Simple ip6tables rules

*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# ongoing traffic
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# services: HTTP, HTTPS, SSH, SMTP
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 25 -j ACCEPT
# ICMPv6 echo request (128), rate limited
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 128 -m limit --limit 30/min -j ACCEPT
# Neighbour Discovery: router advertisement (134), neighbour solicitation (135),
# neighbour advertisement (136), redirect (137)
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 134 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 135 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 136 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 137 -j ACCEPT
# mDNS multicast group
-A INPUT -d ff02::fb/128 -j ACCEPT
# log (rate limited) and drop everything else
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "ip6tables denied: " --log-level 7
-A INPUT -j DROP
-A FORWARD -j DROP
-A OUTPUT -j ACCEPT
COMMIT

Check wiki

2013-05-08 Revisited version:

*filter
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
# http://natisbad.org/RH0/
-A INPUT -m rt --rt-type 0 --rt-segsleft 0 -j DROP
-A OUTPUT -m rt --rt-type 0 --rt-segsleft 0 -j DROP
-A FORWARD -m rt --rt-type 0 --rt-segsleft 0 -j DROP
# ongoing traffic
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# ICMPv6, all types, rate limited
-A INPUT -p ipv6-icmp -m limit --limit 30/min -j ACCEPT
# Loopback
-A INPUT -i lo -j ACCEPT
# Logging
-A INPUT -m state --state NEW -j LOG --log-level 7 --log-prefix "IPv6 conn in: "
-A OUTPUT -m state --state NEW -j LOG --log-level 7 --log-prefix "IPv6 conn out: "
# Allow Link-Local addresses
-A INPUT -s fe80::/10 -j ACCEPT
# Services
## HTTP
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
## SSH
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
## SMTP
-A INPUT -p tcp -m tcp --dport 25 -j ACCEPT
# Reject rest of traffic
-A INPUT -m limit --limit 5/min -j LOG --log-level 7 --log-prefix "IPv6 reject: "
-A INPUT -j REJECT --reject-with icmp6-port-unreachable
-A FORWARD -m limit --limit 5/min -j LOG --log-level 7 --log-prefix "IPv6 drop: "
-A FORWARD -j DROP
COMMIT

On a busy server, the logging of every new connection needs to be reconsidered 😉
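As an added example, not part of the original post: a small Python script that parses rulesets in the ip6tables-save format used above and checks them for the three points that changed between the two versions, namely whether loopback is accepted, whether the type 0 routing header is dropped in every chain, and whether Neighbour Discovery gets through without a rate limit. The two embedded rulesets are abridged copies of the ones on this page (service ports trimmed to SSH); the check names and the parser are my own, and the script only inspects the text, it never touches netfilter. Run on the two versions it reports that the first one lacks the loopback and RH0 rules, while the revised one fails the Neighbour Discovery check: the single `-p ipv6-icmp -m limit` rule throttles NS/NA as well, and the `fe80::/10` accept only rescues solicitations sent from a link-local source.

```python
"""Audit an ip6tables-save style ruleset for a few IPv6 host-firewall pitfalls."""
import shlex

# ICMPv6 types a host must receive unthrottled: RA (134), NS (135), NA (136).
NDP_TYPES = {"134", "135", "136"}


def parse_ruleset(text):
    """Return (policies, rules): chain -> policy, and each -A rule as a token list.
    Backslash-continued lines are joined first; iptables-restore itself does not
    accept continuation lines, so such a file must be joined before loading."""
    joined, buf = [], ""
    for line in text.splitlines():
        line = line.rstrip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        joined.append(buf + line)
        buf = ""
    policies, rules = {}, []
    for line in joined:
        line = line.strip()
        if not line or line[0] in "#*" or line == "COMMIT":
            continue
        if line.startswith(":"):  # e.g. ":INPUT ACCEPT [0:0]"
            chain_name, policy = line[1:].split()[:2]
            policies[chain_name] = policy
            continue
        toks = shlex.split(line)
        if toks[:1] == ["-A"]:
            rules.append(toks)
    return policies, rules


def opt(toks, flag):
    """Value following `flag` in a rule's tokens, or None if absent."""
    for i, t in enumerate(toks[:-1]):
        if t == flag:
            return toks[i + 1]
    return None


def uses_match(toks, module):
    """True if the rule loads match extension `module` via -m."""
    return any(t == "-m" and toks[i + 1] == module for i, t in enumerate(toks[:-1]))


def audit(text):
    """Run the checks; return check-name -> bool."""
    _, rules = parse_ruleset(text)
    accepts = [r for r in rules if opt(r, "-A") == "INPUT" and opt(r, "-j") == "ACCEPT"]
    # 1. Loopback accepted explicitly, or the final DROP/REJECT also hits new
    #    connections to ::1 on every port the ruleset does not open.
    loopback_ok = any(opt(r, "-i") == "lo" for r in accepts)
    # 2. Deprecated type 0 routing header (RFC 5095) dropped in all three chains.
    rh0_chains = {opt(r, "-A") for r in rules if uses_match(r, "rt")
                  and opt(r, "--rt-type") == "0" and opt(r, "-j") == "DROP"}
    rh0_ok = {"INPUT", "OUTPUT", "FORWARD"} <= rh0_chains
    # 3. Neighbour Discovery accepted without a rate limit, either by an unlimited
    #    blanket ICMPv6 accept or by unlimited per-type rules for 134/135/136.
    unlimited = [r for r in accepts if opt(r, "-p") in ("ipv6-icmp", "icmpv6", "58")
                 and not uses_match(r, "limit")]
    blanket = any(opt(r, "--icmpv6-type") is None for r in unlimited)
    ndp_ok = blanket or NDP_TYPES <= {opt(r, "--icmpv6-type") for r in unlimited}
    return {"loopback_accepted": loopback_ok, "rh0_dropped": rh0_ok, "ndp_unlimited": ndp_ok}


# Abridged copies of the two rulesets on this page (service ports trimmed to SSH).
ORIGINAL = r"""*filter
:INPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 128 -m limit --limit 30/min \
-j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 134 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 135 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 136 -j ACCEPT
-A INPUT -j DROP
-A FORWARD -j DROP
COMMIT
"""
REVISED = r"""*filter
:INPUT ACCEPT [0:0]
-A INPUT -m rt --rt-type 0 --rt-segsleft 0 -j DROP
-A OUTPUT -m rt --rt-type 0 --rt-segsleft 0 -j DROP
-A FORWARD -m rt --rt-type 0 --rt-segsleft 0 -j DROP
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p ipv6-icmp -m limit --limit 30/min -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -s fe80::/10 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp6-port-unreachable
-A FORWARD -j DROP
COMMIT
"""

if __name__ == "__main__":
    for name, ruleset in (("original", ORIGINAL), ("2013-05-08 revision", REVISED)):
        print(name, audit(ruleset))
```

The checks are purely static and deliberately ignore rule order, so a rule that is shadowed by an earlier unconditional accept still counts; the script is a pre-load sanity check, not a substitute for reading the chain with `ip6tables -L -n -v` after `ip6tables-restore` has applied it.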
