lgkahn
Joined: Fri Mar 06, 2015 12:11 am

ipv6 firewall for comcast bridging with static public ips

Thu Feb 23, 2017 12:27 am

Since I could not find a good example of this configuration with an advanced firewall for IPv6 for Comcast (in bridging mode, since the default gateway is on the same subnet as your range of IPs),

anyway, here is my firewall, which is confirmed and tested as working.

Note the IPs have been changed.

All I did was assign static IPv6 IPs to my servers on my net. In order to get the Windows servers to use them rather than the randomly generated one by default, I had to run the following and reboot. You also need to make sure to turn off the default IPv6 firewall in the Comcast modem before testing.


netsh interface ipv6 set global randomizeidentifiers=disabled

netsh interface ipv6 set privacy state=disabled


I also assigned a static IPv6 IP in my router after enabling IPv6 and rebooting.

Nothing else was necessary.

So without further ado, here is the firewall:

/put "bringing up ipv6 firewall at "
/put [/system clock get date]

/put "cleaning out old ip v6 address lists"
/ipv6 firewall address-list remove [/ipv6 firewall address-list find list=Whitelist]
/ipv6 firewall address-list remove [/ipv6 firewall address-list find list=Blacklist]
/ipv6 firewall address-list remove [/ipv6 firewall address-list find list=OtherSubnetIPs]
/ipv6 firewall address-list remove [/ipv6 firewall address-list find list=Foreign]
/ipv6 firewall address-list remove [/ipv6 firewall address-list find list=wifi_routers]

/put "Starting ip v6 Address lists"
/put "Whitelist"
/ipv6 firewall address-list
add address=2603:ffff:xxxx:yyyy::/64 comment="lgk.com subnet" disabled=no list=Whitelist
add address=2603:ffff:xxxx:xxxx::/64 comment="icentrix subnet" disabled=no list=Whitelist
add address=::1/128 comment="localhost" disabled=no list=Whitelist
add address=fe80::/64 comment="private net" disabled=no list=Whitelist
add address=2001:558:FEED::1 comment="comcast dns1" disabled=no list=Whitelist
add address=2001:558:FEED::2 comment="comcast dns2" disabled=no list=Whitelist
/put "wifi routers"
add address=2603:ffff:xxxx:yyyy:xx73:5555:07ff:01ff comment="portal" disabled=no list=wifi_routers
add address=2603:ffff:xxxx:yyyy:xx73:5555:07ff:01ee comment="wifi" disabled=no list=wifi_routers

/put "cleaning out input chain"
/ipv6 firewall filter remove [/ipv6 firewall filter find chain=input]

/put "cleaning out output chain"
/ipv6 firewall filter remove [/ipv6 firewall filter find chain=output]

/put "cleaning out forward chain"
/ipv6 firewall filter remove [/ipv6 firewall filter find chain=forward]

/put "cleaning out udp_packets_bridge chain"
/ipv6 firewall filter remove [/ipv6 firewall filter find chain=udp_packets_bridge]

/put "cleaning out icmp_packets_bridge chain"
/ipv6 firewall filter remove [/ipv6 firewall filter find chain=icmp_packets_bridge]

/put "cleaning out SYN-Protect chain"
/ipv6 firewall filter remove [/ipv6 firewall filter find chain=SYN-Protect]

/put "cleaning out icmp chain"
/ipv6 firewall filter remove [/ipv6 firewall filter find chain=ICMP]

/put "cleaning out services chain"
/ipv6 firewall filter remove [/ipv6 firewall filter find chain=services]

/put "Starting new rules"
/ipv6 firewall filter

/put "input rules to protect firewall itself"
/ipv6 firewall filter

/put "input established connections"

add chain=input connection-state=established action=accept comment="accept established connection packets" disabled=no
add chain=input connection-state=related action=accept comment="accept related connection packets" disabled=no
add chain=input connection-state=invalid action=drop comment="drop invalid packets" disabled=no

/put "input whitelist"
# This rule allows full access to the router for certain IP addresses.
# The list contains static entries for IPs you always want to have access, and also the dynamic IPs added by port knocking if used
add chain=input src-address-list=Whitelist action=accept comment="Allow access to router from known network" disabled=no

/put "allowing multicast on router"
# note: multicast is never carried over TCP, so this rule as written cannot match (multicast control traffic is ICMPv6/UDP)
add chain=input action=accept protocol=tcp dst-address=ff00::/8

/put "Blacklist"
add chain=input action=drop src-address-list=Blacklist comment="Block Blacklist"

/put "Foreign"
add chain=input action=drop src-address-list=Foreign comment="Block foreign ips"

#/put "input dos attack add to Blacklist"
# These rules are a little reactive to DoS and port scanning attempts; port scanning is dropped, but a DoS attack is
# 'tarpitted' in that all connections are slowed down to increase the resource usage on the attacker's device
#no psd option in ipv6
#add chain=input protocol=tcp psd=21,3s,3,1 action=drop comment="detect and drop port scan connections" disabled=no

# lgk: rule below does nothing as Blacklist is already totally blocked
# add chain=input protocol=tcp connection-limit=3,32 src-address-list=Blacklist action=tarpit comment="suppress DoS attack" disabled=no
add chain=input protocol=tcp connection-limit=20,32 action=add-src-to-address-list address-list=Blacklist address-list-timeout=1d comment="detect DoS attack" disabled=no

/put "add dns spammers to list"
add chain=input protocol=udp dst-port=53 action=drop comment="drop dns on router"

/put "input jump rules"
# These 2 rules jump to chains we are about to create,
# jumping is handy because it allows you to reuse the same rule in different chains (I.e. Input and Forward can jump to the same chain and run the same rules)
add chain=input protocol=icmpv6 action=jump jump-target=ICMP comment="jump to chain ICMP" disabled=no
add chain=input action=jump jump-target=services comment="jump to chain services" disabled=no

/put "drop rest on input"
# And this is the rule that denies all access to the router: if traffic hasn't been accepted by one of the rules above it will be dropped
add chain=input action=drop comment="drop everything else" disabled=no
#add chain=input action=log log-prefix="Filter:" comment="" disabled=no

/put "router icmp chains"
# These rules form the 'ICMP' chain which we jumped to from input; it limits various ICMPv6 packets to stop people ping flooding you

add chain=ICMP protocol=icmpv6 icmp-options=129:0-255 limit=5,5:packet action=accept comment="129:0 and limit echo reply for 5pac/s" disabled=no
add chain=ICMP protocol=icmpv6 icmp-options=1:0 limit=5,5:packet action=accept comment="1:0 no route to destination, limit 5pac/s" disabled=no
add chain=ICMP protocol=icmpv6 icmp-options=1:3-4 limit=5,5:packet action=accept comment="1:3,4 address/port unreach. and limit for 5pac/s" disabled=no
add chain=ICMP protocol=icmpv6 icmp-options=128:0-255 limit=5,5:packet action=accept comment="128:0 echo request limit for 5pac/s" disabled=no
add chain=ICMP protocol=icmpv6 icmp-options=3:0-255 limit=5,5:packet action=accept comment="3:0 time exceeded limit for 5pac/s" disabled=no
add chain=ICMP protocol=icmpv6 action=drop comment="Drop everything else" disabled=no

/put "router service chains"

add chain=services src-address=::1/128 dst-address=::1/128 action=accept comment="accept localhost" disabled=no
add chain=services protocol=tcp dst-port=2000 action=accept comment="Bandwidth server" disabled=no
add chain=services protocol=udp dst-port=5678 action=accept comment="MT Discovery Protocol" disabled=no
add chain=services protocol=tcp dst-port=161 action=accept comment="allow SNMP" disabled=no
add chain=services protocol=tcp dst-port=1723 action=accept comment="Allow PPTP" disabled=no
add chain=services protocol=udp dst-port=123 action=accept comment="Allow NTP" disabled=no
add chain=services protocol=tcp dst-port=53 action=drop comment="block DNS request" disabled=no
add chain=services protocol=udp dst-port=53 action=drop comment="block DNS request" disabled=no

add chain=services protocol=udp dst-port=20561 action=accept comment="allow MACwinbox " disabled=yes
add chain=services protocol=tcp dst-port=179 action=accept comment="Allow BGP" disabled=yes
add chain=services protocol=udp dst-port=5000-5100 action=accept comment="allow BGP" disabled=yes
add chain=services protocol=gre action=accept comment="allow PPTP and EoIP" disabled=yes
add chain=services protocol=udp dst-port=1900 action=accept comment="UPnP" disabled=yes
add chain=services protocol=tcp dst-port=2828 action=accept comment="UPnP" disabled=yes
add chain=services protocol=udp dst-port=67-68 action=accept comment="allow DHCP" disabled=yes
add chain=services protocol=tcp dst-port=8080 action=accept comment="allow Web Proxy" disabled=yes
add chain=services protocol=ipencap action=accept comment="allow IPIP" disabled=yes
add chain=services protocol=tcp dst-port=443 action=accept comment="allow https for Hotspot" disabled=yes
add chain=services protocol=tcp dst-port=1080 action=accept comment="allow Socks for Hotspot" disabled=yes
add chain=services protocol=udp dst-port=500 action=accept comment="allow IPSec connections" disabled=yes
add chain=services protocol=ipsec-esp action=accept comment="allow IPSec" disabled=yes
add chain=services protocol=ipsec-ah action=accept comment="allow IPSec" disabled=yes
add chain=services protocol=udp dst-port=520-521 action=accept comment="allow RIP" disabled=yes
add chain=services protocol=ospf action=accept comment="allow OSPF" disabled=yes
add chain=services action=return comment="" disabled=no

/put "normal output and forward rules start here"
add chain=output action=accept

/put "allow port 1723 and gre open for vpn"
add chain=forward action=accept protocol=tcp dst-port=1723
add chain=forward action=accept protocol=gre

/put "block other ips on our subnet"
add chain=forward action=drop src-address-list=OtherSubnetIPs

/put "our trusted subnets"
add chain=forward action=accept src-address-list=Whitelist comment="Whitelist"

/put "Blacklist"
add chain=forward action=drop src-address-list=Blacklist comment="Block Blacklist"

/put "Foreign"
add chain=forward action=drop src-address-list=Foreign comment="Block Foreign IPs"

/put "established connection rule"
add chain=forward action=accept connection-state=established comment="established"
add chain=forward action=accept connection-state=related comment="related"

/put "allowing mail rules"
add chain=forward action=accept protocol=tcp dst-address=2603:ffff:xxxx:yyyy:xx73:5555:07ff:xx77 dst-port=25
add chain=forward action=accept protocol=tcp src-port=25 dst-port=1024-65535

/put "allow web rules"
add chain=forward action=accept protocol=tcp dst-port=80
add chain=forward action=accept protocol=tcp src-port=80 dst-port=1023-65535
add chain=forward action=accept protocol=tcp src-port=443 dst-port=1023-65535

/put "allowing dns rules"
add chain=forward action=accept protocol=tcp dst-address=2603:ffff:xxxx:yyyy:xx73:5555:07ff:xx77 dst-port=53
add chain=forward action=accept protocol=udp dst-address=2603:ffff:xxxx:yyyy:xx73:5555:07ff:xx77 dst-port=53
add chain=forward action=accept protocol=udp src-port=53 dst-port=1024-65535

/put "allowing mail rules"
add chain=forward action=accept protocol=tcp dst-port=9080
add chain=forward action=accept protocol=tcp src-port=9080 dst-port=1024-65535

/put "allow time setting"
add chain=forward action=accept protocol=udp dst-address=2603:ffff:xxxx:yyyy::/64 src-port=123
add chain=forward action=accept protocol=tcp dst-address=2603:ffff:xxxx:yyyy::/64 src-port=123

/put "allow multicast from our net"
# note: multicast is never carried over TCP, so this rule as written cannot match
add chain=forward action=accept protocol=tcp dst-address=ff00::/8

#/put "allow linux update site dont know ip v6 update so comment out"
#add chain=forward action=accept src-address=137.226.34.227/32 dst-address=2603:ffff:xxxx:yyyy::/64

/put "port 113 file sharing rule to local subnet"
add chain=forward action=accept protocol=tcp src-address-list=Whitelist dst-port=113

/put "netbios local subnet"
add chain=forward action=accept protocol=tcp src-address-list=Whitelist src-port=445 dst-port=1023-65535

#disallow netbios except local network
/put "disallowing netbios port 139"
add chain=forward action=drop protocol=tcp dst-address=2603:ffff:xxxx:yyyy::/64 dst-port=139
add chain=forward action=drop protocol=tcp src-address=2603:ffff:xxxx:yyyy::/64 src-port=139

/put "Callcentric (don't know Callcentric IPv6 IPs so commented out)"
#add chain=forward action=accept src-address=204.11.192.0/24
#add chain=forward action=accept src-address=66.193.176.0/24
#add chain=forward action=accept src-address=198.65.166.131/32

/put "imail imap access"
add chain=forward action=accept protocol=tcp dst-address=2603:ffff:xxxx:yyyy:xx73:5555:07ff:xx77 dst-port=143
add chain=forward action=accept protocol=tcp src-port=143 dst-port=1023-65535

/put "pop3 mail access"
add chain=forward action=accept protocol=tcp dst-address=2603:ffff:xxxx:yyyy:xx73:5555:07ff:xx77 dst-port=110
add chain=forward action=accept protocol=tcp src-port=110 dst-port=1023-65535

/put "ftp access"
add chain=forward action=accept protocol=tcp src-port=21 dst-port=1023-65535
add chain=forward action=accept protocol=tcp src-port=20 dst-port=1023-65535

/put "world access to public ftp"
add chain=forward action=accept protocol=tcp dst-address=2603:ffff:xxxx:yyyy:xx73:5555:07ff:xx77 dst-port=21
# allow data sockets coming back
add chain=forward action=accept protocol=tcp dst-address=2603:ffff:xxxx:yyyy:xx73:5555:07ff:xx77 dst-port=20

/put "web calendar support"
add chain=forward action=accept protocol=tcp dst-address=2603:ffff:xxxx:yyyy:xx73:5555:07ff:xx77 dst-port=8484
add chain=forward action=accept protocol=tcp src-port=8484 dst-port=1023-65535

# ICMP rules
/put "doing icmp rules"
add chain=forward protocol=icmpv6 action=jump jump-target=icmp_packets_bridge
add chain=icmp_packets_bridge action=accept protocol=icmpv6 src-address=2603:ffff:xxxx:yyyy::/64
add chain=icmp_packets_bridge action=drop protocol=icmpv6 icmp-options=128:0 dst-address=2603:ffff:xxxx:yyyy:xx73:5555:07ff:0113 comment="no pinging our firewall box"
add chain=icmp_packets_bridge action=accept protocol=icmpv6 icmp-options=1:0 comment="net unreachable"
add chain=icmp_packets_bridge action=accept protocol=icmpv6 icmp-options=1:3 comment="host/address unreachable"
add chain=icmp_packets_bridge action=accept protocol=icmpv6 icmp-options=1:4 comment="port unreachable"
add chain=icmp_packets_bridge action=accept protocol=icmpv6 icmp-options=2:0 comment="packet too big"
add chain=icmp_packets_bridge action=accept protocol=icmpv6 icmp-options=3:0-1 comment="time exceeded"
# note: type 11 is the ICMPv4 time-exceeded type; in ICMPv6 that is type 3 (matched above), so this rule is harmless but unused
add chain=icmp_packets_bridge action=accept protocol=icmpv6 icmp-options=11:0-1 comment="allow time exceeded"
add chain=icmp_packets_bridge action=accept protocol=icmpv6 icmp-options=128:0 comment="allow echo request"
add chain=icmp_packets_bridge action=accept protocol=icmpv6 icmp-options=129:0 comment="echo reply"
add chain=icmp_packets_bridge action=accept protocol=icmpv6 icmp-options=135:0 comment="neighbor solicitation"
add chain=icmp_packets_bridge action=accept protocol=icmpv6 icmp-options=136:0 comment="neighbor advertisement"
add chain=icmp_packets_bridge action=accept protocol=icmpv6 icmp-options=137:0 comment="allow redirect"
#add chain=icmp_packets_bridge action=accept protocol=icmpv6 icmp-options=4:0-2 comment="allow parameter bad"
add chain=icmp_packets_bridge action=drop comment="deny all other types"


# UDP ports
/put "doing udp rules"
# jump must match UDP, otherwise the udp_packets_bridge chain is never reached
add chain=forward protocol=udp action=jump jump-target=udp_packets_bridge
#dns
add chain=udp_packets_bridge action=accept protocol=udp src-port=53
#ntp
add chain=udp_packets_bridge action=accept protocol=udp src-port=123
add chain=udp_packets_bridge action=accept protocol=udp src-address=2603:ffff:xxxx:yyyy::/64


/put "disallowing syn floods"
add chain=forward protocol=tcp tcp-flags=syn connection-state=new action=jump jump-target=SYN-Protect comment="SYN Flood protect" disabled=yes
add chain=SYN-Protect protocol=tcp tcp-flags=syn limit=400,5:packet connection-state=new action=accept comment="" disabled=no
add chain=SYN-Protect protocol=tcp tcp-flags=syn connection-state=new action=drop comment="" disabled=no

# drop all else
add action=drop chain=forward comment="drop all else"
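A small lint pass over rules written in the format of the script above, added here as an example (it is not the poster's code nor a MikroTik tool). It parses RouterOS `add key=value` lines and flags three mistakes a reviewer would look for in such a script: a token that lost its `=`, a jump rule whose protocol matches nothing in the target chain, and a TCP rule aimed at a multicast destination. The sample rules are constructed and use the 2001:db8::/32 documentation prefix.

```python
import ipaddress
import shlex
# Constructed input mirroring the rule shapes in the post (2001:db8::/32 is a documentation prefix).
SAMPLE = """
add chain=forward protocol=icmpv6 action=jump jump-target=udp_packets_bridge
add chain=udp_packets_bridge action=accept protocol=udp src-port=53
add chain=udp_packets_bridge action=accept protocol=udp src-port=123
add chain=forward action=accept protocol=tcp dst-address=2001:db8::1 dst-port 8484
add chain=input action=accept protocol=tcp dst-address=ff00::/8
"""

def parse_rules(text):
    """One dict per 'add' line; tokens without '=' (a typo RouterOS rejects on import) go to '_bad_tokens'."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("add "):
            continue  # skip /put, comments and menu-path lines
        toks = shlex.split(line[4:])
        rule = dict(t.split("=", 1) for t in toks if "=" in t)
        rule["_bad_tokens"] = [t for t in toks if "=" not in t]
        rules.append(rule)
    return rules

def is_multicast(addr):
    """True for ff00::/8; unparsable placeholders such as 2603:ffff:xxxx::/64 are skipped."""
    try:
        return ipaddress.ip_network(addr, strict=False).is_multicast
    except ValueError:
        return False

def lint(text):
    """Return one finding per suspicious rule, in rule order."""
    rules = parse_rules(text)
    by_chain = {}
    for r in rules:
        by_chain.setdefault(r.get("chain"), []).append(r)
    findings = []
    for r in rules:
        chain, proto = r.get("chain"), r.get("protocol")
        if r["_bad_tokens"]:
            findings.append(f"{chain}: malformed token(s) {r['_bad_tokens']}")
        if proto == "tcp" and is_multicast(r.get("dst-address", "")):
            findings.append(f"{chain}: tcp rule to a multicast destination never matches")
        if r.get("action") == "jump":
            target = r.get("jump-target")
            protos = {t.get("protocol") for t in by_chain.get(target, [])} - {None}
            if proto and protos and proto not in protos:
                findings.append(f"{chain}: jump to {target} matches protocol={proto} but that chain only handles {sorted(protos)}")
    return findings
```

Running `lint(SAMPLE)` reports the icmpv6 jump into the UDP chain, the `dst-port 8484` token and the TCP-to-multicast rule; run it over an exported script before pasting it into the router.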
