metalmajor
/
openadk
forked from oss/openadk


			
				
					
						
						
							1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162636465666768697071727374757677787980818283848586878889909192939495969798
							#!/bin/sh
echo "configure /etc/firewall6.conf first."
exit 1

### Interfaces
WAN=sixxs
LAN=br0
WLAN=wlan0

######################################################################
### Default ruleset
######################################################################

### Create chains
ip6tables -N input_rule
ip6tables -N forwarding_rule

### Default policy
ip6tables -P INPUT DROP
ip6tables -P FORWARD DROP
ip6tables -P OUTPUT DROP

### INPUT
###  (connections with the router as destination)

# base case
ip6tables -A INPUT -m state --state INVALID -j DROP
ip6tables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
ip6tables -A INPUT -p tcp --tcp-flags SYN SYN \! --tcp-option 2 -j DROP

# custom rules
ip6tables -A INPUT -j input_rule

# allow access from anything but WAN
ip6tables -A INPUT ${WAN:+\! -i $WAN} -j ACCEPT
# allow icmp messages
ip6tables -A INPUT -p icmp6 -j ACCEPT

# reject
ip6tables -A INPUT -p tcp -j REJECT --reject-with tcp-reset
ip6tables -A INPUT -j REJECT --reject-with icmp6-port-unreachable

### OUTPUT
###  (connections with the router as source)

# base case
ip6tables -A OUTPUT -m state --state RELATED,ESTABLISHED,NEW -j ACCEPT
ip6tables -A OUTPUT -p icmp6 -j ACCEPT

### FORWARD
###  (connections routed through the router)

# base case
ip6tables -A FORWARD -m state --state INVALID -j DROP
ip6tables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT

# fix for broken ISPs blocking ICMPv6 "packet too big" packets
#ip6tables -t mangle -A FORWARD -p tcp -o $WAN --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu

# custom rules
ip6tables -A FORWARD -j forwarding_rule

# allow LAN
ip6tables -A FORWARD -i $LAN -o $WAN -j ACCEPT

######################################################################
### Default ruleset end
######################################################################

###
### Connections to the router
###

# ssh
#ip6tables -A input_rule -i $WAN -p tcp -s <a.b.c.d> --dport 22 -j ACCEPT

# IPSec
#ip6tables -A input_rule -i $WAN -p esp -s <a.b.c.d> -j ACCEPT
#ip6tables -A input_rule -i $WAN -p udp -s <a.b.c.d> --dport 500 -j ACCEPT

# OpenVPN
#ip6tables -A input_rule -i $WAN -p udp -s <a.b.c.d> --dport 1194 -j ACCEPT

# PPTP
#ip6tables -A input_rule -i $WAN -p gre -j ACCEPT
#ip6tables -A input_rule -i $WAN -p tcp --dport 1723 -j ACCEPT

###
###  VPN traffic
###

# IPSec
#ip6tables -A forwarding_rule -o ipsec+ -j ACCEPT
#ip6tables -A forwarding_rule -i ipsec+ -j ACCEPT

# OpenVPN
#ip6tables -A forwarding_rule -o tun+ -j ACCEPT
#ip6tables -A forwarding_rule -i tun+ -j ACCEPT