Add rc script to control iptables for ipv6

Issue #122 resolved
Zhang Huangbin
repo owner created an issue

Add rc script to control iptables for ipv6: https://forum.iredmail.org/post60525.html#p60525

Comments (2)

  1. Alexandre Kouznetsov

    Hi.

    This is the output of "netstat -lnp | grep tcp6" on a Debian 9 system, after an iRedMail 0.9.8 installation:

    tcp6       0      0 :::587                  :::*                    LISTEN      2488/master         
    tcp6       0      0 :::110                  :::*                    LISTEN      926/dovecot         
    tcp6       0      0 :::143                  :::*                    LISTEN      926/dovecot         
    tcp6       0      0 :::4949                 :::*                    LISTEN      1140/perl           
    tcp6       0      0 :::22                   :::*                    LISTEN      5488/sshd           
    tcp6       0      0 :::25                   :::*                    LISTEN      2488/master         
    tcp6       0      0 :::1022                 :::*                    LISTEN      5488/sshd           
    tcp6       0      0 :::993                  :::*                    LISTEN      926/dovecot         
    tcp6       0      0 :::5666                 :::*                    LISTEN      773/nrpe            
    tcp6       0      0 :::995                  :::*                    LISTEN      926/dovecot 
    

    Since I do not use IPv6 on this server, and don't want to break anything by disabling it, I put this script in /etc/network/if-pre-up.d/firewall6:

    #!/bin/sh
    # Default policy for the built-in chains: DROP discards every IPv6
    # packet that is not explicitly accepted further down.
    DEFPOLICY="DROP"

    echo "Firewall up for IPv6!"
    echo " Adopting $DEFPOLICY policy."
    for chain in INPUT OUTPUT FORWARD; do
      ip6tables -P "$chain" "$DEFPOLICY"
    done

    echo " Flushing ip6tables."
    # Flush all rules and delete user-defined chains in every table
    # (the nat table needs the ip6table_nat kernel module).
    for table in nat filter mangle raw; do
      ip6tables -t "$table" -F
      ip6tables -t "$table" -X
    done
    ip6tables -Z   # reset packet/byte counters

    echo " Opening trusted interfaces."
    # Loopback stays open so local services can still talk to each other over ::1.
    ip6tables -A INPUT  -i lo -j ACCEPT
    ip6tables -A OUTPUT -o lo -j ACCEPT
    

    I hope this helps as a workaround to deal with IPv6 being wide open by default after an iRedMail install.

    Greetings.
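A previewable variant of the same approach, added here as an example; it is not code from the issue or from iRedMail. It keeps the DROP policy on all three chains but builds the rules in one function so they can be printed and reviewed before being installed as /etc/network/if-pre-up.d/firewall6. Everything beyond the original script is an assumption made for this example: the ALLOW_TCP_PORTS allowlist, the conntrack rules that let replies to the host's own connections back in, the small set of ICMPv6 types (errors and neighbour/router discovery) without which IPv6 on a link stops working, and the use of the IFACE variable that ifupdown exports to hook scripts to decide that the rules should actually be applied.

```sh
#!/bin/sh
# Added example (not from the issue or from iRedMail): an ip6tables rule set
# built by one function so it can be previewed (default) or applied.
#
# Assumptions made here, not stated on the page:
#  - ALLOW_TCP_PORTS lists the TCP ports to expose over IPv6 (empty = none);
#  - ifupdown exports IFACE to /etc/network/if-*.d hooks, which is used to
#    detect that the script runs as a pre-up hook and should apply the rules.

DEFPOLICY="${DEFPOLICY:-DROP}"
ALLOW_TCP_PORTS="${ALLOW_TCP_PORTS:-}"   # e.g. "22 25 587"
DRY_RUN="${DRY_RUN:-1}"                  # 1 = only print the commands

# Execute one ip6tables command, or print it when previewing.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "ip6tables $*"
    else
        ip6tables "$@"
    fi
}

# Emit the whole rule set: default DROP on every chain, a clean slate,
# loopback, traffic belonging to connections this host opened, the ICMPv6
# types IPv6 needs on a link, then the explicit TCP allowlist.
ip6_firewall_rules() {
    for chain in INPUT OUTPUT FORWARD; do
        run -P "$chain" "$DEFPOLICY"
    done
    for table in nat filter mangle raw; do
        run -t "$table" -F
        run -t "$table" -X
    done
    run -Z
    run -A INPUT  -i lo -j ACCEPT
    run -A OUTPUT -o lo -j ACCEPT
    # Replies to connections the host started (e.g. outbound SMTP) would
    # otherwise be discarded by the DROP policy on INPUT.
    run -A INPUT  -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run -A OUTPUT -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
    # ICMPv6 errors (1-4) and neighbour/router discovery (133-136).
    # Discovery packets are not tracked by conntrack, so they need explicit rules.
    for t in 1 2 3 4 133 134 135 136; do
        run -A INPUT  -p icmpv6 --icmpv6-type "$t" -j ACCEPT
        run -A OUTPUT -p icmpv6 --icmpv6-type "$t" -j ACCEPT
    done
    # Only the listed ports are reachable from outside over IPv6.
    for port in $ALLOW_TCP_PORTS; do
        run -A INPUT -p tcp --dport "$port" -j ACCEPT
    done
}

# Number of ip6tables commands the current settings would issue.
count_rules() {
    ( DRY_RUN=1; ip6_firewall_rules ) | wc -l | tr -d ' '
}

# Apply for real when run as an ifupdown hook (IFACE set) or with "apply";
# any other invocation just prints the commands for review.
if [ -n "${IFACE:-}" ] || [ "${1:-}" = "apply" ]; then
    DRY_RUN=0
fi
ip6_firewall_rules
```

Running the file by hand prints the rule set; `ALLOW_TCP_PORTS="25 587" sh firewall6 apply` (as root) installs it, and from ifupdown it applies automatically. Keeping OUTPUT open for NEW connections while INPUT only admits the allowlist and established traffic is the difference from the original script, which also blocks outbound IPv6.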
