Categories: Network

Setting ip6tables custom script for IPv6

Well, together with the whole new world provided by IPv6 comes one big change: there is no NAT in front of your hosts any more, so the NAT-based "firewall" you got for free in IPv4 no longer exists, and every host with a global address is directly reachable.

As my friend put it .. "upside down and inside out".

So I opted for custom ip6tables rules that at least allow only certain service ports over IPv6 (imagine being able to mount an NFS share from somewhere via Android.. 8-) ).

#!/bin/sh
# Block every packet to IPv6 by default, then open ping and a few ports.
# Device setting
INT=eth0
IV6=sit+
# Define the service ports here
SSH=22
HTTP=80
# Turn on/off here (1 = open, 0 = closed)
OPEN_ICMP=1
OPEN_TCP=1
OPEN_SSH=0
OPEN_HTTP=1
# Path to the ip6tables binary
ipt=/sbin/ip6tables
echo "Starting IPv6 Firewall.."
# Clearing: flush all rules and delete user-defined chains
echo ".. Flushing old-tables"
$ipt -F
$ipt -X
# NOW let's drop everything off the IPv6
$ipt -P INPUT DROP
$ipt -P OUTPUT DROP
# ACCEPT forward ?
$ipt -P FORWARD DROP
# ALLOW our INTERNAL IPv6 forwarding to the outside world
$ipt -A FORWARD -i $INT -j ACCEPT
$ipt -A FORWARD -i $IV6 -j ACCEPT
# or OPEN it anyway if the above failed
#$ipt -A FORWARD -j ACCEPT
# Allow full outgoing but no unsolicited incoming;
# connection tracking lets the replies back in.
$ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# OUTPUT matches on the outgoing interface, so this needs -o (ip6tables rejects -i on OUTPUT)
$ipt -A OUTPUT -o $IV6 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
# ALLOW ping (ICMPv6). ICMPv6 also carries neighbour discovery and
# path-MTU messages, so IPv6 stops working if it is blocked entirely.
if [ "$OPEN_ICMP" -eq 1 ]; then
 echo ".. Allowing PING request"
 $ipt -A INPUT -p ipv6-icmp -j ACCEPT
 $ipt -A OUTPUT -p ipv6-icmp -j ACCEPT
fi
# OPEN certain ports
if [ "$OPEN_TCP" -eq 1 ]; then
 echo ".. Allowing TCP request"
 # SSH: accept inbound, let replies out as long as they are not a SYN
 if [ "$OPEN_SSH" -eq 1 ]; then
  echo "...  SSH"
  $ipt -A INPUT -p tcp --dport $SSH -j ACCEPT
  $ipt -A OUTPUT -p tcp --sport $SSH ! --syn -j ACCEPT
 fi
 # HTTP: same pattern
 if [ "$OPEN_HTTP" -eq 1 ]; then
  echo "...  HTTP"
  $ipt -A INPUT -p tcp --dport $HTTP -j ACCEPT
  $ipt -A OUTPUT -p tcp --sport $HTTP ! --syn -j ACCEPT
 fi
fi
# BLOCK incoming TCP connection requests
# didn't work somehow..
#$ipt -I INPUT -p tcp --syn -j DROP
#$ipt -I FORWARD -p tcp --syn -j DROP
echo "Started IPv6 Firewall.."

The above can be added to /etc/arno-iptables-firewall/customs if you already have
arno-iptables-firewall installed on the system..

I think it could possibly be improved later…
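As an added example (my own restructuring, not the script from the post), here is the same policy written as functions, with the OUTPUT rule corrected to -o and ICMPv6 narrowed to the message types IPv6 itself depends on instead of accepting the whole protocol; by default it prints the ip6tables commands so the rule set can be reviewed before it is applied. It assumes the same interface names (eth0, sit+) and the -m state match the post uses; the OPEN_PORTS variable and the function names are my own.

```shell
#!/bin/sh
# Added example, not the original post's script: emit the ip6tables rules
# with the OUTPUT chain corrected to -o and ICMPv6 narrowed to the types
# IPv6 needs. DRY_RUN=1 (default) prints the commands instead of running them.
IPT=${IPT:-/sbin/ip6tables}
INT=${INT:-eth0}
IV6=${IV6:-sit+}
DRY_RUN=${DRY_RUN:-1}
run() {
    if [ "$DRY_RUN" -eq 1 ]; then
        echo "$IPT $*"
    else
        "$IPT" "$@"
    fi
}

# ICMPv6 types that must pass for neighbour discovery, router discovery,
# path-MTU discovery and ping; every other ICMPv6 type stays dropped.
icmpv6_rules() {
    for t in destination-unreachable packet-too-big time-exceeded \
             parameter-problem echo-request echo-reply \
             neighbour-solicitation neighbour-advertisement \
             router-solicitation router-advertisement; do
        run -A INPUT  -p ipv6-icmp --icmpv6-type "$t" -j ACCEPT
        run -A OUTPUT -p ipv6-icmp --icmpv6-type "$t" -j ACCEPT
    done
}

# Open one TCP service port: new connections in, replies out (never a SYN).
open_tcp_port() {
    run -A INPUT  -p tcp --dport "$1" -j ACCEPT
    run -A OUTPUT -p tcp --sport "$1" ! --syn -j ACCEPT
}

apply_ipv6_firewall() {
    run -F; run -X
    run -P INPUT DROP; run -P OUTPUT DROP; run -P FORWARD DROP
    run -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # OUTPUT matches the outgoing interface, so -o, not -i as in the post
    run -A OUTPUT -o "$IV6" -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    run -A FORWARD -i "$INT" -j ACCEPT
    run -A FORWARD -i "$IV6" -j ACCEPT
    icmpv6_rules
    for p in ${OPEN_PORTS:-80}; do open_tcp_port "$p"; done   # space-separated list
}

# Usage: sh ip6fw.sh apply           (prints the rules)
#        DRY_RUN=0 sh ip6fw.sh apply (applies them, as root)
if [ "${1:-}" = "apply" ]; then apply_ipv6_firewall; fi
```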

Namran Hussin

Tags: firewall, ipv6