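#!/bin/sh
#
# Example iptables/ip6tables rules for a desktop computer on which re6st is
# only used to build an IPv6 overlay network. Policy is REJECT for INPUT and
# DROP for everything else by default:
#
# - Incoming traffic (INPUT): only open the ports needed by re6st, and also
#   allow packets that belong to an existing connection (ESTABLISHED, RELATED).
#
# - Forwarding traffic (FORWARD): a re6st node is a router, and it is crucial
#   that it never drops a packet exchanged between two other nodes. IPv4 is
#   never forwarded by this host, since re6st only builds an IPv6 overlay here.
#
# - Outgoing traffic (OUTPUT): allow new and existing connections (NEW,
#   ESTABLISHED, RELATED).
#
# The script flushes the 'filter' table before installing its rules so that it
# can be re-run safely: re-running without a flush would append duplicate rules
# *after* the final REJECT, where they are never reached. It therefore assumes
# it owns the whole filter table; merge it with anything else that manages
# rules on this host instead of just running both.
#
# WARNING: THIS SCRIPT *MUST NOT* JUST BE COPY-PASTED WITHOUT A BASIC
#          UNDERSTANDING OF IPTABLES/IP6TABLES (see iptables(8) and
#          iptables-extensions(8) manpages).

# Abort on the first failing command: a rule that silently fails to load must
# not leave the host with a ruleset different from the one described above.
set -e

# IPv4 address of the LAN gateway; only used to accept its UPnP (SSDP) replies.
GATEWAY_IP=192.168.0.1

## IPv4

# Start from an empty filter table (see header), then fail closed: the
# policies are set to DROP *before* any ACCEPT rule is appended.
iptables -F
iptables -X
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP

iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# Ping, rate-limited so that the host is not a trivial flood target.
iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 900/min -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-reply -m limit --limit 900/min -j ACCEPT
# re6st: tunnel endpoint (tcp/1194).
iptables -A INPUT -p tcp -m tcp --dport 1194 -j ACCEPT
# UPnP: SSDP replies/notifications come unicast from the gateway's port 1900
# and do not match conntrack (our request went to a multicast address), hence
# the explicit rule. It matches on source address only, so any host on the
# LAN able to spoof the gateway's address can reach the SSDP client; keep it
# scoped to that single address.
iptables -A INPUT -p udp -m udp --sport 1900 -s "$GATEWAY_IP" -j ACCEPT

# Rules are evaluated in order: add custom INPUT rules *before* this line.
iptables -A INPUT -j REJECT

iptables -A OUTPUT -o lo -j ACCEPT
iptables -A OUTPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT

# IPv4 forwarding stays at the DROP policy set above: more rules are needed if
# you set up a private IPv4 network through this host.

## IPv6

# Empty filter table first (this also removes a RE6ST chain left by a previous
# run, so that -N below succeeds), then fail closed.
ip6tables -F
ip6tables -X
ip6tables -P INPUT DROP
ip6tables -P FORWARD DROP
ip6tables -P OUTPUT DROP

# RE6ST: ACCEPT if the packet came in on an interface re6st uses. A packet that
# matches none of these rules falls through back to the calling chain.
ip6tables -N RE6ST
ip6tables -A RE6ST -i re6stnet+ -j ACCEPT
# For every --interface option given to re6stnet, add one line like this:
ip6tables -A RE6ST -i eth0 -j ACCEPT

ip6tables -A INPUT -i lo -j ACCEPT
ip6tables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# Babel (udp/6696): the routing protocol used by re6st, link-local only.
# The port is numeric so the rule does not depend on an /etc/services entry
# for "babel" being present.
ip6tables -A INPUT -p udp -m udp --dport 6696 --src fe80::/10 -j ACCEPT
# udp/326: re6st's own UDP traffic (presumably its tunnel/peer control
# messages -- confirm against the re6stnet version in use), accepted only
# when it arrives on an interface listed in the RE6ST chain.
ip6tables -A INPUT -p udp -m udp --dport 326 -j RE6ST
# ICMPv6 error messages that IPv6 cannot work without (path MTU discovery in
# particular relies on packet-too-big).
ip6tables -A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type destination-unreachable -j ACCEPT
ip6tables -A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type packet-too-big -j ACCEPT
ip6tables -A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type time-exceeded -j ACCEPT
ip6tables -A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type parameter-problem -j ACCEPT
# Ping, rate-limited as for IPv4.
ip6tables -A INPUT -p icmpv6 --icmpv6-type echo-request -m limit --limit 900/min -j ACCEPT
ip6tables -A INPUT -p icmpv6 --icmpv6-type echo-reply -m limit --limit 900/min -j ACCEPT
# Neighbor discovery: NS/NA are only valid with a hop limit of 255 (RFC 4861),
# which proves they were not forwarded by a router; anything else is dropped.
ip6tables -A INPUT -p icmpv6 --icmpv6-type neighbor-solicitation -m hl --hl-eq 255 -j ACCEPT
ip6tables -A INPUT -p icmpv6 --icmpv6-type neighbor-advertisement -m hl --hl-eq 255 -j ACCEPT
# NOTE: router advertisements are not accepted. If this host must obtain a
# native IPv6 address by SLAAC from an upstream router, also add (before the
# REJECT below):
#   ip6tables -A INPUT -p icmpv6 --icmpv6-type router-advertisement --src fe80::/10 -m hl --hl-eq 255 -j ACCEPT

# Rules are evaluated in order: add custom INPUT rules *before* this line.
ip6tables -A INPUT -j REJECT

# A re6st node is a router: forward between the re6st tunnels and the
# interfaces given with --interface, in every direction.
ip6tables -A FORWARD -o re6stnet+ -j RE6ST
# Same list of interfaces as in the RE6ST chain.
ip6tables -A FORWARD -o eth0 -j RE6ST

ip6tables -A OUTPUT -o lo -j ACCEPT
ip6tables -A OUTPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
# ICMPv6 errors and neighbor discovery we emit must never be blocked, even if
# conntrack does not classify them as NEW/RELATED.
ip6tables -A OUTPUT -p ipv6-icmp -m icmp6 --icmpv6-type destination-unreachable -j ACCEPT
ip6tables -A OUTPUT -p ipv6-icmp -m icmp6 --icmpv6-type packet-too-big -j ACCEPT
ip6tables -A OUTPUT -p ipv6-icmp -m icmp6 --icmpv6-type time-exceeded -j ACCEPT
ip6tables -A OUTPUT -p ipv6-icmp -m icmp6 --icmpv6-type parameter-problem -j ACCEPT
ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-solicitation -m hl --hl-eq 255 -j ACCEPT
ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-advertisement -m hl --hl-eq 255 -j ACCEPT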