====== Shorewall mono interface ======
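# Shorewall on a single-interface host: install it, keep pristine copies of the
# shipped configuration, then patch the copies in place.
# Safe to re-run: a backup is taken only once, LOG=ULOG and the SSH rule are
# added only if not already present, so nothing is duplicated.
set -eu

apt-get install shorewall ulogd
cp -a /usr/share/doc/shorewall/examples/one-interface/* /etc/shorewall

# Copy a file to its "_" backup unless that backup already exists (a second run
# must not overwrite the pristine copy with the already-edited file).
backup_once() {
  [ -e "$2" ] || cp -a -- "$1" "$2"
}
backup_once /etc/shorewall/shorewall.conf /etc/shorewall/shorewall.conf_
backup_once /etc/shorewall/interfaces     /etc/shorewall/interfaces.conf_
backup_once /etc/shorewall/policy         /etc/shorewall/policy_
backup_once /etc/shorewall/params         /etc/shorewall/params_

# Policy lines ending in "info" log through $LOG (set in params below) instead
# of the plain "info" syslog level. Single quotes: sed gets s/info$/$LOG/g as-is.
sed -i 's/info$/$LOG/g' /etc/shorewall/policy
# Firewall log goes to ulogd's file rather than syslog; IPv6 is switched off.
sed -i 's|LOGFILE=/var/log/messages|LOGFILE=/var/log/ulog/syslogemu.log|g' /etc/shorewall/shorewall.conf
sed -i 's/DISABLE_IPV6=No/DISABLE_IPV6=Yes/g' /etc/shorewall/shorewall.conf
# Define LOG=ULOG once, just above the sentinel last line of params.
grep -qx 'LOG=ULOG' /etc/shorewall/params \
  || sed -i 's/#LAST LINE -- DO NOT REMOVE/LOG=ULOG\n\n#LAST LINE -- DO NOT REMOVE/g' /etc/shorewall/params

# Accept SSH on tcp/22000 from the net zone, logged via $LOG. The heredoc is
# quoted so "$LOG" is written literally for Shorewall to expand.
# NOTE(review): this assumes sshd actually listens on 22000 — confirm the Port
# setting of sshd before enabling startup, or the only allowed SSH port is closed.
grep -qF 'ACCEPT:$LOG net fw tcp 22000' /etc/shorewall/rules \
  || cat << 'EOF' >> /etc/shorewall/rules
# SSH port 22000
ACCEPT:$LOG net fw tcp 22000
EOF

sed -i 's/startup=0/startup=1/g' /etc/default/shorewall
vi /etc/shorewall/shorewall.conf # check the options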
**/!!!!\**
vi /etc/shorewall/interfaces # check the options, in particular DHCP; WARNING, on OVH the interface is venet0 and not eth0!
**/!!!!\**
vi /etc/shorewall/policy # check the default policies (what is allowed when no rule matches)
===== Si pas de désactivation IPv6 =====
# Reload Shorewall with the edited configuration: a full stop, then a start.
for action in stop start; do
  /etc/init.d/shorewall "$action"
done
**Attention :** IPV6 désactivé :
===== Désactiver les écoutes en ipv6 =====
==== Si bind ====
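# BIND: run named on IPv4 only. The backup is taken only once so a re-run
# cannot overwrite the pristine copy with the edited file.
[ -e /etc/default/bind9_ ] || cp -a /etc/default/bind9 /etc/default/bind9_
# RESOLVCONF=yes — presumably lets the init script register the local server
# with resolvconf; verify against the comments in /etc/default/bind9.
sed -i 's/RESOLVCONF=no/RESOLVCONF=yes/g' /etc/default/bind9
# Prepend -4 so named listens on IPv4 only. Once applied the pattern no longer
# matches, so repeating this step is harmless.
sed -i 's/OPTIONS="-u bind"/OPTIONS="-4 -u bind"/g' /etc/default/bind9
/etc/init.d/bind9 stop
/etc/init.d/bind9 start
# Empty the resolver cache so nothing learned before the restart is served.
rndc flush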
==== Si ssh ====
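# sshd: IPv4 only. The backup is taken only once so a re-run cannot overwrite
# the pristine copy with the edited file.
[ -e /etc/default/ssh_ ] || cp -a /etc/default/ssh /etc/default/ssh_
# Anchor on the empty default: the unanchored "SSHD_OPTS=" pattern turned a
# second run into "SSHD_OPTS=-4-4" and would also mangle an already-populated
# value. Matching only the exact empty line is idempotent and leaves any
# existing options untouched.
sed -i 's/^SSHD_OPTS=$/SSHD_OPTS=-4/' /etc/default/ssh
# Keep the current SSH session open and confirm a fresh IPv4 login works
# before closing it: if the start below fails, no new connection is possible.
/etc/init.d/ssh stop
/etc/init.d/ssh start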
==== Dans tous les cas, désactivation au niveau noyau et reboot ====
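# Kernel-level IPv6 off, both for every interface present when sysctl runs
# ("all") and for interfaces created afterwards ("default") — without the
# second knob a later-created interface comes up with IPv6 enabled.
# The reboot applies the setting to every interface from a clean state.
printf '%s\n' \
  'net.ipv6.conf.all.disable_ipv6=1' \
  'net.ipv6.conf.default.disable_ipv6=1' > /etc/sysctl.d/disableipv6.conf
reboot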
===== PVE : ne fonctionne pas sous Proxmox VE, faire =====
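# Proxmox VE: the sysctl approach does not work there, so install a small
# ip6tables script that drops all IPv6 traffic except loopback.
# Written with '>' rather than '>>': a re-run replaces the file instead of
# appending a second copy (which would also push the shebang off line 1).
cat << 'EOF' > /opt/firewall_ipv6_drop_all.sh
#!/bin/sh
# Drop all IPv6 traffic except loopback.
# Policies are set to DROP *before* the flush so there is no moment where the
# tables are empty while the kernel's default ACCEPT policy is still in force.
IPT6="/sbin/ip6tables"
if [ ! -x "$IPT6" ]; then
  echo "$IPT6 not found or not executable: IPv6 is left unfiltered" >&2
  exit 1
fi
# DROP everything: incoming, outgoing and forwarded
$IPT6 -P INPUT DROP
$IPT6 -P OUTPUT DROP
$IPT6 -P FORWARD DROP
# clear leftover rules and user-defined chains (filter and mangle tables)
$IPT6 -F
$IPT6 -X
$IPT6 -t mangle -F
$IPT6 -t mangle -X
# unlimited access to loopback
$IPT6 -A INPUT -i lo -j ACCEPT
$IPT6 -A OUTPUT -o lo -j ACCEPT
EOF
chmod 750 /opt/firewall_ipv6_drop_all.sh
# Run it at boot: add the line /opt/firewall_ipv6_drop_all.sh to /etc/rc.local
# (above the final "exit 0" if the file has one).
vi /etc/rc.local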
Test :
# Quick check after the reboot — presumably used here to confirm the host still
# reaches its package mirrors with the firewall active and IPv6 disabled.
apt-get update