Home Explore Help
Sign In
oss
/
openadk
4
1
Fork 3
Files Issues 1 Pull Requests 0 Wiki
Browse Source

ip6tables review

Init-script and config based on the IPv4-ones, but all NAT-related stuff
dropped.
Phil Sutter 14 years ago
parent
39d8800fe6
commit
6e43615873
4 changed files with 135 additions and 3 deletions
Split View Show Diff Stats
  1. 5 3
      package/iptables/Makefile
  2. 98 0
      package/iptables/files/firewall6.conf
  3. 31 0
      package/iptables/files/firewall6.init
  4. 1 0
      package/iptables/files/iptables.postinst

+ 5 - 3
package/iptables/Makefile
View File 

@@ -14,6 +14,8 @@ PKG_DEPENDS+=		kmod-nf-conntrack-ipv4 kmod-nf-nat
 
 PKG_DEPENDS+=		kmod-ip-nf-target-masquerade kmod-ip-nf-target-reject
 
 PKG_DEPENDS+=		kmod-ip-nf-filter kmod-ip-nf-match-state 
 PKG_DEPENDS+=		kmod-netfilter-xt-target-tcpmss
 
+PKG_DEPENDS6:=		kmod-ip6-nf-iptables kmod-nf-conntrack-ipv6
 
+PKG_DEPENDS6+=		kmod-ip6-nf-filter kmod-ip6-nf-target-reject
 
 PKG_URL:=		http://www.netfilter.org
 
 PKG_SITES:=		http://www.netfilter.org/projects/iptables/files/ \
 
 			ftp://ftp.be.netfilter.org/pub/netfilter/iptables/ \
 
@@ -29,7 +31,7 @@ include ${TOPDIR}/mk/package.mk
 
 #include ${LINUX_DIR}/.config
 
 
 $(eval $(call PKG_template,IPTABLES,iptables,${PKG_VERSION}-${PKG_RELEASE},${PKG_DEPENDS},${PKG_DESCR},${PKG_SECTION}))
 
-$(eval $(call PKG_template,IP6TABLES,ip6tables,${PKG_VERSION}-${PKG_RELEASE},${PKG_DEPENDS},${PKG_DESCR},${PKG_SECTION}))
 
+$(eval $(call PKG_template,IP6TABLES,ip6tables,${PKG_VERSION}-${PKG_RELEASE},${PKG_DEPENDS6},${PKG_DESCR},${PKG_SECTION}))
 
 
 CONFIGURE_ARGS+=	--enable-devel
 
 
@@ -44,8 +46,8 @@ post-install: ${SUB_INSTALL-m} ${SUB_INSTALL-y}
 
 	${CP} ${WRKINST}/usr/lib/libxtables.so* ${IDIR_IPTABLES}/usr/lib
 
 
 ip6tables-install:
 
-	${INSTALL_DIR} ${IDIR_IP6TABLES}/usr/lib
 
-	${INSTALL_DIR} ${IDIR_IP6TABLES}/usr/sbin
 
+	${INSTALL_DIR} ${IDIR_IP6TABLES}/{usr/lib,etc,usr/sbin}
 
+	${INSTALL_DATA} ./files/firewall6.conf ${IDIR_IP6TABLES}/etc
 
 	${INSTALL_BIN} ${WRKINST}/usr/sbin/ip6tables ${IDIR_IP6TABLES}/usr/sbin/
 
 	${CP} ${WRKINST}/usr/lib/libip6tc.so* ${IDIR_IP6TABLES}/usr/lib

+ 98 - 0
package/iptables/files/firewall6.conf
View File 

@@ -0,0 +1,98 @@
 
+#!/bin/sh
 
+echo "configure /etc/firewall6.conf first."
 
+exit 1
 
+
 
+### Interfaces
 
+WAN=sixxs
 
+LAN=br0
 
+WLAN=wlan0
 
+
 
+######################################################################
 
+### Default ruleset
 
+######################################################################
 
+
 
+### Create chains
 
+ip6tables -N input_rule
 
+ip6tables -N forwarding_rule
 
+
 
+### Default policy
 
+ip6tables -P INPUT DROP
 
+ip6tables -P FORWARD DROP
 
+ip6tables -P OUTPUT DROP
 
+
 
+### INPUT
 
+###  (connections with the router as destination)
 
