IPv6 ip6tables firewall configuration
This is an IPv6 firewall configuration in the format read by ip6tables-restore, designed to be stateful. In the rules below, sixxs is the IPv6 tunnel interface towards the internet, eth0 is the local network, and <prefix> is a placeholder for the site's routed /48 prefix.
File location: /etc/network/ip6tables
Distro: Debian stable (latest updates as of date-of-writing).
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:in-new - [0:0]
# First, delete all:
-F
-X
# Allow anything on the local link
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# Allow anything out on the internet
-A OUTPUT -o sixxs -j ACCEPT
# Allow the localnet access us:
-A INPUT -i eth0 -j ACCEPT
-A OUTPUT -o eth0 -j ACCEPT
# Filter all packets that have RH0 headers:
-A INPUT -m rt --rt-type 0 -j DROP
-A FORWARD -m rt --rt-type 0 -j DROP
-A OUTPUT -m rt --rt-type 0 -j DROP
# Allow Link-Local addresses
-A INPUT -s fe80::/10 -j ACCEPT
-A OUTPUT -s fe80::/10 -j ACCEPT
# Allow multicast
-A INPUT -s ff00::/8 -j ACCEPT
-A OUTPUT -s ff00::/8 -j ACCEPT
# Allow ICMPv6 everywhere (appended rather than inserted, so the RH0 drops above are evaluated first)
-A INPUT -p icmpv6 -j ACCEPT
-A OUTPUT -p icmpv6 -j ACCEPT
-A FORWARD -p icmpv6 -j ACCEPT
# Stateful: accept replies to connections this host opened itself (e.g. out over sixxs)
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allow forwarding
-A FORWARD -m state --state NEW -i eth0 -o sixxs -s <prefix>::/48 -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# SSH in
-A FORWARD -i sixxs -p tcp -d <prefix>::1 --dport 22 -j ACCEPT
# Webserver in
-A FORWARD -i sixxs -p tcp -d <prefix>::80:ca7 --dport 80 -j ACCEPT
# Set the default policy
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT DROP
COMMIT
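The post gives the file location but not how the file gets loaded. The following is an added example, not code from the post: a POSIX sh hook for Debian's /etc/network/if-pre-up.d that first checks the rules file for the properties this ruleset relies on (DROP policies on all three chains, RH0 drops, ICMPv6 accepted, an ESTABLISHED,RELATED accept on INPUT as well as FORWARD, without which replies to connections the host itself opens over sixxs are dropped, no unfilled <prefix> placeholder, trailing COMMIT) and only then runs ip6tables-restore --test followed by the real restore. The hook name, the check messages, the sample_rules function and its constructed ruleset using the documentation prefix 2001:db8::/48 are my assumptions; the path /etc/network/ip6tables is the post's.

```shell
#!/bin/sh
# Added example (not from the original post): loader for the ip6tables-restore
# file above, meant to be installed as /etc/network/if-pre-up.d/ip6tables so
# the firewall is in place before any interface is brought up.
# Assumed: hook name, check messages, sample ruleset. Post's: the RULES path.

RULES="${RULES:-/etc/network/ip6tables}"

# check_rules FILE: static sanity check of an ip6tables-restore file.
# Prints every missing property and returns 1 if any is missing, 0 otherwise.
check_rules() {
    f="$1"
    rc=0
    for chain in INPUT FORWARD OUTPUT; do
        # default policy must be DROP on every built-in chain
        grep -q "^:$chain DROP" "$f" \
            || { echo "$chain: policy is not DROP"; rc=1; }
        # type-0 routing headers must be dropped on every chain
        grep -q "^-A $chain -m rt --rt-type 0 -j DROP" "$f" \
            || { echo "$chain: no RH0 drop rule"; rc=1; }
    done
    # ICMPv6 must be accepted, or neighbour discovery and PMTU discovery break
    grep -q "^-[AI] INPUT -p icmpv6 -j ACCEPT" "$f" \
        || { echo "INPUT: ICMPv6 not accepted"; rc=1; }
    # the firewall is only stateful if return traffic is accepted
    for chain in INPUT FORWARD; do
        grep -q "^-A $chain -m state --state ESTABLISHED,RELATED -j ACCEPT" "$f" \
            || { echo "$chain: no ESTABLISHED,RELATED rule"; rc=1; }
    done
    # an unfilled <prefix> placeholder makes ip6tables-restore fail and would
    # leave the host without its firewall
    if grep -q '<prefix>' "$f"; then
        echo "unfilled <prefix> placeholder"; rc=1
    fi
    # the table must be committed
    [ "$(tail -n 1 "$f")" = "COMMIT" ] \
        || { echo "missing COMMIT"; rc=1; }
    return $rc
}

# load_rules FILE: refuse to load anything that fails the static check or the
# kernel-side parse test; ip6tables-restore applies the table atomically, so a
# rejected file leaves the previously loaded rules untouched.
load_rules() {
    f="${1:-$RULES}"
    check_rules "$f" || return 1
    ip6tables-restore --test < "$f" \
        || { echo "$f: rejected by ip6tables-restore --test"; return 1; }
    ip6tables-restore < "$f"
}

# sample_rules: constructed minimal ruleset in the post's layout, with the
# documentation prefix 2001:db8::/48 in place of <prefix> (used for testing).
sample_rules() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -o sixxs -j ACCEPT
-A INPUT -m rt --rt-type 0 -j DROP
-A FORWARD -m rt --rt-type 0 -j DROP
-A OUTPUT -m rt --rt-type 0 -j DROP
-A INPUT -p icmpv6 -j ACCEPT
-A OUTPUT -p icmpv6 -j ACCEPT
-A FORWARD -p icmpv6 -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m state --state NEW -i eth0 -o sixxs -s 2001:db8::/48 -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i sixxs -p tcp -d 2001:db8::1 --dport 22 -j ACCEPT
COMMIT
EOF
}

# Entry point: ifupdown exports IFACE when it runs if-pre-up.d hooks; "load"
# lets the file be run by hand. "check" only validates.
if [ -n "${IFACE:-}" ] || [ "${1:-}" = load ]; then
    load_rules "$RULES"
elif [ "${1:-}" = check ]; then
    check_rules "$RULES"
fi
```

Run it as `sh /etc/network/if-pre-up.d/ip6tables check` after editing the rules file to see what is missing before the next reboot or ifup would try to load it.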