Firewall (pour IPv6)

Le firewall iptables ne gère que le filtrage des paquets en IPv4. Toutefois, il existe une version d'iptables pour IPv6, que l'on utilise grâce à la commande ip6tables. Le script qui suit est simplement une version adaptée pour IPv6 du script présenté pour IPv4.

Note : Pour plus d'informations sur le firewall iptables, se référer à la page de la version IPv4 du firewall.

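#!/bin/bash
### BEGIN INIT INFO
# Provides:          firewall6
# Required-Start:    $local_fs $network
# Required-Stop:     $local_fs $network
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# Short-Description: Configure iptables (IPv6)
# Description:       Setup basic rules for iptables (IPv6)
### END INIT INFO

# The interpreter line above has to be the very first line of the file;
# placed after the LSB header it is read as an ordinary comment.

# LSB logging helpers used below (log_action_begin_msg, log_action_end_msg).
. /lib/lsb/init-functions

# In debug mode each configuration step is logged individually.
# 0 to disable
# 1 to enable
DEBUG=0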
 
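# Announce the start of a step, but only in debug mode.
# Usage:     print_debug <message>
# Globals:   DEBUG (read) - 0, empty or unset keeps the function silent
# Arguments: $1 - message handed to log_action_begin_msg
# Returns:   0 when debug is off, 1 when not called with exactly one
#            argument, otherwise the status of log_action_begin_msg
print_debug() {
    [ "${DEBUG:-0}" -eq 0 ] && return 0
    [ $# -ne 1 ]            && return 1

    # Quoted so the message reaches the logger as a single word, without
    # word splitting or glob expansion.
    log_action_begin_msg "${1}"
}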
 
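# Close the step opened by print_debug, but only in debug mode.
# Usage:     end_debug <return_code>
# Globals:   DEBUG (read) - 0, empty or unset keeps the function silent
# Arguments: $1 - status code handed to log_action_end_msg
# Returns:   0 when debug is off, 1 when not called with exactly one
#            argument, otherwise the status of log_action_end_msg
end_debug() {
    [ "${DEBUG:-0}" -eq 0 ] && return 0
    [ $# -ne 1 ]            && return 1

    # Quoted so the logger always receives exactly one argument.
    log_action_end_msg "${1}"
}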
 
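# Set the default policy of the INPUT, FORWARD and OUTPUT chains of the
# filter table to DROP.
# Outputs: debug progress through print_debug / end_debug
# Returns: 0 when every ip6tables call succeeded, otherwise the status of the
#          last call that failed
deny_everything() {
    local rc=0

    print_debug "Denying connections"

    # Record every failure: reporting only the status of the last command
    # would hide an INPUT or FORWARD policy that was never applied.
    ip6tables -t filter -P INPUT   DROP || rc=$?
    ip6tables -t filter -P FORWARD DROP || rc=$?
    ip6tables -t filter -P OUTPUT  DROP || rc=$?

    end_debug "${rc}"
    return "${rc}"
}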
 
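# Set the default policy of the INPUT, FORWARD and OUTPUT chains of the
# filter table to ACCEPT. Called by the "stop" action; once the rules are
# flushed as well, no IPv6 filtering remains.
# Outputs: debug progress through print_debug / end_debug
# Returns: 0 when every ip6tables call succeeded, otherwise the status of the
#          last call that failed
accept_everything() {
    local rc=0

    print_debug "Accepting all connections"

    # Record every failure instead of reporting only the last command.
    ip6tables -t filter -P INPUT   ACCEPT || rc=$?
    ip6tables -t filter -P FORWARD ACCEPT || rc=$?
    ip6tables -t filter -P OUTPUT  ACCEPT || rc=$?

    end_debug "${rc}"
    return "${rc}"
}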
 
 
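# Empty the filter table: -F flushes the rules of every chain, -X deletes the
# user-defined chains. Chain policies are left as they are.
# Outputs: debug progress through print_debug / end_debug
# Returns: 0 when both ip6tables calls succeeded, otherwise the status of the
#          last call that failed
cleanup_tables() {
    local rc=0

    print_debug "Cleaning up tables"

    # A failed flush must not be hidden by a successful chain deletion.
    ip6tables -t filter -F || rc=$?
    ip6tables -t filter -X || rc=$?

    end_debug "${rc}"
    return "${rc}"
}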
 
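# Accept packets that belong to, or are related to, a connection that is
# already tracked, in both directions.
# Outputs: debug progress through print_debug / end_debug
# Returns: 0 when both ip6tables calls succeeded, otherwise the status of the
#          last call that failed
dont_break_connections() {
    local rc=0

    print_debug "Keeping active connections"

    # NOTE(review): "-m state --state" is the legacy spelling; current
    # iptables documents "-m conntrack --ctstate" as its replacement.
    # No -t option is given, so ip6tables uses its default table (filter).
    ip6tables -A INPUT  -m state --state RELATED,ESTABLISHED -j ACCEPT || rc=$?
    ip6tables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT || rc=$?

    end_debug "${rc}"
    return "${rc}"
}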
 
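# Accept all traffic entering or leaving through the loopback interface.
# Outputs: debug progress through print_debug / end_debug
# Returns: 0 when both ip6tables calls succeeded, otherwise the status of the
#          last call that failed
allow_loopback() {
    local rc=0

    print_debug "Allowing loopback"

    # Record every failure instead of reporting only the last command.
    ip6tables -t filter -A INPUT  -i lo -j ACCEPT || rc=$?
    ip6tables -t filter -A OUTPUT -o lo -j ACCEPT || rc=$?

    end_debug "${rc}"
    return "${rc}"
}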
 
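# Accept packets whose source address is link-local (fe80::/10), inbound and
# outbound.
# Outputs: debug progress through print_debug / end_debug
# Returns: 0 when both ip6tables calls succeeded, otherwise the status of the
#          last call that failed
allow_link_local_addresses() {
    local rc=0

    print_debug "Allowing Link-Local addresses"

    # NOTE(review): the INPUT rule has no protocol or port match, so any host
    # on the local link reaches every service through its link-local address
    # and the per-port rules do not apply to it. Narrow the rule if the link
    # is not trusted.
    ip6tables -t filter -A INPUT  -s fe80::/10 -j ACCEPT || rc=$?
    ip6tables -t filter -A OUTPUT -s fe80::/10 -j ACCEPT || rc=$?

    end_debug "${rc}"
    return "${rc}"
}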
 
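# Append ACCEPT rules that match the multicast range ff00::/8 as a *source*
# address, inbound and outbound.
# Outputs: debug progress through print_debug / end_debug
# Returns: 0 when both ip6tables calls succeeded, otherwise the status of the
#          last call that failed
allow_multicast_addresses() {
    local rc=0

    print_debug "Allowing multicast addresses"

    # NOTE(review): a multicast address is not a valid IPv6 source address
    # (RFC 4291), so "-s ff00::/8" only matches malformed packets. The
    # intended match is probably the destination ("-d ff00::/8"); the rules
    # are kept as written here, confirm the intent before changing them.
    ip6tables -t filter -A INPUT  -s ff00::/8 -j ACCEPT || rc=$?
    ip6tables -t filter -A OUTPUT -s ff00::/8 -j ACCEPT || rc=$?

    end_debug "${rc}"
    return "${rc}"
}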
 
# Accept inbound packets for one destination port.
# Arguments: $1 - protocol given to -p (the script uses tcp and udp)
#            $2 - destination port
# Exits the whole script with status 1 unless called with two arguments.
# The rule carries no source match: the port is open to any IPv6 address.
open_input_port() {
    if [ "$#" -ne 2 ]; then
        exit 1
    fi

    local proto=$1
    local port=$2

    print_debug "Opening input port ${port} in ${proto}"

    ip6tables -t filter -A INPUT -p "${proto}" --dport "${port}" -j ACCEPT

    # Hand the status of the ip6tables call to the debug logger.
    end_debug "$?"
}
 
# Accept outbound packets sent to one destination port.
# Arguments: $1 - protocol given to -p (the script uses tcp and udp)
#            $2 - destination port
# Exits the whole script with status 1 unless called with two arguments.
open_output_port() {
    if [ "$#" -ne 2 ]; then
        exit 1
    fi

    local proto=$1
    local port=$2

    print_debug "Opening output port ${port} in ${proto}"

    ip6tables -t filter -A OUTPUT -p "${proto}" --dport "${port}" -j ACCEPT

    # Hand the status of the ip6tables call to the debug logger.
    end_debug "$?"
}
 
# Accept every inbound packet of one protocol, whatever its source.
# Arguments: $1 - protocol given to -p
# Exits the whole script with status 1 unless called with one argument.
allow_input_protocol() {
    if [ "$#" -ne 1 ]; then
        exit 1
    fi

    local proto=$1

    print_debug "Allowing input protocol ${proto}"

    ip6tables -t filter -A INPUT -p "${proto}" -j ACCEPT

    # Hand the status of the ip6tables call to the debug logger.
    end_debug "$?"
}
 
# Accept every outbound packet of one protocol.
# Arguments: $1 - protocol given to -p
# Exits the whole script with status 1 unless called with one argument.
allow_output_protocol() {
    if [ "$#" -ne 1 ]; then
        exit 1
    fi

    local proto=$1

    print_debug "Allowing output protocol ${proto}"

    ip6tables -t filter -A OUTPUT -p "${proto}" -j ACCEPT

    # Hand the status of the ip6tables call to the debug logger.
    end_debug "$?"
}
 
# Entry point: "start" installs the rule set, "stop" removes it, anything
# else prints the usage line and exits with status 1.
case "${1}" in
  start)
    # fail2ban is stopped while the rules are rebuilt and started again at the
    # end (presumably because the flush below would remove its rules).
    /etc/init.d/fail2ban stop
    log_action_begin_msg "Firewall (IPv6) configuration"

    # Default-deny first, then start from an empty filter table.
    deny_everything
    cleanup_tables
    dont_break_connections

    # Loopback
    allow_loopback

    # Specific addresses
    allow_link_local_addresses
    allow_multicast_addresses

    # SSH
    # The inbound rule has no source restriction.
    open_input_port  tcp 22
    open_output_port tcp 22

    # DNS, FTP, HTTP, NTP (outbound only)
    for port in 21 80 53 443; do
        open_output_port tcp "${port}"
    done
    open_output_port udp  53
    open_output_port udp 123

    # ICMP
    # Every ICMPv6 type is accepted in both directions.
    allow_input_protocol  icmpv6
    allow_output_protocol icmpv6

    # HTTP
    for port in 80 443; do
        open_input_port tcp "${port}"
    done

    # MySQL
    # NOTE(review): 3306 is opened inbound to any IPv6 source; restrict it if
    # remote database access is not intended.
    open_input_port  tcp 3306
    open_output_port tcp 3306

    # POP, IMAP
    for port in 25 110 995 143 993; do
        open_input_port tcp "${port}"
    done
    for port in 25 110 995 143 993; do
        open_output_port tcp "${port}"
    done

    # Mumble
    for proto in tcp udp; do
        open_input_port "${proto}" 64738
    done
    for proto in tcp udp; do
        open_output_port "${proto}" 64738
    done

    # Bazaar
    open_input_port  tcp 4155
    open_output_port tcp 4155

    # Keys server
    open_input_port  tcp 11371
    open_output_port tcp 11371

    # OpenVPN
    open_input_port  tcp 1194
    open_output_port tcp 1194

    # Transmission
    # NOTE(review): 9091 is opened inbound to any IPv6 source; if it serves
    # the Transmission remote-control interface, limit who can reach it.
    for port in 9091 51413; do
        open_input_port tcp "${port}"
    done
    for port in 9091 51413; do
        open_output_port tcp "${port}"
    done

    # Irssi
    for proto in tcp udp; do
        open_input_port "${proto}" 6667
    done
    for proto in tcp udp; do
        open_output_port "${proto}" 6667
    done

    # Minecraft
    for port in 25565 25566; do
        for proto in tcp udp; do
            open_input_port "${proto}" "${port}"
        done
        for proto in tcp udp; do
            open_output_port "${proto}" "${port}"
        done
    done

    # Steam
    for port in 7707 7708 7717 20560 28852; do
        open_input_port  udp "${port}"
        open_output_port udp "${port}"
    done

    for port in 8075 20560 28852; do
        open_input_port  tcp "${port}"
        open_output_port tcp "${port}"
    done

    for port in 27011 27900; do
        for proto in tcp udp; do
            open_input_port "${proto}" "${port}"
        done
        for proto in tcp udp; do
            open_output_port "${proto}" "${port}"
        done
    done

    # Starting fail2ban again
    /etc/init.d/fail2ban start
    # Success is reported unconditionally: the status of the calls above is
    # not checked.
    log_action_end_msg 0
  ;;

  stop)
    log_action_begin_msg "Remove firewall (IPv6) configuration"

    # ACCEPT policies plus an empty filter table: IPv6 traffic is no longer
    # filtered after this action.
    accept_everything
    cleanup_tables

    log_action_end_msg 0
  ;;

  *)
    printf '%s\n' "Usage: /etc/init.d/firewall6 {start|stop}"
    exit 1
  ;;
esac

exit 0

Ce script peut être placé dans /etc/init.d/ et doit avoir les droits d'exécution pour être exécuté par root. Il est aussi recommandé d'utiliser ce script lors du démarrage du système.

# Enable the init script at boot (run as root): "defaults" creates the
# start/stop links for the script's default runlevels.
update-rc.d firewall6 defaults

L'utilisation manuelle s'effectue par “start” pour démarrer le firewall, et par “stop” pour accepter toutes les connexions et vider toutes les règles.