nexedi / re6stnet

Commit 7ea5aa2a, authored Mar 13, 2018 by Julien Muchembled

doc: extend fw example to warn about --interface and --ipv4

parent 3a89d3d9

Showing 1 changed file with 16 additions and 4 deletions

examples/iptables-rules.sh (+16, -4)
#!/bin/sh
#
# Example iptables/ip6tables rules
for re6st on a desktop computer: REJECT
# everything by default:
# Example iptables/ip6tables rules
on a desktop computer when re6st is only
#
used to build an IPv6 overlay network. REJECT
everything by default:
#
# - Incoming traffic (INPUT): only open ports needed for re6st and also allow
# packets associated with an existing connection (ESTABLISHED, RELATED).
#
# - Forwarding traffic (FORWARD):
do nothing as
a re6st node is a router and
# - Forwarding traffic (FORWARD): a re6st node is a router and
# it is crucial that it never drops any packet between two other nodes.
#
# - Outgoing traffic (OUTPUT): allow new/existing connections (NEW,
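Review bot: the rewritten header comment (the "when re6st is only used to build an IPv6 overlay network" sentence) never mentions the two options the commit message says this change warns about, so a reader who stops at the header does not learn that --interface and --ipv4 change which rules are needed. Suggest one extra header line such as `# If you run re6st with --interface or --ipv4, read the comments in the sections below.`, since the only hints are the later `# For every --interface option:` and `# more rules needed if you set up a private IPv4 network` comments.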
@@ -34,15 +34,23 @@ iptables -A INPUT -p udp -m udp --sport 1900 -s $GATEWAY_IP -j ACCEPT
iptables
-A
OUTPUT
-o
lo
-j
ACCEPT
iptables
-A
OUTPUT
-m
state
--state
NEW,RELATED,ESTABLISHED
-j
ACCEPT
# more rules needed if you set up a private IPv4 network
## IPv6
ip6tables
-P
INPUT REJECT
ip6tables
-P
FORWARD REJECT
ip6tables
-P
OUTPUT REJECT
ip6tables
-N
RE6ST
ip6tables
-A
RE6ST
-i
re6stnet+
-j
ACCEPT
# For every --interface option:
ip6tables
-A
RE6ST
-i
eth0
-j
ACCEPT
ip6tables
-A
INPUT
-i
lo
-j
ACCEPT
ip6tables
-A
INPUT
-m
state
--state
RELATED,ESTABLISHED
-j
ACCEPT
ip6tables
-A
INPUT
-p
udp
-m
udp
--dport
babel
--src
fe80::/10
-j
ACCEPT
# Babel
ip6tables
-A
INPUT
-
i
re6stnet+
-p
udp
-m
udp
--dport
326
-j
ACCEP
T
ip6tables
-A
INPUT
-
p
udp
-m
udp
--dport
326
-j
RE6S
T
ip6tables
-A
INPUT
-p
ipv6-icmp
-m
icmp6
--icmpv6-type
destination-unreachable
-j
ACCEPT
ip6tables
-A
INPUT
-p
ipv6-icmp
-m
icmp6
--icmpv6-type
packet-too-big
-j
ACCEPT
ip6tables
-A
INPUT
-p
ipv6-icmp
-m
icmp6
--icmpv6-type
time-exceeded
-j
ACCEPT
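Review bot: the `# For every --interface option:` comment above the new RE6ST chain should state what happens when an interface is left out: the chain matches only on `-i` and has no terminal rule, so udp/326 traffic arriving on an unlisted interface returns to INPUT and is discarded by the `-P INPUT REJECT` policy, which means peers on that interface silently fail to connect. Also mark `eth0` as a placeholder to be replaced by the real --interface value(s), and name the option in the IPv4 comment (`# more rules needed if you set up a private IPv4 network`), since the commit message refers to --ipv4 but that word does not appear in the file.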
@@ -52,6 +60,10 @@ ip6tables -A INPUT -p icmpv6 --icmpv6-type echo-reply -m limit --limit 900/min -
ip6tables
-A
INPUT
-p
icmpv6
--icmpv6-type
neighbor-solicitation
-m
hl
--hl-eq
255
-j
ACCEPT
ip6tables
-A
INPUT
-p
icmpv6
--icmpv6-type
neighbor-advertisement
-m
hl
--hl-eq
255
-j
ACCEPT
ip6tables
-A
FORWARD
-o
re6stnet+
-j
RE6ST
# Same as in RE6ST chain.
ip6tables
-A
FORWARD
-o
eth0
-j
RE6ST
ip6tables
-A
OUTPUT
-o
lo
-j
ACCEPT
ip6tables
-A
OUTPUT
-m
state
--state
NEW,RELATED,ESTABLISHED
-j
ACCEPT
ip6tables
-A
OUTPUT
-p
ipv6-icmp
-m
icmp6
--icmpv6-type
destination-unreachable
-j
ACCEPT
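Review bot: the `# Same as in RE6ST chain.` comment is ambiguous, because these FORWARD rules match on the output interface (`-o re6stnet+`, `-o eth0`) and then jump to a chain whose rules match on the input interface (`-i`), so a forwarded packet is accepted only when both its ingress and egress interfaces are in the set. Suggest saying that explicitly and adding that each --interface value must appear twice, once as `-i` in RE6ST and once as `-o` in FORWARD; otherwise the `-P FORWARD REJECT` policy drops transit between other nodes, which the header comment says must never happen.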