====== Firewall (pour IPv6) ======
Le firewall **iptables** ne gère que le filtrage des paquets en IPv4. Toutefois il existe une version de **iptables** pour IPv6, on l'utilise grâce à la commande **ip6tables**. Le script qui suit est simplement une version adaptée pour IPv6 du script présenté pour IPv4.
Note : Pour plus d'informations sur le firewall **iptables**, se référer à [[gnu_linux_server:network_configuration:firewall|la page de la version IPv4]] du firewall.
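#!/bin/bash
### BEGIN INIT INFO
# Provides: firewall6
# Required-Start: $local_fs $network
# Required-Stop: $local_fs $network
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: Configure iptables (IPv6)
# Description: Setup basic rules for iptables (IPv6)
### END INIT INFO
#
# Basic ip6tables policy for this host: default DROP on every filter chain,
# then explicit ACCEPT rules for the services listed in the start action.
#
# The interpreter line must be the very first line of the file: the kernel
# only honours "#!" at offset 0, anywhere else it is an ordinary comment and
# the script ends up being run by whatever shell the caller falls back to.

# LSB logging helpers: log_action_begin_msg / log_action_end_msg
. /lib/lsb/init-functions

# In debug mode there will be more outputs
# 0 to disable
# 1 to enable
DEBUG=0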
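# Print message only in debug mode
# Usage: print_debug ${message}
# Returns 0 when DEBUG is disabled (or unset), 1 when the argument count is
# wrong, otherwise the status of log_action_begin_msg.
print_debug() {
  # An unset DEBUG is treated as "disabled" instead of making the test fail
  [ "${DEBUG:-0}" -eq 0 ] && return 0
  [ $# -ne 1 ] && return 1
  # Quoted so that a message containing spaces stays a single argument
  log_action_begin_msg "${1}"
}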
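# Close the message opened by print_debug, only in debug mode
# Usage: end_debug ${return_code}
# ${return_code} is the exit status of the command(s) being reported.
# Returns 0 when DEBUG is disabled (or unset), 1 when the argument count is
# wrong, otherwise the status of log_action_end_msg.
end_debug() {
  # An unset DEBUG is treated as "disabled" instead of making the test fail
  [ "${DEBUG:-0}" -eq 0 ] && return 0
  [ $# -ne 1 ] && return 1
  log_action_end_msg "${1}"
}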
# Set the default policy of every chain of the filter table to DROP.
# Anything not explicitly accepted by a later rule is then silently
# discarded ("fail closed").
deny_everything() {
  local chain
  print_debug "Denying connections"
  for chain in INPUT FORWARD OUTPUT; do
    ip6tables -t filter -P "${chain}" DROP
  done
  # Reports the status of the last ip6tables call
  end_debug $?
}
# Set the default policy of every chain of the filter table to ACCEPT.
# Used by the stop action: afterwards the host accepts all IPv6 traffic,
# i.e. it is no longer protected by this script.
accept_everything() {
  local chain
  print_debug "Accepting all connections"
  for chain in INPUT FORWARD OUTPUT; do
    ip6tables -t filter -P "${chain}" ACCEPT
  done
  # Reports the status of the last ip6tables call
  end_debug $?
}
# Empty the filter table: flush every rule (-F) and then delete every
# user-defined chain (-X). -F must run first because -X only removes chains
# that are empty and unreferenced. Only the chain policies survive this.
# NOTE(review): this also removes chains that other tools (e.g. fail2ban)
# may have created in the filter table.
cleanup_tables() {
  local flag
  print_debug "Cleaning up tables"
  for flag in -F -X; do
    ip6tables -t filter "${flag}"
  done
  # Reports the status of the last ip6tables call (-X)
  end_debug $?
}
# Accept packets belonging to connections that are already tracked as
# ESTABLISHED or RELATED, on both INPUT and OUTPUT, so that sessions which
# were open before the rules are (re)applied keep working. The filter table
# is the default, hence no -t here.
dont_break_connections() {
  local chain
  print_debug "Keeping active connections"
  for chain in INPUT OUTPUT; do
    ip6tables -A "${chain}" -m state --state RELATED,ESTABLISHED -j ACCEPT
  done
  end_debug $?
}
# Accept everything on the loopback interface: incoming packets arriving on
# lo (-i) and outgoing packets leaving through lo (-o).
allow_loopback() {
  local -r table=filter
  print_debug "Allowing loopback"
  ip6tables -t "${table}" -A INPUT -i lo -j ACCEPT
  ip6tables -t "${table}" -A OUTPUT -o lo -j ACCEPT
  end_debug $?
}
# Accept packets whose source address is link-local (fe80::/10).
# NOTE(review): on INPUT this matches every port and protocol, so hosts on
# the same link are not limited by the per-port rules added later; on
# OUTPUT, -s only matches packets the host itself sends from its own
# link-local address.
allow_link_local_addresses() {
  local chain
  print_debug "Allowing Link-Local addresses"
  for chain in INPUT OUTPUT; do
    ip6tables -t filter -A "${chain}" -s fe80::/10 -j ACCEPT
  done
  end_debug $?
}
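# Accept packets addressed to a multicast group (ff00::/8) on INPUT and
# OUTPUT, whatever the protocol.
# The previous rules used -s ff00::/8, i.e. matched the *source* address.
# Multicast addresses are never used as a source address in IPv6
# (RFC 4291, section 2.7), so neither rule could ever match and the function
# was a no-op. Matching the destination (-d) is what "allowing multicast"
# means: group traffic delivered to this host (e.g. ff02::1, all-nodes) and
# group traffic the host sends itself.
allow_multicast_addresses() {
  local chain
  print_debug "Allowing multicast addresses"
  for chain in INPUT OUTPUT; do
    ip6tables -t filter -A "${chain}" -d ff00::/8 -j ACCEPT
  done
  end_debug $?
}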
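# Accept incoming connections to a local port.
# Usage: open_input_port ${protocol} ${port}
# A wrong argument count terminates the whole script with status 1 (with a
# diagnostic on stderr) so that a typo in the rule list is noticed rather
# than silently skipped; the DROP policies already set by deny_everything
# then stay in place.
open_input_port() {
  if [ $# -ne 2 ]; then
    printf 'open_input_port: expected <protocol> <port>, got %d argument(s)\n' "$#" >&2
    exit 1
  fi
  print_debug "Opening input port ${2} in ${1}"
  # --dport is the destination port of the incoming packet; -p loads the
  # protocol match module that understands it
  ip6tables -t filter -A INPUT -p "${1}" --dport "${2}" -j ACCEPT
  end_debug $?
}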
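# Accept outgoing connections to a remote port.
# Usage: open_output_port ${protocol} ${port}
# A wrong argument count terminates the whole script with status 1 (with a
# diagnostic on stderr) so that a typo in the rule list is noticed rather
# than silently skipped; the DROP policies already set by deny_everything
# then stay in place.
open_output_port() {
  if [ $# -ne 2 ]; then
    printf 'open_output_port: expected <protocol> <port>, got %d argument(s)\n' "$#" >&2
    exit 1
  fi
  print_debug "Opening output port ${2} in ${1}"
  # On OUTPUT, --dport is the port of the remote service being contacted
  ip6tables -t filter -A OUTPUT -p "${1}" --dport "${2}" -j ACCEPT
  end_debug $?
}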
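# Accept every incoming packet of one protocol, without any port or type
# restriction (the script uses it for icmpv6).
# Usage: allow_input_protocol ${protocol}
# A wrong argument count terminates the whole script with status 1 (with a
# diagnostic on stderr); the DROP policies then stay in place.
allow_input_protocol() {
  if [ $# -ne 1 ]; then
    printf 'allow_input_protocol: expected <protocol>, got %d argument(s)\n' "$#" >&2
    exit 1
  fi
  print_debug "Allowing input protocol ${1}"
  ip6tables -t filter -A INPUT -p "${1}" -j ACCEPT
  end_debug $?
}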
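# Accept every outgoing packet of one protocol, without any port or type
# restriction (the script uses it for icmpv6).
# Usage: allow_output_protocol ${protocol}
# A wrong argument count terminates the whole script with status 1 (with a
# diagnostic on stderr); the DROP policies then stay in place.
allow_output_protocol() {
  if [ $# -ne 1 ]; then
    printf 'allow_output_protocol: expected <protocol>, got %d argument(s)\n' "$#" >&2
    exit 1
  fi
  print_debug "Allowing output protocol ${1}"
  ip6tables -t filter -A OUTPUT -p "${1}" -j ACCEPT
  end_debug $?
}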
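#######################################
# "start" action: DROP everything by default, then accept only the services
# listed below. fail2ban is stopped first and started again at the end
# because cleanup_tables flushes the whole filter table, which would also
# remove any chains fail2ban may have added to it.
# Returns: 0; the open_*_port / allow_*_protocol helpers exit the script
#          with status 1 on a malformed rule (DROP policies stay in place)
#######################################
do_start() {
  local i
  # Stop fail to ban before configuring firewall
  /etc/init.d/fail2ban stop
  log_action_begin_msg "Firewall (IPv6) configuration"
  deny_everything
  cleanup_tables
  dont_break_connections
  # Loopback
  allow_loopback
  # Specific addresses
  allow_link_local_addresses
  allow_multicast_addresses
  # SSH
  open_input_port tcp 22
  open_output_port tcp 22
  # DNS, FTP, HTTP, NTP
  open_output_port tcp 21
  open_output_port tcp 80
  open_output_port tcp 53
  open_output_port tcp 443
  open_output_port udp 53
  open_output_port udp 123
  # ICMP (unrestricted: ICMPv6 carries neighbour discovery and path MTU
  # discovery, without which IPv6 does not work at all)
  allow_input_protocol icmpv6
  allow_output_protocol icmpv6
  # HTTP
  open_input_port tcp 80
  open_input_port tcp 443
  # MySQL (reachable from every IPv6 peer; add a -s <client prefix> match
  # here if the clients are known)
  open_input_port tcp 3306
  open_output_port tcp 3306
  # POP, IMAP
  open_input_port tcp 25
  open_input_port tcp 110
  open_input_port tcp 995
  open_input_port tcp 143
  open_input_port tcp 993
  open_output_port tcp 25
  open_output_port tcp 110
  open_output_port tcp 995
  open_output_port tcp 143
  open_output_port tcp 993
  # Mumble
  open_input_port tcp 64738
  open_input_port udp 64738
  open_output_port tcp 64738
  open_output_port udp 64738
  # Bazaar
  open_input_port tcp 4155
  open_output_port tcp 4155
  # Keys server
  open_input_port tcp 11371
  open_output_port tcp 11371
  # OpenVPN
  open_input_port tcp 1194
  open_output_port tcp 1194
  # Transmission (9091 is the web interface, exposed to every IPv6 peer)
  open_input_port tcp 9091
  open_input_port tcp 51413
  open_output_port tcp 9091
  open_output_port tcp 51413
  # Irssi
  open_input_port tcp 6667
  open_input_port udp 6667
  open_output_port tcp 6667
  open_output_port udp 6667
  # Minecraft
  for i in 25565 25566; do
    open_input_port tcp "${i}"
    open_input_port udp "${i}"
    open_output_port tcp "${i}"
    open_output_port udp "${i}"
  done
  # Steam
  for i in 7707 7708 7717 20560 28852; do
    open_input_port udp "${i}"
    open_output_port udp "${i}"
  done
  for i in 8075 20560 28852; do
    open_input_port tcp "${i}"
    open_output_port tcp "${i}"
  done
  for i in 27011 27900; do
    open_input_port tcp "${i}"
    open_input_port udp "${i}"
    open_output_port tcp "${i}"
    open_output_port udp "${i}"
  done
  # Starting fail2ban again
  /etc/init.d/fail2ban start
  log_action_end_msg 0
}

#######################################
# "stop" action: switch every chain policy to ACCEPT and flush the filter
# table. The host then accepts all IPv6 traffic. fail2ban is left as it is,
# even though its chains (if any) are flushed together with ours.
#######################################
do_stop() {
  log_action_begin_msg "Remove firewall (IPv6) configuration"
  accept_everything
  cleanup_tables
  log_action_end_msg 0
}

# restart / force-reload are the LSB-required aliases for stop-then-start.
case "${1}" in
  start)
    do_start
    ;;
  stop)
    do_stop
    ;;
  restart|force-reload)
    do_stop
    do_start
    ;;
  *)
    # Usage goes to stderr so it is not mistaken for normal output
    printf 'Usage: /etc/init.d/firewall6 {start|stop|restart|force-reload}\n' >&2
    exit 1
    ;;
esac
exit 0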
Ce script peut être placé dans ///etc/init.d/// et doit avoir les droits d'exécution pour être exécuté par **root**. Il est aussi recommandé d'activer ce script lors du démarrage du système.
update-rc.d firewall6 defaults
L'utilisation manuelle s'effectue par "start" pour démarrer le firewall, et par "stop" pour accepter toutes les connexions et vider toutes les règles.