This page (version 45) was last changed on 29-Dec-2024 12:08 by Administrator.

This page was created on 23-Dec-2024 12:59 by Administrator.

Page version history

|| Version || Last changed || Size || Author
| 45 | 29-Dec-2024 12:08 | 10 KB | Administrator
| 44 | 29-Dec-2024 12:06 | 10 KB | Administrator
| 43 | 29-Dec-2024 12:05 | 10 KB | Administrator
| 42 | 29-Dec-2024 12:02 | 9 KB | Administrator
| 41 | 29-Dec-2024 12:01 | 9 KB | Administrator

Version differences

Differences between version and .

Line 67: 126 lines added.
! Example RuleSet
This one is
* allowing dhcp, dns and router traffic
* not allowing any other ipv4 traffic
* allowing ipv6 only for 3 distinct ipv6 addresses; these are the first three ipv6 rules, which we replace at
{{{
#!/bin/bash
SOURCE=::
# ipv4 ------------------------------------
# Flush all rules and delete all chains for a clean startup
iptables -F
iptables -X
iptables -Z # Zero out all counters
# nameservers (note: these rules accept any protocol from/to the nameserver
# addresses, not only udp/tcp port 53)
iptables -A INPUT -s 1.1.1.1 -j ACCEPT # cloudflare
iptables -A OUTPUT -d 1.1.1.1 -j ACCEPT
iptables -A INPUT -s 8.8.8.8 -j ACCEPT # google
iptables -A OUTPUT -d 8.8.8.8 -j ACCEPT
# connection
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
# local network (the router at 192.168.188.1 lives in this /24; the mask
# accepts the whole subnet, not only the router)
iptables -A INPUT -s 192.168.188.1/24 -j ACCEPT
iptables -A OUTPUT -d 192.168.188.1/24 -j ACCEPT
# udp services: dns (53, 853, 5353), dhcp (67, 68) and others
# caveat: the INPUT rule trusts the *source* port, which a remote host can
# choose freely; replies to our own queries are already accepted by the
# conntrack rule above, so the --sport rule mainly widens the attack surface
iptables -A INPUT -p udp -m multiport --sport 53,67,68,90,135,853,5353,8245 -j ACCEPT
iptables -A OUTPUT -p udp -m multiport --dport 53,67,68,90,135,853,5353,8245 -j ACCEPT
#iptables -A INPUT -i eth0 -p udp --dport 67:68 --sport 67:68 -j ACCEPT
#iptables -A INPUT -i eth0 -p udp -m udp -m multiport --dports 67:68 -j ACCEPT
#iptables -A OUTPUT -o eth0 -p udp -m udp -m multiport --dports 67:68 -j ACCEPT
# icmp
iptables -A INPUT -i eth0 -p icmp -j ACCEPT
iptables -A OUTPUT -o eth0 -p icmp -j ACCEPT
# types 134-136 (router advertisement, neighbor solicitation/advertisement)
# are ICMPv6 types and have no meaning for ipv4 icmp; they belong in the
# ip6tables section below, so they are disabled here
#iptables -A INPUT -i eth0 -p icmp -m icmp --icmp-type 134 -m comment --comment router-advertisement -j ACCEPT
#iptables -A INPUT -p icmp -m icmp --icmp-type 135 -m comment --comment neighbor-solicitation -j ACCEPT
#iptables -A INPUT -p icmp -m icmp --icmp-type 136 -m comment --comment neighbor-advertisement -j ACCEPT
# allow local loopback
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# drop everything else (-P sets the chain policy and takes the target
# directly, without -j; -A needs -j to name its target)
iptables -A INPUT -j DROP
iptables -P FORWARD DROP
iptables -A OUTPUT -j DROP
# ipv6 ------------------------------------
# Flush all rules and delete all chains for a clean startup
ip6tables -F
ip6tables -X
ip6tables -Z
# drop all ipv6 traffic, except special ipv6, see below
# do not limit to --dport 22, because the source has random ports (?)
# add first to enable replacing the 1st rule later (ip6tables -R INPUT 1 ...)
# placeholder for first device
ip6tables -A INPUT -s $SOURCE -j ACCEPT
ip6tables -A OUTPUT -d $SOURCE -j ACCEPT
# placeholder for second device
ip6tables -A INPUT -s $SOURCE -j ACCEPT
ip6tables -A OUTPUT -d $SOURCE -j ACCEPT
# placeholder for third device
ip6tables -A INPUT -s $SOURCE -j ACCEPT
ip6tables -A OUTPUT -d $SOURCE -j ACCEPT
# dns nameserver
ip6tables -A INPUT -s 2606:4700:4700::1111 -j ACCEPT # cloudflare
ip6tables -A OUTPUT -d 2606:4700:4700::1111 -j ACCEPT
ip6tables -A INPUT -s 2001:4860:4860::8888 -j ACCEPT # google
ip6tables -A OUTPUT -d 2001:4860:4860::8888 -j ACCEPT
# connection
ip6tables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
ip6tables -A OUTPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
# local network: ULA prefix fd94::/16 and link-local fe80::/16 (covers dhcpv6 and neighbor discovery)
ip6tables -A INPUT -s fd94::/16 -j ACCEPT
ip6tables -A OUTPUT -d fd94::/16 -j ACCEPT
ip6tables -A INPUT -s fe80::/16 -j ACCEPT
ip6tables -A OUTPUT -d fe80::/16 -j ACCEPT
# udp services: dns (53, 853, 5353), dhcp (67, 68) and others; same --sport caveat as in the ipv4 section
ip6tables -A INPUT -p udp -m multiport --sport 53,67,68,90,135,853,5353,8245 -j ACCEPT
ip6tables -A OUTPUT -p udp -m multiport --dport 53,67,68,90,135,853,5353,8245 -j ACCEPT
# icmpv6 (router advertisement, neighbor discovery, path mtu; required for ipv6 to work at all)
ip6tables -A INPUT -p ipv6-icmp -j ACCEPT
ip6tables -A OUTPUT -p ipv6-icmp -j ACCEPT
#ip6tables -A INPUT -i eth0 -p ipv6-icmp -m icmp6 --icmpv6-type 134 -m comment --comment router-advertisement -j ACCEPT
#ip6tables -A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 135 -m comment --comment neighbor-solicitation -j ACCEPT
#ip6tables -A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 136 -m comment --comment neighbor-advertisement -j ACCEPT
# allow ipv6 local loopback
ip6tables -A INPUT -i lo -j ACCEPT
ip6tables -A OUTPUT -o lo -j ACCEPT
# drop everything else
ip6tables -P FORWARD DROP # as policy generally
ip6tables -A INPUT -j DROP
ip6tables -A OUTPUT -j DROP
# update first ip6tables rules and enable EbelStube
/home/markus/update_ip6tables.py
echo "---- iptables ----"
iptables -vnL
echo
echo "---- ip6tables ----"
ip6tables -vnL
}}}
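The script above rebuilds the chains rule by rule (flush, then a sequence of `-A` calls) and fills the three device slots afterwards by replacing the first rules. The following is an added example, not code from the original page and not the author's `update_ip6tables.py`: it renders the ipv6 part of the same policy as an `ip6tables-restore` file, so the device addresses are substituted and validated at render time, and the whole table is installed in one atomic step with no window in which the chains are flushed but still empty. The nameserver addresses and the ULA prefix fd94::/16 are taken from the page's script; the device addresses 2001:db8::10/20/30 used below are hypothetical documentation-prefix values, and the DHCPv6 rules (udp 546/547, multicast ff02::1:2) are the standard client/server exchange rather than anything the page states.

```bash
#!/bin/bash
# Added example (not from the original page, not the author's
# update_ip6tables.py): render and load the ipv6 ruleset via ip6tables-restore.
# Assumptions: nameservers and fd94::/16 as on the page; the device addresses
# passed on the command line are hypothetical (use your own).

set -u

# valid_ip6 ADDR: succeed if ADDR is a plausible textual IPv6 address.
# Accepts hex digits and colons only, at most one "::", no group longer than
# four digits, and exactly seven colons when "::" is absent. "::" itself is
# rejected so an unfilled placeholder can never turn into an ACCEPT rule.
valid_ip6() {
    local a colons
    a=$1
    [ -n "$a" ] && [ "$a" != "::" ] || return 1
    case "$a" in
        *[!0-9a-fA-F:]*) return 1 ;;   # illegal character
        *:::*|*::*::*)   return 1 ;;   # more than one "::"
        :[!:]*|*[!:]:)   return 1 ;;   # single leading or trailing colon
    esac
    colons=$(( $(printf '%s' "$a" | tr -dc ':' | wc -c) ))
    [ "$colons" -ge 2 ] && [ "$colons" -le 7 ] || return 1
    case "$a" in
        *::*) ;;                                  # compressed form
        *)    [ "$colons" -eq 7 ] || return 1 ;;  # full form needs 8 groups
    esac
    printf '%s\n' "$a" | tr ':' '\n' \
        | awk 'BEGIN { bad = 0 } length($0) > 4 { bad = 1 } END { exit bad }'
}

# render_ip6_rules ADDR...: print an ip6tables-restore file for the filter
# table that admits the given device addresses plus the infrastructure
# traffic (loopback, conntrack replies, dns, icmpv6, dhcpv6, ULA).
# Prints nothing and fails if any address does not validate.
render_ip6_rules() {
    local dev
    for dev in "$@"; do
        valid_ip6 "$dev" || {
            printf 'render_ip6_rules: invalid address: %s\n' "$dev" >&2
            return 1
        }
    done
    # chain policies instead of trailing "-j DROP" rules: a rule appended
    # later cannot accidentally land behind the catch-all
    printf '%s\n' '*filter' \
        ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' ':OUTPUT DROP [0:0]' \
        '-A INPUT -i lo -j ACCEPT' \
        '-A OUTPUT -o lo -j ACCEPT' \
        '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT' \
        '-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT' \
        '-A INPUT -m conntrack --ctstate INVALID -j DROP'
    # the former "$SOURCE" placeholders, one INPUT/OUTPUT pair per device
    for dev in "$@"; do
        printf '%s\n' "-A INPUT -s $dev/128 -m comment --comment device -j ACCEPT"
        printf '%s\n' "-A OUTPUT -d $dev/128 -m comment --comment device -j ACCEPT"
    done
    printf '%s\n' \
        '-A OUTPUT -d 2606:4700:4700::1111/128 -p udp --dport 53 -j ACCEPT' \
        '-A OUTPUT -d 2001:4860:4860::8888/128 -p udp --dport 53 -j ACCEPT' \
        '-A INPUT -p ipv6-icmp -j ACCEPT' \
        '-A OUTPUT -p ipv6-icmp -j ACCEPT' \
        '-A OUTPUT -d ff02::1:2/128 -p udp --sport 546 --dport 547 -j ACCEPT' \
        '-A INPUT -s fe80::/10 -p udp --sport 547 --dport 546 -j ACCEPT' \
        '-A INPUT -s fd94::/16 -j ACCEPT' \
        '-A OUTPUT -d fd94::/16 -j ACCEPT' \
        'COMMIT'
}

# load_ip6_rules ADDR...: parse-check the rendered file with
# "ip6tables-restore --test", then install it atomically. Needs root.
load_ip6_rules() {
    local rules
    rules=$(render_ip6_rules "$@") || return 1
    printf '%s\n' "$rules" | ip6tables-restore --test || return 1
    printf '%s\n' "$rules" | ip6tables-restore
}

# "script --render ADDR..." prints the file; "script --load ADDR..." installs it
case "${1:-}" in
    --render) shift; render_ip6_rules "$@" ;;
    --load)   shift; load_ip6_rules "$@" ;;
esac
```

Running `./rules.sh --render 2001:db8::10 2001:db8::20 2001:db8::30 | ip6tables-restore --test` shows the exact table that would be committed and lets `ip6tables-restore` reject syntax errors (such as a missing `-j` or a `-P` with a target flag) before anything touches the live firewall. Because the devices are matched with `/128` and only as sources of new connections, and replies for everything else still go through the conntrack rule, the policy is the same as the page's three placeholder pairs but without a runtime `-R` step or a `::` placeholder that would accept traffic if the update script failed.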