Follow Techotopia on Twitter

On-line Guides
All Guides
eBook Store
iOS / Android
Linux for Beginners
Office Productivity
Linux Installation
Linux Security
Linux Utilities
Linux Virtualization
Linux Kernel
System/Network Admin
Programming
Scripting Languages
Development Tools
Web Development
GUI Toolkits/Desktop
Databases
Mail Systems
openSolaris
Eclipse Documentation
Techotopia.com
Virtuatopia.com

How To Guides
Virtualization
General System Admin
Linux Security
Linux Filesystems
Web Servers
Graphics & Desktop
PC Hardware
Windows
Problem Solutions

  




 

 

17.3. Usage

17.3.1. Check for support

Load module, if so compiled

# modprobe ip6_tables 

Check for capability

# [ ! -f /proc/net/ip6_tables_names ] && echo "Current kernel doesn't support
� 'ip6tables' firewalling (IPv6)!" 

17.3.2. Learn how to use ip6tables

17.3.2.1. List all IPv6 netfilter entries

  • Short

# ip6tables -L 

  • Extended

# ip6tables -n -v --line-numbers -L 

17.3.2.2. List specified filter

# ip6tables -n -v --line-numbers -L INPUT 

17.3.2.3. Insert a log rule at the input filter with options

# ip6tables --table filter --append INPUT  -j LOG --log-prefix "INPUT:"
� --log-level 7 

17.3.2.4. Insert a drop rule at the input filter

# ip6tables --table filter --append INPUT  -j DROP 

17.3.2.5. Delete a rule by number

# ip6tables --table filter --delete INPUT 1 

17.3.2.6. Allow ICMPv6

Using older kernels (unpatched kernel 2.4.5 and iptables-1.2.2) no type can be specified

  • Accept incoming ICMPv6 through tunnels

# ip6tables -A INPUT -i sit+ -p icmpv6 -j ACCEPT 

  • Allow outgoing ICMPv6 through tunnels

# ip6tables -A OUTPUT -o sit+ -p icmpv6 -j ACCEPT 

Newer kernels allow specifying of ICMPv6 types:

# ip6tables -A INPUT -p icmpv6 --icmpv6-type echo-request -j ACCEPT

17.3.2.7. Rate-limiting

Because it can happen (author already saw it to times) that an ICMPv6 storm will raise up, you should use available rate limiting for at least ICMPv6 ruleset. In addition logging rules should also get rate limiting to prevent DoS attacks against syslog and storage of log file partition. An example for a rate limited ICMPv6 looks like:

# ip6tables -A INPUT --protocol icmpv6 --icmpv6-type echo-request
� -j ACCEPT --match limit --limit 30/minute

17.3.2.8. Allow incoming SSH

Here an example is shown for a ruleset which allows incoming SSH connection from a specified IPv6 address

  • Allow incoming SSH from 2001:0db8:100::1/128

# ip6tables -A INPUT -i sit+ -p tcp -s 2001:0db8:100::1/128 --sport 512:65535
� --dport 22 -j ACCEPT 

  • Allow response packets (at the moment IPv6 connection tracking isn't in mainstream netfilter6 implemented)

# ip6tables -A OUTPUT -o sit+ -p tcp -d 2001:0db8:100::1/128 --dport 512:65535
� --sport 22 ! --syn j ACCEPT 

17.3.2.9. Enable tunneled IPv6-in-IPv4

To accept tunneled IPv6-in-IPv4 packets, you have to insert rules in your IPv4 firewall setup relating to such packets, for example

  • Accept incoming IPv6-in-IPv4 on interface ppp0

# iptables -A INPUT -i ppp0 -p ipv6 -j ACCEPT 

  • Allow outgoing IPv6-in-IPv4 to interface ppp0

# iptables -A OUTPUT -o ppp0 -p ipv6 -j ACCEPT 

If you have only a static tunnel, you can specify the IPv4 addresses, too, like

  • Accept incoming IPv6-in-IPv4 on interface ppp0 from tunnel endpoint 1.2.3.4

# iptables -A INPUT -i ppp0 -p ipv6 -s 1.2.3.4 -j ACCEPT 

  • Allow outgoing IPv6-in-IPv4 to interface ppp0 to tunnel endpoint 1.2.3.4

# iptables -A OUTPUT -o ppp0 -p ipv6 -d 1.2.3.4 -j ACCEPT 

17.3.2.10. Protection against incoming TCP connection requests

VERY RECOMMENDED! For security issues you should really insert a rule which blocks incoming TCP connection requests. Adapt "-i" option, if other interface names are in use!

