Line 62: |
Line 62: |
| :ICMP6FLTR - [0:0] | | :ICMP6FLTR - [0:0] |
| :LOGIDROP - [0:0] | | :LOGIDROP - [0:0] |
− | -A LOGIDROP -m limit --limit 20/m --limit-burst 10 -j LOG --log-prefix "IPV6_INPUT_DROP" --log-ip-options --log-tcp-options --log-tcp-sequence | + | -A LOGIDROP -m limit --limit 20/m --limit-burst 10 -j LOG --log-prefix "IPV6_INPUT_DROP " --log-ip-options --log-tcp-options --log-tcp-sequence |
| -A LOGIDROP -j DROP | | -A LOGIDROP -j DROP |
| # | | # |
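Review bot: The only change in this hunk is the trailing space added to `--log-prefix "IPV6_INPUT_DROP "`, and nothing on the page says why it is there; that whitespace is easily lost by anyone copying the rule, which silently fuses the prefix with the `IN=` field the kernel appends to the log line and breaks any log parsing keyed on the prefix. A comment on the line above the LOG rule would protect it, e.g. `# keep the trailing space in --log-prefix so the prefix stays separate from the IN= field in the log line`. The IPv4 LOGI4DROP chain added later in this diff relies on the same convention, so the same comment belongs there.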
Line 170: |
Line 170: |
| # rc.d save ip6tables | | # rc.d save ip6tables |
| | | |
− | Note that if you're also using IPv4 then don't forget to setup a similar IPv4 firewall ruleset. Again this example is only suitable for use in a trusted environment and needs further additions for an internet facing machine. | + | Note that if you're also using IPv4 then don't forget to setup a similar IPv4 firewall ruleset. Again this example is only suitable for use in a trusted environment and needs further consideration for an internet facing machine. |
| | | |
| *filter | | *filter |
Line 176: |
Line 176: |
| :FORWARD DROP [0:0] | | :FORWARD DROP [0:0] |
| :OUTPUT ACCEPT [0:0] | | :OUTPUT ACCEPT [0:0] |
| + | :LOGI4DROP - [0:0] |
| + | -A LOGI4DROP -m limit --limit 10/m --limit-burst 5 -j LOG --log-prefix "IPV4_INPUT_DROP " --log-ip-options --log-tcp-options --log-tcp-sequence |
| + | -A LOGI4DROP -j DROP |
| # Allow all loopback traffic | | # Allow all loopback traffic |
| -A INPUT -i lo -j ACCEPT | | -A INPUT -i lo -j ACCEPT |
| # Allow all traffic related to, or part of an established session | | # Allow all traffic related to, or part of an established session |
| -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT | | -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT |
− | # Allow ping of this host to aid debug | + | # Allow ping of this host to aid debug - comment out if not required |
| -A INPUT -p icmp --icmp-type echo-request -j ACCEPT | | -A INPUT -p icmp --icmp-type echo-request -j ACCEPT |
| # Allow SSH and HTTP traffic | | # Allow SSH and HTTP traffic |
| -A INPUT -p tcp --dport 22 -j ACCEPT | | -A INPUT -p tcp --dport 22 -j ACCEPT |
| -A INPUT -p tcp --dport 80 -j ACCEPT | | -A INPUT -p tcp --dport 80 -j ACCEPT |
− | # Drop all other TCP traffic
| |
− | -A INPUT -p tcp -j DROP
| |
| # Allow DHCP related traffic | | # Allow DHCP related traffic |
| -A INPUT -p udp --dport 67:68 -j ACCEPT | | -A INPUT -p udp --dport 67:68 -j ACCEPT |
| # Drop everything else | | # Drop everything else |
− | -A INPUT -j DROP | + | -A INPUT -j LOGI4DROP |
| COMMIT | | COMMIT |
| + | |
| | | |
| This time import can be performed using: | | This time import can be performed using: |
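Review bot: The new LOGI4DROP chain rate-limits logging at `--limit 10/m --limit-burst 5`, while the IPv6 LOGIDROP chain earlier in this diff uses `20/m` with burst `10`, and nothing explains the difference, so either align the two or add a comment giving the reason. Because `-m limit` is a single counter shared by every source, a burst from one host exhausts the budget and drops from everything else go unlogged; where per-source visibility matters, `-m hashlimit --hashlimit-mode srcip` is the usual alternative, and in either case packets over the limit are still dropped by the following `-j DROP`, just not logged. A header comment such as `# Log (rate-limited) and then drop; traffic over the limit is dropped silently` above `:LOGI4DROP - [0:0]` would make that behaviour clear to anyone reusing the ruleset. Dropping the separate `-A INPUT -p tcp -j DROP` rule is correct here, since unmatched TCP now reaches the logging chain instead of being discarded without a log entry.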