IPv6 for Fedora services?

Matt Domsch Matt_Domsch at dell.com
Mon Aug 24 22:11:37 UTC 2009


On Mon, Aug 24, 2009 at 06:17:44AM +0100, David JM Emmett wrote:
> That is why ip6tables exists ;)

Here's a proposed ip6tables-template.conf.erb.  It's based on the
iptables template, with all the IPv4-specific stuff stripped out.
This should let our current model of using defined per-service ports
work:

    # Firewall Rules, allow HTTP traffic through
    $tcpPorts = [ 80, 443, 873, 8080 ]
    $udpPorts = []
    $custom = []

    # Render the template into the ip6tables-save format file that the
    # ip6tables init script loads; a change to the rules restarts the service.
    file { "/etc/sysconfig/ip6tables":
        content => template("system/ip6tables-template.conf.erb"),
        notify  => Service["ip6tables"],
    }

    service { "ip6tables":
        ensure    => running,
        hasstatus => true,
    }



------

*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]

# loopback allowed
-A INPUT -i lo -j ACCEPT

# Accept ping and traceroute (needs icmp)
-A INPUT -p ipv6-icmp -j ACCEPT

# Established connections allowed
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# SSH
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT

# Custom Services
<% custom.each do |cust| -%>
<%= cust %>
<% end -%>

# Services TCP
<% tcpPorts.each do |port| -%>
-A INPUT -m state --state NEW -m tcp -p tcp --dport <%= port %> -j ACCEPT
<% end -%>

# Services UDP
<% udpPorts.each do |port| -%>
-A INPUT -m state --state NEW -m udp -p udp --dport <%= port %> -j ACCEPT
<% end -%>

-A INPUT -j REJECT --reject-with icmp6-adm-prohibited
-A FORWARD -j REJECT --reject-with icmp6-adm-prohibited
COMMIT
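To see what the template above actually produces for a given node, and to catch the two ways the per-service model can go wrong (a $custom entry that duplicates a rule, or one that jumps to REJECT ahead of the service ports so everything after it is unreachable), here is an added example in plain Ruby ERB. It is not from the post or the Fedora puppet repository; it embeds a copy of the template (comments dropped) and two hypothetical helpers, render_ip6tables and audit_rules, that are assumptions for this illustration.

```ruby
require 'erb'

# Copy of the posted ip6tables-template.conf.erb, embedded here so the
# example runs without Puppet (comments dropped to save space).
IP6TABLES_TEMPLATE = <<~'ERB'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p ipv6-icmp -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
<% custom.each do |cust| -%>
<%= cust %>
<% end -%>
<% tcpPorts.each do |port| -%>
-A INPUT -m state --state NEW -m tcp -p tcp --dport <%= port %> -j ACCEPT
<% end -%>
<% udpPorts.each do |port| -%>
-A INPUT -m state --state NEW -m udp -p udp --dport <%= port %> -j ACCEPT
<% end -%>
-A INPUT -j REJECT --reject-with icmp6-adm-prohibited
-A FORWARD -j REJECT --reject-with icmp6-adm-prohibited
COMMIT
ERB

# Render as Puppet would: the three node variables are visible to the template.
def render_ip6tables(tcpPorts, udpPorts, custom)
  ERB.new(IP6TABLES_TEMPLATE, trim_mode: '-').result(binding)
end

# Sanity-check the generated INPUT chain before it reaches ip6tables-restore.
def audit_rules(ruleset)
  findings = []
  input = ruleset.lines.map(&:strip).select { |l| l.start_with?('-A INPUT') }
  findings << 'INPUT chain does not end in a REJECT' unless input.last.to_s.include?('-j REJECT')
  reject_seen = false
  input.each do |rule|
    # Anything rendered after a REJECT (e.g. a $custom reject) is dead.
    findings << "unreachable rule after REJECT: #{rule}" if reject_seen
    reject_seen ||= rule.include?('-j REJECT')
  end
  dports = input.map { |r| r[/-p (?:tcp|udp) --dport \S+/] }.compact
  dports.group_by(&:itself).each { |p, hits| findings << "duplicate rule for #{p}" if hits.size > 1 }
  findings
end

puts render_ip6tables([80, 443, 873, 8080], [], [])
```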



