#
# rules.before
#
# Rules that should be run before the ufw command line added rules. Custom
# rules should be added to one of these chains:
#   ufw6-before-input
#   ufw6-before-output
#   ufw6-before-forward
#
# NOTE(review): this is an IPv6 rule set in ip6tables-restore format (the
# ufw6-* chains and icmpv6 matches). Rules are appended (-A) in file order,
# so within a chain the first matching rule with a terminating target wins;
# the ordering comments below rely on that.

# NAT table rules
# NOTE(review): the DNAT rules in this table are the only site-specific
# additions visible here; everything from "*filter" on looks like the stock
# ufw IPv6 before-rules (confirm against the packaged original).
# "-F" flushes the entire nat table every time this file is loaded, so nat
# rules maintained anywhere else are silently lost on reload.
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-F

# Redirect DNS (udp/tcp 53) and tcp/4711 arriving on enp2s0 to one ULA
# (fd00::/8) host -- presumably a container or VM behind this machine; which
# service listens on 4711 is not visible here, confirm before relying on it.
# Review notes (security/robustness):
#  * No -s match: every host that can reach enp2s0 on these ports is handed
#    to the internal resolver. If enp2s0 is the Internet-facing interface
#    this makes it an open resolver (abuse/amplification risk); add
#    "-s <trusted-prefix>" or enforce a client ACL on the resolver itself.
#  * No -d match either: any port-53 traffic entering enp2s0 is rewritten,
#    not only traffic addressed to this host.
#  * DNAT only rewrites the destination; the packet still has to pass the
#    filter FORWARD path. ufw6-before-forward below accepts only
#    RELATED,ESTABLISHED and ICMPv6, so the NEW connections need a forward
#    allow somewhere else (e.g. ufw route rules) -- verify end to end.
#  * The target address looks EUI-64 derived ("ff:fe" in the interface id),
#    i.e. tied to the target's MAC -- TODO confirm. If so, recreating the
#    container with a new MAC leaves these rules pointing at nothing; a
#    statically assigned address is safer.
-A PREROUTING -i enp2s0 -p udp --dport 53 -j DNAT --to-destination fd42:a5da:c674:882c:216:3eff:fe3c:ef32
-A PREROUTING -i enp2s0 -p tcp --dport 53 -j DNAT --to-destination fd42:a5da:c674:882c:216:3eff:fe3c:ef32
-A PREROUTING -i enp2s0 -p tcp --dport 4711 -j DNAT --to-destination fd42:a5da:c674:882c:216:3eff:fe3c:ef32

COMMIT

# Don't delete these required lines, otherwise there will be errors
*filter
:ufw6-before-input - [0:0]
:ufw6-before-output - [0:0]
:ufw6-before-forward - [0:0]
# End required lines


# allow all on loopback
-A ufw6-before-input -i lo -j ACCEPT
-A ufw6-before-output -o lo -j ACCEPT

# drop packets with RH0 headers
# (type-0 routing header; deprecated by RFC 5095 because it allows traffic
# amplification / source-routing games)
-A ufw6-before-input -m rt --rt-type 0 -j DROP
-A ufw6-before-forward -m rt --rt-type 0 -j DROP
-A ufw6-before-output -m rt --rt-type 0 -j DROP

# quickly process packets for which we already have a connection
# Everything after these three rules therefore only sees NEW, INVALID or
# stateless traffic (including the DNAT'd flows from the nat table above).
-A ufw6-before-input -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw6-before-output -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw6-before-forward -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

# multicast ping replies are part of the ok icmp codes for INPUT (rfc4890,
# 4.4.1 and 4.4.2), but don't have an associated connection and would
# otherwise be marked INVALID, so allow them here instead.
-A ufw6-before-input -p icmpv6 --icmpv6-type echo-reply -j ACCEPT

# drop INVALID packets (logs these in loglevel medium and higher)
# ufw6-logging-deny is not defined in this file; presumably ufw creates it
# in its other rule files -- verify, otherwise the restore fails.
-A ufw6-before-input -m conntrack --ctstate INVALID -j ufw6-logging-deny
-A ufw6-before-input -m conntrack --ctstate INVALID -j DROP

