On 14.07.2013 08:53, James Hogarth wrote:
>> It might be a good idea, then, to configure ip6tables to deny everything and enable it just to be sure.
>
> And this is one of the reasons that firewalld has come about... The same rule (unless it specifies a family or has
> addressees in the rule of that family) gets applied to both protocols.

So show me how firewalld implements the rules below, which are my daily job (the second block especially, for NAT/Routing). Remember that there is an IT world outside the ordinary user and shiny GUIs.

# Input-Controls
# drop fragments, invalid conntrack state and port 0 on anything that is not loopback
$IPTABLES -A INPUT ! -i lo -f -j DROP
$IPTABLES -A INPUT ! -i lo -m conntrack --ctstate INVALID -j DROP
$IPTABLES -A INPUT ! -i lo -p tcp -m conntrack --ctstate NEW --dport 0 -j DROP
$IPTABLES -A INPUT ! -i lo -p udp -m conntrack --ctstate NEW --dport 0 -j DROP
# drop TCP packets with flag combinations that never occur in a legitimate stream
$IPTABLES -A INPUT ! -i lo -p tcp --tcp-flags ALL ACK,RST,SYN,FIN -j DROP
$IPTABLES -A INPUT ! -i lo -p tcp --tcp-flags ALL FIN -j DROP
$IPTABLES -A INPUT ! -i lo -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
$IPTABLES -A INPUT ! -i lo -p tcp --tcp-flags ALL ALL -j DROP
$IPTABLES -A INPUT ! -i lo -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
$IPTABLES -A INPUT ! -i lo -p tcp --tcp-flags ALL NONE -j DROP
$IPTABLES -A INPUT ! -i lo -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
$IPTABLES -A INPUT ! -i lo -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
$IPTABLES -A INPUT ! -i lo -p tcp --tcp-flags FIN,RST FIN,RST -j DROP
$IPTABLES -A INPUT ! -i lo -p tcp --tcp-flags ACK,FIN FIN -j DROP
$IPTABLES -A INPUT ! -i lo -p tcp --tcp-flags ACK,PSH PSH -j DROP
$IPTABLES -A INPUT ! -i lo -p tcp --tcp-flags ACK,URG URG -j DROP
# new connections must start with SYN; no spoofed loopback sources; no suspiciously low TTLs from outside
$IPTABLES -A INPUT ! -i lo -p tcp ! --syn -m conntrack --ctstate NEW -j DROP
$IPTABLES -A INPUT ! -i lo -s 127.0.0.0/8 -j DROP
$IPTABLES -A INPUT ! -i lo ! -s $LAN_RANGE -p tcp -m ttl --ttl-lt 5 -j DROP
$IPTABLES -A INPUT ! -i lo ! -s $LAN_RANGE -p udp -m ttl --ttl-lt 5 -j DROP

# portscan detection: a hit on a trigger port marks the source in a "recent" list
# and every further TCP packet from it is rejected for the next 3 seconds
PORTSCAN_TRIGGERS_1="19,24,52,79,109,142,442,464,548,586,631,992,994,3305"
PORTSCAN_TRIGGERS_2="23,137,138,139,445,3389,5900"
$IPTABLES -A INPUT ! -i lo ! -s $LAN_RANGE -p tcp -m recent --name portscan1 --rcheck --seconds 3 -j REJECT --reject-with tcp-reset
$IPTABLES -A INPUT ! -i lo ! -s $LAN_RANGE -p tcp -m recent --name portscan1 --remove
$IPTABLES -A INPUT ! -i lo ! -s $LAN_RANGE -p tcp -m multiport --destination-port $PORTSCAN_TRIGGERS_1 -m limit --limit 5/h -j LOG --log-level debug --log-prefix "Firewall Portscan: "
$IPTABLES -A INPUT ! -i lo ! -s $LAN_RANGE -p tcp -m multiport --destination-port $PORTSCAN_TRIGGERS_1 -m tcp -m recent --name portscan1 --set -j REJECT --reject-with tcp-reset
$IPTABLES -A INPUT ! -i lo ! -s $LAN_RANGE -p tcp -m recent --name portscan2 --rcheck --seconds 3 -j REJECT --reject-with tcp-reset
$IPTABLES -A INPUT ! -i lo ! -s $LAN_RANGE -p tcp -m recent --name portscan2 --remove
$IPTABLES -A INPUT ! -i lo ! -s $LAN_RANGE -p tcp -m multiport --destination-port $PORTSCAN_TRIGGERS_2 -m tcp -m recent --name portscan2 --set -j REJECT --reject-with tcp-reset

# rate control: at most $RATE_CONTROL_MAX new connections per 2 seconds and client IP
echo "DOS-PROTECTION: Nicht mehr als $RATE_CONTROL_MAX NEUE Verbindungen pro 2-Sekunden/Client-IP (Rate-Control)"
$IPTABLES -I INPUT -p tcp -i eth0 ! -s $LAN_RANGE -m conntrack --ctstate NEW -m recent --set
$IPTABLES -I INPUT -p tcp -i eth0 ! -s $LAN_RANGE -m conntrack --ctstate NEW -m recent --update --seconds 2 --hitcount $RATE_CONTROL_MAX -j DROP
$IPTABLES -I INPUT -p tcp -i eth0 ! -s $LAN_RANGE -m conntrack --ctstate NEW -m recent --update --seconds 2 --hitcount $RATE_CONTROL_MAX -m limit --limit 100/h -j LOG --log-level debug --log-prefix "Firewall Rate-Control: "
$IPTABLES -I INPUT -p udp -i eth0 ! -s $LAN_RANGE -m conntrack --ctstate NEW -m recent --name udpflood --set
$IPTABLES -I INPUT -p udp -i eth0 ! -s $LAN_RANGE -m conntrack --ctstate NEW -m recent --name udpflood --update --seconds 2 --hitcount $RATE_CONTROL_MAX -j DROP
$IPTABLES -I INPUT -p udp -i eth0 ! -s $LAN_RANGE -m conntrack --ctstate NEW -m recent --name udpflood --update --seconds 2 --hitcount $RATE_CONTROL_MAX -m limit --limit 100/h -j LOG --log-level debug --log-prefix "Firewall Rate-Control: "
# slowloris protection: cap concurrent connections per source to the web ports
$IPTABLES -A INPUT -p tcp -i eth0 ! -s $LAN_RANGE -m multiport --destination-port 80,443 --syn -m connlimit --connlimit-above $CONNECTION_MAX -m limit --limit 100/h -j LOG --log-level debug --log-prefix "Firewall Slowloris: "
$IPTABLES -A INPUT -p tcp -i eth0 ! -s $LAN_RANGE -m multiport --destination-port 80,443 --syn -m connlimit --connlimit-above $CONNECTION_MAX -j DROP

echo "NAT Routing / Forwarding"
# the same sanity checks as above, applied to traffic entering on the WAN side (eth1)
$IPTABLES -A FORWARD -i eth1 -m conntrack --ctstate INVALID -j DROP
$IPTABLES -A FORWARD -i eth1 -p tcp -m conntrack --ctstate NEW --dport 0 -j DROP
$IPTABLES -A FORWARD -i eth1 -p udp -m conntrack --ctstate NEW --dport 0 -j DROP
$IPTABLES -A FORWARD -i eth1 -p tcp --tcp-flags ALL ACK,RST,SYN,FIN -j DROP
$IPTABLES -A FORWARD -i eth1 -p tcp --tcp-flags ALL FIN -j DROP
$IPTABLES -A FORWARD -i eth1 -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
$IPTABLES -A FORWARD -i eth1 -p tcp --tcp-flags ALL ALL -j DROP
$IPTABLES -A FORWARD -i eth1 -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
$IPTABLES -A FORWARD -i eth1 -p tcp --tcp-flags ALL NONE -j DROP
$IPTABLES -A FORWARD -i eth1 -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
$IPTABLES -A FORWARD -i eth1 -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
$IPTABLES -A FORWARD -i eth1 -p tcp --tcp-flags FIN,RST FIN,RST -j DROP
$IPTABLES -A FORWARD -i eth1 -p tcp --tcp-flags ACK,FIN FIN -j DROP
$IPTABLES -A FORWARD -i eth1 -p tcp --tcp-flags ACK,PSH PSH -j DROP
$IPTABLES -A FORWARD -i eth1 -p tcp --tcp-flags ACK,URG URG -j DROP
$IPTABLES -A FORWARD -i eth1 -p tcp ! --syn -m conntrack --ctstate NEW -j DROP
$IPTABLES -A FORWARD -i eth1 -s 127.0.0.0/8 -j DROP
$IPTABLES -A FORWARD -i eth1 -p tcp -m ttl --ttl-lt 5 -j DROP
$IPTABLES -A FORWARD -i eth1 -p udp -m ttl --ttl-lt 5 -j DROP
$IPTABLES -A FORWARD -i eth1 -p all -s 10.0.0.253 -m conntrack --ctstate NEW -j DROP
# bogon/martian filtering: these source ranges must never arrive from or leave towards the WAN
$IPTABLES -A INPUT -i eth1 -s $WAN_RHSOFT,0.0.0.0/8,10.0.0.0/8,127.0.0.0/8,169.254.0.0/16,172.16.0.0/12,192.0.0.0/24,192.0.2.0/24,192.88.99.0/24,192.168.0.0/16,198.18.0.0/15,198.51.100.0/24,203.0.113.0/24,224.0.0.0/4,240.0.0.0/4,255.255.255.255/32 -j DROP
$IPTABLES -A FORWARD -i eth1 -s $WAN_RHSOFT,0.0.0.0/8,10.0.0.0/8,127.0.0.0/8,169.254.0.0/16,172.16.0.0/12,192.0.0.0/24,192.0.2.0/24,192.88.99.0/24,192.168.0.0/16,198.18.0.0/15,198.51.100.0/24,203.0.113.0/24,224.0.0.0/4,240.0.0.0/4,255.255.255.255/32 -j DROP
$IPTABLES -A OUTPUT -o eth1 -s 0.0.0.0/8,10.0.0.0/8,127.0.0.0/8,169.254.0.0/16,172.16.0.0/12,192.0.0.0/24,192.0.2.0/24,192.88.99.0/24,192.168.0.0/16,198.18.0.0/15,198.51.100.0/24,203.0.113.0/24,224.0.0.0/4,240.0.0.0/4,255.255.255.255/32 -j DROP
# LAN and guest network: outbound is free, inbound only for established/related flows
$IPTABLES -A FORWARD -i eth1 -o br0 -d $LAN_RHSOFT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
$IPTABLES -A FORWARD -i br0 -o eth1 -s $LAN_RHSOFT -j ACCEPT
$IPTABLES -A FORWARD -i eth1 -o br1 -d $LAN_GUEST -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
$IPTABLES -A FORWARD -i br1 -o eth1 -s $LAN_GUEST -j ACCEPT
# VPN (tap0): per-site access towards the LAN, same direction rule
$IPTABLES -A FORWARD -i tap0 -s $LOUNGE_GUEST -j DROP
$IPTABLES -A FORWARD -i tap0 -s $OFFICE_VPN_IP -j ACCEPT
$IPTABLES -A FORWARD -i tap0 -o br0 -s $LAN_LOUNGE -d $LAN_RHSOFT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
$IPTABLES -A FORWARD -i br0 -o tap0 -s $LAN_RHSOFT -d $LAN_LOUNGE -j ACCEPT
$IPTABLES -A FORWARD -i tap0 -o br0 -s $LAN_SOUTH -d $LAN_RHSOFT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
$IPTABLES -A FORWARD -i br0 -o tap0 -s $LAN_RHSOFT -d $LAN_SOUTH -j ACCEPT
$IPTABLES -A FORWARD -i tap0 -o br0 -s $LAN_STOCK -d $LAN_RHSOFT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
$IPTABLES -A FORWARD -i br0 -o tap0 -s $LAN_RHSOFT -d $LAN_STOCK -j ACCEPT
$IPTABLES -A FORWARD -i tap0 -o br0 -s $LAN_FLOW -d $LAN_RHSOFT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
$IPTABLES -A FORWARD -i br0 -o tap0 -s $LAN_RHSOFT -d $LAN_FLOW -j ACCEPT
# VMware NAT network (vmnet8)
$IPTABLES -A FORWARD -i br0 -o vmnet8 -s $LAN_RHSOFT -d $LAN_VMWARE -j ACCEPT
$IPTABLES -A FORWARD -i vmnet8 -o br0 -s $LAN_VMWARE -d $LAN_RHSOFT -j ACCEPT
$IPTABLES -A FORWARD -i tap0 -o vmnet8 -s $OFFICE_VPN_IP -d $LAN_VMWARE -j ACCEPT
$IPTABLES -A FORWARD -i vmnet8 -o tap0 -s $LAN_VMWARE -d $OFFICE_VPN_IP -j ACCEPT
# port forwarding for VoIP and masquerading of the internal networks
$IPTABLES -A PREROUTING -t nat -i eth1 -s $LOUNGE_VOIP -p udp -m multiport --destination-port 5060 -j DNAT --to-destination $RHSOFT_VOIP
$IPTABLES -A PREROUTING -t nat -i eth1 -s $LOUNGE_VOIP -p udp -m multiport --destination-port 50600 -j DNAT --to-destination $RHSOFT_HANDY
$IPTABLES -A POSTROUTING -o eth1 -t nat -s $LAN_RHSOFT -j MASQUERADE
$IPTABLES -A POSTROUTING -o eth1 -t nat -s $LAN_GUEST -j MASQUERADE
$IPTABLES -A POSTROUTING -o tap0 -t nat -s $LAN_RHSOFT -j MASQUERADE
$IPTABLES -A POSTROUTING -o vmnet8 -t nat -s $LAN_RHSOFT -j MASQUERADE
$IPTABLES -A POSTROUTING -o vmnet8 -t nat -s $OFFICE_VPN_IP -j MASQUERADE
# default deny for everything not matched above; MSS clamping goes first in the chain
$IPTABLES -A FORWARD -j DROP
$IPTABLES -I FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu

> It's time to stop ignoring it and treating ipv6 with the same level of care you do ipv4

No, it is time to take care if I have, at least at home *or* at the office, the possibility of a public ipv6 address, which is not the case.

> ... If you really don't care about it then it's trivial to just have a drop all rule in
> ip6tables until you do care...

Again, my question was why "ipv6.disable=1" on F19 with a 3.10.fc20 kernel is ignored, *not* more, *not* less. So in a regular world this thread would have 3-5 posts, period. That I get punished because I violate the etiquette, but my threads go completely off-topic twice, with the subject changed twice, is only ridiculous.

> Incidentally there are other reasons you may need ipv6 loaded on an ipv4 network that can cause headaches otherwise
> such as the bonding module that has a dependency on ipv6 being loaded these days...

Tell this to my office machine running with "ipv6.disable=1".
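An added example, not part of this mail and not firewalld's own tooling: a small POSIX sh helper (hypothetical name to_direct) that rewrites one rule line from the script above into the firewall-cmd --direct --add-rule form and emits the ipv6 twin only where the arguments also make sense for ip6tables. It assumes a firewalld whose --direct interface accepts --permanent, rules in the script's "$IPTABLES -A|-I CHAIN [-t TABLE] ..." shape, and the 192.168.1.0/24 subnet in the last call is a constructed sample value.

```sh
#!/bin/sh
# Added example (not from the mail): turn one iptables rule line from the script
# above into firewalld "direct" rules, i.e.
#   firewall-cmd --permanent --direct --add-rule <family> <table> <chain> <prio> <args>
# the interface firewalld offers for raw iptables arguments it has no native syntax for.
# Assumptions: the rule keeps the "$IPTABLES -A|-I CHAIN [-t TABLE] ..." shape, has no
# quoted arguments (a LOG --log-prefix "..." would be split into words), shell
# variables such as $LAN_RANGE are passed through unexpanded, and -I ordering is
# expressed through the firewalld priority argument rather than by insertion.

to_direct() {
    prio=$1; shift
    set -f                               # no globbing while word-splitting the rule
    set -- $*
    table=filter; chain=''; args=''
    while [ $# -gt 0 ]; do
        case $1 in
            '$IPTABLES'|iptables) ;;     # the script's binary variable, dropped
            -A|-I) chain=$2; shift ;;    # target chain
            -t)    table=$2; shift ;;    # nat/mangle rules carry their table inline
            *)     args="$args $1" ;;    # everything else is handed to iptables as-is
        esac
        shift
    done
    set +f
    args=${args# }
    if [ -z "$chain" ]; then
        echo "to_direct: rule has no -A/-I chain" >&2
        return 1
    fi
    printf 'firewall-cmd --permanent --direct --add-rule ipv4 %s %s %s %s\n' \
        "$table" "$chain" "$prio" "$args"
    # Emit the ipv6 twin only when the arguments are valid there: IPv4 literals, -f
    # (fragments), -m ttl (ip6tables uses -m hl) and the script's IPv4 MASQUERADE are not.
    case " $args " in
        *[0-9].[0-9]*.[0-9]*.[0-9]*|*' -f '*|*' -m ttl '*|*' MASQUERADE '*) return 0 ;;
    esac
    printf 'firewall-cmd --permanent --direct --add-rule ipv6 %s %s %s %s\n' \
        "$table" "$chain" "$prio" "$args"
}

# Rules from the script above (the subnet in the last one is a constructed sample).
# The helper only prints the firewall-cmd invocations for review; it executes nothing.
to_direct 0 '$IPTABLES -A INPUT ! -i lo -p tcp --tcp-flags ALL NONE -j DROP'
to_direct 0 '$IPTABLES -A INPUT ! -i lo -s 127.0.0.0/8 -j DROP'
to_direct 0 '$IPTABLES -A POSTROUTING -o eth1 -t nat -s 192.168.1.0/24 -j MASQUERADE'
```

Rules whose family is decided by a variable (-s $LAN_RANGE) still get an ipv6 twin, so review the output before applying it.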
--
users mailing list
users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
Have a question? Ask away: http://ask.fedoraproject.org