Differences

This shows you the differences between two versions of the page.

--- gnu_linux_server:network_configuration:firewall6 [2012/01/28 17:41] – créée guillaume
+++ gnu_linux_server:network_configuration:firewall6 [2021/01/04 20:41] (current) – external edit 127.0.0.1
@@ Line 6: / Line 6: @@
 <code bash>
+### BEGIN INIT INFO
+# Provides:          firewall6
+# Required-Start:    $local_fs $network
+# Required-Stop:     $local_fs $network
+# Default-Start:     2 3 4 5
+# Default-Stop:      0 1 6
+# Short-Description: Configure iptables (IPv6)
+# Description:       Setup basic rules for iptables (IPv6)
+### END INIT INFO
 #!/bin/bash
 . /lib/lsb/init-functions
+# In debug mode there will be more outputs
+# 0 to disable
+# 1 to enable
+DEBUG=0
+# Print message only in debug mode
+# Usage: print_debug ${message} ${return_code}
+# ${return_code} is optional
+print_debug() {
+    [ ${DEBUG} -eq 0 ] && return 0
+    [ $# -ne 1 ]       && return 1
+    log_action_begin_msg ${1}
+}
+end_debug() {
+    [ ${DEBUG} -eq 0 ] && return 0
+    [ $# -ne 1 ]       && return 1
+    log_action_end_msg ${1}
+}
 deny_everything() {
-    log_action_begin_msg "Denying connections"
+    print_debug "Denying connections"
     ip6tables -t filter -P INPUT   DROP
@@ Line 17: / Line 49: @@
     ip6tables -t filter -P OUTPUT  DROP
-    log_action_end_msg $?
+    end_debug $?
 }
 accept_everything() {
-  log_action_begin_msg "Accepting all connections"
+    print_debug "Accepting all connections"
-  ip6tables -t filter -P INPUT   ACCEPT
+    ip6tables -t filter -P INPUT   ACCEPT
-  ip6tables -t filter -P FORWARD ACCEPT
+    ip6tables -t filter -P FORWARD ACCEPT
-  ip6tables -t filter -P OUTPUT  ACCEPT
+    ip6tables -t filter -P OUTPUT  ACCEPT
-  log_action_end_msg $?
+    end_debug $?
 }
 cleanup_tables() {
-    log_action_begin_msg "Cleaning up tables"
+    print_debug "Cleaning up tables"
     ip6tables -t filter -F
     ip6tables -t filter -X
-    log_action_end_msg $?
+    end_debug $?
 }
 dont_break_connections() {
-    log_action_begin_msg "Keeping active connections"
+    print_debug "Keeping active connections"
     ip6tables -A INPUT  -m state --state RELATED,ESTABLISHED -j ACCEPT
     ip6tables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-    log_action_end_msg $?
+    end_debug $?
 }
 allow_loopback() {
-    log_action_begin_msg "Allowing loopback"
+    print_debug "Allowing loopback"
     ip6tables -t filter -A INPUT  -i lo -j ACCEPT
     ip6tables -t filter -A OUTPUT -o lo -j ACCEPT
-    log_action_end_msg $?
+    end_debug $?
+}
+allow_link_local_addresses() {
+    print_debug "Allowing Link-Local addresses"
+    ip6tables -t filter -A INPUT  -s fe80::/10 -j ACCEPT
+    ip6tables -t filter -A OUTPUT -s fe80::/10 -j ACCEPT
+    end_debug $?
+}
+allow_multicast_addresses() {
+    print_debug "Allowing multicast addresses"
+    ip6tables -t filter -A INPUT  -s ff00::/8 -j ACCEPT
+    ip6tables -t filter -A OUTPUT -s ff00::/8 -j ACCEPT
+    end_debug $?
 }
 open_input_port() {
-    if [ $# -ne 2 ]; then
+    [ $# -ne 2 ] && exit 1
-        exit 1
-    fi
-    log_action_begin_msg "Opening input port ${2} in ${1}"
+    print_debug "Opening input port ${2} in ${1}"
     ip6tables -t filter -A INPUT -p "${1}" --dport "${2}" -j ACCEPT
-    log_action_end_msg $?
+    end_debug $?
 }
 open_output_port() {
-    if [ $# -ne 2 ]; then
+    [ $# -ne 2 ] && exit 1
-        exit 1
-    fi
-    log_action_begin_msg "Opening output port ${2} in ${1}"
+    print_debug "Opening output port ${2} in ${1}"
     ip6tables -t filter -A OUTPUT -p "${1}" --dport "${2}" -j ACCEPT
-    log_action_end_msg $?
+    end_debug $?
 }
 allow_input_protocol() {
-    if [ $# -ne 1 ]; then
+    [ $# -ne 1 ] && exit 1
-        exit 1
-    fi
-    log_action_begin_msg "Allowing input protocol ${1}"
+    print_debug "Allowing input protocol ${1}"
     ip6tables -t filter -A INPUT -p "${1}" -j ACCEPT
-    log_action_end_msg $?
+    end_debug $?
 }
 allow_output_protocol() {
-    if [ $# -ne 1 ]; then
+    [ $# -ne 1 ] && exit 1
-        exit 1
-    fi
-    log_action_begin_msg "Allowing output protocol ${1}"
+    print_debug "Allowing output protocol ${1}"
     ip6tables -t filter -A OUTPUT -p "${1}" -j ACCEPT
-    log_action_end_msg $?
+    end_debug $?
 }
@@ Line 110: / Line 152: @@
     # Stop fail to ban before configuring firewall
     /etc/init.d/fail2ban stop
-    echo "Starting firewall configuration"
+    log_action_begin_msg "Firewall (IPv6) configuration"
     deny_everything
@@ Line 118: / Line 160: @@
     # Loopback
     allow_loopback
+    # Specific addresses
+    allow_link_local_addresses
+    allow_multicast_addresses
     # SSH
@@ Line 132: / Line 178: @@
     # ICMP
-    allow_input_protocol  icmp
+    allow_input_protocol  icmpv6
-    allow_output_protocol icmp
+    allow_output_protocol icmpv6
     # HTTP
@@ Line 213: / Line 259: @@
     # Starting fail2ban again
     /etc/init.d/fail2ban start
-    echo "Firewall configuration done."
+    log_action_end_msg 0
-    exit 0
   ;;
   stop)
-    echo "Stopping firewall configuration"
+    log_action_begin_msg "Remove firewall (IPv6) configuration"
     accept_everything
     cleanup_tables
-    echo "Success"
+    log_action_end_msg 0
-    exit 0
   ;;
@@ Line 231: / Line 275: @@
     exit 1
   ;;
+esac
+exit 0
 </code>