# Minimal IPv6 firewall configuration
# Use it as an example and a starting point
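*filter
# Built-in chains.  INPUT and FORWARD default to DROP so that a partial load
# (or a later flush) fails closed instead of open.  Once the rules below are
# fully loaded the policy is never consulted: every path through "std" ends
# in a terminal ACCEPT, DROP or REJECT.  OUTPUT stays ACCEPT (no egress
# filtering is done here).
:INPUT		DROP	[0:0]
:FORWARD	DROP	[0:0]
:OUTPUT		ACCEPT	[0:0]
# User-defined chains, declared here like the built-ins rather than with -N
:std		-	[0:0]
:good		-	[0:0]
:logdrop	-	[0:0]
:logrjct	-	[0:0]
#--------------------------------------------------------------
# NFLOG needs a userspace listener (e.g. the ulogd daemon) to report
# dropped/rejected packets; without one the packets are still dropped or
# rejected by the following rule, just not logged.  Under a port scan these
# chains log every probe; "-m limit --limit 10/min --limit-burst 20" on the
# NFLOG lines keeps the log volume bounded if that becomes a problem.
# Log-and-drop chain
-A logdrop	-j NFLOG	--nflog-prefix "IPV6 DROP "
-A logdrop	-j DROP
# Log-and-reject chain (answers with an ICMPv6 "administratively prohibited")
-A logrjct	-j NFLOG	--nflog-prefix "IPV6 RJCT "
-A logrjct	-j REJECT	--reject-with icmp6-adm-prohibited
#--------------------------------------------------------------
# Accept everything on the loopback interface
-A INPUT	-j ACCEPT	-i lo
#--------------------------------------------------------------
# Merge INPUT (server/station) and FORWARD (router) packet handling in "std"
#--------------------------------------------------------------
-A FORWARD	-j std
-A INPUT	-j std
#--------------------------------------------------------------
# Accept packets belonging to established connections.  RELATED also covers
# the FTP data connections tracked by the helper assigned in the raw table,
# and ICMPv6 errors that belong to a known connection.
-A std	-j ACCEPT	-m state --state ESTABLISHED,RELATED
#--------------------------------------------------------------
# ICMPv6: allow only the types IPv6 cannot work without.
# Error reporting and echo
-A std	-j ACCEPT	-p icmpv6 --icmpv6-type Packet-Too-Big
-A std	-j ACCEPT	-p icmpv6 --icmpv6-type echo-reply
-A std	-j ACCEPT	-p icmpv6 --icmpv6-type destination-unreachable
-A std	-j ACCEPT	-p icmpv6 --icmpv6-type echo-request
-A std	-j ACCEPT	-p icmpv6 --icmpv6-type time-exceeded
-A std	-j ACCEPT	-p icmpv6 --icmpv6-type parameter-problem
# Neighbor discovery.  RFC 4861 requires these to carry hop limit 255 and the
# kernel discards ND messages that do not; "-m hl --hl-eq 255" would make
# that explicit here as well.
-A std	-j ACCEPT	-p icmpv6 --icmpv6-type neighbor-solicitation
-A std	-j ACCEPT	-p icmpv6 --icmpv6-type neighbor-advertisement
-A std	-j ACCEPT	-p icmpv6 --icmpv6-type router-advertisement
# Type 130: multicast listener query (MLD)
-A std	-j ACCEPT	-p icmpv6 --icmpv6-type 130
# Type 133: router solicitation
-A std	-j ACCEPT	-p icmpv6 --icmpv6-type 133
# Type 143: MLDv2 multicast listener report
-A std	-j ACCEPT	-p icmpv6 --icmpv6-type 143
# Every other ICMPv6 type (redirects, MLD report/done, unknown) is logged and
# dropped.  A router or MLD-snooping role may additionally need 131/132.
-A std	-j logdrop	-p icmpv6
#--------------------------------------------------------------
# Only the local ("good") networks may open new connections to the services
# below.  These prefixes come from the current network setup: adjust the ULA
# prefix (fc00::/7 is the ULA block) to the site's own.  fe80::/48 contains
# the fe80::/64 that link-local addresses actually use.
-A std	-j good 	-s fc00::0/48
-A std	-j good		-s fe80::0/48
# Reject packets from any other source
-A std	-j logrjct
#--------------------------------------------------------------
# Services reachable from a good origin (new connections only; replies are
# already accepted by the ESTABLISHED,RELATED rule above)
# ssh (remote console access)
-A good	-j ACCEPT	-m state --state NEW	-p tcp	--dport ssh
# imap and pop (email reading)
-A good	-j ACCEPT	-m state --state NEW	-p tcp	--dport pop3
-A good	-j ACCEPT	-m state --state NEW	-p tcp	--dport imap
-A good	-j ACCEPT	-m state --state NEW	-p tcp	--dport pop3s
-A good	-j ACCEPT	-m state --state NEW	-p tcp	--dport imaps
# Web access
-A good	-j ACCEPT	-m state --state NEW	-p tcp	--dport http
-A good	-j ACCEPT	-m state --state NEW	-p tcp	--dport https
# SMTP (email sending)
-A good	-j ACCEPT	-m state --state NEW	-p tcp	--dport smtp
-A good	-j ACCEPT	-m state --state NEW	-p tcp	--dport submission
-A good	-j ACCEPT	-m state --state NEW	-p tcp	--dport submissions
# Printing.  NOTE(review): IPP printing itself runs over TCP 631; UDP 631 is
# only used for CUPS browsing.  Confirm that UDP is what was intended here.
-A good	-j ACCEPT	-m state --state NEW	-p udp	--dport ipp
# Routing information (ripngd)
-A good	-j ACCEPT	-p udp	--dport ripng
# Clock information (NTP)
-A good	-j ACCEPT	-p udp 	--dport ntp
# SNMP probing (unauthenticated UDP, hence limited to the good networks)
-A good	-j ACCEPT	-p udp 	--dport snmp
#--------------------------------------------------------------
# Link-local service discovery and address configuration
# mDNS, only towards its multicast group
-A good	-j ACCEPT	-p udp 		   -d ff02::fb	--dport mdns
# DHCPv6 (client and server ports).  The good chain is only entered from the
# local prefixes; this further restricts DHCPv6 to link-local senders.
-A good	-j ACCEPT	-p udp -s fe80::/10 		--dport dhcpv6-client
-A good	-j ACCEPT	-p udp -s fe80::/10 		--dport dhcpv6-server
#--------------------------------------------------------------
# Reject everything else, even from the good networks
-A good	-j logrjct
#--------------------------------------------------------------
# Commit the filter table
COMMIT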
#==============================================================
*raw
:PREROUTING	ACCEPT	[0:0]
:OUTPUT		ACCEPT	[0:0]
:std		-	[0:0]
#--------------------------------------------------------------
# Run locally generated (OUTPUT) and incoming (PREROUTING) packets through "std"
-A OUTPUT	-j std
-A PREROUTING	-j std
#--------------------------------------------------------------
# Attach the FTP connection-tracking helper (nf_conntrack_ftp) to FTP control
# connections so that their data connections are seen as RELATED by the
# filter table
-A std	-p tcp --dport ftp	-j CT --helper ftp
#--------------------------------------------------------------
# Commit the raw table
COMMIT
