From 340bfa5c69544454f7e3831283213851e554d94e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Th=C3=A9o?= <theo@le-filament.com>
Date: Thu, 19 Jan 2023 17:39:56 +0100
Subject: [PATCH] feat: enable IPv6

---
 templates/ip6tables.conf.j2 | 32 ++++++++++++++++++++++++++++++++
 1 file changed, 32 insertions(+)

diff --git a/templates/ip6tables.conf.j2 b/templates/ip6tables.conf.j2
index bc2d1b3..a608840 100644
--- a/templates/ip6tables.conf.j2
+++ b/templates/ip6tables.conf.j2
@@ -5,13 +5,45 @@
 :OUTPUT DROP [0:0]
 :LOGGING - [0:0]
 ## INPUT chain
+# Ne pas casser les connexions etablies
+-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
 # Autoriser loopback
 -A INPUT -i lo -j ACCEPT
+# Autoriser les paquets ICMP v6
+-A INPUT -p ipv6-icmp -j ACCEPT
+# Autoriser le DHCPv6 sur le lien local uniquement
+-A INPUT -m state --state NEW -m udp -p udp -s fe80::/10 --dport 546 -j ACCEPT
+# SSH
+-A INPUT -p tcp -m tcp --dport 2222 -j ACCEPT
 # Log incoming traffic blocked by IPTables
 -A INPUT -j LOGGING
 ## OUTPUT chain
+# Ne pas casser les connexions etablies
+-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
 # Autoriser loopback
 -A OUTPUT -o lo -j ACCEPT
+# Accept all ICMP v6 packets
+-A OUTPUT -p ipv6-icmp -j ACCEPT
+# SSH
+-A OUTPUT -p tcp -m tcp --dport 2222 -j ACCEPT
+# WEB
+-A OUTPUT -p tcp -m tcp --dport 80 -j ACCEPT
+-A OUTPUT -p tcp -m tcp --dport 443 -j ACCEPT
+# DNS
+-A OUTPUT -p tcp -m tcp --dport 53 -j ACCEPT
+-A OUTPUT -p udp -m udp --dport 53 -j ACCEPT
+# NTP Out
+-A OUTPUT -p udp -m udp --dport 123 -j ACCEPT
+# SMTP Postfix
+-A OUTPUT -p tcp -m tcp --dport 25 -j ACCEPT
+-A OUTPUT -p tcp -m tcp --dport 465 -j ACCEPT
+-A OUTPUT -p tcp -m tcp --dport 587 -j ACCEPT
+# WhoIs
+-A OUTPUT -p tcp -m tcp --dport 43 -j ACCEPT
+# DHCPv6
+-A OUTPUT -p udp -m udp -s fe80::/10 --dport 547 -j ACCEPT
+# GPG
+-A OUTPUT -p udp -m udp --dport 11371 -j ACCEPT
 # Log outgoing traffic blocked by IPTables
 -A OUTPUT -j LOGGING
 ## LOGGING chain
-- 
GitLab
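Review bot: The new INPUT rule `-A INPUT -p tcp -m tcp --dport 2222 -j ACCEPT` is stateless, so it accepts any TCP segment addressed to port 2222 whatever its conntrack state, and nothing earlier in the chain drops INVALID packets; either restrict it to `-A INPUT -p tcp -m tcp --dport 2222 -m conntrack --ctstate NEW -j ACCEPT` or place `-A INPUT -m conntrack --ctstate INVALID -j DROP` ahead of the RELATED,ESTABLISHED accept. The neighbouring `-A INPUT -p ipv6-icmp -j ACCEPT` admits every ICMPv6 type from any source, which is broader than the neighbour-discovery, echo and error messages a host needs; RFC 4890 lists the types to permit, and `--icmpv6-type` can express that per rule. The DHCPv6 rule uses `-m state --state NEW` while every other stateful rule in the hunk uses `-m conntrack --ctstate`; writing it as `-m conntrack --ctstate NEW` keeps the file on a single match extension.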