Bonsoir,
Maintenant que mon server@home est disponible sur ipv6. Je m’attelle à essayer de gérer ip6tables.
Sans règles, on atteint le serveur sur les ports HTTP, HTTPS, et je peux pinguer sans problème.
Avec, ça passe directement dans le flux ICMPv6 pour être rejeté !
LE flux à destination du port 80, ou 443 ne rentre même pas …
Voici les règles :
*filter
# Base policy
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:admins6 - [0:0]
#-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i em0 -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A INPUT -i em0 -p tcp -m conntrack --ctstate RELATED -j ACCEPT
-A INPUT -i em0 -p udp -m conntrack --ctstate ESTABLISHED -j ACCEPT
# drop bad
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -s ::1/128 ! -i lo -j DROP
# accept differents services.
-A INPUT -p tcp -m multiport --dports 80,443 --syn -m conntrack --ctstate NEW -j ACCEPT
# ICMPv6
-A INPUT -i em0 -p icmpv6 -m limit --limit 3/s --limit-burst 7 -j ACCEPT
-A INPUT -p icmpv6 --icmpv6-type 1 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p icmpv6 --icmpv6-type 2/0 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p icmpv6 --icmpv6-type 3/0 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p icmpv6 --icmpv6-type 3/1 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p icmpv6 --icmpv6-type 4/0 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p icmpv6 --icmpv6-type 4/1 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p icmpv6 --icmpv6-type 4/2 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p icmpv6 --icmpv6-type 100 -j DROP
-A INPUT -p icmpv6 --icmpv6-type 101 -j DROP
-A INPUT -p icmpv6 --icmpv6-type 127 -j DROP
-A INPUT -p icmpv6 --icmpv6-type 128 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p icmpv6 --icmpv6-type 129 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p icmpv6 --icmpv6-type 130/0 -s fe80::/64 -m conntrack --ctstate NEW -m hl --hl-eq 1 -j ACCEPT
-A INPUT -p icmpv6 --icmpv6-type 131/0 -s fe80::/64 -m conntrack --ctstate NEW -m hl --hl-eq 1 -j ACCEPT
-A INPUT -p icmpv6 --icmpv6-type 132/0 -s fe80::/64 -m conntrack --ctstate NEW -m hl --hl-eq 1 -j ACCEPT
-A INPUT -p icmpv6 --icmpv6-type 133/0 -m state --state RELATED -m hl --hl-eq 255 -j ACCEPT
-A INPUT -p icmpv6 --icmpv6-type 134/0 -s fe80::/64 -m state --state RELATED -m hl --hl-eq 255 -j ACCEPT
-A INPUT -p icmpv6 --icmpv6-type 135/0 -m state --state RELATED -m hl --hl-eq 255 -j ACCEPT
-A INPUT -p icmpv6 --icmpv6-type 136/0 -m state --state RELATED -m hl --hl-eq 255 -j ACCEPT
-A INPUT -p icmpv6 --icmpv6-type 137/0 -j DROP
-A INPUT -p icmpv6 --icmpv6-type 138/0 -j DROP
-A INPUT -p icmpv6 --icmpv6-type 139/0 -j DROP
-A INPUT -p icmpv6 --icmpv6-type 140/0 -j DROP
-A INPUT -p icmpv6 --icmpv6-type 141/0 -d ff02::1 -m state --state RELATED -m hl --hl-eq 255 -j ACCEPT
-A INPUT -p icmpv6 --icmpv6-type 142/0 -m state --state RELATED -m hl --hl-eq 255 -j ACCEPT
-A INPUT -p icmpv6 --icmpv6-type 143 -s fe80::/64 -m conntrack --ctstate NEW -m hl --hl-eq 1 -j ACCEPT
-A INPUT -p icmpv6 --icmpv6-type 144/0 -j DROP
-A INPUT -p icmpv6 --icmpv6-type 145/0 -j DROP
-A INPUT -p icmpv6 --icmpv6-type 146/0 -j DROP
-A INPUT -p icmpv6 --icmpv6-type 147 -j DROP
-A INPUT -p icmpv6 --icmpv6-type 148 -m state --state RELATED -m hl --hl-eq 255 -j ACCEPT
-A INPUT -p icmpv6 --icmpv6-type 149 -m state --state RELATED -m hl --hl-eq 255 -j ACCEPT
-A INPUT -p icmpv6 --icmpv6-type 151 -s fe80::/64 -m conntrack --ctstate NEW -m hl --hl-eq 1 -j ACCEPT
-A INPUT -p icmpv6 --icmpv6-type 152 -s fe80::/64 -m conntrack --ctstate NEW -m hl --hl-eq 1 -j ACCEPT
-A INPUT -p icmpv6 --icmpv6-type 153 -s fe80::/64 -m conntrack --ctstate NEW -m hl --hl-eq 1 -j ACCEPT
-A INPUT -p icmpv6 --icmpv6-type 200 -j DROP
