Initial commit

files/iptables/ip6tables.rules

@@ -0,0 +1,48 @@
+*filter
+:INPUT DROP [0:0]
+:FORWARD DROP [0:0]
+:OUTPUT ACCEPT [0:0]
+:TCP - [0:0]
+:UDP - [0:0]
+:SSH - [0:0]
+
+# Drop packets with RH0 headers
+-A INPUT -m rt --rt-type 0 -j DROP
+-A OUTPUT -m rt --rt-type 0 -j DROP
+-A FORWARD -m rt --rt-type 0 -j DROP
+
+# Rate limit ping requests
+-A INPUT -p icmpv6 --icmpv6-type echo-request -m limit --limit 30/min --limit-burst 8 -j ACCEPT
+-A INPUT -p icmpv6 --icmpv6-type echo-request -j DROP
+
+# Accept established connections
+-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+
+# Accept all traffic on loopback interface
+-A INPUT -i lo -j ACCEPT
+
+# Drop packets declared invalid
+-A INPUT -m conntrack --ctstate INVALID -j DROP
+
+# SSH rate limiting
+-A INPUT -p tcp --dport ssh -m conntrack --ctstate NEW -j SSH
+-A SSH -m recent --name sshbf --rttl --rcheck --hitcount 3 --seconds 10 -j DROP
+-A SSH -m recent --name sshbf --rttl --rcheck --hitcount 20 --seconds 1800 -j DROP
+-A SSH -m recent --name sshbf --set -j ACCEPT
+
+# Send TCP and UDP connections to their respective rules chain
+-A INPUT -p udp -m conntrack --ctstate NEW -j UDP
+-A INPUT -p tcp --syn -m conntrack --ctstate NEW -j TCP
+
+# Reject dropped packets with a RFC compliant responce
+-A INPUT -p udp -j REJECT --reject-with icmp6-adm-prohibited
+-A INPUT -p tcp -j REJECT --reject-with icmp6-adm-prohibited
+-A INPUT -j REJECT --reject-with icmp6-adm-prohibited
+
+## TCP PORT RULES
+# -A TCP -p tcp -j LOG
+
+## UDP PORT RULES
+# -A UDP -p udp -j LOG
+
+COMMIT