On Mon, Aug 24, 2009 at 06:17:44AM +0100, David JM Emmett wrote:
> That is why ip6tables exists ;)

Here's a proposed ip6tables-template.conf.erb. It's based on the iptables template, with all the IPv4-specific stuff stripped out. This should let our current model of using defined per-service ports work:

    # Firewall Rules, allow HTTP traffic through
    $tcpPorts = [ 80, 443, 873, 8080 ]
    $udpPorts = []
    $custom = []

    # the rendered template is delivered as a file resource
    file { "/etc/sysconfig/ip6tables":
        content => template("system/ip6tables-template.conf.erb"),
    }

    service { "ip6tables":
        ensure    => running,
        hasstatus => true,
    }

------

*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]

# loopback allowed
-A INPUT -i lo -j ACCEPT

# Accept ping and traceroute (needs icmp)
-A INPUT -p ipv6-icmp -j ACCEPT

# Established connections allowed
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# SSH
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT

# Custom Services
<% custom.each do |cust| -%>
<%= cust %>
<% end -%>

# Services TCP
<% tcpPorts.each do |port| -%>
-A INPUT -m state --state NEW -m tcp -p tcp --dport <%= port %> -j ACCEPT
<% end -%>

# Services UDP
<% udpPorts.each do |port| -%>
-A INPUT -m state --state NEW -m udp -p udp --dport <%= port %> -j ACCEPT
<% end -%>

-A INPUT -j REJECT --reject-with icmp6-adm-prohibited
-A FORWARD -j REJECT --reject-with icmp6-adm-prohibited
COMMIT

_______________________________________________
Fedora-infrastructure-list mailing list
Fedora-infrastructure-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-infrastructure-list
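The template above substitutes `<%= port %>` and `<%= cust %>` into the ruleset verbatim, so whatever ends up in `$tcpPorts`, `$udpPorts` or `$custom` is trusted completely: a string port such as `"80 -j ACCEPT"` or a custom entry containing a newline would splice extra rules (or an early `COMMIT`) into /etc/sysconfig/ip6tables. The following Ruby script is an added example, not code from the message or from the Fedora infrastructure puppet repository. It renders a copy of the template with ERB the way Puppet does, rejects inputs that are not plain port numbers or single `-A` lines, and lints the result, including a check that `ipv6-icmp` is accepted before the catch-all `REJECT` (IPv6 hosts lose neighbor discovery, and with it all connectivity, if ICMPv6 is blocked). The function names `render_ip6tables`, `valid_port?`, `valid_custom_rule?` and `lint_ruleset` are this example's own.

```ruby
require 'erb'

# Copy of the template body from the message, embedded so the example runs
# offline (constructed for this example; not read from the puppet tree).
IP6TABLES_TEMPLATE = <<'ERB'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# loopback allowed
-A INPUT -i lo -j ACCEPT
# Accept ping and traceroute (needs icmp); this also carries Neighbor Discovery
-A INPUT -p ipv6-icmp -j ACCEPT
# Established connections allowed
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# SSH
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
# Custom Services
<% custom.each do |cust| -%>
<%= cust %>
<% end -%>
# Services TCP
<% tcpPorts.each do |port| -%>
-A INPUT -m state --state NEW -m tcp -p tcp --dport <%= port %> -j ACCEPT
<% end -%>
# Services UDP
<% udpPorts.each do |port| -%>
-A INPUT -m state --state NEW -m udp -p udp --dport <%= port %> -j ACCEPT
<% end -%>
-A INPUT -j REJECT --reject-with icmp6-adm-prohibited
-A FORWARD -j REJECT --reject-with icmp6-adm-prohibited
COMMIT
ERB

# A port must be an Integer in the TCP/UDP range. Anything else (including a
# String such as "80 -j ACCEPT") would be pasted into the rule text unchanged.
def valid_port?(port)
  port.is_a?(Integer) && port.between?(1, 65_535)
end

# A custom rule must be one line that appends to a chain; an embedded newline
# would let a single entry smuggle extra rules or a COMMIT into the file.
def valid_custom_rule?(rule)
  rule.is_a?(String) && rule.start_with?('-A ') && !rule.match?(/[\r\n]/)
end

# Validate the three inputs, then render exactly as Puppet's template() would
# (ERB with the '-' trim mode, variables resolved from the local binding).
def render_ip6tables(tcpPorts, udpPorts, custom)
  bad_ports = (tcpPorts + udpPorts).reject { |p| valid_port?(p) }
  raise ArgumentError, "invalid port(s): #{bad_ports.inspect}" unless bad_ports.empty?
  bad_custom = custom.reject { |r| valid_custom_rule?(r) }
  raise ArgumentError, "invalid custom rule(s): #{bad_custom.inspect}" unless bad_custom.empty?
  ERB.new(IP6TABLES_TEMPLATE, trim_mode: '-').result(binding)
end

# Accepted line shapes in an ip6tables-restore file: comment, table marker,
# chain policy, append rule with a target, COMMIT.
LINE_SHAPES = [
  /\A#/,
  /\A\*[a-z]+\z/,
  /\A:[A-Z]+ (ACCEPT|DROP) \[\d+:\d+\]\z/,
  /\A-A [A-Z]+ .*-j \S+.*\z/,
  /\ACOMMIT\z/,
].freeze

# Returns a list of problems (empty when the ruleset passes). Besides the
# per-line shape check it insists that INPUT accepts ipv6-icmp before the
# final REJECT, otherwise the host cannot do IPv6 neighbor discovery.
def lint_ruleset(text)
  problems = []
  lines = text.lines.map(&:chomp).reject(&:empty?)
  lines.each_with_index do |line, i|
    next if LINE_SHAPES.any? { |re| re.match?(line) }
    problems << "line #{i + 1} unrecognised: #{line}"
  end
  icmp = lines.index { |l| l.start_with?('-A INPUT ') && l.include?('-p ipv6-icmp') && l.end_with?('-j ACCEPT') }
  reject = lines.index { |l| l.start_with?('-A INPUT ') && l.include?('-j REJECT') }
  problems << 'INPUT does not accept ipv6-icmp before its REJECT' if icmp.nil? || reject.nil? || icmp > reject
  problems
end

if __FILE__ == $PROGRAM_NAME
  # Same port list as the message's $tcpPorts.
  out = render_ip6tables([80, 443, 873, 8080], [], [])
  puts out
  issues = lint_ruleset(out)
  puts(issues.empty? ? 'ruleset OK' : issues)
end
```

Running the script prints the rendered ruleset and `ruleset OK`; swapping a port for a string, or passing a custom rule with a newline, raises `ArgumentError` before anything is rendered. The same rendered text can be fed to `ip6tables-restore --test` on a host for the kernel-side syntax check that this lint does not attempt.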