#!/bin/sh
PATH=/sbin:/bin:/usr/sbin:/usr/bin
# This server's IPv6 addresses - add them here.  The value is a
# whitespace-separated list (word-split by "for ip in $ips_locais" below);
# the 2001:DB8 and FE80 entries are placeholders (XX) to be filled in.
ips_locais="2001:DB8:XX:DEAD::2/128 FE80::XXXX:XXFF:FEXX:XXXX/128 FF02::1:FF00:0/104
FF02::1/128"
# Full path of the ip6tables binary used by every rule below
iptables="/sbin/ip6tables"
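#######################################
# Load the ip6tables rule set: default DROP, loopback open, and for each
# address in $ips_locais: ssh in, http in, traceroute, all ICMPv6 out and
# the RFC 4890 "must not drop" ICMPv6 types in.
# Globals:   iptables (read), ips_locais (read)
# Outputs:   progress messages on stdout
#######################################
start () {
  echo "Iniciando o filtro de pacotes: ip6tables..."
  # Default policy: refuse every packet.  The policies are set BEFORE the
  # flush so the host never sits with an ACCEPT policy on empty chains
  # while the rule set is being rebuilt (fail closed).
  echo "Configurando a politica padrao para recusar todos os pacotes"
  $iptables -P INPUT DROP
  $iptables -P OUTPUT DROP
  $iptables -P FORWARD DROP
  $iptables -F
  # Unrestricted traffic on the loopback interface
  echo "Permitindo trafego ilimitado para o localhost"
  $iptables -A INPUT -i lo -j ACCEPT
  $iptables -A OUTPUT -o lo -j ACCEPT
  # Inbound/outbound connections allowed for each of this server's addresses.
  # $ips_locais is intentionally unquoted: it is a whitespace-separated list.
  for ip in $ips_locais
  do
    # printf instead of "echo -n": the -n flag is not portable under #!/bin/sh
    printf '%s' "Permitindo algumas conexoes de entrada para o este servidor (IP $ip)..."
    # ssh, open to everyone
    printf '%s' "ssh "
    $iptables -A INPUT -p tcp -s ::/0 --sport 513:65535 -d "$ip" --dport 22 -j ACCEPT
    $iptables -A OUTPUT -p tcp -d ::/0 --dport 513:65535 -s "$ip" --sport 22 -j ACCEPT
    # HTTP traffic
    printf '%s' "http "
    $iptables -A INPUT -p tcp -d "$ip" --dport 80 -j ACCEPT
    $iptables -A OUTPUT -p tcp -s "$ip" --sport 80 -j ACCEPT
    # Traceroute (UDP probe port range)
    $iptables -A INPUT -p udp --dport 33434:65535 -d "$ip" -j ACCEPT
    $iptables -A OUTPUT -p udp --dport 33434:65535 -s "$ip" -j ACCEPT
    # Outgoing ICMPv6 messages, any type
    printf '%s' "icmp out "
    $iptables -A OUTPUT -p icmpv6 -s "$ip" -j ACCEPT
    ###### RFC 4890 #####
    ###### ICMPv6 traffic that MUST NOT be DROPPED ######
    printf '%s' "icmp in "
    # Echo Request and Echo Reply (types 128 and 129)
    $iptables -A INPUT -p icmpv6 --icmpv6-type echo-request -d "$ip" -j ACCEPT
    $iptables -A INPUT -p icmpv6 --icmpv6-type echo-reply -d "$ip" -j ACCEPT
    # Destination Unreachable (type 1)
    $iptables -A INPUT -p icmpv6 --icmpv6-type destination-unreachable -d "$ip" -j ACCEPT
    # Packet Too Big (type 2)
    $iptables -A INPUT -p icmpv6 --icmpv6-type packet-too-big -d "$ip" -j ACCEPT
    # Time Exceeded (type 3)
    $iptables -A INPUT -p icmpv6 --icmpv6-type ttl-zero-during-transit -d "$ip" -j ACCEPT
    $iptables -A INPUT -p icmpv6 --icmpv6-type ttl-zero-during-reassembly -d "$ip" -j ACCEPT
    # Parameter Problem (type 4)
    $iptables -A INPUT -p icmpv6 --icmpv6-type unknown-option -d "$ip" -j ACCEPT
    $iptables -A INPUT -p icmpv6 --icmpv6-type unknown-header-type -d "$ip" -j ACCEPT
    $iptables -A INPUT -p icmpv6 --icmpv6-type bad-header -d "$ip" -j ACCEPT
    # Neighbor Discovery: RS (133), RA (134), NS (135), NA (136),
    # Inverse ND Solicitation (141), Inverse ND Advertisement (142).
    # NOTE(review): RFC 4890 sec. 4.4.1 treats these as link-local messages
    # that carry hop limit 255; matching that ("-m hl --hl-eq 255") would
    # tighten the rules but depends on the hl match being available - confirm
    # on the target kernel before enabling.
    for icmp_type in 133 134 135 136 141 142
    do
      $iptables -A INPUT -p icmpv6 --icmpv6-type "$icmp_type" -d "$ip" -j ACCEPT
    done
    # MLD: Listener Query (130), Listener Report (131), Listener Done (132),
    # Listener Report v2 (143)
    for icmp_type in 130 131 132 143
    do
      $iptables -A INPUT -p icmpv6 --icmpv6-type "$icmp_type" -d "$ip" -j ACCEPT
    done
    # SEND: Certificate Path Solicitation (148), Certificate Path Advertisement (149)
    for icmp_type in 148 149
    do
      $iptables -A INPUT -p icmpv6 --icmpv6-type "$icmp_type" -d "$ip" -j ACCEPT
    done
    # Multicast Router Discovery: Advertisement (151), Solicitation (152),
    # Termination (153)
    for icmp_type in 151 152 153
    do
      $iptables -A INPUT -p icmpv6 --icmpv6-type "$icmp_type" -d "$ip" -j ACCEPT
    done
    ##### ICMPv6 traffic that NORMALLY SHOULD NOT be DROPPED #####
    # IPv6 Mobility ### Enable these only if this node is a Mobile Node ###
    # Home Agent Address Discovery Request (Type 144)
    # $iptables -A INPUT -p icmpv6 --icmpv6-type 144 -d "$ip" -j ACCEPT
    # Home Agent Address Discovery Reply (Type 145)
    # $iptables -A INPUT -p icmpv6 --icmpv6-type 145 -d "$ip" -j ACCEPT
    # Mobile Prefix Solicitation (Type 146)
    # $iptables -A INPUT -p icmpv6 --icmpv6-type 146 -d "$ip" -j ACCEPT
    # Mobile Prefix Advertisement (Type 147)
    # $iptables -A INPUT -p icmpv6 --icmpv6-type 147 -d "$ip" -j ACCEPT
    ###### Specific cases ######
    ## Some messages need no handling here:
    # - Router Renumbering (Type 138): must be authenticated with IPsec
    ## Some messages need a specific policy:
    # - Redirect (Type 137): may pose a security risk; its use must be
    #   evaluated case by case.
    ## Messages not yet assigned by IANA, or of experimental use, must always
    ## be dropped unless the network has a very specific need for them.
    echo .
  done
  # Drop everything else.  Explicit rules so counters show what hit the
  # default, even though the chain policies are already DROP.
  echo "Descartando todos os demais pacotes... "
  $iptables -A INPUT -s ::/0 -j DROP
  $iptables -A OUTPUT -d ::/0 -j DROP
}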
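#######################################
# Tear the firewall down: set every built-in chain to ACCEPT and flush it,
# then remove the optional LOGDROP chain.  Leaves the host unfiltered.
# Globals:   iptables (read)
# Outputs:   status and warning messages on stdout
#######################################
stop () {
  echo "Parando o filtro de pacotes: ip6tables..."
  # Open the policy before flushing each chain
  $iptables -P INPUT ACCEPT
  $iptables -F INPUT
  $iptables -P OUTPUT ACCEPT
  $iptables -F OUTPUT
  $iptables -P FORWARD ACCEPT
  $iptables -F FORWARD
  # start() never creates a LOGDROP chain, so flush/delete it only when it
  # exists instead of printing "No chain/target/match by that name" errors.
  if $iptables -L LOGDROP -n >/dev/null 2>&1; then
    $iptables -F LOGDROP
    $iptables -X LOGDROP
  fi
  echo "Todas as regras e cadeias estao limpas."
  echo "Tome cuidado... Isso eh perigoso!!"
  echo "Execute: ** /etc/init.d/ip6tables start ** assim que possivel."
}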
#######################################
# Show the current filter-table rules with packet/byte counters.
# Globals:   iptables (read)
# Outputs:   ip6tables listing on stdout
#######################################
status () {
  # -L is the short form of --list
  $iptables -L -v
}
case "$1" in
start)
start
;;
stop)
stop
;;
try|test)
start
sleep 10
stop
;;
restart|reload|force-reload)
stop
sleep 2
start