579
edits
Changes
Jump to navigation
Jump to search
Line 62:
Line 62: − + Line 170:
Line 170: − + Line 176:
Line 176: + + + − + − # Drop all other TCP traffic − -A INPUT -p tcp -j DROP − + +
Raspberry Pi IPv6 firewall tester installation (view source)
Revision as of 14:25, 31 December 2012
, 14:25, 31 December 2012no edit summary
:ICMP6FLTR - [0:0]
:ICMP6FLTR - [0:0]
:LOGIDROP - [0:0]
:LOGIDROP - [0:0]
-A LOGIDROP -m limit --limit 20/m --limit-burst 10 -j LOG --log-prefix "IPV6_INPUT_DROP" --log-ip-options --log-tcp-options --log-tcp-sequence
-A LOGIDROP -m limit --limit 20/m --limit-burst 10 -j LOG --log-prefix "IPV6_INPUT_DROP " --log-ip-options --log-tcp-options --log-tcp-sequence
-A LOGIDROP -j DROP
-A LOGIDROP -j DROP
#
#
# rc.d save ip6tables
# rc.d save ip6tables
Note that if you're also using IPv4 then don't forget to setup a similar IPv4 firewall ruleset. Again this example is only suitable for use in a trusted environment and needs further additions for an internet facing machine.
Note that if you're also using IPv4 then don't forget to setup a similar IPv4 firewall ruleset. Again this example is only suitable for use in a trusted environment and needs further consideration for an internet facing machine.
*filter
*filter
:FORWARD DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:LOGI4DROP - [0:0]
-A LOGI4DROP -m limit --limit 10/m --limit-burst 5 -j LOG --log-prefix "IPV4_INPUT_DROP " --log-ip-options --log-tcp-options --log-tcp-sequence
-A LOGI4DROP -j DROP
# Allow all loopback traffic
# Allow all loopback traffic
-A INPUT -i lo -j ACCEPT
-A INPUT -i lo -j ACCEPT
# Allow all traffic related to, or part of an established session
# Allow all traffic related to, or part of an established session
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# Allow ping of this host to aid debug
# Allow ping of this host to aid debug - comment out if not required
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
# Allow SSH and HTTP traffic
# Allow SSH and HTTP traffic
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 80 -j ACCEPT
# Allow DHCP related traffic
# Allow DHCP related traffic
-A INPUT -p udp --dport 67:68 -j ACCEPT
-A INPUT -p udp --dport 67:68 -j ACCEPT
# Drop everything else
# Drop everything else
-A INPUT -j DROP
-A INPUT -j LOGI4DROP
COMMIT
COMMIT
This time import can be performed using:
This time import can be performed using: