I am setting up a firewall for IPv6 on Debian Squeeze. It is a webserver, so I think the only port that needs to be open to the world for IPv6 is 80.
This is what I have:
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:in-new - [0:0]
# default policies (the :CHAIN lines above already set these; repeated as commands)
-P INPUT DROP
-P OUTPUT DROP
-P FORWARD DROP
# loopback traffic
-A INPUT -i lo -s ::1/128 -j ACCEPT
-A OUTPUT -o lo -d ::1/128 -j ACCEPT
# anything from a link-local source (neighbour discovery, router advertisements)
-A INPUT -s fe80::/10 -j ACCEPT
# drop packets carrying a type 0 routing header (RH0)
-A INPUT -m rt --rt-type 0 -j DROP
-A OUTPUT -m rt --rt-type 0 -j DROP
-A FORWARD -m rt --rt-type 0 -j DROP
# new TCP connections must start with a SYN; drop invalid and bogus flag combinations
-A INPUT -p tcp ! --syn -m state --state NEW -j DROP
-A INPUT -m state --state INVALID -j DROP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
-A INPUT -p tcp -m tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
-A INPUT -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
-A INPUT -p tcp -m tcp --tcp-flags FIN,RST FIN,RST -j DROP
-A INPUT -p tcp -m tcp --tcp-flags ACK,FIN FIN -j DROP
-A INPUT -p tcp -m tcp --tcp-flags ACK,URG URG -j DROP
# reject packets addressed to the all-nodes multicast group
-A INPUT -d ff02::1 -j REJECT
# stateful: replies to connections we opened, and outbound connections
-A INPUT -p tcp -m state --state ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -p udp -m state --state ESTABLISHED -j ACCEPT
-A OUTPUT -p udp -m state --state NEW,ESTABLISHED -j ACCEPT
# ICMPv6 in all directions (note: -I inserts at the top of the chain, -A appends)
-A INPUT -p IPv6-icmp -j ACCEPT
-I OUTPUT -p IPv6-icmp -j ACCEPT
-I FORWARD -p IPv6-icmp -j ACCEPT
# the only service open to the world: HTTP
-A INPUT -p tcp -m tcp --dport 80 --tcp-flags SYN,RST,ACK SYN -m state --state NEW -j ACCEPT
# log and drop everything else
-A INPUT -j LOG --log-level 4 --log-prefix "IPT_INPUT: "
-A INPUT -j DROP
-A FORWARD -j LOG --log-level 4 --log-prefix "IPT_FORWARD: "
-A FORWARD -j DROP
-A OUTPUT -j LOG --log-level 4 --log-prefix "IPT_OUTPUT: "
-A OUTPUT -j DROP
COMMIT
I found it somewhere on the internet and changed it a little bit, but when I try to restore it, it gives the following error:
sudo ip6tables-restore < /etc/ip6tables.firewall.rules
ip6tables-restore: line 47 failed
Any idea how to set up my ip6tables so it will work?
Thank you.
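Added example, not part of the question above: a small POSIX shell helper that replays an ip6tables-restore file one rule at a time, so the rule the kernel rejects is named by its line number in the file. The line number ip6tables-restore prints ("line 47 failed") counts every line of the actual file, including comments and blank lines, so it will not match a pasted excerpt; this script numbers lines the same way. The file name and the `dry` argument are this example's own conventions, and it assumes the plain `*table` / `:CHAIN POLICY` / `-A ...` / `COMMIT` format shown in the question.

```shell
#!/bin/sh
# replay6.sh: find which line of an ip6tables-restore file is rejected.
# Added example for this question, not from the original poster or the
# iptables project. Assumes the *table / :CHAIN / -A / COMMIT restore format.

# restore_to_commands FILE
# Print "LINENO<TAB>COMMAND" for every line that changes the ruleset.
# Comments and blank lines are skipped but still counted, so LINENO is the
# same number ip6tables-restore reports in "line N failed".
restore_to_commands() {
    awk '
        BEGIN { table = "filter" }                       # default table if no *line
        /^[ \t]*#/ || /^[ \t]*$/ { next }                # comments and blank lines
        /^\*/ { table = substr($0, 2); next }            # *filter -> current table
        /^COMMIT/ { next }
        /^:/ {                                           # :CHAIN POLICY [pkts:bytes]
            split(substr($0, 2), f, " ")
            if (f[2] == "-")                             # "-" policy = user-defined chain
                printf "%d\tip6tables -t %s -N %s\n", NR, table, f[1]
            else                                         # built-in chain policy
                printf "%d\tip6tables -t %s -P %s %s\n", NR, table, f[1], f[2]
            next
        }
        { printf "%d\tip6tables -t %s %s\n", NR, table, $0 }   # -A/-I/-P rule lines
    ' "$1"
}

# replay_restore_file FILE [dry]
# Apply the commands in order and stop at the first one that fails, printing
# the file line number. With a second argument, only print the commands.
# Without "dry" this changes the live ruleset and needs root.
replay_restore_file() {
    file=$1
    dry=${2:-}
    restore_to_commands "$file" | while IFS="$(printf '\t')" read -r lineno cmd; do
        if [ -n "$dry" ]; then
            echo "$lineno: $cmd"
        elif ! eval "$cmd"; then
            echo "file line $lineno rejected: $cmd" >&2
            exit 1                                   # exits the pipeline subshell only
        fi
    done
}

# Usage: sh replay6.sh /etc/ip6tables.firewall.rules [dry]
if [ $# -ge 1 ]; then
    replay_restore_file "$@"
fi
```

Run it with `dry` first to see the numbered commands, then without it on a test machine or after flushing the table: the rules are applied on top of whatever is already loaded, and the `-P INPUT DROP` lines take effect immediately, so doing this over an IPv6 SSH session can lock you out. A rule that fails here with "No chain/target/match by that name" usually means a missing module (for example the `rt` match, the `state` match, or the `REJECT` target for IPv6) rather than a syntax error; if the whole file only fails at the `COMMIT` line, the kernel rejected the table as a unit and this per-rule replay will point at the offending rule. Newer iptables releases also offer `ip6tables-restore --test`, which parses the file without committing it.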