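#!/bin/sh
# ipv6 firewall config for puttony-ng
#
# Flushes the ip6tables filter/mangle/raw tables, sets DROP default policies,
# then installs a stateless ruleset: the LAN side (br0) is fully open, the
# uplink (ppp1) allows outgoing traffic, ICMPv6, DHCPv6 and inbound HTTP.
#
# Requires: ip6tables in PATH. /usr/local/var/currentip.v6 is read if present.
# Stops on the first failing ip6tables call (non-zero exit), so a partially
# applied ruleset is never reported as "set".

# Abort on the first failed command and on any unset variable.
# Note: "&>/dev/null" is a bash-ism; under /bin/sh it parses as "cmd &" plus a
# stray redirect, backgrounding the flush so it can race with (and wipe) the
# mangle rule appended further down. Portable ">/dev/null 2>&1" is used instead.
set -eu

IPT6="ip6tables"
CURRENTIP_FILE="/usr/local/var/currentip.v6"
# Current global IPv6 address; left empty when the file is missing so the
# script still applies the (address-independent) rules below.
CURRENTIP=$(cat "$CURRENTIP_FILE") || CURRENTIP=""
# LOCALNET_* are kept for compatibility with callers that source this file;
# no rule in this script references them.
# shellcheck disable=SC2034
LOCALNET_SCOPEGLOBAL="$CURRENTIP/64"
# shellcheck disable=SC2034
LOCALNET_SCOPELINK="fe80::/64"
GLOBALDEV="ppp1"
LOCALDEV="br0"

if ! command -v "$IPT6" >/dev/null 2>&1; then
  printf '%s\n' "firewallv6: $IPT6 not found in PATH" >&2
  exit 1
fi

# flush
# The filter table must exist; the mangle and raw tables may be absent on this
# kernel, so their flush is allowed to fail quietly (synchronously, see above).
"$IPT6" -F
"$IPT6" -X
"$IPT6" -t mangle -F >/dev/null 2>&1 || true
"$IPT6" -t mangle -X >/dev/null 2>&1 || true
"$IPT6" -t raw -F >/dev/null 2>&1 || true
"$IPT6" -t raw -X >/dev/null 2>&1 || true

# default policies: fail closed before any ACCEPT rule is installed
"$IPT6" -P INPUT DROP
"$IPT6" -P OUTPUT DROP
"$IPT6" -P FORWARD DROP

# Clamp the MSS of forwarded TCP SYNs so LAN hosts fit the ppp link MTU.
# NOTE(review): 1452 presumably is the link MTU (1492) minus the 40-byte IPv6
# header; confirm it also allows for the TCP header, or consider
# --clamp-mss-to-pmtu. Must run after the mangle flush above.
"$IPT6" -t mangle -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 1452

# localnet allow: the LAN bridge is trusted in both directions
"$IPT6" -A INPUT -i "$LOCALDEV" -j ACCEPT
"$IPT6" -A OUTPUT -o "$LOCALDEV" -j ACCEPT

# bittorrent
#$IPT6 -A FORWARD -i $GLOBALDEV -p tcp --dport 6980 -d kloaka -j ACCEPT
#$IPT6 -A FORWARD -i $GLOBALDEV -p udp --dport 6980 -d kloaka -j ACCEPT

# allow full outgoing connections but no incoming connections
# This is a stateless approximation: any TCP segment from the uplink that does
# not carry SYN is accepted, without checking that it belongs to a connection
# opened from this side. Non-TCP replies from the uplink (e.g. UDP/DNS) are not
# accepted by these rules at all.
# NOTE(review): "-m conntrack --ctstate ESTABLISHED,RELATED" would make the two
# "! --syn" rules stateful if the kernel has IPv6 connection tracking — confirm
# before switching, as it changes which traffic is admitted.
"$IPT6" -A INPUT -i "$GLOBALDEV" -p tcp ! --syn -j ACCEPT
"$IPT6" -A OUTPUT -o "$GLOBALDEV" -j ACCEPT
"$IPT6" -A FORWARD -i "$GLOBALDEV" -p tcp ! --syn -j ACCEPT
"$IPT6" -A FORWARD -o "$GLOBALDEV" -j ACCEPT

# icmp passthrough: all ICMPv6 is accepted on the uplink (neighbour discovery
# and path-MTU discovery depend on it).
"$IPT6" -A INPUT -i "$GLOBALDEV" -p ipv6-icmp -j ACCEPT
"$IPT6" -A OUTPUT -o "$GLOBALDEV" -p ipv6-icmp -j ACCEPT
"$IPT6" -A FORWARD -i "$GLOBALDEV" -p ipv6-icmp -j ACCEPT
"$IPT6" -A FORWARD -o "$GLOBALDEV" -p ipv6-icmp -j ACCEPT

# dhcp allow: inserted at the head of the chain (-I) so DHCPv6 is matched
# before the rules appended above.
"$IPT6" -I INPUT -i "$GLOBALDEV" -p udp --sport 546:547 -j ACCEPT
"$IPT6" -I OUTPUT -o "$GLOBALDEV" -p udp --dport 546:547 -j ACCEPT
# www: inbound HTTP to this host from the uplink
"$IPT6" -A INPUT -i "$GLOBALDEV" -p tcp --dport 80 -j ACCEPT
"$IPT6" -A OUTPUT -o "$GLOBALDEV" -p tcp --sport 80 -j ACCEPT

printf '%s\n' 'firewallv6: local iptables set.'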
