Linux IPv6 Iptables Firewall Script


  1. #!/bin/bash
  2. # A bash shell script for ip6tables to protect single hosting / dedicated / vps / colo server running CentOS / Debian / RHEL / or any other Linux distribution.
  3. # -------------------------------------------------------------------------
  4. # Copyright (c) 2007 nixCraft project <http://www.cyberciti.biz/fb/>
  5. # This script is licensed under GNU GPL version 2.0 or above
  6. # -------------------------------------------------------------------------
  7. # This script is part of nixCraft shell script collection (NSSC)
  8. # Visit http://bash.cyberciti.biz/ for more information.
  9. # ----------------------------------------------------------------------
  10. # Last updated on Jan-23, 2008 : Added support for tcp packets
  11. # ---------------------------------------------------------------------------
  12. IPT6="/sbin/ip6tables"
  13.  
  14. # Interfaces
  15. PUB_IF="eth1"
  16. PUB_LO="lo0"
  17. PUB_VPN="eth0"
  18.  
  19. # Custom chain names
  20. CHAINS="chk_tcp6_packets_chain chk_tcp_inbound chk_udp_inbound chk_icmp_packets"
  21. HTTP_SERVER_6="2001:470:1f04:55a::2 2001:470:1f04:55a::3 2001:470:1f04:55a::4 2001:470:1f04:55a::5"
  22.  
  23. echo "Starting IPv6 firewall..."
  24. # first clean old mess
  25. $IPT6 -F
  26. $IPT6 -X
  27. $IPT6 -Z
  28. for table in $(</proc/net/ip6_tables_names)
  29. do
  30. $IPT6 -t $table -F
  31. $IPT6 -t $table -X
  32. $IPT6 -t $table -Z
  33. done
  34. $IPT6 -P INPUT ACCEPT
  35. $IPT6 -P OUTPUT ACCEPT
  36. $IPT6 -P FORWARD ACCEPT
  37.  
  38. # Set default DROP all
  39. $IPT6 -P INPUT DROP
  40. $IPT6 -P OUTPUT DROP
  41. $IPT6 -P FORWARD DROP
  42.  
  43. # Create the chain
  44. for c in $CHAINS
  45. do $IPT6 --new-chain $c
  46. done
  47.  
  48. # Input policy
  49. $IPT6 -A INPUT -i $PUB_LO -j ACCEPT
  50. $IPT6 -A INPUT -i $PUB_VPN -j ACCEPT
  51. $IPT6 -A INPUT -i $PUB_IF -j chk_tcp6_packets_chain
  52. $IPT6 -A INPUT -i $PUB_IF -m state --state RELATED,ESTABLISHED -j ACCEPT
  53. $IPT6 -A INPUT -i $PUB_IF -p tcp -j chk_tcp_inbound
  54. $IPT6 -A INPUT -i $PUB_IF -p udp -j chk_udp_inbound
  55. $IPT6 -A INPUT -i $PUB_IF -p icmp -j chk_icmp_packets
  56. $IPT6 -A INPUT -i $PUB_IF -p ipv6-icmp -j chk_icmp_packets
  57. $IPT6 -A INPUT -i $PUB_IF -m limit --limit 3/min --limit-burst 3 -j LOG --log-prefix "INPUT OUTPUT "
  58. $IPT6 -A INPUT -i $PUB_IF -j DROP
  59.  
  60. # Output policy
  61. $IPT6 -A OUTPUT -o $PUB_LO -j ACCEPT
  62. $IPT6 -A OUTPUT -o $PUB_VPN -j ACCEPT
  63. $IPT6 -A OUTPUT -o $PUB_IF -j ACCEPT
  64. $IPT6 -A OUTPUT -o $PUB_IF -m limit --limit 3/min --limit-burst 3 -j LOG --log-prefix "DROP OUTPUT "
  65.  
  66. ### Custom chains ###
  67. # Bad packets chk
  68. $IPT6 -A chk_tcp6_packets_chain -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -m limit --limit 3/min --limit-burst 3 -j LOG --log-prefix "Bad tcp packets"
  69. $IPT6 -A chk_tcp6_packets_chain -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
  70. $IPT6 -A chk_tcp6_packets_chain -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -m limit --limit 3/min --limit-burst 3 -j LOG --log-prefix "Bad tcp packets"
  71. $IPT6 -A chk_tcp6_packets_chain -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j DROP
  72. $IPT6 -A chk_tcp6_packets_chain -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -m limit --limit 3/min --limit-burst 3 -j LOG --log-prefix "BAD tcp"
  73. $IPT6 -A chk_tcp6_packets_chain -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DROP
  74. $IPT6 -A chk_tcp6_packets_chain -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,ACK,URG -m limit --limit 3/min --limit-burst 3 -j LOG --log-prefix "Bad tcp"
  75. $IPT6 -A chk_tcp6_packets_chain -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,ACK,URG -j DROP
  76. $IPT6 -A chk_tcp6_packets_chain -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -m limit --limit 3/min --limit-burst 3 -j LOG --log-prefix "Bad tcp "
  77. $IPT6 -A chk_tcp6_packets_chain -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
  78. $IPT6 -A chk_tcp6_packets_chain -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -m limit --limit 3/min --limit-burst 3 -j LOG --log-prefix "Bad tcp "
  79. $IPT6 -A chk_tcp6_packets_chain -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
  80. $IPT6 -A chk_tcp6_packets_chain -p tcp -j RETURN
  81.  
  82. # Open TCP Ports
  83. # Open http port
  84. for h in $HTTP_SERVER_6
  85. do
  86. $IPT6 -A chk_tcp_inbound -p tcp -m tcp --dport 80 -d $h -j ACCEPT
  87. done
  88.  
  89. # Open 53 port
  90. $IPT6 -A chk_tcp_inbound -p tcp -m tcp --dport 53 -j ACCEPT
  91. ###############################
  92. # Add your rules below to open other TCP ports
  93. # Open smtp
  94. # $IPT6 -A chk_tcp_inbound -p tcp -m tcp --dport 25 -j ACCEPT
  95. # Open pop3
  96. # $IPT6 -A chk_tcp_inbound -p tcp -m tcp --dport 113 -j ACCEPT
  97. # Open ssh
  98. # $IPT6 -A chk_tcp_inbound -p tcp -m tcp --dport 22 -j ACCEPT
  99. ###############################
  100. # do not modify following rule
  101. $IPT6 -A chk_tcp_inbound -p tcp -j RETURN
  102.  
  103. # Open UDP Ports
  104. # Open dns 53 udp
  105. $IPT6 -A chk_udp_inbound -p udp -m udp --dport 53 -j ACCEPT
  106. ###############################
  107. # Add your rules below to open other UDP ports
  108. #
  109. ###############################
  110. # do not modify following rule
  111. $IPT6 -A chk_udp_inbound -p udp -j RETURN
  112.  
  113. # ICMP - allow ping pong
  114. $IPT6 -A chk_icmp_packets -p ipv6-icmp -j ACCEPT
  115. $IPT6 -A chk_icmp_packets -p icmp -j RETURN