-A INPUT -p icmpv6 --icmpv6-type 201 -j DROP
-A INPUT -p icmpv6 --icmpv6-type 255 -j DROP
-A INPUT -p icmpv6 -j REJECT --reject-with no-route
# OUTPUT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -o em0 -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A OUTPUT -o em0 -p tcp -m conntrack --ctstate RELATED -j ACCEPT
-A OUTPUT -o em0 -p udp -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A OUTPUT -o em0 -m conntrack --ctstate INVALID -j DROP
-A OUTPUT -p udp -m multiport --dports 53 -m conntrack --ctstate NEW -m comment --comment "UDP (DNS, mDNS) ports authorized" -j ACCEPT
-A OUTPUT -p udp -m multiport --dports 123 -m conntrack --ctstate NEW -m comment --comment "Others UDP ports authorized" -j ACCEPT
-A OUTPUT -p icmpv6 --icmpv6-type 1 -m conntrack --ctstate NEW -m limit --limit 3/s --limit-burst 7 -j ACCEPT
-A OUTPUT -p icmpv6 --icmpv6-type 2/0 -m conntrack --ctstate NEW -j ACCEPT
-A OUTPUT -p icmpv6 --icmpv6-type 3/0 -m conntrack --ctstate NEW -j ACCEPT
-A OUTPUT -p icmpv6 --icmpv6-type 3/1 -m conntrack --ctstate NEW -j ACCEPT
-A OUTPUT -p icmpv6 --icmpv6-type 4/0 -m conntrack --ctstate NEW -m limit --limit 3/s --limit-burst 7 -j ACCEPT
-A OUTPUT -p icmpv6 --icmpv6-type 4/1 -m conntrack --ctstate NEW -m limit --limit 3/s --limit-burst 7 -j ACCEPT
-A OUTPUT -p icmpv6 --icmpv6-type 4/2 -m conntrack --ctstate NEW -m limit --limit 3/s --limit-burst 7 -j ACCEPT
-A OUTPUT -p icmpv6 --icmpv6-type 100 -j DROP
-A OUTPUT -p icmpv6 --icmpv6-type 101 -j DROP
-A OUTPUT -p icmpv6 --icmpv6-type 127 -j DROP
-A OUTPUT -p icmpv6 --icmpv6-type 128/0 -m conntrack --ctstate NEW -j ACCEPT
-A OUTPUT -p icmpv6 --icmpv6-type 129/0 -m conntrack --ctstate NEW -j ACCEPT
-A OUTPUT -p icmpv6 --icmpv6-type 130/0 -m conntrack --ctstate NEW -m hl --hl-eq 1 -j ACCEPT
-A OUTPUT -p icmpv6 --icmpv6-type 131/0 -m conntrack --ctstate NEW -m hl --hl-eq 1 -j ACCEPT
-A OUTPUT -p icmpv6 --icmpv6-type 132/0 -m conntrack --ctstate NEW -m hl --hl-eq 1 -j ACCEPT
-A OUTPUT -p icmpv6 --icmpv6-type 133/0 -m conntrack --ctstate NEW -m hl --hl-eq 255 -j ACCEPT
-A OUTPUT -p icmpv6 --icmpv6-type 134/0 -s fe80::/64 -m hl --hl-eq 255 -j ACCEPT
-A OUTPUT -p icmpv6 --icmpv6-type 135/0 -m conntrack --ctstate NEW -m hl --hl-eq 255 -j ACCEPT
-A OUTPUT -p icmpv6 --icmpv6-type 136/0 -m conntrack --ctstate NEW -m hl --hl-eq 255 -j ACCEPT
-A OUTPUT -p icmpv6 --icmpv6-type 137/0 -j DROP
-A OUTPUT -p icmpv6 --icmpv6-type 138/0 -j DROP
-A OUTPUT -p icmpv6 --icmpv6-type 139/0 -j DROP
-A OUTPUT -p icmpv6 --icmpv6-type 140/0 -j DROP
-A OUTPUT -p icmpv6 --icmpv6-type 141/0 -d ff02::1 -m conntrack --ctstate NEW -m hl --hl-eq 255 -j ACCEPT
-A OUTPUT -p icmpv6 --icmpv6-type 142/0 -m conntrack --ctstate NEW -m hl --hl-eq 255 -j ACCEPT
-A OUTPUT -p icmpv6 --icmpv6-type 143 -m conntrack --ctstate NEW -m hl --hl-eq 1 -j ACCEPT
-A OUTPUT -p icmpv6 --icmpv6-type 144/0 -j DROP
-A OUTPUT -p icmpv6 --icmpv6-type 145/0 -j DROP
-A OUTPUT -p icmpv6 --icmpv6-type 146/0 -j DROP
-A OUTPUT -p icmpv6 --icmpv6-type 147 -j DROP
-A OUTPUT -p icmpv6 --icmpv6-type 148 -m conntrack --ctstate NEW -m hl --hl-eq 255 -j ACCEPT
-A OUTPUT -p icmpv6 --icmpv6-type 149 -m conntrack --ctstate NEW -m hl --hl-eq 255 -j ACCEPT
-A OUTPUT -p icmpv6 --icmpv6-type 151 -m conntrack --ctstate NEW -m hl --hl-eq 1 -j ACCEPT
-A OUTPUT -p icmpv6 --icmpv6-type 152 -m conntrack --ctstate NEW -m hl --hl-eq 1 -j ACCEPT
-A OUTPUT -p icmpv6 --icmpv6-type 153 -m conntrack --ctstate NEW -m hl --hl-eq 1 -j ACCEPT
-A OUTPUT -p icmpv6 --icmpv6-type 200 -j DROP
-A OUTPUT -p icmpv6 --icmpv6-type 201 -j DROP
-A OUTPUT -p icmpv6 --icmpv6-type 255 -j DROP
-A OUTPUT -p icmpv6 -j REJECT --reject-with no-route
COMMIT
Un oeil “neuf” , comme celui de @PascalHambourg, me sera assurément utile !