# ok icmp codes for INPUT (rfc4890, 4.4.1 and 4.4.2)
-A ufw6-before-input -p icmpv6 --icmpv6-type destination-unreachable -j ACCEPT
-A ufw6-before-input -p icmpv6 --icmpv6-type packet-too-big -j ACCEPT
# codes 0 and 1
-A ufw6-before-input -p icmpv6 --icmpv6-type time-exceeded -j ACCEPT
# codes 0-2 (echo-reply needs to be before INVALID, see above)
-A ufw6-before-input -p icmpv6 --icmpv6-type parameter-problem -j ACCEPT
-A ufw6-before-input -p icmpv6 --icmpv6-type echo-request -j ACCEPT
# NDP messages: "--hl-eq 255" only accepts packets whose hop limit is still
# 255, i.e. ones that no router has forwarded, so they must come from the
# local link.
-A ufw6-before-input -p icmpv6 --icmpv6-type router-solicitation -m hl --hl-eq 255 -j ACCEPT
-A ufw6-before-input -p icmpv6 --icmpv6-type router-advertisement -m hl --hl-eq 255 -j ACCEPT
-A ufw6-before-input -p icmpv6 --icmpv6-type neighbor-solicitation -m hl --hl-eq 255 -j ACCEPT
-A ufw6-before-input -p icmpv6 --icmpv6-type neighbor-advertisement -m hl --hl-eq 255 -j ACCEPT
# IND solicitation
-A ufw6-before-input -p icmpv6 --icmpv6-type 141 -m hl --hl-eq 255 -j ACCEPT
# IND advertisement
-A ufw6-before-input -p icmpv6 --icmpv6-type 142 -m hl --hl-eq 255 -j ACCEPT
# MLD messages are restricted to link-local sources (fe80::/10)
# MLD query
-A ufw6-before-input -p icmpv6 --icmpv6-type 130 -s fe80::/10 -j ACCEPT
# MLD report
-A ufw6-before-input -p icmpv6 --icmpv6-type 131 -s fe80::/10 -j ACCEPT
# MLD done
-A ufw6-before-input -p icmpv6 --icmpv6-type 132 -s fe80::/10 -j ACCEPT
# MLD report v2
-A ufw6-before-input -p icmpv6 --icmpv6-type 143 -s fe80::/10 -j ACCEPT
# SEND certificate path solicitation
-A ufw6-before-input -p icmpv6 --icmpv6-type 148 -m hl --hl-eq 255 -j ACCEPT
# SEND certificate path advertisement
-A ufw6-before-input -p icmpv6 --icmpv6-type 149 -m hl --hl-eq 255 -j ACCEPT
# Multicast Router Discovery: link-local source and hop limit exactly 1
# MR advertisement
-A ufw6-before-input -p icmpv6 --icmpv6-type 151 -s fe80::/10 -m hl --hl-eq 1 -j ACCEPT
# MR solicitation
-A ufw6-before-input -p icmpv6 --icmpv6-type 152 -s fe80::/10 -m hl --hl-eq 1 -j ACCEPT
# MR termination
-A ufw6-before-input -p icmpv6 --icmpv6-type 153 -s fe80::/10 -m hl --hl-eq 1 -j ACCEPT

