gnu_linux_server:network_configuration:firewall6
Firewall (pour IPv6)
Le firewall iptables ne gère que le filtrage des paquets en IPv4. Toutefois il existe une de iptables pour IPv6, on l'utilise grâce à la commande ip6tables. Le script qui suit est simplement une version adaptée pour IPv6 du script présenté pour IPv4.
Note : Pour plus d'informations sur le firewall iptables, se référer à la page de la version IPv4 du firewall.
### BEGIN INIT INFO # Provides: firewall6 # Required-Start: $local_fs $network # Required-Stop: $local_fs $network # Default-Start: 2 3 4 5 # Default-Stop: 0 1 6 # Short-Description: Configure iptables (IPv6) # Description: Setup basic rules for iptables (IPv6) ### END INIT INFO #!/bin/bash . /lib/lsb/init-functions # In debug mode there will be more outputs # 0 to disable # 1 to enable DEBUG=0 # Print message only in debug mode # Usage: print_debug ${message} ${return_code} # ${return_code} is optional print_debug() { [ ${DEBUG} -eq 0 ] && return 0 [ $# -ne 1 ] && return 1 log_action_begin_msg ${1} } end_debug() { [ ${DEBUG} -eq 0 ] && return 0 [ $# -ne 1 ] && return 1 log_action_end_msg ${1} } deny_everything() { print_debug "Denying connections" ip6tables -t filter -P INPUT DROP ip6tables -t filter -P FORWARD DROP ip6tables -t filter -P OUTPUT DROP end_debug $? } accept_everything() { print_debug "Accepting all connections" ip6tables -t filter -P INPUT ACCEPT ip6tables -t filter -P FORWARD ACCEPT ip6tables -t filter -P OUTPUT ACCEPT end_debug $? } cleanup_tables() { print_debug "Cleaning up tables" ip6tables -t filter -F ip6tables -t filter -X end_debug $? } dont_break_connections() { print_debug "Keeping active connections" ip6tables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT ip6tables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT end_debug $? } allow_loopback() { print_debug "Allowing loopback" ip6tables -t filter -A INPUT -i lo -j ACCEPT ip6tables -t filter -A OUTPUT -o lo -j ACCEPT end_debug $? } allow_link_local_addresses() { print_debug "Allowing Link-Local addresses" ip6tables -t filter -A INPUT -s fe80::/10 -j ACCEPT ip6tables -t filter -A OUTPUT -s fe80::/10 -j ACCEPT end_debug $? } allow_multicast_addresses() { print_debug "Allowing multicast addresses" ip6tables -t filter -A INPUT -s ff00::/8 -j ACCEPT ip6tables -t filter -A OUTPUT -s ff00::/8 -j ACCEPT end_debug $? } open_input_port() { [ $# -ne 2 ] && exit 1 print_debug "Opening input port ${2} in ${1}" ip6tables -t filter -A INPUT -p "${1}" --dport "${2}" -j ACCEPT end_debug $? } open_output_port() { [ $# -ne 2 ] && exit 1 print_debug "Opening output port ${2} in ${1}" ip6tables -t filter -A OUTPUT -p "${1}" --dport "${2}" -j ACCEPT end_debug $? } allow_input_protocol() { [ $# -ne 1 ] && exit 1 print_debug "Allowing input protocol ${1}" ip6tables -t filter -A INPUT -p "${1}" -j ACCEPT end_debug $? } allow_output_protocol() { [ $# -ne 1 ] && exit 1 print_debug "Allowing output protocol ${1}" ip6tables -t filter -A OUTPUT -p "${1}" -j ACCEPT end_debug $? } case ${1} in start) # Stop fail to ban before configuring firewall /etc/init.d/fail2ban stop log_action_begin_msg "Firewall (IPv6) configuration" deny_everything cleanup_tables dont_break_connections # Loopback allow_loopback # Specific addresses allow_link_local_addresses allow_multicast_addresses # SSH open_input_port tcp 22 open_output_port tcp 22 # DNS, FTP, HTTP, NTP open_output_port tcp 21 open_output_port tcp 80 open_output_port tcp 53 open_output_port tcp 443 open_output_port udp 53 open_output_port udp 123 # ICMP allow_input_protocol icmpv6 allow_output_protocol icmpv6 # HTTP open_input_port tcp 80 open_input_port tcp 443 # MySQL open_input_port tcp 3306 open_output_port tcp 3306 # POP, IMAP open_input_port tcp 25 open_input_port tcp 110 open_input_port tcp 995 open_input_port tcp 143 open_input_port tcp 993 open_output_port tcp 25 open_output_port tcp 110 open_output_port tcp 995 open_output_port tcp 143 open_output_port tcp 993 # Mumble open_input_port tcp 64738 open_input_port udp 64738 open_output_port tcp 64738 open_output_port udp 64738 # Bazaar open_input_port tcp 4155 open_output_port tcp 4155 # Keys server open_input_port tcp 11371 open_output_port tcp 11371 # OpenVPN open_input_port tcp 1194 open_output_port tcp 1194 # Transmission open_input_port tcp 9091 open_input_port tcp 51413 open_output_port tcp 9091 open_output_port tcp 51413 # Irssi open_input_port tcp 6667 open_input_port udp 6667 open_output_port tcp 6667 open_output_port udp 6667 # Minecraft for i in 25565 25566; do open_input_port tcp ${i} open_input_port udp ${i} open_output_port tcp ${i} open_output_port udp ${i} done # Steam for i in 7707 7708 7717 20560 28852; do open_input_port udp ${i} open_output_port udp ${i} done for i in 8075 20560 28852; do open_input_port tcp ${i} open_output_port tcp ${i} done for i in 27011 27900; do open_input_port tcp ${i} open_input_port udp ${i} open_output_port tcp ${i} open_output_port udp ${i} done # Starting fail2ban again /etc/init.d/fail2ban start log_action_end_msg 0 ;; stop) log_action_begin_msg "Remove firewall (IPv6) configuration" accept_everything cleanup_tables log_action_end_msg 0 ;; *) echo "Usage: /etc/init.d/firewall6 {start|stop}" exit 1 ;; esac exit 0
Ce script peut être placé dans /etc/init.d/ et doit avoir les droits d'exécution pour être exécuté par root. Il est aussi recommandé de d'utiliser ce script lors du démarrage du système.
update-rc.d firewall6 defaults
L'utilisation manuel s'effectue par “start” pour démarrer le firewall, et par “stop” pour accepter toutes les connexions et vider toutes les règles.
gnu_linux_server/network_configuration/firewall6.txt · Last modified: 2021/01/04 20:41 by 127.0.0.1