no edit summary
Line 62: Line 62:  
   :ICMP6FLTR - [0:0]
 
   :ICMP6FLTR - [0:0]
 
   :LOGIDROP - [0:0]
 
   :LOGIDROP - [0:0]
   -A LOGIDROP -m limit --limit 20/m --limit-burst 10 -j LOG --log-prefix "IPV6_INPUT_DROP" --log-ip-options --log-tcp-options --log-tcp-sequence
+
   -A LOGIDROP -m limit --limit 20/m --limit-burst 10 -j LOG --log-prefix "IPV6_INPUT_DROP " --log-ip-options --log-tcp-options --log-tcp-sequence
 
   -A LOGIDROP -j DROP
 
   -A LOGIDROP -j DROP
 
   #
 
   #
Line 170: Line 170:  
   # rc.d save ip6tables
 
   # rc.d save ip6tables
   −
Note that if you're also using IPv4 then don't forget to setup a similar IPv4 firewall ruleset. Again this example is only suitable for use in a trusted environment and needs further additions for an internet facing machine.
+
Note that if you're also using IPv4 then don't forget to setup a similar IPv4 firewall ruleset. Again this example is only suitable for use in a trusted environment and needs further consideration for an internet facing machine.
    
   *filter
 
   *filter
Line 176: Line 176:  
   :FORWARD DROP [0:0]
 
   :FORWARD DROP [0:0]
 
   :OUTPUT ACCEPT [0:0]
 
   :OUTPUT ACCEPT [0:0]
 +
  :LOGI4DROP - [0:0]
 +
  -A LOGI4DROP -m limit --limit 10/m --limit-burst 5 -j LOG --log-prefix "IPV4_INPUT_DROP " --log-ip-options --log-tcp-options --log-tcp-sequence
 +
  -A LOGI4DROP -j DROP
 
   # Allow all loopback traffic
 
   # Allow all loopback traffic
 
   -A INPUT -i lo -j ACCEPT
 
   -A INPUT -i lo -j ACCEPT
 
   # Allow all traffic related to, or part of an established session
 
   # Allow all traffic related to, or part of an established session
 
   -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
 
   -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
   # Allow ping of this host to aid debug
+
   # Allow ping of this host to aid debug - comment out if not required
 
   -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
 
   -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
 
   # Allow SSH and HTTP traffic
 
   # Allow SSH and HTTP traffic
 
   -A INPUT -p tcp --dport 22 -j ACCEPT
 
   -A INPUT -p tcp --dport 22 -j ACCEPT
 
   -A INPUT -p tcp --dport 80 -j ACCEPT
 
   -A INPUT -p tcp --dport 80 -j ACCEPT
  # Drop all other TCP traffic
  −
  -A INPUT -p tcp -j DROP
   
   # Allow DHCP related traffic
 
   # Allow DHCP related traffic
 
   -A INPUT -p udp --dport 67:68 -j ACCEPT
 
   -A INPUT -p udp --dport 67:68 -j ACCEPT
 
   # Drop everything else
 
   # Drop everything else
   -A INPUT -j DROP
+
   -A INPUT -j LOGI4DROP
 
   COMMIT
 
   COMMIT
 +
    
This time import can be performed using:
 
This time import can be performed using:
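Review bot: The new LOGI4DROP chain in the Line 176 hunk passes `--log-tcp-sequence` to the LOG target, and the iptables-extensions documentation itself notes that logging TCP sequence numbers is a risk when the log is readable by unprivileged users; unless those numbers are actually wanted for debugging, drop the option or add a comment next to the rule such as `# --log-tcp-sequence writes TCP sequence numbers to the log; keep the log readable by root only` (the pre-existing IPv6 LOGIDROP chain at Line 62 carries the same option). The limit match on that rule also deserves a comment, because after the burst of 5 only one drop per six seconds is logged and the rest are dropped silently by the following `-A LOGI4DROP -j DROP`, which is the intended flood protection but will surprise anyone counting log lines against observed drops: `# Rate-limit logging (10/min, burst 5) so a flood cannot fill the log; unlogged packets still reach the DROP below`. With the removed `-A INPUT -p tcp -j DROP` gone, unmatched TCP now falls through to the final `-A INPUT -j LOGI4DROP`, so it is still dropped but now logged, which is worth stating in the surrounding text since the article presents this as a trusted-environment example. The `*filter` header and the INPUT chain's default policy for this ruleset start before the hunk, so the fallback behaviour if these rules fail to load cannot be confirmed here.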