# ok icmp codes for OUTPUT (rfc4890, 4.4.1 and 4.4.2)
-A ufw6-before-output -p icmpv6 --icmpv6-type destination-unreachable -j ACCEPT
-A ufw6-before-output -p icmpv6 --icmpv6-type packet-too-big -j ACCEPT
# codes 0 and 1
-A ufw6-before-output -p icmpv6 --icmpv6-type time-exceeded -j ACCEPT
# codes 0-2
-A ufw6-before-output -p icmpv6 --icmpv6-type parameter-problem -j ACCEPT
-A ufw6-before-output -p icmpv6 --icmpv6-type echo-request -j ACCEPT
-A ufw6-before-output -p icmpv6 --icmpv6-type echo-reply -j ACCEPT
-A ufw6-before-output -p icmpv6 --icmpv6-type router-solicitation -m hl --hl-eq 255 -j ACCEPT
-A ufw6-before-output -p icmpv6 --icmpv6-type neighbor-advertisement -m hl --hl-eq 255 -j ACCEPT
-A ufw6-before-output -p icmpv6 --icmpv6-type neighbor-solicitation -m hl --hl-eq 255 -j ACCEPT
-A ufw6-before-output -p icmpv6 --icmpv6-type router-advertisement -m hl --hl-eq 255 -j ACCEPT
# IND solicitation
-A ufw6-before-output -p icmpv6 --icmpv6-type 141 -m hl --hl-eq 255 -j ACCEPT
# IND advertisement
-A ufw6-before-output -p icmpv6 --icmpv6-type 142 -m hl --hl-eq 255 -j ACCEPT
# MLD query
-A ufw6-before-output -p icmpv6 --icmpv6-type 130 -s fe80::/10 -j ACCEPT
# MLD report
-A ufw6-before-output -p icmpv6 --icmpv6-type 131 -s fe80::/10 -j ACCEPT
# MLD done
-A ufw6-before-output -p icmpv6 --icmpv6-type 132 -s fe80::/10 -j ACCEPT
# MLD report v2
-A ufw6-before-output -p icmpv6 --icmpv6-type 143 -s fe80::/10 -j ACCEPT
# SEND certificate path solicitation
-A ufw6-before-output -p icmpv6 --icmpv6-type 148 -m hl --hl-eq 255 -j ACCEPT
# SEND certificate path advertisement
-A ufw6-before-output -p icmpv6 --icmpv6-type 149 -m hl --hl-eq 255 -j ACCEPT
# MR advertisement
-A ufw6-before-output -p icmpv6 --icmpv6-type 151 -s fe80::/10 -m hl --hl-eq 1 -j ACCEPT
# MR solicitation
-A ufw6-before-output -p icmpv6 --icmpv6-type 152 -s fe80::/10 -m hl --hl-eq 1 -j ACCEPT
# MR termination
-A ufw6-before-output -p icmpv6 --icmpv6-type 153 -s fe80::/10 -m hl --hl-eq 1 -j ACCEPT

# ok icmp codes for FORWARD (rfc4890, 4.3.1)
-A ufw6-before-forward -p icmpv6 --icmpv6-type destination-unreachable -j ACCEPT
-A ufw6-before-forward -p icmpv6 --icmpv6-type packet-too-big -j ACCEPT
# codes 0 and 1
-A ufw6-before-forward -p icmpv6 --icmpv6-type time-exceeded -j ACCEPT
# codes 0-2
-A ufw6-before-forward -p icmpv6 --icmpv6-type parameter-problem -j ACCEPT
-A ufw6-before-forward -p icmpv6 --icmpv6-type echo-request -j ACCEPT
-A ufw6-before-forward -p icmpv6 --icmpv6-type echo-reply -j ACCEPT
# ok icmp codes for FORWARD (rfc4890, 4.3.2)
# NOTE(review): despite the FORWARD heading, the four Mobile IPv6 rules
# below are appended to ufw6-before-input, not ufw6-before-forward. Verify
# whether that is intended before changing it.
# Home Agent Address Discovery Request
-A ufw6-before-input -p icmpv6 --icmpv6-type 144 -j ACCEPT
# Home Agent Address Discovery Reply
-A ufw6-before-input -p icmpv6 --icmpv6-type 145 -j ACCEPT
# Mobile Prefix Solicitation
-A ufw6-before-input -p icmpv6 --icmpv6-type 146 -j ACCEPT
# Mobile Prefix Advertisement
-A ufw6-before-input -p icmpv6 --icmpv6-type 147 -j ACCEPT

# allow dhcp client to work
# DHCPv6 server (547) -> client (546), both ends restricted to link-local
-A ufw6-before-input -p udp -s fe80::/10 --sport 547 -d fe80::/10 --dport 546 -j ACCEPT

# allow MULTICAST mDNS for service discovery
# matched on the mDNS multicast group only, not on the host's own addresses
-A ufw6-before-input -p udp -d ff02::fb --dport 5353 -j ACCEPT

# allow MULTICAST UPnP for service discovery
-A ufw6-before-input -p udp -d ff02::f --dport 1900 -j ACCEPT

# don't delete the 'COMMIT' line or these rules won't be processed
COMMIT