One firewall for IPv4 and IPv6 (iptables and ip6tables)

After IPv6 setup, the firewall setup task for the new protocol appears Below I offer my script that allows you to configure the firewall immediately for IPv4 and IPv6. Although there are not so many common rules for both firewalls, it’s still more convenient for me to edit one common file than two different ones.

We will consider the most common network with one Internet connection and one local network behind the firewall. For a local network in IPv4, you need to do NAT, in IPv6 you need to route and filter packets.

If you just have one computer, then removing all references to the local network will get a suitable firewall.
')
I do not cite any specific explanations, you just need to correct a few variables at the beginning and a few “tables” in the middle.

#!/bin/bash # License: GPL3 # Author: Dmitri Gribenko <gribozavr@gmail.com> LAN_IF = " eth0 " INET_IF = " eth1 " INET_IP = " 192.0.2.123 " INET6_IF = " he-ipv6 " # for dynamic IPs: # INET_IP=$(get_ip_ipv4 $INET_IF) LOOPBACK_IF = " lo " IPTABLES = " /sbin/iptables " IP6TABLES = " /sbin/ip6tables " #IPTABLES="echo 4" #IP6TABLES="echo 6" IP = " /sbin/ip " # IPs that need to be NAT'ed to our $INET_IP. NAT_IPV4 = ' 192.168.1.3 pc1 192.168.1.4 pc2 192.168.1.5 ' # Set to 0 to disable updating IPv4 or IPv6 firewall. DO_IPV4 = " 1 " DO_IPV6 = " 1 " function get_ip_ipv4 { $IP addr show dev $1 primary | sed -n -e ' /^\s*inet / s/^\s*inet $.*$\/.\{1,2\} .*$/\1/ p ' } ipt4() { [ " $DO_IPV4 " = "1" ] && $IPTABLES " $@ " } ipt6() { [ " $DO_IPV6 " = "1" ] && $IP6TABLES " $@ " } ipt46() { ipt4 " $@ " ipt6 " $@ " } ############################################################################## ################################ filter table ################################ ############################################################################## ipt46 -t filter -P INPUT ACCEPT ipt46 -t filter -P OUTPUT ACCEPT ipt46 -t filter -P FORWARD ACCEPT ipt46 -t filter -F ipt46 -t filter -X FILTER_CHAINS46 = " bad_tcp inet_input inet_output inet_banned_input inet_banned_output inet_tcp_input inet_tcp_output inet_udp_input inet_udp_output " for i in $FILTER_CHAINS46 ; do ipt46 -t filter -N $i ipt46 -t filter -F $i done FILTER_CHAINS4 = " inet_icmp_input inet_icmp_output " for i in $FILTER_CHAINS4 ; do ipt4 -t filter -N $i ipt4 -t filter -F $i done FILTER_CHAINS6 = " inet_icmpv6_input inet_icmpv6_output inet_icmpv6_forward " for i in $FILTER_CHAINS6 ; do ipt6 -t filter -N $i ipt6 -t filter -F $i done ################################# ## filter -- INPUT ## # allow ipv6 in ipv4 ipt4 -t filter -A INPUT -p ipv6 -j ACCEPT ipt46 -t filter -A INPUT -i $LOOPBACK_IF -j ACCEPT ipt46 -t filter -A INPUT -i $LAN_IF -j ACCEPT ipt4 -t filter -A INPUT -i $INET_IF -j inet_input ipt6 -t filter -A INPUT -i $INET6_IF -j inet_input #ipt46 -t filter -A INPUT -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level INFO --log-prefix "IPT INPUT packet died: " #ipt46 -t filter -A INPUT -j LOG --log-level INFO --log-prefix "IPT INPUT packet died: " ipt46 -t filter -A INPUT -j DROP ################################# ## filter -- OUTPUT ## ipt46 -t filter -A OUTPUT -o $LOOPBACK_IF -j ACCEPT ipt46 -t filter -A OUTPUT -o $LAN_IF -j ACCEPT ipt4 -t filter -A OUTPUT -o $INET_IF -j inet_output ipt6 -t filter -A OUTPUT -o $INET6_IF -j inet_output #ipt46 -t filter -A OUTPUT -j LOG --log-level INFO --log-prefix "IPT OUTPUT: " ipt46 -t filter -A OUTPUT -j ACCEPT ################################# ## filter -- bad_tcp ## ipt46 -t filter -A bad_tcp -p tcp -m state --state NEW ! --syn -j DROP ipt46 -t filter -A bad_tcp -m state --state INVALID -j DROP ipt46 -t filter -A bad_tcp -j RETURN ################################ ## filter -- inet_input ## # filter out bad packets so they don't even reach other checks ipt46 -t filter -A inet_input -j inet_banned_input ipt46 -t filter -A inet_input -p tcp -j bad_tcp ipt46 -t filter -A inet_input -m state --state ESTABLISHED,RELATED -j ACCEPT ipt46 -t filter -A inet_input -p tcp -j inet_tcp_input ipt46 -t filter -A inet_input -p udp -j inet_udp_input ipt4 -t filter -A inet_input -p icmp -j inet_icmp_input ipt6 -t filter -A inet_input -p icmpv6 -j inet_icmpv6_input ipt4 -t filter -A inet_input -p igmp -j ACCEPT ipt46 -t filter -A inet_input -j RETURN ################################ ## filter -- inet_output ## ipt46 -t filter -A inet_output -j inet_banned_output # allow established -- fast path ipt46 -t filter -A inet_output -m state --state ESTABLISHED,RELATED -j ACCEPT ipt46 -t filter -A inet_output -p tcp -j inet_tcp_output ipt46 -t filter -A inet_output -p udp -j inet_udp_output ipt4 -t filter -A inet_output -p icmp -j inet_icmp_output ipt6 -t filter -A inet_output -p icmpv6 -j inet_icmpv6_output ipt4 -t filter -A inet_output -p igmp -j ACCEPT ipt46 -t filter -A inet_output -j RETURN ################################# ## filter -- inet_banned_input, inet_banned_output ## # Drop packets from private, local and reserved addresses. # You can add 10.0.0.0/8 if your ISP doesn't use it. # You can also add 224.0.0.0/4 if you don't use multicast. for ip in 172.16.0.0/12 192.168.0.0/16 127.0.0.0/8 240.0.0.0/5 ; do ipt4 -t filter -A inet_banned_input -s $ip -j DROP ipt4 -t filter -A inet_banned_output -d $ip -j REJECT --reject-with icmp-admin-prohibited done if [ -e /etc/firewall/inet_banned4 ] ; then while read ext_ip ; do ipt4 -t filter -A inet_banned_input -s $ext_ip -j DROP ipt4 -t filter -A inet_banned_output -d $ext_ip -j REJECT --reject-with icmp-admin-prohibited done < /etc/firewall/inet_banned4 fi if [ -e /etc/firewall/inet_banned6 ] ; then while read ext_ip ; do ipt6 -t filter -A inet_banned_input -s $ext_ip -j DROP ipt6 -t filter -A inet_banned_output -d $ext_ip -j REJECT --reject-with adm-prohibited done < /etc/firewall/inet_banned6 fi ipt46 -t filter -A inet_banned_input -j RETURN ipt46 -t filter -A inet_banned_output -j RETURN ################################# ## filter -- inet_tcp_input ## while read proto port comment ; do if [ -n " $proto " ] ; then $proto -t filter -A inet_tcp_input -p tcp --dport $port -j ACCEPT fi done <<__EOF__ ipt46 20 ftp-data ipt46 21 ftp ipt46 12500:13000 ftp-data ipt46 22 ssh __EOF__ # drop all MS stuff so that it won't clutter logs ipt46 -t filter -A inet_tcp_input -p tcp -m multiport --ports 137 , 138 , 139 , 445 -j DROP ipt46 -t filter -A inet_tcp_input -j RETURN ################################# ## filter -- inet_tcp_output ## # drop all MS stuff so that it won't clutter logs ipt46 -t filter -A inet_tcp_output -p tcp -m multiport --ports 137 , 138 , 139 , 445 -j DROP ipt46 -t filter -A inet_tcp_output -j RETURN ################################# ## filter -- inet_udp_input ## # iptv ipt4 -t filter -A inet_udp_input -p udp -d 224.0.0.0/4 -j ACCEPT # drop all MS stuff so that it won't clutter logs ipt46 -t filter -A inet_udp_input -p udp -m multiport --ports 137 , 138 , 139 , 445 -j DROP # some unknown flood on my ISP's net ipt4 -t filter -A inet_udp_input -p udp --dport 631 -j DROP ipt46 -t filter -A inet_udp_input -j RETURN ################################# ## filter -- inet_udp_output ## # drop all MS stuff so that it won't