+
 
+# base case
 
+ip6tables -A INPUT -m state --state INVALID -j DROP
 
+ip6tables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
 
+ip6tables -A INPUT -p tcp --tcp-flags SYN SYN \! --tcp-option 2 -j DROP
 
+
 
+# custom rules
 
+ip6tables -A INPUT -j input_rule
 
+
 
+# allow access from anything but WAN
 
+ip6tables -A INPUT ${WAN:+\! -i $WAN} -j ACCEPT
 
+# allow icmp messages
 
+ip6tables -A INPUT -p icmp6 -j ACCEPT
 
+
 
+# reject
 
+ip6tables -A INPUT -p tcp -j REJECT --reject-with tcp-reset
 
+ip6tables -A INPUT -j REJECT --reject-with icmp6-port-unreachable
 
+
 
+### OUTPUT
 
+###  (connections with the router as source)
 
+
 
+# base case
 
+ip6tables -A OUTPUT -m state --state RELATED,ESTABLISHED,NEW -j ACCEPT
 
+ip6tables -A OUTPUT -p icmp6 -j ACCEPT
 
+
 
+### FORWARD
 
+###  (connections routed through the router)
 
+
 
+# base case
 
+ip6tables -A FORWARD -m state --state INVALID -j DROP
 
+ip6tables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
 
+
 
+# fix for broken ISPs blocking ICMPv6 "packet too big" packets
 
+#ip6tables -t mangle -A FORWARD -p tcp -o $WAN --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
 
+
 
+# custom rules
 
+ip6tables -A FORWARD -j forwarding_rule
 
+
 
+# allow LAN
 
+ip6tables -A FORWARD -i $LAN -o $WAN -j ACCEPT
 
+
 
+######################################################################
 
+### Default ruleset end
 
+######################################################################
 
+
 
+###
 
+### Connections to the router
 
+###
 
+
 
+# ssh
 
+#ip6tables -A input_rule -i $WAN -p tcp -s <a.b.c.d> --dport 22 -j ACCEPT
 
+
 
+# IPSec
 
+#ip6tables -A input_rule -i $WAN -p esp -s <a.b.c.d> -j ACCEPT
 
+#ip6tables -A input_rule -i $WAN -p udp -s <a.b.c.d> --dport 500 -j ACCEPT
 
+
 
+# OpenVPN
 
+#ip6tables -A input_rule -i $WAN -p udp -s <a.b.c.d> --dport 1194 -j ACCEPT
 
+
 
+# PPTP
 
+#ip6tables -A input_rule -i $WAN -p gre -j ACCEPT
 
+#ip6tables -A input_rule -i $WAN -p tcp --dport 1723 -j ACCEPT
 
+
 
+###
 
+###  VPN traffic
 
+###
 
+
 
+# IPSec
 
+#ip6tables -A forwarding_rule -o ipsec+ -j ACCEPT
 
+#ip6tables -A forwarding_rule -i ipsec+ -j ACCEPT
 
+
 
+# OpenVPN
 
+#ip6tables -A forwarding_rule -o tun+ -j ACCEPT
 
+#ip6tables -A forwarding_rule -i tun+ -j ACCEPT

+ 31 - 0
package/iptables/files/firewall6.init
View File 

@@ -0,0 +1,31 @@
 
+#!/bin/sh
 
+#PKG iptables
 
+#INIT 45
 
+. /etc/rc.conf
 
+
 
+case $1 in
 
+autostop) ;;
 
+autostart)
 
+	test x"${firewall6:-NO}" = x"NO" && exit 0
 
+	exec sh $0 start
 
+	;;
 
+start)
 
+	. /etc/firewall6.conf
 
+	;;
 
+stop)
 
+	### Clear tables
 
+	ip6tables -F
 
+	ip6tables -X
 
+	ip6tables -P INPUT ACCEPT
 
+	ip6tables -P FORWARD ACCEPT
 
+	ip6tables -P OUTPUT ACCEPT
 
+	;;
 
+restart)
 
+	sh $0 stop
 
+	sh $0 start
 
+	;;
 
+*)
 
+	echo "Usage: $0 {start | stop | restart}"
 
+	;;
 
+esac
 
+exit $?

+ 1 - 0
package/iptables/files/iptables.postinst
View File 

@@ -2,3 +2,4 @@
 
 . $IPKG_INSTROOT/etc/functions.sh
 
 
 add_rcconf iptables firewall NO
 
+add_rcconf iptables firewall6 NO