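--- /dev/null
+++ b/PATH-UNKNOWN
@@ -0,0 +1,98 @@
+#!/bin/sh
+echo "configure /etc/firewall6.conf first."
+exit 1
+
+### Interfaces
+WAN=sixxs
+LAN=br0
+WLAN=wlan0
+
+######################################################################
+### Default ruleset
+######################################################################
+
+### Create chains
+ip6tables -N input_rule
+ip6tables -N forwarding_rule
+
+### Default policy
+ip6tables -P INPUT DROP
+ip6tables -P FORWARD DROP
+ip6tables -P OUTPUT DROP
+
+### INPUT
+### (connections with the router as destination)
+
+# base case
+ip6tables -A INPUT -m state --state INVALID -j DROP
+ip6tables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
+ip6tables -A INPUT -p tcp --tcp-flags SYN SYN \! --tcp-option 2 -j DROP
+
+# custom rules
+ip6tables -A INPUT -j input_rule
+
+# allow access from anything but WAN
+ip6tables -A INPUT ${WAN:+\! -i $WAN} -j ACCEPT
+# allow icmp messages
+ip6tables -A INPUT -p icmp6 -j ACCEPT
+
+# reject
+ip6tables -A INPUT -p tcp -j REJECT --reject-with tcp-reset
+ip6tables -A INPUT -j REJECT --reject-with icmp6-port-unreachable
+
+### OUTPUT
+### (connections with the router as source)
+
+# base case
+ip6tables -A OUTPUT -m state --state RELATED,ESTABLISHED,NEW -j ACCEPT
+ip6tables -A OUTPUT -p icmp6 -j ACCEPT
+
+### FORWARD
+### (connections routed through the router)
+
+# base case
+ip6tables -A FORWARD -m state --state INVALID -j DROP
+ip6tables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
+
+# fix for broken ISPs blocking ICMPv6 "packet too big" packets
+#ip6tables -t mangle -A FORWARD -p tcp -o $WAN --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
+
+# custom rules
+ip6tables -A FORWARD -j forwarding_rule
+
+# allow LAN
+ip6tables -A FORWARD -i $LAN -o $WAN -j ACCEPT
+
+######################################################################
+### Default ruleset end
+######################################################################
+
+###
+### Connections to the router
+###
+
+# ssh
+#ip6tables -A input_rule -i $WAN -p tcp -s <a.b.c.d> --dport 22 -j ACCEPT
+
+# IPSec
+#ip6tables -A input_rule -i $WAN -p esp -s <a.b.c.d> -j ACCEPT
+#ip6tables -A input_rule -i $WAN -p udp -s <a.b.c.d> --dport 500 -j ACCEPT
+
+# OpenVPN
+#ip6tables -A input_rule -i $WAN -p udp -s <a.b.c.d> --dport 1194 -j ACCEPT
+
+# PPTP
+#ip6tables -A input_rule -i $WAN -p gre -j ACCEPT
+#ip6tables -A input_rule -i $WAN -p tcp --dport 1723 -j ACCEPT
+
+###
+### VPN traffic
+###
+
+# IPSec
+#ip6tables -A forwarding_rule -o ipsec+ -j ACCEPT
+#ip6tables -A forwarding_rule -i ipsec+ -j ACCEPT
+
+# OpenVPN
+#ip6tables -A forwarding_rule -o tun+ -j ACCEPT
+#ip6tables -A forwarding_rule -i tun+ -j ACCEPT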
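Review bot: The `${WAN:+\! -i $WAN}` form on the INPUT accept rule silently becomes an unconditional `-j ACCEPT` from every interface, WAN included, whenever WAN is left empty, while the FORWARD rule `-i $LAN -o $WAN` has no such guard and would then be passed a malformed `-o` argument; an empty WAN therefore fails open on INPUT and, because the script never sets `set -e`, the FORWARD error would go unnoticed and leave a partial ruleset. Asserting the interface names right after the `### Interfaces` block, `: "${WAN:?WAN must be set}"` and `: "${LAN:?LAN must be set}"`, and adding `set -e` after the configure-first `exit 1` guard keeps both chains consistent and makes a broken edit of the template fail loudly instead of quietly. `WLAN=wlan0` is defined but never referenced by any rule, so either remove it or add a comment stating that wireless clients are covered by the `! -i $WAN` INPUT accept and are not forwarded to WAN by this ruleset.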