Setting up a custom ip6tables script for IPv6

IPv6 brings a whole new world with it, and one thing it takes away is the
NAT-based "firewall" that IPv4 gave you for free: every host now has a globally
routable address, so nothing hides behind the router by default.

As my friend put it: "upside down and inside out".

So I opted for custom ip6tables rules that at least restrict IPv6 to a few
chosen service ports (imagine mounting an NFS share from somewhere via Android.. 😎).

# Drop every IPv6 packet except connection-tracked replies, ICMPv6 and
# a few selected service ports.
# Device settings
INT=eth0         # LAN interface
IV6=sit+         # 6in4 tunnel interface(s) carrying the IPv6 uplink
# Service ports
SSH=22
HTTP=80
# Switches (1 = open, 0 = closed)
OPEN_ICMP=1      # 0 also blocks Neighbor Discovery and Router Advertisements,
                 # which are ICMPv6, so IPv6 stops working altogether
OPEN_TCP=1
OPEN_SSH=0
OPEN_HTTP=1
# ip6tables binary
ipt=/sbin/ip6tables
echo "Starting IPv6 Firewall.."
# Flush the old rules and delete user-defined chains
echo ".. Flushing old tables"
$ipt -F
$ipt -X
# Default policy: drop everything in all three chains
$ipt -P INPUT DROP
$ipt -P OUTPUT DROP
$ipt -P FORWARD DROP
# Loopback (::1) must stay open or local IPv6 services break
$ipt -A INPUT -i lo -j ACCEPT
$ipt -A OUTPUT -o lo -j ACCEPT
# FORWARD: let the LAN out through the tunnel, and only tracked replies
# back in. A plain "-i $IV6 -j ACCEPT" would forward anything arriving
# from the Internet straight to the LAN hosts, which is what NAT used to hide.
$ipt -A FORWARD -i $INT -o $IV6 -j ACCEPT
$ipt -A FORWARD -i $IV6 -o $INT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Connection tracking: replies to our own connections come in, anything
# initiated locally may go out over the tunnel (OUTPUT matches on -o, not -i)
$ipt -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
$ipt -A OUTPUT -o $IV6 -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
# ICMPv6: ping, but also Neighbor Discovery and Path MTU Discovery
if [ "$OPEN_ICMP" = 1 ]; then
 echo ".. Allowing ICMPv6"
 $ipt -A INPUT -p ipv6-icmp -j ACCEPT
 $ipt -A OUTPUT -p ipv6-icmp -j ACCEPT
fi
# Selected TCP service ports
if [ "$OPEN_TCP" = 1 ]; then
 echo ".. Allowing TCP requests"
 # SSH
 if [ "$OPEN_SSH" = 1 ]; then
  echo "...  SSH"
  $ipt -A INPUT -p tcp --dport $SSH -j ACCEPT
  # replies leave with our service port as source and never carry a bare SYN
  $ipt -A OUTPUT -p tcp --sport $SSH ! --syn -j ACCEPT
 fi
 # HTTP
 if [ "$OPEN_HTTP" = 1 ]; then
  echo "...  HTTP"
  $ipt -A INPUT -p tcp --dport $HTTP -j ACCEPT
  $ipt -A OUTPUT -p tcp --sport $HTTP ! --syn -j ACCEPT
 fi
fi
# An explicit drop of incoming SYNs is not needed: the INPUT policy is DROP
# already, and inserting such a rule at the top with -I puts it in front of
# the ACCEPT rules above, so it would also block the opened ports.
#$ipt -I INPUT -p tcp --syn -j DROP
#$ipt -I FORWARD -p tcp --syn -j DROP
echo "Started IPv6 Firewall.."

The above can be added to /etc/arno-iptables-firewall/custom-rules if you already have
arno-iptables-firewall installed on the system.

I think it could probably be improved later.
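One improvement worth making is to replace the all-or-nothing OPEN_ICMP switch with a per-type ICMPv6 allow-list, so that ping can be closed without taking Neighbor Discovery and Path MTU Discovery down with it. The script below is an added example, not code from the original post; it assumes IPT points at the ip6tables binary, and every function only prints the commands, so it runs unprivileged and the output can be reviewed and then piped into sh as root to apply it.

```shell
#!/bin/sh
# Added example, not code from the original post: a per-type ICMPv6
# allow-list for ip6tables instead of the all-or-nothing OPEN_ICMP switch.
# Assumptions: IPT is the ip6tables binary; every function only prints the
# commands, so the script runs unprivileged and the output can be reviewed
# and then piped into "sh" as root to apply it.
IPT="${IPT:-/sbin/ip6tables}"

# ICMPv6 types a host needs even if it answers no pings (see RFC 4890):
#   1 destination unreachable, 2 packet too big (path MTU discovery),
#   3 time exceeded, 4 parameter problem,
#   133/134 router solicitation/advertisement (address autoconfiguration),
#   135/136 neighbour solicitation/advertisement (address resolution, DAD).
essential_icmpv6_types() {
    printf '%s\n' 1 2 3 4 133 134 135 136
}

# Print the rules for one chain (INPUT or OUTPUT). Neighbour Discovery
# messages are link-local and are sent with hop limit 255 (RFC 4861); a
# packet that claims to be ND with a lower hop limit has crossed a router
# and is bogus, so the ND rules match on the hop limit as well.
icmpv6_rules() {
    chain="$1"
    for t in $(essential_icmpv6_types); do
        case "$t" in
        133|134|135|136)
            echo "$IPT -A $chain -p ipv6-icmp --icmpv6-type $t -m hl --hl-eq 255 -j ACCEPT"
            ;;
        *)
            echo "$IPT -A $chain -p ipv6-icmp --icmpv6-type $t -j ACCEPT"
            ;;
        esac
    done
}

# Echo request (128) and reply (129), kept apart from the essential types
# so ping can be closed without breaking neighbour discovery. Incoming
# requests are rate limited so the host cannot be used as a ping sink.
ping_rules() {
    chain="$1"
    if [ "$chain" = INPUT ]; then
        echo "$IPT -A $chain -p ipv6-icmp --icmpv6-type 128 -m limit --limit 5/second -j ACCEPT"
    else
        echo "$IPT -A $chain -p ipv6-icmp --icmpv6-type 128 -j ACCEPT"
    fi
    echo "$IPT -A $chain -p ipv6-icmp --icmpv6-type 129 -j ACCEPT"
}

# Loopback must always pass when INPUT and OUTPUT have a DROP policy,
# otherwise anything talking to ::1 breaks.
lo_rules() {
    echo "$IPT -A INPUT -i lo -j ACCEPT"
    echo "$IPT -A OUTPUT -o lo -j ACCEPT"
}

# Full rule set; OPEN_PING=0 keeps neighbour discovery but closes ping.
all_rules() {
    lo_rules
    icmpv6_rules INPUT
    icmpv6_rules OUTPUT
    if [ "${OPEN_PING:-1}" = 1 ]; then
        ping_rules INPUT
        ping_rules OUTPUT
    fi
}

# Print the rules; run "sh script.sh | sudo sh" to apply them.
all_rules
```

These rules belong in place of the two blanket ipv6-icmp ACCEPT lines in the script above; with them in place, OPEN_PING=0 closes ping while addresses, neighbour resolution and path MTU discovery keep working.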

4 Responses

  1. sateesh says:

    ocal Options hash (VER=V4): ‘3a33122d’
    192.168.0.238:4987 TLS: Initial packet from 192.168.0.238:4987, sid=c3af5dde a883362d
    : 192.168.0.238:4957 TLS Error: TLS handshake failed
    192.168.0.238:4957 SIGUSR1[soft,tls-error] received, client-instance restarting
    : MULTI: multi_create_instance called
    192.168.0.238:4988 Re-using SSL/TLS context
    192.168.0.238:4988 LZO compression initialized
    192.168.0.238:4988 Control Channel MTU parms [ L:1538 D:138 EF:38 EB:0 ET:0 EL:0 ]

  2. sateesh says:

    Please, can anyone help with this?

    ocal Options hash (VER=V4): ‘3a33122d’
    192.168.0.238:4987 TLS: Initial packet from 192.168.0.238:4987, sid=c3af5dde a883362d
    : 192.168.0.238:4957 TLS Error: TLS handshake failed
    192.168.0.238:4957 SIGUSR1[soft,tls-error] received, client-instance restarting
    : MULTI: multi_create_instance called
    192.168.0.238:4988 Re-using SSL/TLS context
    192.168.0.238:4988 LZO compression initialized
    192.168.0.238:4988 Control Channel MTU parms [ L:1538 D:138 EF:38 EB:0 ET:0 EL:0 ]

    • namran says:

      Check the TLS auth setting at the server; it should be server-side auth only.

  3. Bestvpncanada.com says:

    Thank you for posting this awesome article. I have searched for a long time for an answer
    on this subject and I have finally found it on your site.
    I subscribed to your blog and shared it on my Facebook.
    Thanks again for this great post!
