This page (version 45) was last modified on 29-Dec-2024 12:08 by Administrator.

This page was created on 23-Dec-2024 12:59 by Administrator.

Page version history

Version  Last modified      Size   Author
45       29-Dec-2024 12:08  10 KB  Administrator
44       29-Dec-2024 12:06  10 KB  Administrator
43       29-Dec-2024 12:05  10 KB  Administrator
42       29-Dec-2024 12:02   9 KB  Administrator
41       29-Dec-2024 12:01   9 KB  Administrator

Version differences

Differences between version and .

Line 19: 2 lines deleted.
> sudo ip6tables -L -v # list all ipv6 rules
> sudo ip6tables -n -v --line-numbers -L # list all ipv6 rules with numeric IPs and rule number
Line 26: 7 lines changed.
> sudo iptables -L -v
> sudo iptables -nvL # thjis is most compact
> sudo iptables -n -v --line-numbers -L
> sudo service iptables start # activate firewalling
> sudo service ip6tables start
> sudo chkconfig iptables on # enable after reboot
> sudo chkconfig ip6tables on
> sudo ip6tables -L -v
> sudo ip6tables -nvL # thjis is most compact
> sudo ip6tables -n -v --line-numbers -L # list all ipv6 rules with numeric IPs and rule number
> sudo service ip6tables start # activate firewalling
> sudo chkconfig ip6tables on # enable after reboot
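Review bot: the comment `# thjis is most compact` on both the `iptables -nvL` and the `ip6tables -nvL` line has a typo (`this`). Two caveats worth adding next to these commands: `-L` without `-t` lists only the filter table, so a complete check also needs `-t nat`, `-t mangle` and `-t raw` (or simply `iptables-save` / `ip6tables-save`, which dump every table at once); and `service ... start` / `chkconfig ... on` are the SysV interfaces, on systemd-based systems the equivalent is `systemctl enable --now iptables ip6tables` (iptables-services package), and in both cases the services only load rules that were previously saved to /etc/sysconfig/iptables and /etc/sysconfig/ip6tables, so a save step belongs in this list.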
Line 36: One line changed.
iptables [-t <table-name>] <command> <chain-name> <parameter-1> <option-1> <parameter-n> <option-n>
ip6tables [-t <table-name>] <command> <chain-name> <parameter-1> <option-1> <parameter-n> <option-n>
Line 71: 64 lines deleted.
! 4. my general ruleset
We also need to enable the local interface and the DNS nameservers.\\
I use a custom DNS server setting, because the fritzbox does not resolve my dynv6 domains (?).
{{{
> sudo nmcli -o device show # show interfaces settings
> sudo nmcli -p connection show # show interface status
#THIS IS NECESSARY
> sudo nmcli con mod "Wired connection 1" ipv4.dns "1.1.1.1,8.8.8.8" # add cloudflare and google dns
> sudo nmcli con mod "Wired connection 1" ipv4.ignore-auto-dns no # this adds "search fritz.box" to get ips at all from frit.box
> sudo nmcli con mod "Wired connection 1" ipv6.ignore-auto-dns yes # we skip ipv6 dns
> sudo nmcli c down "Wired connection 1" && sudo nmcli c up "Wired connection 1" # restart
> sudo vi /etc/resolv.conf # validate settings
}}}
{{{
#!/bin/bash
# MARKUS
SOURCE=::
# ipv4 ------------------------------------
# Flush all rules and delete all chains for a clean startup
iptables -F
iptables -X
iptables -Z # Zero out all counters
# drop all ipv4 traffic, we want to use ipv6 only
iptables -A INPUT -s 1.1.1.1 -j ACCEPT
iptables -A OUTPUT -d 1.1.1.1 -j ACCEPT
iptables -A INPUT -s 8.8.8.8 -j ACCEPT
iptables -A OUTPUT -d 8.8.8.8 -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A INPUT -j DROP
iptables -A FORWARD -j DROP
iptables -A OUTPUT -j DROP
# ipv6 ------------------------------------
# Flush all rules and delete all chains for a clean startup
ip6tables -F
ip6tables -X
ip6tables -Z
# drop all ipv6 traffic, except EbelStube
# do not limit to --dport 22, because the source has random ports (?)
# add first to enabel replacing 1. rule later
ip6tables -A INPUT -s $SOURCE -j ACCEPT
ip6tables -A OUTPUT -d $SOURCE -j ACCEPT
# allow ipv6 local loopback
ip6tables -A INPUT -i lo -j ACCEPT
ip6tables -A OUTPUT -o lo -j ACCEPT
# drop everthing else
ip6tables -P FORWARD DROP # as policy generally
ip6tables -A INPUT -j DROP
ip6tables -A OUTPUT -j DROP
# update first ip6tables rules and enable my computer
/home/markus/update_ip6tables.py
}}}
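Review bot: the IPv6 section ends with `ip6tables -A INPUT -j DROP` and `ip6tables -A OUTPUT -j DROP` without any ICMPv6 exception, so neighbor discovery, router advertisements and Packet Too Big messages are dropped together with everything else; an IPv6-only host then cannot keep its default route, cannot resolve neighbor link-layer addresses and loses path MTU discovery. Add `ip6tables -A INPUT -p ipv6-icmp -j ACCEPT` and `ip6tables -A OUTPUT -p ipv6-icmp -j ACCEPT` (narrowed to the RFC 4890 types if you want to be strict) ahead of the DROP rules. Smaller points: the comment `do not limit to --dport 22, because the source has random ports (?)` mixes up the two ends of the connection, on INPUT `--dport` is this host's listening port (22) while the peer's ephemeral port is `--sport`, so `-p tcp --dport 22` would narrow the rule as intended; `SOURCE=::` is the unspecified address, so the two `$SOURCE` ACCEPT rules match nothing until `/home/markus/update_ip6tables.py` replaces rule 1, and if that script fails the host stays unreachable, so check its exit status and persist the final result with `ip6tables-save` instead of relying on the next run; since `-F` leaves the default ACCEPT policy in place while rules are appended, setting `-P INPUT DROP` / `-P OUTPUT DROP` (as already done for FORWARD) before the flush closes the brief fail-open window on every run and is consistent across chains; and the IPv4 exceptions for `1.1.1.1` and `8.8.8.8` accept any protocol to and from those hosts, whereas `-p udp --dport 53` / `-p tcp --dport 53` on OUTPUT plus `-m conntrack --ctstate ESTABLISHED,RELATED` on INPUT would keep the stated "ipv6 only" intent while still allowing resolution.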