clutter logs ipt46 -t filter -A inet_udp_output -p udp -m multiport --ports 137 , 138 , 139 , 445 -j DROP ipt46 -t filter -A inet_udp_output -j RETURN ################################# ## filter -- inet_icmp_input ## # echo-reply should be handled by conntrack ipt4 -t filter -A inet_icmp_input -p icmp -m icmp --icmp-type echo -request -j ACCEPT ipt4 -t filter -A inet_icmp_input -p icmp -m icmp --icmp-type time -exceeded -j ACCEPT ipt4 -t filter -A inet_icmp_input -p icmp -m icmp --icmp-type destination-unreachable -j ACCEPT ipt4 -t filter -A inet_icmp_input -p icmp -j DROP ipt4 -t filter -A inet_icmp_input -j RETURN ################################# ## filter -- inet_icmp_output ## ipt4 -t filter -A inet_icmp_output -j RETURN ################################# ## filter -- inet_icmpv6_input ## # See RFC 4890. # echo-reply should be handled by conntrack ipt6 -t filter -A inet_icmpv6_input -p icmpv6 -m icmp6 --icmpv6-type echo -request -j ACCEPT ipt6 -t filter -A inet_icmpv6_input -p icmpv6 -m icmp6 --icmpv6-type destination-unreachable -j ACCEPT ipt6 -t filter -A inet_icmpv6_input -p icmpv6 -m icmp6 --icmpv6-type packet-too-big -j ACCEPT ipt6 -t filter -A inet_icmpv6_input -p icmpv6 -m icmp6 --icmpv6-type time -exceeded -j ACCEPT ipt6 -t filter -A inet_icmpv6_input -p icmpv6 -m icmp6 --icmpv6-type parameter-problem -j ACCEPT ipt6 -t filter -A inet_icmpv6_input -p icmpv6 -m icmp6 --icmpv6-type router-solicitation -m hl --hl-eq 255 -j ACCEPT ipt6 -t filter -A inet_icmpv6_input -p icmpv6 -m icmp6 --icmpv6-type router-advertisement -m hl --hl-eq 255 -j ACCEPT ipt6 -t filter -A inet_icmpv6_input -p icmpv6 -m icmp6 --icmpv6-type neighbour-solicitation -m hl --hl-eq 255 -j ACCEPT ipt6 -t filter -A inet_icmpv6_input -p icmpv6 -m icmp6 --icmpv6-type neighbour-advertisement -m hl --hl-eq 255 -j ACCEPT ipt6 -t filter -A inet_icmpv6_input -p icmpv6 -m icmp6 --icmpv6-type redirect -m hl --hl-eq 255 -j ACCEPT ipt6 -t filter -A inet_icmpv6_input -p icmpv6 -m icmp6 --icmpv6-type 141 -m hl --hl-eq 255 -j ACCEPT # Inverse neighbour discovery solicitation ipt6 -t filter -A inet_icmpv6_input -p icmpv6 -m icmp6 --icmpv6-type 142 -m hl --hl-eq 255 -j ACCEPT # Inverse neighbour discovery advertisement ipt6 -t filter -A inet_icmpv6_input -p icmpv6 -s fe80::/ 10 -m icmp6 --icmpv6-type 130 -j ACCEPT # Listener query ipt6 -t filter -A inet_icmpv6_input -p icmpv6 -s fe80::/ 10 -m icmp6 --icmpv6-type 131 -j ACCEPT # Listener report ipt6 -t filter -A inet_icmpv6_input -p icmpv6 -s fe80::/ 10 -m icmp6 --icmpv6-type 132 -j ACCEPT # Listener done ipt6 -t filter -A inet_icmpv6_input -p icmpv6 -s fe80::/ 10 -m icmp6 --icmpv6-type 143 -j ACCEPT # Listener report v2 ipt6 -t filter -A inet_icmpv6_input -p icmpv6 -m icmp6 --icmpv6-type 148 -m hl --hl-eq 255 -j ACCEPT # Certificate path solicitation ipt6 -t filter -A inet_icmpv6_input -p icmpv6 -m icmp6 --icmpv6-type 149 -m hl --hl-eq 255 -j ACCEPT # Certificate path advertisement ipt6 -t filter -A inet_icmpv6_input -p icmpv6 -s fe80::/ 10 -m icmp6 --icmpv6-type 151 -m hl --hl-eq 1 -j ACCEPT # Multicast router advertisement ipt6 -t filter -A inet_icmpv6_input -p icmpv6 -s fe80::/ 10 -m icmp6 --icmpv6-type 152 -m hl --hl-eq 1 -j ACCEPT # Multicast router solicitation ipt6 -t filter -A inet_icmpv6_input -p icmpv6 -s fe80::/ 10 -m icmp6 --icmpv6-type 153 -m hl --hl-eq 1 -j ACCEPT # Multicast router termination ipt6 -t filter -A inet_icmpv6_input -j RETURN ################################# ## filter -- inet_icmpv6_output ## ipt6 -t filter -A inet_icmpv6_output -j RETURN ################################# ## filter -- inet_icmpv6_forward ## ipt6 -t filter -A inet_icmpv6_forward -p icmpv6 -m icmp6 --icmpv6-type echo -request -j ACCEPT ipt6 -t filter -A inet_icmpv6_forward -p icmpv6 -m icmp6 --icmpv6-type destination-unreachable -j ACCEPT ipt6 -t filter -A inet_icmpv6_forward -p icmpv6 -m icmp6 --icmpv6-type packet-too-big -j ACCEPT ipt6 -t filter -A inet_icmpv6_forward -p icmpv6 -m icmp6 --icmpv6-type time -exceeded -j ACCEPT ipt6 -t filter -A inet_icmpv6_forward -p icmpv6 -m icmp6 --icmpv6-type parameter-problem -j ACCEPT ipt6 -t filter -A inet_icmpv6_forward -j RETURN ################################# ## filter -- FORWARD ## ipt46 -t filter -A FORWARD -i $INET_IF -j inet_banned_input ipt46 -t filter -A FORWARD -o $INET_IF -j inet_banned_output ipt46 -t filter -A FORWARD -p tcp -j bad_tcp # don't forward MS stuff ipt46 -t filter -A FORWARD -p tcp -m multiport --ports 137 , 138 , 139 , 445 -j DROP ipt46 -t filter -A FORWARD -p udp -m multiport --ports 137 , 138 , 139 , 445 -j DROP ipt6 -t filter -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT ipt6 -t filter -A FORWARD -p icmpv6 -j inet_icmpv6_forward while read proto port ip comment ; do if [ -n " $proto " ] ; then ipt6 -t filter -A FORWARD -d $ip -p $proto --dport $port -j ACCEPT fi done <<__EOF__ tcp 22 ::/0 ssh tcp 80 2001:db8::1 http __EOF__ ipt6 -t filter -A FORWARD -i $INET6_IF -p tcp -j REJECT --reject-with tcp-reset ipt6 -t filter -A FORWARD -i $INET6_IF -j DROP ipt6 -t filter -A FORWARD -o $INET6_IF -j ACCEPT echo " $NAT_IPV4 " | while read int_ip comment ; do if [ -n " $int_ip " ] ; then ipt4 -t filter -A FORWARD -s $int_ip -o $INET_IF -j ACCEPT ipt4 -t filter -A FORWARD -d $int_ip -i $INET_IF -j ACCEPT fi done #ipt46 -t filter -A FORWARD -j LOG --log-level INFO --log-prefix "IPT FORWARD packet died: " ipt46 -t filter -A FORWARD -j DROP ############################################################################## ################################ mangle table ################################ ############################################################################## ipt46 -t mangle -P INPUT ACCEPT ipt46 -t mangle -P OUTPUT ACCEPT ipt46 -t mangle -P FORWARD ACCEPT ipt46 -t mangle -P PREROUTING ACCEPT ipt46 -t mangle -P POSTROUTING ACCEPT ipt46 -t mangle -F ipt46 -t mangle -X ############################################################################## ################################## nat table ################################# ############################################################################## ipt4 -t nat -P OUTPUT ACCEPT ipt4 -t nat -P PREROUTING ACCEPT ipt4 -t nat -P POSTROUTING ACCEPT ipt4 -t nat -F ipt4 -t nat -X #################################### ## nat -- PREROUTING ## # Port forwarding while read proto port int_ip comment ; do if [ -n " $proto " ] ; then ipt4 -t nat -A PREROUTING -i $INET_IF -p $proto --dport $port -j DNAT --to-destination $int_ip : $port fi done <<__EOF__ tcp 1234 192.168.1.3 something udp 5678 192.168.1.3 something else __EOF__ #################################### ## nat -- POSTROUTING ## echo " $NAT_IPV4 " | while read int_ip comment ; do if [ -n " $int_ip " ] ; then ipt4 -t nat -A POSTROUTING -s $int_ip -o $INET_IF -j SNAT --to- source $INET_IP fi done echo 1 > /proc/sys/net/ipv4/ip_forward ## ## __END__ #################################

Download: bin-login.name/rc.firewall.txt
Here you can check how firewall works for TCP in IPv6: www.subnetonline.com/pages/ipv6-network-tools/online-ipv6-port-scanner.php

Source: https://habr.com/ru/post/82885/

All Articles

One firewall for IPv4 and IPv6 (iptables and ip6tables)

More articles: