From: Nicolas KOWALSKI <niko@petole.dyndns.org>
To: netfilter@vger.kernel.org
Subject: Re: ip6tables icmp conntracking on 2.6.18 vs 2.6.24
Date: Fri, 04 Apr 2008 19:57:00 +0200
Message-ID: <87y77tpkpf.fsf@petole.dyndns.org>
In-Reply-To: <20080404123940.GA9157@piper.oerlikon.madduck.net>

martin f krafft <madduck@madduck.net> writes:

> Ideally, however, --syn is no longer needed if you do
>
>   -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
>   -A INPUT -m state --state INVALID -j DROP
>   -A INPUT -m state --state NEW -j in-new
>
>   -A in-new -p tcp --dport 22 -j ACCEPT
>   [...]
>
>   -A INPUT -j log-and-drop
>
> I /think/ this is the correct way to write iptables rules, but
> please correct me if I am wrong, anyone!

Ok, I use your suggestion.

> Now make sure that your hosts don't honour redirects. I actually
> don't think passing *all* ICMPv6 is a good idea. Do read the RFC
> (see followup thread).

I read the RFC (whose example script contains typos). "Just for fun",
I applied the recommendations, and ended up with the following. Note
the ruleset for ICMPv6... This is getting scary, isn't it? These
certainly need some cleanup, but you get it.


# Generated by ip6tables-save v1.3.6 on Fri Apr  4 19:54:58 2008
*filter
:INPUT ACCEPT [1:200]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [5:360]
:IN-NEW - [0:0]
:icmpv6-filter - [0:0]
:icmpv6-filter-from-internal - [0:0]
:icmpv6-filter-to-internal - [0:0]
:icmpv6-filter-to-internal-s - [0:0]
-A INPUT -s ::/0 -d ::/0 -i lo -j ACCEPT
-A INPUT -s ::/0 -d ::/0 -p ipv6-icmp -j ACCEPT
-A INPUT -s ::/0 -d ::/0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s ::/0 -d ::/0 -m state --state INVALID -j DROP
-A INPUT -s ::/0 -d ::/0 -m state --state NEW -j IN-NEW
-A INPUT -s ::/0 -d ::/0 -j DROP
-A FORWARD -s ::/0 -d ::/0 -p ipv6-icmp -j icmpv6-filter
-A FORWARD -s ::/0 -d 2001:6f8:3f1::/48 -i sixxs -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 2001:6f8:3f1::/48 -d ::/0 -i eth0 -o sixxs -j ACCEPT
-A FORWARD -s ::/0 -d ::/0 -j DROP
-A IN-NEW -s ::/0 -d ::/0 -p tcp -m tcp --dport 22 -j ACCEPT
-A IN-NEW -s ::/0 -d ::/0 -p tcp -m tcp --dport 25 -j ACCEPT
-A IN-NEW -s ::/0 -d ::/0 -p tcp -m tcp --dport 80 -j ACCEPT
-A IN-NEW -s ::/0 -d ::/0 -p tcp -m tcp --dport 443 -j ACCEPT
-A IN-NEW -s ::/0 -d ::/0 -p tcp -m tcp --dport 465 -j ACCEPT
-A IN-NEW -s ::/0 -d ::/0 -p tcp -m tcp --dport 993 -j ACCEPT
-A IN-NEW -s ::/0 -d ::/0 -j DROP
-A icmpv6-filter -s ::/0 -d fe80::/10 -p ipv6-icmp -j DROP
-A icmpv6-filter -s fe80::/10 -d ::/0 -p ipv6-icmp -j DROP
-A icmpv6-filter -s ::/0 -d ::/0 -p ipv6-icmp -m icmp6 --icmpv6-type 137 -j DROP
-A icmpv6-filter -s ::/0 -d ::/0 -p ipv6-icmp -m icmp6 --icmpv6-type 135 -j DROP
-A icmpv6-filter -s ::/0 -d ::/0 -p ipv6-icmp -m icmp6 --icmpv6-type 136 -j DROP
-A icmpv6-filter -s ::/0 -d ::/0 -p ipv6-icmp -m icmp6 --icmpv6-type 133 -j DROP
-A icmpv6-filter -s ::/0 -d ::/0 -p ipv6-icmp -m icmp6 --icmpv6-type 134 -j DROP
-A icmpv6-filter -s ::/0 -d ::/0 -p ipv6-icmp -m icmp6 --icmpv6-type 130 -j DROP
-A icmpv6-filter -s ::/0 -d ::/0 -p ipv6-icmp -m icmp6 --icmpv6-type 131 -j DROP
-A icmpv6-filter -s ::/0 -d ::/0 -p ipv6-icmp -m icmp6 --icmpv6-type 132 -j DROP
-A icmpv6-filter -s ::/0 -d ::/0 -p ipv6-icmp -m icmp6 --icmpv6-type 143 -j DROP
-A icmpv6-filter -s ::/0 -d ::/0 -p ipv6-icmp -m icmp6 --icmpv6-type 138 -j DROP
-A icmpv6-filter -s ::/0 -d ::/0 -p ipv6-icmp -m icmp6 --icmpv6-type 139 -j DROP
-A icmpv6-filter -s ::/0 -d ::/0 -p ipv6-icmp -m icmp6 --icmpv6-type 140 -j DROP
-A icmpv6-filter -s ::/0 -d ::/0 -p ipv6-icmp -m icmp6 --icmpv6-type 4/0 -j ACCEPT
-A icmpv6-filter -s ::/0 -d ::/0 -p ipv6-icmp -m state --state RELATED,ESTABLISHED -m icmp6 --icmpv6-type 129 -j ACCEPT
-A icmpv6-filter -s 2001:6f8:3f1::/48 -d ::/0 -j icmpv6-filter-from-internal
-A icmpv6-filter -s ::/0 -d 2001:6f8:3f1::/48 -j icmpv6-filter-to-internal
-A icmpv6-filter -s ::/0 -d ::/0 -p ipv6-icmp -j DROP
-A icmpv6-filter-from-internal -s ::/0 -d ::/0 -p ipv6-icmp -m icmp6 --icmpv6-type 128 -j ACCEPT
-A icmpv6-filter-from-internal -s ::/0 -d ::/0 -p ipv6-icmp -m icmp6 --icmpv6-type 1 -j ACCEPT
-A icmpv6-filter-from-internal -s ::/0 -d ::/0 -p ipv6-icmp -m icmp6 --icmpv6-type 2 -j ACCEPT
-A icmpv6-filter-from-internal -s ::/0 -d ::/0 -p ipv6-icmp -m icmp6 --icmpv6-type 3/0 -j ACCEPT
-A icmpv6-filter-from-internal -s ::/0 -d ::/0 -p ipv6-icmp -m icmp6 --icmpv6-type 3/1 -j ACCEPT
-A icmpv6-filter-from-internal -s ::/0 -d ::/0 -p ipv6-icmp -m icmp6 --icmpv6-type 4/1 -j ACCEPT
-A icmpv6-filter-from-internal -s ::/0 -d ::/0 -p ipv6-icmp -m icmp6 --icmpv6-type 4/2 -j ACCEPT
-A icmpv6-filter-from-internal -s ::/0 -d ::/0 -p ipv6-icmp -m icmp6 --icmpv6-type 145 -j ACCEPT
-A icmpv6-filter-from-internal -s ::/0 -d ::/0 -p ipv6-icmp -m icmp6 --icmpv6-type 147 -j ACCEPT
-A icmpv6-filter-from-internal -s ::/0 -d ::/0 -p ipv6-icmp -m icmp6 --icmpv6-type 4/1 -j ACCEPT
-A icmpv6-filter-from-internal -s ::/0 -d ::/0 -p ipv6-icmp -m icmp6 --icmpv6-type 4/2 -j ACCEPT
-A icmpv6-filter-from-internal -s ::/0 -d ::/0 -j DROP
-A icmpv6-filter-to-internal -s ::/0 -d ::/0 -m state --state RELATED,ESTABLISHED -j icmpv6-filter-to-internal-s
-A icmpv6-filter-to-internal -s ::/0 -d ::/0 -p ipv6-icmp -m icmp6 --icmpv6-type 128 -j ACCEPT
-A icmpv6-filter-to-internal -s ::/0 -d ::/0 -p ipv6-icmp -m icmp6 --icmpv6-type 144 -j ACCEPT
-A icmpv6-filter-to-internal -s ::/0 -d ::/0 -p ipv6-icmp -m icmp6 --icmpv6-type 146 -j ACCEPT
-A icmpv6-filter-to-internal -s ::/0 -d ::/0 -j DROP
-A icmpv6-filter-to-internal-s -s ::/0 -d ::/0 -p ipv6-icmp -m icmp6 --icmpv6-type 1 -j ACCEPT
-A icmpv6-filter-to-internal-s -s ::/0 -d ::/0 -p ipv6-icmp -m icmp6 --icmpv6-type 2 -j ACCEPT
-A icmpv6-filter-to-internal-s -s ::/0 -d ::/0 -p ipv6-icmp -m icmp6 --icmpv6-type 3/0 -j ACCEPT
-A icmpv6-filter-to-internal-s -s ::/0 -d ::/0 -p ipv6-icmp -m icmp6 --icmpv6-type 3/1 -j ACCEPT
-A icmpv6-filter-to-internal-s -s ::/0 -d ::/0 -p ipv6-icmp -m icmp6 --icmpv6-type 4/1 -j ACCEPT
-A icmpv6-filter-to-internal-s -s ::/0 -d ::/0 -p ipv6-icmp -m icmp6 --icmpv6-type 4/2 -j ACCEPT
-A icmpv6-filter-to-internal-s -s ::/0 -d ::/0 -j DROP
COMMIT
# Completed on Fri Apr  4 19:54:58 2008


-- 
Nicolas

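Added example (not from the post, and not netfilter's own code): a small Python audit that parses an ip6tables-save dump like the one above and checks a transit (FORWARD-side) chain against the RFC 4890 section 4.3 recommendations, i.e. that the ICMPv6 error messages (types 1-4) reach an ACCEPT verdict and that link-local-only types (NDP 133-137, MLD 130-132 and 143) do not. The sample dump is a constructed excerpt of the chains in the post; the chain walk deliberately ignores address, interface, state and ICMPv6 code qualifiers, so it is an approximation that flags candidates for review, not a substitute for testing the live ruleset.

```python
import re
MUST_FORWARD = {1, 2, 3, 4}                                       # RFC 4890 sec. 4.3.1: error messages to pass
MUST_NOT_FORWARD = {130, 131, 132, 133, 134, 135, 136, 137, 143}  # link-local only (NDP, MLD, RFC 4890 sec. 4.3.3)

# Constructed excerpt of the FORWARD-side chains in the post (not the full dump).
SAMPLE_DUMP = """\
:icmpv6-filter - [0:0]
:icmpv6-filter-from-internal - [0:0]
-A icmpv6-filter -s ::/0 -d ::/0 -p ipv6-icmp -m icmp6 --icmpv6-type 137 -j DROP
-A icmpv6-filter -s ::/0 -d ::/0 -p ipv6-icmp -m icmp6 --icmpv6-type 130 -j DROP
-A icmpv6-filter -s ::/0 -d ::/0 -p ipv6-icmp -m icmp6 --icmpv6-type 4/0 -j ACCEPT
-A icmpv6-filter -s 2001:6f8:3f1::/48 -d ::/0 -j icmpv6-filter-from-internal
-A icmpv6-filter -s ::/0 -d ::/0 -p ipv6-icmp -j DROP
-A icmpv6-filter-from-internal -s ::/0 -d ::/0 -p ipv6-icmp -m icmp6 --icmpv6-type 1 -j ACCEPT
-A icmpv6-filter-from-internal -s ::/0 -d ::/0 -p ipv6-icmp -m icmp6 --icmpv6-type 2 -j ACCEPT
-A icmpv6-filter-from-internal -s ::/0 -d ::/0 -p ipv6-icmp -m icmp6 --icmpv6-type 3/0 -j ACCEPT
-A icmpv6-filter-from-internal -s ::/0 -d ::/0 -j DROP
"""

def parse_chains(dump):
    """Map chain name -> ordered list of (icmpv6 type or None, target)."""
    chains = {}
    for line in dump.splitlines():
        if line.startswith(":"):                 # chain declaration
            chains.setdefault(line.split()[0][1:], [])
        elif line.startswith("-A "):
            t = re.search(r"--icmpv6-type (\d+)", line)   # code suffix (e.g. 3/0) ignored
            target = re.search(r"-j (\S+)\s*$", line).group(1)
            chains.setdefault(line.split()[1], []).append((int(t[1]) if t else None, target))
    return chains

def verdict(chains, chain, itype):
    """First-match walk for one ICMPv6 type, following jumps into user chains.
    Assumption: address, interface and state qualifiers are ignored, so every jump is unconditional."""
    for rtype, target in chains[chain]:
        if rtype is not None and rtype != itype:
            continue
        if target not in chains:                 # terminal verdict, or RETURN (= no verdict here)
            return None if target == "RETURN" else target
        sub = verdict(chains, target, itype)     # user chain: its verdict, if it reaches one, is final
        if sub is not None:
            return sub
    return None                                  # fell off the end of the chain

def audit(dump, chain="icmpv6-filter"):
    """RFC 4890 findings for one chain: required types not accepted, link-local types accepted."""
    chains = parse_chains(dump)
    dropped = sorted(t for t in MUST_FORWARD if verdict(chains, chain, t) != "ACCEPT")
    leaked = sorted(t for t in MUST_NOT_FORWARD if verdict(chains, chain, t) == "ACCEPT")
    return {"required_not_accepted": dropped, "link_local_accepted": leaked}
```

Running `audit` on a chain that accepts all of `-p ipv6-icmp` (as the INPUT chain in the post does for the host itself) lists every link-local type as accepted, which is exactly the case the audit is meant to surface when such a rule sits in a transit chain.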