

Firewall (pour IPv6)

FIXME Script à retravailler et à vérifier (à ne pas mettre en production pour l'instant)

Le firewall iptables ne gère que le filtrage des paquets en IPv4. Toutefois il existe une version de iptables pour IPv6, on l'utilise grâce à la commande ip6tables. Le script qui suit est simplement une version adaptée pour IPv6 du script présenté pour IPv4.

Note : Pour plus d'informations sur le firewall iptables, se référer à la page de la version IPv4 du firewall.

#!/bin/bash
 
. /lib/lsb/init-functions
 
deny_everything() {
    # Set the default policy of every filter chain to DROP so that any
    # packet not matched by an explicit ACCEPT rule is discarded (fail closed).
    # The status reported is that of the last ip6tables call.
    local chain
    log_action_begin_msg "Denying connections"

    for chain in INPUT FORWARD OUTPUT; do
        ip6tables -t filter -P "${chain}" DROP
    done

    log_action_end_msg "$?"
}
 
accept_everything() {
    # Reset the default policy of every filter chain to ACCEPT; the "stop"
    # branch uses this to open the host up again before flushing the rules.
    local chain
    log_action_begin_msg "Accepting all connections"

    for chain in INPUT FORWARD OUTPUT; do
        ip6tables -t filter -P "${chain}" ACCEPT
    done

    log_action_end_msg "$?"
}
 
 
cleanup_tables() {
    # Flush every rule (-F) and then delete every user-defined chain (-X)
    # in the filter table. Order matters: a non-empty chain cannot be
    # deleted. The default policies are left as they are.
    local action
    log_action_begin_msg "Cleaning up tables"

    for action in -F -X; do
        ip6tables -t filter "${action}"
    done

    log_action_end_msg "$?"
}
 
dont_break_connections() {
    # Accept, in both directions, packets that conntrack already associates
    # with an established (or related) connection, so that sessions open at
    # the moment the policies switch to DROP -- e.g. the SSH session running
    # this script -- are not cut. Uses the legacy "state" match, as the
    # original does; the filter table is implied.
    local chain
    log_action_begin_msg "Keeping active connections"

    for chain in INPUT OUTPUT; do
        ip6tables -A "${chain}" -m state --state RELATED,ESTABLISHED -j ACCEPT
    done

    log_action_end_msg "$?"
}
 
allow_loopback() {
    # Accept everything on the loopback interface: inbound is matched on
    # the input interface (-i lo), outbound on the output interface (-o lo).
    local spec chain flag
    log_action_begin_msg "Allowing loopback"

    for spec in "INPUT -i" "OUTPUT -o"; do
        read -r chain flag <<<"${spec}"
        ip6tables -t filter -A "${chain}" "${flag}" lo -j ACCEPT
    done

    log_action_end_msg "$?"
}
 
allow_link_local_addresses() {
    # Accept packets whose *source* address lies in the link-local range
    # fe80::/10, on INPUT and OUTPUT alike. Note that -s is used on OUTPUT
    # too: that matches traffic the host sends from its own link-local
    # address, not traffic addressed to a neighbour's link-local address.
    local chain
    log_action_begin_msg "Allowing Link-Local addresses"

    for chain in INPUT OUTPUT; do
        ip6tables -t filter -A "${chain}" -s fe80::/10 -j ACCEPT
    done

    log_action_end_msg "$?"
}
 
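allow_multicast_addresses() {
    # Accept packets addressed to the IPv6 multicast range ff00::/8, in
    # both directions. A multicast address only ever appears as the
    # *destination* of a packet (RFC 4291 section 2.7), so the match must
    # be on -d: the previous "-s ff00::/8" rules could never match and left
    # non-ICMPv6 multicast traffic (mDNS and the like) to the DROP policy.
    # NDP itself is ICMPv6 and is admitted by the icmpv6 protocol rules the
    # start branch adds separately.
    local chain
    log_action_begin_msg "Allowing multicast addresses"

    for chain in INPUT OUTPUT; do
        ip6tables -t filter -A "${chain}" -d ff00::/8 -j ACCEPT
    done

    log_action_end_msg "$?"
}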
 
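open_input_port() {
    # Append an ACCEPT rule for inbound traffic to one destination port.
    #   $1 - protocol (tcp or udp; --dport only exists for port-based protocols)
    #   $2 - destination port number
    # A wrong argument count exits the whole script with status 1. In the
    # start branch this runs after the DROP policies are set, so a typo in
    # the rule list fails closed instead of silently skipping a rule; the
    # message on stderr says which call was malformed.
    if [ $# -ne 2 ]; then
        printf 'open_input_port: expected <protocol> <port>, got %d argument(s)\n' "$#" >&2
        exit 1
    fi

    local proto=$1
    local port=$2

    log_action_begin_msg "Opening input port ${port} in ${proto}"

    ip6tables -t filter -A INPUT -p "${proto}" --dport "${port}" -j ACCEPT

    log_action_end_msg "$?"
}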
 
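open_output_port() {
    # Append an ACCEPT rule for outbound traffic to one destination port.
    #   $1 - protocol (tcp or udp; --dport only exists for port-based protocols)
    #   $2 - destination port number on the remote host
    # A wrong argument count exits the whole script with status 1. In the
    # start branch this runs after the DROP policies are set, so a typo in
    # the rule list fails closed instead of silently skipping a rule; the
    # message on stderr says which call was malformed.
    if [ $# -ne 2 ]; then
        printf 'open_output_port: expected <protocol> <port>, got %d argument(s)\n' "$#" >&2
        exit 1
    fi

    local proto=$1
    local port=$2

    log_action_begin_msg "Opening output port ${port} in ${proto}"

    ip6tables -t filter -A OUTPUT -p "${proto}" --dport "${port}" -j ACCEPT

    log_action_end_msg "$?"
}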
 
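allow_input_protocol() {
    # Append an ACCEPT rule for every inbound packet of one IP protocol,
    # whatever the port (used for icmpv6 in the start branch).
    #   $1 - protocol name or number as accepted by "ip6tables -p"
    # A wrong argument count exits the whole script with status 1 (fails
    # closed, since the DROP policies are already in place when the start
    # branch calls this); the reason is reported on stderr.
    if [ $# -ne 1 ]; then
        printf 'allow_input_protocol: expected <protocol>, got %d argument(s)\n' "$#" >&2
        exit 1
    fi

    local proto=$1

    log_action_begin_msg "Allowing input protocol ${proto}"

    ip6tables -t filter -A INPUT -p "${proto}" -j ACCEPT

    log_action_end_msg "$?"
}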
 
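allow_output_protocol() {
    # Append an ACCEPT rule for every outbound packet of one IP protocol,
    # whatever the port (used for icmpv6 in the start branch).
    #   $1 - protocol name or number as accepted by "ip6tables -p"
    # A wrong argument count exits the whole script with status 1 (fails
    # closed, since the DROP policies are already in place when the start
    # branch calls this); the reason is reported on stderr.
    if [ $# -ne 1 ]; then
        printf 'allow_output_protocol: expected <protocol>, got %d argument(s)\n' "$#" >&2
        exit 1
    fi

    local proto=$1

    log_action_begin_msg "Allowing output protocol ${proto}"

    ip6tables -t filter -A OUTPUT -p "${proto}" -j ACCEPT

    log_action_end_msg "$?"
}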
 
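# Entry point: "start" installs the rule set, "stop" opens everything up
# and flushes it. The case statement was missing its closing "esac", which
# made the script a syntax error as written; it is closed below.
case "${1}" in
  start)
    # fail2ban inserts its own ip6tables chains and rules, which the flush
    # below would remove; stop it first and start it again once the base
    # rule set is in place so it can re-create them.
    /etc/init.d/fail2ban stop
    echo "Starting firewall configuration"

    # Fail closed: DROP policies first, then flush, then re-admit the
    # sessions conntrack already knows (e.g. the SSH session running this).
    deny_everything
    cleanup_tables
    dont_break_connections

    # Loopback
    allow_loopback

    # Specific addresses
    allow_link_local_addresses
    allow_multicast_addresses

    # SSH
    open_input_port  tcp 22
    open_output_port tcp 22

    # DNS, FTP, HTTP, NTP (outbound only)
    open_output_port tcp  21
    open_output_port tcp  80
    open_output_port tcp  53
    open_output_port tcp 443
    open_output_port udp  53
    open_output_port udp 123

    # ICMPv6 -- not optional on IPv6: NDP and path-MTU discovery need it.
    allow_input_protocol  icmpv6
    allow_output_protocol icmpv6

    # HTTP
    open_input_port tcp   80
    open_input_port tcp  443

    # MySQL
    open_input_port  tcp 3306
    open_output_port tcp 3306

    # SMTP, POP, IMAP (25 is SMTP, not a POP/IMAP port)
    open_input_port  tcp  25
    open_input_port  tcp 110
    open_input_port  tcp 995
    open_input_port  tcp 143
    open_input_port  tcp 993
    open_output_port tcp  25
    open_output_port tcp 110
    open_output_port tcp 995
    open_output_port tcp 143
    open_output_port tcp 993

    # Mumble
    open_input_port  tcp 64738
    open_input_port  udp 64738
    open_output_port tcp 64738
    open_output_port udp 64738

    # Bazaar
    open_input_port  tcp 4155
    open_output_port tcp 4155

    # Keys server
    open_input_port  tcp 11371
    open_output_port tcp 11371

    # OpenVPN
    open_input_port  tcp 1194
    open_output_port tcp 1194

    # Transmission
    open_input_port  tcp  9091
    open_input_port  tcp 51413
    open_output_port tcp  9091
    open_output_port tcp 51413

    # Irssi
    open_input_port  tcp 6667
    open_input_port  udp 6667
    open_output_port tcp 6667
    open_output_port udp 6667

    # Minecraft
    for i in 25565 25566; do
        open_input_port  tcp "${i}"
        open_input_port  udp "${i}"
        open_output_port tcp "${i}"
        open_output_port udp "${i}"
    done

    # Steam
    for i in 7707 7708 7717 20560 28852; do
        open_input_port  udp "${i}"
        open_output_port udp "${i}"
    done

    for i in 8075 20560 28852; do
        open_input_port  tcp "${i}"
        open_output_port tcp "${i}"
    done

    for i in 27011 27900; do
        open_input_port  tcp "${i}"
        open_input_port  udp "${i}"
        open_output_port tcp "${i}"
        open_output_port udp "${i}"
    done

    # Starting fail2ban again
    /etc/init.d/fail2ban start
    echo "Firewall configuration done."
    exit 0
  ;;

  stop)
    echo "Stopping firewall configuration"

    # Policies go back to ACCEPT before the flush, so no packet is dropped
    # in between.
    accept_everything
    cleanup_tables

    echo "Success"
    exit 0
  ;;

  *)
    echo "Usage: /etc/init.d/firewall6 {start|stop}"
    exit 1
  ;;
esac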

Ce script peut être placé dans /etc/init.d/ et doit avoir les droits d'exécution pour être exécuté par root. Il est aussi recommandé d'utiliser ce script lors du démarrage du système.

update-rc.d firewall6 defaults

L'utilisation manuelle s'effectue par “start” pour démarrer le firewall, et par “stop” pour accepter toutes les connexions et vider toutes les règles.
