Trang chủ Khám phá Trợ giúp
Đăng nhập
RISCI_ATOM
/
cjdns
mirror of https://github.com/cjdelisle/cjdns.git
1
0
Fork 0
Các tập tin Các vấn đề 0 Wiki
Tree: 2801509902
Branches Tags
cjdns
/
contrib
/
bash
/
ip6tables.sh

ip6tables.sh 2.2 KB
Lịch sử Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475 
  1. #!/bin/sh -e
    2. 

  2. #
    3. 

  3. # You may redistribute this program and/or modify it under the terms of
    4. 

  4. # the GNU General Public License as published by the Free Software Foundation,
    5. 

  5. # either version 3 of the License, or (at your option) any later version.
    6. 

  6. #
    7. 

  7. # This program is distributed in the hope that it will be useful,
    8. 

  8. # but WITHOUT ANY WARRANTY; without even the implied warranty of
    9. 

  9. # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
    10. 

  10. # GNU General Public License for more details.
    11. 

  11. #
    12. 

  12. # You should have received a copy of the GNU General Public License
    13. 

  13. # along with this program.  If not, see <https://www.gnu.org/licenses/>.
    14. 

  14. #
    15. 

  15. # Simple example IPv6 Firewall configuration.
    16. 

  16. # Derived from http://www.exp-networks.be/blog/ipv6-firewall/
    17. 

  17. #
    18. 

  18. # permits only outbound, connected and core ICMP messages on tun0
    19. 

  19. # - does not filter other interfaces at all.
    20. 

  20. # - Adds one rule to the INPUT chain
    21. 

  21. # - Adds a new chain for tun0
    22. 

  22. # - edit and change the INPUT_PORTS rules to run services.
    23. 

  23. # - there is no stop facility - if you can't figure out how to reset an
    24. 

  24. #   ip6tables firewall, you shouldn't do so!
    25. 

  25. #
    26. 

  26. 

  27. # Error if ip6tables is not in the path.
    28. 

  28. which ip6tables
    29. 

  29. 

  30. # Inbound TCP ports
    31. 

  31. TCP_INPUT_PORTS=""
    32. 

  32. 

  33. # Inbound UDP ports
    34. 

  34. UDP_INPUT_PORTS=""
    35. 

  35. 

  36. # Allowed ICMP messages
    37. 

  37. ALLOWED_ICMP="\
    38. 

  38. echo-request \
    39. 

  39. echo-reply \
    40. 

  40. "
    41. 

  41. 

  42. # There is no 'assert a chain exists.
    43. 

  43. ip6tables -N CJD || ip6tables -F CJD
    44. 

  44. # Link the new table into the master INPUT table.
    45. 

  45. ip6tables -C INPUT -i tun0 -j CJD || ip6tables -I INPUT -i tun0 -j CJD
    46. 

  46. 

  47. # Allow related and established connection.
    48. 

  48. ip6tables -A CJD -m state --state RELATED,ESTABLISHED -j ACCEPT
    49. 

  49. 

  50. # Allow ICMP as defined in ALLOWED_ICMP
    51. 

  51. if [ -n "$ALLOWED_ICMP" ] ; then
    52. 

  52.  for ICMP_TYPE in $ALLOWED_ICMP; do
    53. 

  53.   ip6tables -A CJD -p icmpv6 --icmpv6-type ${ICMP_TYPE} -j ACCEPT
    54. 

  54.  done
    55. 

  55. fi
    56. 

  56. 

  57. # Open allowed TCP ports if any
    58. 

  58. if [ -n "$TCP_INPUT_PORTS" ] ; then
    59. 

  59.  for PORT in $TCP_INPUT_PORTS; do
    60. 

  60.   ip6tables -A CJD -m state --state NEW -p tcp --dport ${PORT} \
    61. 

  61.   -j ACCEPT
    62. 

  62.  done
    63. 

  63. fi
    64. 

  64. 

  65. # Open allowed UDP ports if any
    66. 

  66. if [ -n "$UDP_INPUT_PORTS" ] ; then
    67. 

  67.  for PORT in $UDP_INPUT_PORTS; do
    68. 

  68.   ip6tables -A CJD -m state --state NEW -p udp --dport ${PORT} \
    69. 

  69.   -j ACCEPT
    70. 

  70.  done
    71. 

  71. fi
    72. 

  72. 

  73. # Deny all other traffic on tun0
    74. 

  74. ip6tables -A CJD -j LOG
    75. 

  75. ip6tables -A CJD -j DROP
    76.