Conditionals in IPv6 includes

2021-09-06 14:03:44 +02:00 · 2021-09-06 14:03:44 +02:00 · 08182dd606
parent ef18fccc96
commit 08182dd606
5 changed files with 20 additions and 10 deletions
--- a/minifirewall.d/default-input-v6
+++ b/minifirewall.d/default-input-v6
@ -1,7 +1,9 @@
 # shellcheck shell=sh disable=SC2034
 # allow input HTTP/HTTPS/SMTP/DNS traffic
-/sbin/ip6tables -A INPUT -i $INT -p tcp --sport 80 --match state --state ESTABLISHED,RELATED -j ACCEPT
-/sbin/ip6tables -A INPUT -i $INT -p tcp --sport 443 --match state --state ESTABLISHED,RELATED -j ACCEPT
-/sbin/ip6tables -A INPUT -i $INT -p tcp --sport 25 --match state --state ESTABLISHED,RELATED -j ACCEPT
-/sbin/ip6tables -A INPUT -i $INT -p udp --sport 53 --match state --state ESTABLISHED,RELATED -j ACCEPT
-/sbin/ip6tables -A INPUT -i $INT -p tcp --sport 53 --match state --state ESTABLISHED,RELATED -j ACCEPT
+if [ "${IPV6}" != "off" ]; then
+    /sbin/ip6tables -A INPUT -i ${INT} -p tcp --sport 80 --match state --state ESTABLISHED,RELATED -j ACCEPT
+    /sbin/ip6tables -A INPUT -i ${INT} -p tcp --sport 443 --match state --state ESTABLISHED,RELATED -j ACCEPT
+    /sbin/ip6tables -A INPUT -i ${INT} -p tcp --sport 25 --match state --state ESTABLISHED,RELATED -j ACCEPT
+    /sbin/ip6tables -A INPUT -i ${INT} -p udp --sport 53 --match state --state ESTABLISHED,RELATED -j ACCEPT
+    /sbin/ip6tables -A INPUT -i ${INT} -p tcp --sport 53 --match state --state ESTABLISHED,RELATED -j ACCEPT
+fi
--- a/minifirewall.d/dhcp-v6.example
+++ b/minifirewall.d/dhcp-v6.example
@ -1,4 +1,6 @@
 # shellcheck shell=sh disable=SC2034
 # allow DHCPv6
-/sbin/ip6tables -A INPUT -i $INT -p udp --dport 546 -d fe80::/64 -j ACCEPT
-/sbin/ip6tables -A OUTPUT -o $INT -p udp --dport 547 -j ACCEPT
+if [ "${IPV6}" != "off" ]; then
+    /sbin/ip6tables -A INPUT -i ${INT}  -p udp --dport 546 -d fe80::/64 -j ACCEPT
+    /sbin/ip6tables -A OUTPUT -o ${INT}  -p udp --dport 547 -j ACCEPT
+fi
--- a/minifirewall.d/dns-output-v6
+++ b/minifirewall.d/dns-output-v6
@ -1,3 +1,5 @@
 # shellcheck shell=sh disable=SC2034
 # allow DNS output
-/sbin/ip6tables -A OUTPUT -o $INT -p udp --dport 53 --match state --state NEW -j ACCEPT
+if [ "${IPV6}" != "off" ]; then
+    /sbin/ip6tables -A OUTPUT -o ${INT}  -p udp --dport 53 --match state --state NEW -j ACCEPT
+fi
--- a/minifirewall.d/ntp-output-v6
+++ b/minifirewall.d/ntp-output-v6
@ -1,3 +1,5 @@
 # shellcheck shell=sh disable=SC2034
 # allow NTP output
-/sbin/ip6tables -A OUTPUT -o $INT -p udp --dport 123 --match state --state NEW -j ACCEPT
+if [ "${IPV6}" != "off" ]; then
+    /sbin/ip6tables -A OUTPUT -o ${INT}  -p udp --dport 123 --match state --state NEW -j ACCEPT
+fi
--- a/minifirewall.d/traceroute-output-v6.example
+++ b/minifirewall.d/traceroute-output-v6.example
@ -1,3 +1,5 @@
 # shellcheck shell=sh disable=SC2034
 # allow traceroute output
-#/sbin/ip6tables -A OUTPUT -o $INT -p udp --dport 33434:33523 --match state --state NEW -j ACCEPT
+if [ "${IPV6}" != "off" ]; then
+    /sbin/ip6tables -A OUTPUT -o ${INT} -p udp --dport 33434:33523 --match state --state NEW -j ACCEPT
+fi