Iptables-Script IPv6

Einfaches Stateful-Firewall-Script mit Iptables als Teil der Endpoint-Security für Linux-Server.

homelabiptables


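#!/usr/bin/env bash
#
# Stateful IPv6 host firewall built with ip6tables.
#
# Inbound policy: accept established/related flows and loopback, accept the
# ICMPv6 messages IPv6 needs to function at all (NDP, MLD, error messages,
# ping) and DHCPv6 replies, dispatch new TCP/UDP connections to the TCP/UDP
# chains (empty by default, i.e. no service is reachable), then log (rate
# limited) and reject everything else. FORWARD is dropped, OUTPUT allowed.
# The final ruleset is saved to /etc/iptables/rules.v6 for reloading at boot.
#
# Must run as root. Takes no arguments.
#
# NOTE(review): rules are applied one command at a time, not atomically. Right
# after the flush the inherited INPUT policy (DROP after a previous run) drops
# every packet, including the SSH session running this script, until the
# RELATED,ESTABLISHED rule is re-added. Loading the ruleset via
# ip6tables-restore would close that window.
set -euo pipefail

readonly RULES_FILE=/etc/iptables/rules.v6
# Rate limit applied to every LOG rule so a scan or flood cannot fill the
# journal (an unlimited LOG target is a cheap log-exhaustion vector).
readonly LOG_LIMIT=(-m limit --limit 5/min --limit-burst 10)

# Inbound services to accept. Empty by default: nothing is reachable from the
# network. Ports listed in the original script as examples:
#   TCP 22 80 139 443 445 1081 3128 8118
#   UDP 53 138 139
TCP_PORTS=()
UDP_PORTS=()

die() { printf '%s\n' "$*" >&2; exit 1; }

#######################################
# 1. Flush, delete and zero every chain in all ip6tables tables.
# NOTE(review): the nat table was already part of the original flush; kernels
# without IPv6 NAT support would make that step fail under `set -e` — confirm
# on the target hosts or remove "nat" from the list there.
#######################################
flush_tables() {
  local table
  for table in filter nat mangle raw; do
    ip6tables -t "$table" -F
    ip6tables -t "$table" -X
    ip6tables -t "$table" -Z
  done
}

#######################################
# 2./3. Create the dispatch chains and set fail-closed default policies.
#######################################
create_chains() {
  ip6tables -N TCP
  ip6tables -N UDP
  ip6tables -P INPUT DROP
  ip6tables -P FORWARD DROP
  ip6tables -P OUTPUT ACCEPT
}

#######################################
# 4. Stateful base rules plus the ICMPv6/DHCPv6 traffic IPv6 depends on
#    (see RFC 4890 for the ICMPv6 filtering recommendations).
#######################################
base_rules() {
  ip6tables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
  ip6tables -A INPUT -i lo -j ACCEPT
  ip6tables -A INPUT -m conntrack --ctstate INVALID -j DROP

  # All ICMPv6 from link-local neighbours: MLD queries, router advertisements,
  # most Neighbor Discovery. Kept from the original ruleset.
  ip6tables -A INPUT -s fe80::/10 -p ipv6-icmp -j ACCEPT

  # Neighbor Solicitation/Advertisement (types 135/136) are NOT always sent
  # from fe80::/10: DAD probes use the unspecified source "::" and NS from a
  # host resolving a global address may carry that global source (RFC 4861).
  # A source-only rule silently breaks DAD and address resolution. Genuine
  # NDP always arrives with hop limit 255, so that is the check used here.
  local type
  for type in 135 136; do
    ip6tables -A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type "$type" \
      -m hl --hl-eq 255 -j ACCEPT
  done

  # ICMPv6 error messages (1 destination unreachable, 2 packet too big,
  # 3 time exceeded, 4 parameter problem). Those tied to a tracked flow are
  # already RELATED above; accepting them explicitly covers the untracked
  # cases so path-MTU discovery keeps working.
  for type in 1 2 3 4; do
    ip6tables -A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type "$type" -j ACCEPT
  done

  # DHCPv6 replies: server/relay port 547 -> client port 546.
  ip6tables -A INPUT -p udp --sport 547 --dport 546 -j ACCEPT

  # Echo request (ping), type 128.
  ip6tables -A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 128 \
    -m conntrack --ctstate NEW -j ACCEPT
}

#######################################
# 5. Dispatch new connections to the TCP/UDP chains. Only a clean SYN
#    enters the TCP chain; other flag combinations fall through to reject.
#######################################
dispatch_rules() {
  ip6tables -A INPUT -p tcp --tcp-flags FIN,SYN,RST,ACK SYN \
    -m conntrack --ctstate NEW -j TCP
  ip6tables -A INPUT -p udp -m conntrack --ctstate NEW -j UDP
}

#######################################
# 6./7. Allow the configured inbound services.
# Globals: TCP_PORTS, UDP_PORTS (read)
# The ${arr[@]+"${arr[@]}"} form keeps `set -u` happy on an empty array in
# bash versions before 4.4.
#######################################
service_rules() {
  local port
  for port in ${TCP_PORTS[@]+"${TCP_PORTS[@]}"}; do
    ip6tables -A TCP -p tcp --dport "$port" -j ACCEPT
  done
  for port in ${UDP_PORTS[@]+"${UDP_PORTS[@]}"}; do
    ip6tables -A UDP -p udp --dport "$port" -j ACCEPT
  done
}

#######################################
# 8. Log (rate limited) and reject everything else. TCP gets a RST, the
#    rest an administratively-prohibited ICMPv6 error, as in the original.
#######################################
reject_rules() {
  ip6tables -A INPUT -p udp "${LOG_LIMIT[@]}" -j LOG \
    --log-prefix "[iptables_ipv6_udp]: " --log-level 7 --log-uid
  ip6tables -A INPUT -p udp -j REJECT --reject-with icmp6-adm-prohibited
  ip6tables -A INPUT -p tcp "${LOG_LIMIT[@]}" -j LOG \
    --log-prefix "[iptables_ipv6_tcp]: " --log-level 7 --log-uid
  ip6tables -A INPUT -p tcp -j REJECT --reject-with tcp-reset
  ip6tables -A INPUT "${LOG_LIMIT[@]}" -j LOG \
    --log-prefix "[iptables_ipv6]: " --log-level 7 --log-uid
  ip6tables -A INPUT -j REJECT --reject-with icmp6-adm-prohibited
}

#######################################
# 9. Persist the active ruleset.
# Globals: RULES_FILE (read)
#######################################
persist_rules() {
  mkdir -p -- "${RULES_FILE%/*}"
  ip6tables-save > "$RULES_FILE"
}

main() {
  # ip6tables needs CAP_NET_ADMIN; fail early with a clear message instead of
  # half-way through the ruleset.
  (( EUID == 0 )) || die "this script must run as root"
  command -v ip6tables >/dev/null || die "ip6tables not found"

  flush_tables
  create_chains
  base_rules
  dispatch_rules
  service_rules
  reject_rules
  persist_rules

  # 10. Display info in terminal.
  printf '\n[IPv6] packets will be FILTERED.\n\n'
}

main "$@"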