Loading ipt-nat_core.v6 0 → 100644 +82 −0 Original line number Diff line number Diff line #!/bin/bash -- # /usr/local/sbin/fw-mbl_core.v6 # miphix@insomnia247.nl # tested with: iptables v1.6.0 # Purpose: To bring up a robust firewall at bootup. # 'Cleanup and reset' # 'User Chains' /sbin/ip6tables -N TCP /sbin/ip6tables -N UDP # 'Defaulting' /sbin/ip6tables -P FORWARD DROP /sbin/ip6tables -P OUTPUT DROP /sbin/ip6tables -P INPUT DROP # 'INPUT' /sbin/ip6tables -A INPUT -i lo -j ACCEPT /sbin/ip6tables -A INPUT ! -i lo -s ::1 -j DROP /sbin/ip6tables -A INPUT -m conntrack --ctstate INVALID -j DROP # -- NEW -- /sbin/ip6tables -A INPUT -s fe80::/10 -p ipv6-icmp -j ACCEPT # .` TCP `. /sbin/ip6tables -A INPUT -p tcp --syn -m conntrack --ctstate NEW -j TCP /sbin/ip6tables -I INPUT -p tcp -m recent --update --rsource --seconds 60 \ --name TCP-PSCAN -j DROP # `. UDP .` /sbin/ip6tables -A INPUT -p udp -m conntrack --ctstate NEW -j UDP # -- ! NEW -- /sbin/ip6tables -A INPUT -p ipv6-icmp -m conntrack --ctstate RELATED,ESTABLISHED \ -j ACCEPT /sbin/ip6tables -A INPUT -p tcp -m conntrack --ctstate ESTABLISHED \ --sport 22 -j ACCEPT #/sbin/ip6tables -A INPUT -p udp -m conntrack --ctstate ESTABLISHED \ # --sport 53 -j ACCEPT /sbin/ip6tables -A INPUT -p tcp -m conntrack --ctstate ESTABLISHED \ --sport 80 -j ACCEPT /sbin/ip6tables -A INPUT -p tcp -m conntrack --ctstate ESTABLISHED \ --sport 443 -j ACCEPT # 'OUTPUT' /sbin/ip6tables -A OUTPUT -o lo -j ACCEPT /sbin/ip6tables -A OUTPUT ! 
-o lo -d ::1 -j DROP /sbin/ip6tables -A OUTPUT -p ipv6-icmp -j ACCEPT /sbin/ip6tables -A OUTPUT -p tcp -m conntrack --ctstate NEW,ESTABLISHED \ --dport 22 -j ACCEPT #/sbin/ip6tables -A OUTPUT -p udp -m conntrack --ctstate NEW,ESTABLISHED \ # --dport 53 -j ACCEPT /sbin/ip6tables -A OUTPUT -p tcp -m conntrack --ctstate NEW,ESTABLISHED \ --dport 80 -j ACCEPT /sbin/ip6tables -A OUTPUT -p tcp -m conntrack --ctstate NEW,ESTABLISHED \ --dport 443 -j ACCEPT # 'FORWARD' # 'PREROUTING' /sbin/ip6tables -t raw -I PREROUTING -m rpfilter --invert -j ACCEPT /sbin/ip6tables -t raw -I PREROUTING -j DROP # 'LOG' /sbin/ip6tables -A FORWARD -m limit --limit 3/min -j LOG --log-prefix \ "ipt_FORWARD_denied: " --log-level 4 /sbin/ip6tables -A OUTPUT -m limit --limit 3/min -j LOG --log-prefix \ "ipt_OUTPUT_denied: " --log-level 4 /sbin/ip6tables -A INPUT -m limit --limit 3/min -j LOG --log-prefix \ "ipt_INPUT_denied: " --log-level 4 # 'Terminate' /sbin/ip6tables -A INPUT -p tcp -m recent --set --rsource --name TCP-PSCAN \ -j DROP /sbin/ip6tables -A INPUT -p udp -m recent --set --rsource --name UDP-PSCAN \ -j DROP No newline at end of file Loading
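Review bot: The two raw-table rules under `# 'PREROUTING'` lock the host out: both use `-I`, so the unconditional `-j DROP` ends up at position 1 of raw PREROUTING and discards every inbound packet (loopback and ESTABLISHED flows included) before the filter table is reached, and even in the intended order `-m rpfilter --invert -j ACCEPT` accepts the packets that fail reverse-path checking rather than those that pass. The usual anti-spoofing form is a single rule replacing both lines, `/sbin/ip6tables -t raw -I PREROUTING -m rpfilter --invert -j DROP`. The `# 'Cleanup and reset'` section is empty, so a second run fails on `-N TCP`/`-N UDP` and appends duplicate rules; flushing (`-F`, `-t raw -F`) and removing user chains (`-X`) first would make the script idempotent. The `UDP-PSCAN` list is populated by the final `--set` rule but, unlike `TCP-PSCAN`, never consulted by an `--update` rule, so it currently has no effect; either add the matching `-p udp -m recent --update --rsource --seconds 60 --name UDP-PSCAN -j DROP` or remove the bookkeeping rule. The TCP and UDP user chains are created empty here, so I assume another script fills them; if not, every NEW connection falls through to the LOG rule and the Terminate DROP.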
ipt-nat_core.v6 0 → 100644 +82 −0 Original line number Diff line number Diff line #!/bin/bash -- # /usr/local/sbin/fw-mbl_core.v6 # miphix@insomnia247.nl # tested with: iptables v1.6.0 # Purpose: To bring up a robust firewall at bootup. # 'Cleanup and reset' # 'User Chains' /sbin/ip6tables -N TCP /sbin/ip6tables -N UDP # 'Defaulting' /sbin/ip6tables -P FORWARD DROP /sbin/ip6tables -P OUTPUT DROP /sbin/ip6tables -P INPUT DROP # 'INPUT' /sbin/ip6tables -A INPUT -i lo -j ACCEPT /sbin/ip6tables -A INPUT ! -i lo -s ::1 -j DROP /sbin/ip6tables -A INPUT -m conntrack --ctstate INVALID -j DROP # -- NEW -- /sbin/ip6tables -A INPUT -s fe80::/10 -p ipv6-icmp -j ACCEPT # .` TCP `. /sbin/ip6tables -A INPUT -p tcp --syn -m conntrack --ctstate NEW -j TCP /sbin/ip6tables -I INPUT -p tcp -m recent --update --rsource --seconds 60 \ --name TCP-PSCAN -j DROP # `. UDP .` /sbin/ip6tables -A INPUT -p udp -m conntrack --ctstate NEW -j UDP # -- ! NEW -- /sbin/ip6tables -A INPUT -p ipv6-icmp -m conntrack --ctstate RELATED,ESTABLISHED \ -j ACCEPT /sbin/ip6tables -A INPUT -p tcp -m conntrack --ctstate ESTABLISHED \ --sport 22 -j ACCEPT #/sbin/ip6tables -A INPUT -p udp -m conntrack --ctstate ESTABLISHED \ # --sport 53 -j ACCEPT /sbin/ip6tables -A INPUT -p tcp -m conntrack --ctstate ESTABLISHED \ --sport 80 -j ACCEPT /sbin/ip6tables -A INPUT -p tcp -m conntrack --ctstate ESTABLISHED \ --sport 443 -j ACCEPT # 'OUTPUT' /sbin/ip6tables -A OUTPUT -o lo -j ACCEPT /sbin/ip6tables -A OUTPUT ! 
-o lo -d ::1 -j DROP /sbin/ip6tables -A OUTPUT -p ipv6-icmp -j ACCEPT /sbin/ip6tables -A OUTPUT -p tcp -m conntrack --ctstate NEW,ESTABLISHED \ --dport 22 -j ACCEPT #/sbin/ip6tables -A OUTPUT -p udp -m conntrack --ctstate NEW,ESTABLISHED \ # --dport 53 -j ACCEPT /sbin/ip6tables -A OUTPUT -p tcp -m conntrack --ctstate NEW,ESTABLISHED \ --dport 80 -j ACCEPT /sbin/ip6tables -A OUTPUT -p tcp -m conntrack --ctstate NEW,ESTABLISHED \ --dport 443 -j ACCEPT # 'FORWARD' # 'PREROUTING' /sbin/ip6tables -t raw -I PREROUTING -m rpfilter --invert -j ACCEPT /sbin/ip6tables -t raw -I PREROUTING -j DROP # 'LOG' /sbin/ip6tables -A FORWARD -m limit --limit 3/min -j LOG --log-prefix \ "ipt_FORWARD_denied: " --log-level 4 /sbin/ip6tables -A OUTPUT -m limit --limit 3/min -j LOG --log-prefix \ "ipt_OUTPUT_denied: " --log-level 4 /sbin/ip6tables -A INPUT -m limit --limit 3/min -j LOG --log-prefix \ "ipt_INPUT_denied: " --log-level 4 # 'Terminate' /sbin/ip6tables -A INPUT -p tcp -m recent --set --rsource --name TCP-PSCAN \ -j DROP /sbin/ip6tables -A INPUT -p udp -m recent --set --rsource --name UDP-PSCAN \ -j DROP No newline at end of file