    Categories: Network

Setting ip6tables custom script for IPv6

Well, together with the whole new world provided by IPv6, the NAT-based firewall we relied on in IPv4 is no longer there.

As my friend put it: “upside down and inside out”.

So I opted for custom ip6tables rules, at least to allow only certain
service ports over IPv6 (imagine being able to mount an NFS share from somewhere via Android.. 8-) ).

#!/bin/sh
# This is to block all packets to IPv6 but
# open ping and some ports
# Device setting
INT=eth0
IV6=sit+
# Define service ports here
SSH=22
HTTP=80
# Turn on/off here
OPEN_ICMP=1
OPEN_TCP=1
OPEN_SSH=0
OPEN_HTTP=1
# Standard lib
# Define the ip6tables binary here
ipt=/sbin/ip6tables
echo "Starting IPv6 Firewall.."
# clearing
echo ".. Flushing old tables"
$ipt -F
$ipt -X
# NOW let's drop everything off the IPv6
$ipt -P INPUT DROP
$ipt -P OUTPUT DROP
# ACCEPT forward ?
$ipt -P FORWARD DROP
# ALLOW our INTERNAL IPv6 forwarding to the outside world
$ipt -A FORWARD -i $INT -j ACCEPT
$ipt -A FORWARD -i $IV6 -j ACCEPT
# or OPEN it anyway if the above failed
#$ipt -A FORWARD -j ACCEPT
# Allow full outgoing but no incoming
# This is supposed to allow connection tracking
$ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# OUTPUT matches on the outgoing interface (-o); -i is only valid in INPUT/FORWARD
$ipt -A OUTPUT -o $IV6 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
# ALLOW ping (ICMPv6)
# Note: ICMPv6 also carries Neighbour Discovery and Path MTU discovery,
# so IPv6 stops working on the link if this is switched off.
if [ "$OPEN_ICMP" -eq 1 ]; then
 echo ".. Allowing PING request"
 $ipt -A INPUT -p ipv6-icmp -j ACCEPT
 $ipt -A OUTPUT -p ipv6-icmp -j ACCEPT
fi
# OPEN certain ports
if [ "$OPEN_TCP" -eq 1 ]; then
 echo ".. Allowing TCP requests"
 # SSH
 if [ "$OPEN_SSH" -eq 1 ]; then
  echo "...  SSH"
  $ipt -A INPUT -p tcp --dport $SSH -j ACCEPT
  $ipt -A OUTPUT -p tcp --sport $SSH ! --syn -j ACCEPT
 fi
 # HTTP
 if [ "$OPEN_HTTP" -eq 1 ]; then
  echo "...  HTTP"
  $ipt -A INPUT -p tcp --dport $HTTP -j ACCEPT
  $ipt -A OUTPUT -p tcp --sport $HTTP ! --syn -j ACCEPT
 fi
fi
# BLOCK incoming TCP connection requests
# didn't work somehow..
# (-I inserts at the head of the chain, so it is evaluated before the ACCEPT
#  rules above and drops the opened ports too; with policy DROP it is redundant)
#$ipt -I INPUT -p tcp --syn -j DROP
#$ipt -I FORWARD -p tcp --syn -j DROP
echo "Started IPv6 Firewall.."

The above can be added to /etc/arno-iptables-firewall/customs if you already have
arno-iptables-firewall installed on the system.

I think it could possibly be improved later…
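One improvement, as an added example rather than the script from this post: emit the same policy as an ip6tables-restore file so it loads atomically (no window with empty chains between the flush and the last rule), and narrow the ICMPv6 accept to the types IPv6 cannot function without instead of the whole protocol. The knob names mirror the post's variables; the interface default eth0 and the ICMPv6 type list are assumptions.

```shell
#!/bin/sh
# Added example, not the original post's script: same knobs, rules written in
# ip6tables-restore format so the whole set is committed in one step.
INT=${INT:-eth0}
SSH=${SSH:-22}
HTTP=${HTTP:-80}
OPEN_SSH=${OPEN_SSH:-0}
OPEN_HTTP=${OPEN_HTTP:-1}

# Print a filter-table ruleset for ip6tables-restore on stdout.
gen_ip6_rules() {
  printf '*filter\n'
  printf ':INPUT DROP [0:0]\n:FORWARD DROP [0:0]\n:OUTPUT DROP [0:0]\n'
  # Loopback and connection tracking; OUTPUT matches on -o, never -i.
  printf -- '-A INPUT -i lo -j ACCEPT\n-A OUTPUT -o lo -j ACCEPT\n'
  printf -- '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT\n'
  printf -- '-A OUTPUT -o %s -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT\n' "$INT"
  # ICMPv6 types (assumed minimum set): 1-4 error reporting incl. Packet Too Big,
  # 128/129 echo, 133-136 Neighbour Discovery. Blocking these silences the link.
  for t in 1 2 3 4 128 129 133 134 135 136; do
    printf -- '-A INPUT -p ipv6-icmp --icmpv6-type %s -j ACCEPT\n' "$t"
    printf -- '-A OUTPUT -p ipv6-icmp --icmpv6-type %s -j ACCEPT\n' "$t"
  done
  # Only the SYN of a NEW connection needs an explicit accept; replies ride on
  # the ESTABLISHED rule, so no --sport rules in OUTPUT are required.
  if [ "$OPEN_SSH" -eq 1 ]; then
    printf -- '-A INPUT -p tcp --dport %s --syn -m conntrack --ctstate NEW -j ACCEPT\n' "$SSH"
  fi
  if [ "$OPEN_HTTP" -eq 1 ]; then
    printf -- '-A INPUT -p tcp --dport %s --syn -m conntrack --ctstate NEW -j ACCEPT\n' "$HTTP"
  fi
  printf 'COMMIT\n'
}

# Replace the live filter table with the generated set (needs root).
load_ip6_rules() {
  gen_ip6_rules | ip6tables-restore
}

# Usage: ./ip6fw.sh load   (anything else just prints the ruleset for review)
if [ "${1:-}" = "load" ]; then load_ip6_rules; else gen_ip6_rules; fi
```

Run it without arguments first and read the output; `ip6tables-save` afterwards should show exactly the printed rules.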

Namran Hussin: a soft spoken guy... with exceptional interest in computers and technology. I love to learn new thing and also love to break thing for the sake of learning.. but I do abide to the self-imposed limitation or certain thing such as social thing in life, thing can be done and thing that must be avoided at whatever cost such as drug,illegal tracking, smoke,illicit activity..etc.muahahaha let's share what we had in this short term of the life.! make it worth of the living.~