Re: Will this iptables script work as an ip6tables script?

To: debian-security@lists.debian.org
Subject: Re: Will this iptables script work as an ip6tables script?
From: Thomas Kapoulas <tomkap@pebkac.gr>
Date: Tue, 4 Apr 2017 19:28:18 +0300
Message-id: <[🔎] cd6cfd96-1cd3-728a-9afa-c296c0ee0bba@pebkac.gr>
In-reply-to: <[🔎] CAOO4BW1mw38BrsO2aDz2i7hhEw6GMJoQ6udbQC8ab=F67SBjow@mail.gmail.com>
References: <[🔎] CA+_zdZtt7RcOkiu8cy5odLYfPzgeALdXcu1+2k2Pz404H7zCbg@mail.gmail.com> <[🔎] CAOO4BW3shwquJ0vAOWYEmXz1C6vAN7KROTvf1NYwv7TvZjax2g@mail.gmail.com> <[🔎] CAOO4BW1mw38BrsO2aDz2i7hhEw6GMJoQ6udbQC8ab=F67SBjow@mail.gmail.com>

You can also try Ferm[1] for both of the IP domains in a single
configuration and load it automatic as systemd service in Debian[2].
I think is easier than maintaining a custom/autogenerated script, the
rules depend on what you want to do and the role of your system.

[1] http://ferm.foo-projects.org/
[2] https://packages.debian.org/stable/ferm

On 04/04/2017 04:18 PM, Gustavo Lima wrote:
> Remembering that the correct command is ip6tables
>
> 2017-04-04 10:13 GMT-03:00 Gustavo Lima <ghtp25@gmail.com
> <mailto:ghtp25@gmail.com>>:
>
>     1) You must prohibit reserved external prefixes. Example: iptables
>     -A INPUT -s 3dde::/16 -j DROP
>     Among the reserved prefixes you will find: 2001:2::/48 (rfc 5156),
>     2001:10::/28 (rfc 4843), 2001:db8::/32 (rfc 3849)
>
>     2)  If you want to release to the local link ips: iptables -A
>     INPUT -s ff02::1 -j ACCEPT
>
>     3) Some ICMP messages can not be blocked because IPv6 works other
>     than IPv4. Are they: 1, 2, 3, 4, 128, 129, 130, 131, 132, 133,
>     134, 135, 141, 142, 143, 148, 149, 151, 152, 153
>     Exemple: iptables -A INPUT -p icmpv6 --icmpv6-type 135 -d YOU -j
>     ACCEPT
>
>     To understand this see the rfc 4890
>
>     4) If you know nothing about IPv6 and are looking for information
>     to use it, congratulations. This is the attitude we need to
>     develop this protocol
>
>     2017-04-04 5:58 GMT-03:00 Jiangsu Kumquat <reply@mynetblog.com
>     <mailto:reply@mynetblog.com>>:
>
>         I like this iptables script:
>
>         http://pingie.debus.free.fr/iptables/index.php
>         <http://pingie.debus.free.fr/iptables/index.php>
>
>         What I like about it is that it filters a lot of bad packets
>         from getting through and packets that are not supposed to be
>         getting through the firewall.
>
>         I have it loading as soon as my Ethernet device comes online.
>
>         What I want to know is if it will work okay using ip6tables?
>
>         I know virtually nothing about IPv6 and am hesitant to put it
>         online if it did work. So, I would really appreciate it is
>         someone would look it over and tell me what you think about it.
>
>
>
>

-- 
Thomas Kapoulas
http://pebkac.gr

Reply to:

References:
- Will this iptables script work as an ip6tables script?
  - From: Jiangsu Kumquat <reply@mynetblog.com>
- Re: Will this iptables script work as an ip6tables script?
  - From: Gustavo Lima <ghtp25@gmail.com>
- Re: Will this iptables script work as an ip6tables script?
  - From: Gustavo Lima <ghtp25@gmail.com>

Prev by Date: Re: Will this iptables script work as an ip6tables script?
Next by Date: Re: Re: Strange file atttributes
Previous by thread: Re: Will this iptables script work as an ip6tables script?
Next by thread: Re: Re: Strange file atttributes
Index(es):
- Date
- Thread