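#!/usr/bin/bash
# rc.firewall (IPv6): builds an ip6tables ruleset for a small LAN gateway.
# Usage: rc.firewall {start|stop|restart|status|internet}. Every action modifies
# ip6tables rules, loads kernel modules or writes sysctls, so it must run as root.
#
# Tool paths. The original tested `[ -z $VAR ]` right after assigning each
# variable a literal path, so that check could never fail and a missing binary
# only surfaced as errors from the first rule; the path is now checked for an
# executable file instead.
FW6=/usr/sbin/ip6tables
SYSCTL=/sbin/sysctl
PROBE=/sbin/modprobe

require_tool() {
  # $1 - absolute path of the tool, $2 - name shown in the error message.
  # Exits with status 1 (as the original checks did) when $1 is not executable.
  if [[ ! -x "$1" ]]; then
    echo "$2: Command not found" >&2
    exit 1
  fi
}
require_tool "$FW6" ip6tables
require_tool "$SYSCTL" sysctl
require_tool "$PROBE" modprobe

# Address constants used by every rule below.
# ETH6 is the "LAN" side of each rule. NOTE(review): fe80::/10 is the link-local
# prefix; link-local-sourced packets are not routed, so FORWARD and NAT rules
# keyed on it may never match — confirm this is the prefix intended for the LAN.
readonly ETH6="fe80::/10"
readonly NET="0/0"               # any address
#LO6="::1"
readonly LO6="0:0:0:0:0:0:0:1"   # loopback address, long form of ::1
readonly PA="1024:65535"         # unprivileged (client-side) port range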
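set_policy() {
  # Set the default policy of the three built-in filter chains.
  # $1 - POLICY: DROP or ACCEPT. Any other value is rejected with status 2 and
  #      no chain is touched, so a typo cannot leave the chains with an
  #      unintended default (the original passed the argument through unchecked).
  # Returns 2 on a bad argument, otherwise the status of the last ip6tables call.
  local policy=$1
  local chain
  case "$policy" in
    DROP|ACCEPT) ;;
    *)
      printf 'set_policy: expected DROP or ACCEPT, got "%s"\n' "$policy" >&2
      return 2
      ;;
  esac
  for chain in INPUT OUTPUT FORWARD; do
    "$FW6" -P "$chain" "$policy"
  done
}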
echo "Set policy ok"
flush() {
  # Empty the filter and nat tables: -F removes every rule, -X then removes the
  # user-defined chains (ALLOW_ICMP6, ALLOW_TCP6) that are left once emptied.
  local op
  for op in -F -X; do
    "$FW6" "$op"
    "$FW6" "$op" -t nat
  done
}
echo "Flush ok"
allow_loopback() {
  # Accept traffic on the loopback interface in both directions, provided it
  # carries the loopback address ($LO6) on the matching side.
  local -a inbound=(-A INPUT -j ACCEPT -i lo -d "$LO6")
  local -a outbound=(-A OUTPUT -j ACCEPT -o lo -s "$LO6")
  "$FW6" "${inbound[@]}"
  "$FW6" "${outbound[@]}"
}
echo "Allow loopback ok"
allow_icmp() {
  # Build the ALLOW_ICMP6 chain and hook it into INPUT, OUTPUT and FORWARD for
  # every ICMPv6 packet.
  # Types accepted outright when the destination is link-local ($ETH6):
  #   1   destination-unreachable (all codes)
  #   2   packet-too-big
  #   3   time-exceeded
  #   4   parameter-problem, plus 4/0 bad-header and 4/1 unknown-header-type
  #   128 echo-request, 129 echo-reply
  #   130/0 listener-query, 131/0 listener-report, 132/0 listener-done (MLD)
  #   133 router-solicitation, 134 router-advertisement
  #   135 neighbor-solicitation, 136 neighbor-advertisement
  #   143/0 listener-report-v2 (MLDv2)
  # Deliberately not opened (present only as commented-out rules in the original):
  #   3/0, 3/1, 4/2, 141, 142, 148, 149, 151, 152, 153 and the code-less forms of
  #   130, 131, 132 and 143.
  # Anything else — including the types above when sent to a non-link-local
  # destination — gets a 1/s budget and is then dropped.
  # NOTE(review): because the per-type ACCEPTs are limited to -d $ETH6, type 2
  # (packet-too-big) to a global address only has that 1/s budget; RFC 4890
  # advises never filtering types 1-4, so path-MTU discovery may suffer under
  # load — verify this is acceptable.
  # NOTE(review): the ND types 133-136 are accepted without a hop-limit check
  # (-m hl --hl-eq 255), so off-link ND messages are not rejected here — verify.
  local -a icmp_types=(1 2 3 4 4/0 4/1 128 129 130/0 131/0 132/0 133 134 135 136 143/0)
  local icmp_type chain
  "$FW6" -N ALLOW_ICMP6
  for icmp_type in "${icmp_types[@]}"; do
    "$FW6" -A ALLOW_ICMP6 -j ACCEPT -p icmpv6 --icmpv6-type "$icmp_type" -d "$ETH6"
  done
  "$FW6" -A ALLOW_ICMP6 -j ACCEPT -m limit --limit 1/s
  "$FW6" -A ALLOW_ICMP6 -j DROP
  for chain in INPUT OUTPUT FORWARD; do
    "$FW6" -A "$chain" -j ALLOW_ICMP6 -p icmpv6
  done
}
echo "Allow icmp ok"
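service_ports() {
  # Per-port TCP rules for the services reachable via ALLOW_TCP6, plus the
  # firewall host's own outbound web access on eth0. Must run after allow_tcp
  # has created the ALLOW_TCP6 chain.
  # Fixes relative to the original:
  #  * DHCPv6: the original rule required a source port in $PA, but DHCPv6
  #    servers and relays send from port 547 (RFC 8415), so legitimate replies
  #    never matched it; and it jumped UDP into ALLOW_TCP6, whose ACCEPT rules
  #    match only TCP, so a matching datagram would have hit that chain's final
  #    DROP anyway. Replies (547 -> 546) are now accepted directly.
  #  * Reply-direction rules (service port as --sport, $PA as --dport) now carry
  #    -m state ESTABLISHED,RELATED. Stateless, any host could reach a high port
  #    simply by choosing a service port as its source port.
  # Port 22 is also opened by adm_ports; it is kept here so this function stays
  # complete on its own. Multiport is not used ("Multiport ipv6 not working"
  # in the original).
  local -a lan_ports=(22 80 443 8080 8081 5900)
  local -a web_ports=(80 443)
  local -r reply_state='ESTABLISHED,RELATED'
  local port
  # DHCPv6 replies to the firewall's own client
  "$FW6" -A INPUT -j ACCEPT -p udp -s "$ETH6" --sport 547 -d "$NET" --dport 546
  # LAN -> firewall
  for port in "${lan_ports[@]}"; do
    "$FW6" -A INPUT -j ALLOW_TCP6 -p tcp -s "$ETH6" --sport "$PA" -d "$NET" --dport "$port"
  done
  # firewall -> LAN (replies only)
  for port in "${lan_ports[@]}"; do
    "$FW6" -A OUTPUT -j ALLOW_TCP6 -p tcp -s "$NET" --sport "$port" -d "$ETH6" --dport "$PA" -m state --state "$reply_state"
  done
  # LAN -> internet
  for port in "${lan_ports[@]}"; do
    "$FW6" -A FORWARD -j ALLOW_TCP6 -p tcp -s "$ETH6" --sport "$PA" -d "$NET" --dport "$port"
  done
  # internet -> LAN (replies only)
  for port in "${lan_ports[@]}"; do
    "$FW6" -A FORWARD -j ALLOW_TCP6 -p tcp -s "$NET" --sport "$port" -d "$ETH6" --dport "$PA" -m state --state "$reply_state"
  done
  # the firewall host as a web client on eth0: replies in, requests out
  for port in "${web_ports[@]}"; do
    "$FW6" -A INPUT -j ALLOW_TCP6 -p tcp -i eth0 --sport "$port" --dport "$PA" -m state --state "$reply_state"
  done
  for port in "${web_ports[@]}"; do
    "$FW6" -A OUTPUT -j ALLOW_TCP6 -p tcp -o eth0 --sport "$PA" --dport "$port"
  done
}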
echo "Service ports ok"
adm_ports() {
  # SSH from the LAN to the firewall, and the firewall's replies back to the LAN,
  # both evaluated by the ALLOW_TCP6 chain (so allow_tcp must have run first).
  # NOTE(review): the reply rule has no state match; it relies on being OUTPUT
  # from the firewall itself — verify that is the intent.
  local -r ssh_port=22
  "$FW6" -A INPUT -j ALLOW_TCP6 -p tcp -s "$ETH6" --sport "$PA" -d "$NET" --dport "$ssh_port"
  "$FW6" -A OUTPUT -j ALLOW_TCP6 -p tcp -s "$NET" --sport "$ssh_port" -d "$ETH6" --dport "$PA"
}
echo "Admin ports ok"
allow_tcp() {
$FW6 -N ALLOW_TCP6
$FW6 -A ALLOW_TCP6 -j ACCEPT -p tcp --syn
$FW6 -A ALLOW_TCP6 -j ACCEPT -p tcp -m state --state ESTABLISHED,RELATED
#test ipv6
#$FW6 -A ALLOW_TCP -j ACCEPT -p tcp --syn
#$FW6 -A ALLOW_TCP -j ACCEPT -p tcp -m conntrack --ctstate ESTABLISHED,RELATED
# Drop undesirable packages TCP ipv6 - Not Working
#$FW6 -A ALLOW_TCP -j LOG --log-prefix "IP6TABLES: NEW without syn: " -p tcp ! --syn -m state --state NEW
#$FW6 -A ALLOW_TCP -j DROP -p tcp ! --syn -m state --state NEW
# Drop packages TCP badly formed ipv6
#$FW6 -A ALLOW_TCP -j LOG --log-prefix "IP6TABLES: Badly formed: " -m unclean
#$FW6 -A ALLOW_TCP -j DROP -m unclean
$FW6 -A ALLOW_TCP6 -j LOG --log-prefix "IP6TABLES: ($FLAGS): " -p tcp --tcp-flags ALL FIN,SYN
$FW6 -A ALLOW_TCP6 -j LOG --log-prefix "IP6TABLES: ($FLAGS): " -p tcp --tcp-flags ALL FIN,RST
$FW6 -A ALLOW_TCP6 -j LOG --log-prefix "IP6TABLES: ($FLAGS): " -p tcp --tcp-flags ALL FIN,URG,PSH
$FW6 -A ALLOW_TCP6 -j LOG --log-prefix "IP6TABLES: ($FLAGS): " -p tcp --tcp-flags ALL NONE
$FW6 -A ALLOW_TCP6 -j LOG --log-prefix "IP6TABLES: ($FLAGS): " -p tcp --tcp-flags ALL RST,URG
$FW6 -A ALLOW_TCP6 -j LOG --log-prefix "IP6TABLES: ($FLAGS): " -p tcp --tcp-flags ALL RST,PSH
$FW6 -A ALLOW_TCP6 -j LOG --log-prefix "IP6TABLES: ($FLAGS): " -p tcp --tcp-flags ALL SYN,RST
$FW6 -A ALLOW_TCP6 -j LOG --log-prefix "IP6TABLES: ($FLAGS): " -p tcp --tcp-flags ALL SYN,URG
$FW6 -A ALLOW_TCP6 -j LOG --log-prefix "IP6TABLES: ($FLAGS): " -p tcp --tcp-flags ALL SYN,PSH
$FW6 -A ALLOW_TCP6 -j LOG --log-prefix "IP6TABLES: ($FLAGS): " -p tcp --tcp-flags ALL SYN,URG,PSH
$FW6 -A ALLOW_TCP6 -j DROP -p tcp --tcp-flags ALL FIN,SYN
$FW6 -A ALLOW_TCP6 -j DROP -p tcp --tcp-flags ALL FIN,RST
$FW6 -A ALLOW_TCP6 -j DROP -p tcp --tcp-flags ALL FIN,URG,PSH
$FW6 -A ALLOW_TCP6 -j DROP -p tcp --tcp-flags ALL NONE
$FW6 -A ALLOW_TCP6 -j DROP -p tcp --tcp-flags ALL RST,URG
$FW6 -A ALLOW_TCP6 -j DROP -p tcp --tcp-flags ALL RST,PSH
$FW6 -A ALLOW_TCP6 -j DROP -p tcp --tcp-flags ALL SYN,RST
$FW6 -A ALLOW_TCP6 -j DROP -p tcp --tcp-flags ALL SYN,URG
$FW6 -A ALLOW_TCP6 -j DROP -p tcp --tcp-flags ALL SYN,PSH
$FW6 -A ALLOW_TCP6 -j DROP -p tcp --tcp-flags ALL SYN,URG,PSH
$FW6 -A ALLOW_TCP6 -j DROP
adm_ports
service_ports
# Logs ipv6
$FW6 -A INPUT -j LOG --log-tcp-options --log-ip-options --log-prefix '[IP6TABLES INPUT] : '
$FW6 -A FORWARD -j LOG --log-tcp-options --log-ip-options --log-prefix '[IP6TABLES FORWARD] : '
$FW6 -A OUTPUT -j LOG --log-tcp-options --log-ip-options --log-prefix '[IP6TABLES OUTPUT] : '
}
echo "Allow tcp ok"
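accept_dns_conn() {
  # DNS over UDP/53: LAN clients to the firewall's resolver (INPUT/OUTPUT) and
  # LAN clients to outside resolvers (FORWARD). Queries go from a client high
  # port to port 53; replies come back from port 53 to that high port.
  # Fix relative to the original: the reply-direction rules were stateless, so
  # any datagram with source port 53 reached LAN high ports unconditionally.
  # They now require an ESTABLISHED,RELATED conntrack entry, i.e. a matching
  # query must have gone out first.
  # Only UDP is covered; DNS over TCP (large answers, zone transfers) is not opened here.
  local -r reply_state='ESTABLISHED,RELATED'
  "$FW6" -A INPUT -j ACCEPT -p udp -s "$ETH6" --sport "$PA" -d "$NET" --dport 53
  "$FW6" -A OUTPUT -j ACCEPT -p udp -s "$NET" --sport 53 -d "$ETH6" --dport "$PA" -m state --state "$reply_state"
  "$FW6" -A FORWARD -j ACCEPT -p udp -s "$ETH6" --sport "$PA" -d "$NET" --dport 53
  "$FW6" -A FORWARD -j ACCEPT -p udp -s "$NET" --sport 53 -d "$ETH6" --dport "$PA" -m state --state "$reply_state"
}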
echo "Accept dns ok"
#accept_proxy() {
# $FW6 -t nat -A PREROUTING -j REDIRECT -p tcp -s $ETH6 --dport 80 -i eth1 --to-port 3128
#}
#echo "Accept proxy ok"
accept_internet() {
  # Source-NAT (MASQUERADE) packets from $ETH6 that leave through eth0.
  # NOTE(review): the `internet` action at the bottom of the script calls this
  # again, so each call appends one more identical rule; and IPv6 NAT needs a
  # kernel/ip6tables with nat-table support — verify both.
  local -a masquerade=(-t nat -A POSTROUTING -j MASQUERADE -s "$ETH6" -o eth0)
  "$FW6" "${masquerade[@]}"
}
echo "Accept internet ok"
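setup_kernel() {
  # Load netfilter helper modules, then apply the sysctl settings.
  # A failing modprobe is not fatal: modprobe reports on stderr and the script
  # continues, as before (most of these are legacy IPv4 names — ip_conntrack,
  # ipt_* — that newer kernels call nf_conntrack / xt_*).
  # Fixes relative to the original:
  #  * ipt_MARK was listed twice; it is loaded once.
  #  * net.ipv6.conf.all.forwarding=1 is added: the original enabled only IPv4
  #    forwarding, yet this is an ip6tables script whose FORWARD rules need the
  #    kernel to route IPv6. net.ipv6.conf.all.accept_source_route=0 mirrors the
  #    existing IPv4 setting.
  #  * sysctl errors are no longer sent to /dev/null; only the "key = value"
  #    confirmation is silenced (-q), so a missing key is visible.
  # NOTE(review): tcp_window_scaling=0 and tcp_sack=0 hurt throughput and are
  # not a recognised DoS mitigation; kept unchanged here, consider removing.
  local -a modules=(
    ip_nat_ftp ip_conntrack_ftp            # FTP connection-tracking / NAT helpers
    iptable_nat iptable_filter ip_tables ip_conntrack ip_nat_pptp
    ipt_MASQUERADE ipt_LOG ipt_MARK ipt_REDIRECT ipt_REJECT ipt_TCPMSS ipt_TOS
    ipt_limit ipt_mac ipt_mark ipt_multiport ipt_owner ipt_state ipt_tcpmss ipt_tos
    iptable_mangle
  )
  # Left out, as in the original: ip_queue, ipt_MIRROR, ipt_unclean, ipt_layer7
  # (the last needs a patched kernel).
  local -a sysctls=(
    net.ipv4.conf.all.rp_filter=2              # loose reverse-path filtering against spoofed sources
    net.ipv4.ip_forward=1                      # route between interfaces (IPv4)
    net.ipv6.conf.all.forwarding=1             # route between interfaces (IPv6)
    net.ipv4.tcp_timestamps=0                  # no TCP timestamps
    net.ipv4.tcp_syncookies=1                  # SYN-flood protection
    net.ipv4.icmp_echo_ignore_broadcasts=1     # ignore broadcast pings
    net.ipv4.icmp_ignore_bogus_error_responses=1
    net.ipv4.conf.all.accept_source_route=0    # discard source-routed packets
    net.ipv6.conf.all.accept_source_route=0    # same for IPv6
    net.ipv4.ip_default_ttl=255
    net.ipv4.icmp_ratemask=6457                # rate-limit ICMP types 0 3 4 5 8 11 12
    net.ipv4.tcp_fin_timeout=30                # shorter FIN-WAIT, fewer half-closed sockets under load
    net.ipv4.tcp_keepalive_time=1800
    net.ipv4.tcp_window_scaling=0
    net.ipv4.tcp_sack=0
  )
  local module kv
  for module in "${modules[@]}"; do
    "$PROBE" "$module"
  done
  for kv in "${sysctls[@]}"; do
    "$SYSCTL" -q -w "$kv"
  done
}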
echo "Setup kernel ok"
start() {
  # Bring the firewall up: lock the default policies to DROP first, then open
  # the explicit holes, then tune the kernel. accept_proxy stays disabled.
  # NOTE(review): nothing here flushes existing rules, so running start twice
  # without stop duplicates every rule and the chain creations (-N) fail; use
  # restart for a reload.
  local step
  printf '%s\n' "Starting Firewall: "
  set_policy DROP
  for step in allow_loopback allow_icmp allow_tcp accept_dns_conn accept_internet setup_kernel; do
    "$step"
  done
}
stop() {
  # Open the firewall completely: policies back to ACCEPT first (so nothing is
  # cut off while the rules disappear), then remove all rules and chains.
  printf '%s\n' "Stopping Firewall: "
  set_policy ACCEPT
  flush
}
status() {
  # Print the current rules of the filter table and of the nat table.
  printf '%s\n' ">> Showing table default: "
  "$FW6" -L
  printf '\n%s\n' ">> Showing table nat: "
  "$FW6" -L -t nat
}
restart() {
  # Reload: tear everything down, then rebuild from scratch.
  stop && start
}
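# Start of the firewall script: dispatch on the single action argument.
# Actions: start, stop, restart, status, internet (appends the MASQUERADE rule only).
# Fixes relative to the original: `internet` was missing from the usage line,
# the usage message now goes to stderr, and the `echo "Firewall ok"` that
# followed the final `exit 0` could never run and has been dropped.
main() {
  local action=${1-}
  case "$action" in
    start)    start ;;
    stop)     stop ;;
    restart)  restart ;;
    status)   status ;;
    internet) accept_internet ;;
    *)
      echo "Usage: $0 {start|stop|restart|status|internet}" >&2
      exit 1
      ;;
  esac
  exit 0
}
main "$@"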
#If you have problems running the firewall script, run the commands below:
#Run the following command in a terminal
#sed -i -e 's/\r$//' rc.firewall
#Then try
#./rc.firewall start
#It should work.