Allow router advertisements to support SLAAC address allocation
   -A ICMP6FLTR -p ipv6-icmp --icmpv6-type router-advertisement -j ACCEPT
+
  # ensure hop-limit (hl) is 255
   -A ICMP6FLTR -p ipv6-icmp --icmpv6-type router-solicitation -j ACCEPT
+
   -A ICMP6FLTR -p ipv6-icmp --icmpv6-type router-advertisement --match hl --hl-eq 255 -j ACCEPT
   # Allow neighbour adv/sol so we can talk to our neighbours (IPv6 ARP equivalent)
+
   -A ICMP6FLTR -p ipv6-icmp --icmpv6-type router-solicitation --match hl --hl-eq 255 -j ACCEPT
   -A ICMP6FLTR -p ipv6-icmp --icmpv6-type neighbour-advertisement -j ACCEPT
+
  #
   -A ICMP6FLTR -p ipv6-icmp --icmpv6-type neighbour-solicitation -j ACCEPT
+
   # Allow neighbour adv/sol so we can talk to our neighbouts (IPv6 ARP equivalent)
   # Drop router renumbering messages
+
  # ensure hop-limit (hl) is 255
   -A ICMP6FLTR -p ipv6-icmp --icmpv6-type 138 -j DROP
+
   -A ICMP6FLTR -p ipv6-icmp --icmpv6-type neighbour-advertisement --match hl --hl-eq 255 -j ACCEPT
   # Drop node information queries (139)
+
   -A ICMP6FLTR -p ipv6-icmp --icmpv6-type neighbour-solicitation --match hl --hl-eq 255 -j ACCEPT
   -A ICMP6FLTR -p ipv6-icmp --icmpv6-type 139 -j DROP
+
  #
 +
  # Allow inverse neighbour discovery solicitation (141) / advertisement (142)
 +
  # ensure hop-limit (hl) is 255
 +
  -A ICMP6FLTR -p ipv6-icmp --icmpv6-type 141 --match hl --hl-eq 255 -j ACCEPT
 +
  -A ICMP6FLTR -p ipv6-icmp --icmpv6-type 142 --match hl --hl-eq 255 -j ACCEPT
 +
  #
 +
  # Allow certificate path solicitation (148) / advertisement (149)
 +
  # ensure hop-limit (hl) is 255
 +
  -A ICMP6FLTR -p ipv6-icmp --icmpv6-type 148 --match hl --hl-eq 255 -j ACCEPT
 +
  -A ICMP6FLTR -p ipv6-icmp --icmpv6-type 149 --match hl --hl-eq 255 -j ACCEPT
 +
  ##
 +
  ## Allow ICMPv6 with link local addresses for multicast listener query (130), report (131), done (132) and report v2 (143)
 +
  ## Likely unused, but uncomment if required
 +
  #-A ICMP6FLTR -p ipv6-icmp --icmpv6-type 130 --source fe80::/10 -j ACCEPT
 +
  #-A ICMP6FLTR -p ipv6-icmp --icmpv6-type 131 --source fe80::/10 -j ACCEPT
 +
   #-A ICMP6FLTR -p ipv6-icmp --icmpv6-type 132 --source fe80::/10 -j ACCEPT
 +
   #-A ICMP6FLTR -p ipv6-icmp --icmpv6-type 143 --source fe80::/10 -j ACCEPT
 +
   ## Allow ICMPv6 with link local addresses and hop limit == 1 for multicast router advertisement (151), solicitation (152) and termination (153)
 +
   #-A ICMP6FLTR -p ipv6-icmp --icmpv6-type 151 --source fe80::/10 --match hl --hl-eq 1 -j ACCEPT
 +
  #-A ICMP6FLTR -p ipv6-icmp --icmpv6-type 152 --source fe80::/10 --match hl --hl-eq 1 -j ACCEPT
 +
  #-A ICMP6FLTR -p ipv6-icmp --icmpv6-type 153 --source fe80::/10 --match hl --hl-eq 1 -j ACCEPT
 +
  #
 
   # Drop everything else
 
   # Drop everything else
 
   -A ICMP6FLTR -j LOGIDROP
 
   -A ICMP6FLTR -j LOGIDROP
Line 99: Line 119:  
   -A INPUT -m rt --rt-type 1 -j LOGIDROP
 
   -A INPUT -m rt --rt-type 1 -j LOGIDROP
 
   -A INPUT -m rt --rt-type 2 -j LOGIDROP
 
   -A INPUT -m rt --rt-type 2 -j LOGIDROP
 +
  # Call ICMPv6 filter
 +
  -A INPUT -p ipv6-icmp -j ICMP6FLTR
 
   # Allow all traffic related to, or part of an established stream
 
   # Allow all traffic related to, or part of an established stream
 
   -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
 
   -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
  # Call ICMPv6 filter
  −
  -A INPUT -p ipv6-icmp -j ICMP6FLTR
   
   # Allow SSH and HTTP traffic
 
   # Allow SSH and HTTP traffic
 
   -A INPUT -p tcp --dport 22 -j ACCEPT
 
   -A INPUT -p tcp --dport 22 -j ACCEPT
Line 108: Line 128:  
   # Drop, but log, everything else
 
   # Drop, but log, everything else
 
   -A INPUT -j LOGIDROP
 
   -A INPUT -j LOGIDROP
   COMMIT
+
   COMMIT
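Review bot: With the ICMP6FLTR jump now placed ahead of the RELATED,ESTABLISHED accept (the "Line 99: Line 119" hunk), that chain is the only path for inbound ICMPv6, yet it accepts only code 1 of time-exceeded (`ttl-zero-during-reassembly`) and never code 0, so hop-limit-exceeded errors belonging to this host's own flows (for example the replies to a traceroute run from here) now fall through to LOGIDROP. One added line closes the gap in the same style as the neighbouring state-matched rules: `-A ICMP6FLTR -m state -p ipv6-icmp --state ESTABLISHED,RELATED --icmpv6-type ttl-zero-during-transit -j ACCEPT`. The MLD rules for types 130–132/143 are left commented out as "Likely unused", but on a switched segment with MLD snooping a host that never answers Multicast Listener Queries can be timed out of its solicited-node groups and lose neighbour discovery; RFC 4890 lists MLD among the messages a node should not drop. At least the type 130 rule is therefore worth enabling, and because MLD is sent with hop limit 1 the `--match hl --hl-eq 1` qualifier already used on the 151–153 rules fits it as well.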
 
      
Assuming your desired ruleset is stored in a file called simple_firewall6.rules, you can import the firewall rules using:
 
Assuming your desired ruleset is stored in a file called simple_firewall6.rules, you can import the firewall rules using:
