# maulwurf firewall settings
# ALL CHANGES TO THIS FILE WILL BE LOST!! EDIT THE TEMPLATE!!
#
# IPv6 packet filter for the host "maulwurf", in ip6tables-restore format.
# Interfaces matched below: lo (loopback), eth0 (described as "our usernet")
# and 6win (described as "maulwurf EXT").
#
# version history:
# 26.02.03, blackwing -> 1st try :)
# 05.06.03, blackwing -> added ente
# 03.06.04, blackwing -> changed to ip6tables-restore style

# ip6tables restore stuff
# table is filter
# NOTE(review): no COMMIT line is visible in this part of the file; a restore
# table is only applied at COMMIT, so it presumably follows the dynamic part.
*filter

# default policies
# Inbound and forwarded packets are dropped unless a rule accepts them;
# locally generated packets are accepted by default.
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]

# Reject chain
# Answers TCP with a reset and everything else with the REJECT default
# instead of dropping silently.
# NOTE(review): nothing visible here jumps to "finalize"; presumably the
# dynamic part does. Until something does, unmatched packets hit the DROP
# policies above.
# NOTE(review): restore files usually declare user chains as
# ":finalize - [0:0]"; confirm the installed ip6tables-restore accepts -N.
-N finalize
-A finalize -p tcp -j REJECT --reject-with tcp-reset
-A finalize -j REJECT

# accept stateful
# Packets of already tracked connections pass in every built-in chain, so the
# rules further down only decide about NEW connections.
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT

# allow everything on loopback
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT

# link-local stuff
# Accepts link-local (fe80::/64) traffic on both interfaces, matched by
# source on OUTPUT and by destination on INPUT.
-A OUTPUT --out-interface 6win --source fe80::/64 -j ACCEPT
-A OUTPUT --out-interface eth0 --source fe80::/64 -j ACCEPT
-A INPUT --in-interface 6win --destination fe80::/64 -j ACCEPT
-A INPUT --in-interface eth0 --destination fe80::/64 -j ACCEPT

# allow ALL traffic outgoing on fxp0
# (the comment says fxp0; the rule matches eth0)
# Every OUTPUT rule in this file is an ACCEPT and the OUTPUT policy is ACCEPT
# as well, so these rules only start to matter if that policy is tightened.
-A OUTPUT --out-interface eth0 -m state --state NEW -j ACCEPT

# allow traffic from maulwurf EXT
-A OUTPUT --out-interface 6win -m state --state NEW -j ACCEPT

# allow ALL traffic from our usernet to maulwurf
# No source, protocol or state match: whatever arrives on eth0 is accepted,
# so every host on that segment is trusted.
# NOTE(review): there is no source-prefix check, so spoofed sources arriving
# on eth0 are accepted too; confirm this is intended.
-A INPUT --in-interface eth0 -j ACCEPT

# allow ping probes
# Echo requests are accepted on every interface, without a rate limit.
# NOTE(review): this is the only explicit ICMPv6 rule. On 6win, other ICMPv6
# (e.g. neighbour discovery to multicast destinations, Packet Too Big) gets
# in only via the link-local rule or RELATED state; check that against
# RFC 4890 for this setup.
-A INPUT --protocol icmpv6 --icmpv6-type echo-request -j ACCEPT

# allow maulwurf ssh
# NOTE(review): neither rule below has a -j target, so a match only updates
# the rule counters and the packet continues down the chain. With the INPUT
# policy DROP and no later accept visible here, new SSH connections arriving
# on 6win are not allowed by this file as written. If the intent is what the
# comment says, each rule needs "-j ACCEPT" appended; confirm with the author,
# since that exposes sshd on the external interface.
# NOTE(review): the two destinations follow different patterns
# (2001:638:a00:bb::f00a:2 vs 2001:638:a00::f00b:1); verify both are
# addresses of this host.
-A INPUT --in-interface 6win --destination 2001:638:a00:bb::f00a:2/128 -p tcp --destination-port ssh -m state --state NEW
-A INPUT --in-interface 6win --destination 2001:638:a00::f00b:1/128 -p tcp --destination-port ssh -m state --state NEW

### STATIC HOST ENTRIES ###
# servers to be inserted HERE

## ente, without any protection
# Forwards everything between 6win and this one host in both directions, with
# no protocol, port or state restriction. Anything arriving on 6win for that
# address reaches it, so the host's own filtering and service hardening are
# its only protection.
-A FORWARD --in-interface 6win --out-interface eth0 --destination 2001:638:a00:f00b::11 -j ACCEPT
-A FORWARD --in-interface eth0 --out-interface 6win --source 2001:638:a00:f00b::11 -j ACCEPT

### DYNAMIC PART ###