  • Block incoming TCP connection requests to this host

# ip6tables -I INPUT -i sit+ -p tcp --syn -j DROP 

  • Block incoming TCP connection requests to hosts behind this router

# ip6tables -I FORWARD -i sit+ -p tcp --syn -j DROP 

Perhaps the rules have to be placed below others, but that is work you have to think about it. Best way is to create a script and execute rules in a specified way.

17.3.2.11. Protection against incoming UDP connection requests

ALSO RECOMMENDED! Like mentioned on my firewall information it's possible to control the ports on outgoing UDP/TCP sessions. So if all of your local IPv6 systems are using local ports e.g. from 32768 to 60999 you are able to filter UDP connections also (until connection tracking works) like:

  • Block incoming UDP packets which cannot be responses of outgoing requests of this host

# ip6tables -I INPUT -i sit+ -p udp ! --dport 32768:60999 -j DROP 

  • Block incoming UDP packets which cannot be responses of forwarded requests of hosts behind this router

# ip6tables -I FORWARD -i sit+ -p udp ! --dport 32768:60999 -j DROP 

17.3.3. Demonstration example

Following lines show a more sophisticated setup as an example. Happy netfilter6 ruleset creation....

# ip6tables -n -v -L 
Chain INPUT (policy DROP 0 packets, 0 bytes) 
 pkts bytes target     prot opt in     out     source               destination
    0     0 extIN      all      sit+   *       ::/0                 ::/0 
    4   384 intIN      all      eth0   *       ::/0                 ::/0 
    0     0 ACCEPT     all      *      *       ::1/128              ::1/128 
    0     0 ACCEPT     all      lo     *       ::/0                 ::/0 
    0     0 LOG        all      *      *       ::/0                 ::/0       
�        LOG flags 0 level 7 prefix `INPUT-default:' 
    0     0 DROP       all      *      *       ::/0                 ::/0 
 
Chain FORWARD (policy DROP 0 packets, 0 bytes) 
 pkts bytes target     prot opt in     out     source               destination
� 
    0     0 int2ext    all      eth0   sit+    ::/0                 ::/0 
    0     0 ext2int    all      sit+   eth0    ::/0                 ::/0 
    0     0 LOG        all      *      *       ::/0                 ::/0       
�        LOG flags 0 level 7 prefix `FORWARD-default:' 
    0     0 DROP       all      *      *       ::/0                 ::/0 
 
Chain OUTPUT (policy DROP 0 packets, 0 bytes) 
 pkts bytes target     prot opt in     out     source               destination
� 
    0     0 extOUT     all      *      sit+    ::/0                 ::/0 
    4   384 intOUT     all      *      eth0    ::/0                 ::/0 
    0     0 ACCEPT     all      *      *       ::1/128              ::1/128 
    0     0 ACCEPT     all      *      lo      ::/0                 ::/0 
    0     0 LOG        all      *      *       ::/0                 ::/0       
�        LOG flags 0 level 7 prefix `OUTPUT-default:' 
    0     0 DROP       all      *      *       ::/0                 ::/0 
 
Chain ext2int (1 references) 
 pkts bytes target     prot opt in     out     source               destination
� 
    0     0 ACCEPT     icmpv6    *      *       ::/0                 ::/0 
    0     0 ACCEPT     tcp      *      *       ::/0                 ::/0       
�        tcp spts:1:65535 dpts:1024:65535 flags:!0x16/0x02 
    0     0 LOG        all      *      *       ::/0                 ::/0       
�        LOG flags 0 level 7 prefix `ext2int-default:' 
    0     0 DROP       tcp      *      *       ::/0                 ::/0 
    0     0 DROP       udp      *      *       ::/0                 ::/0 
    0     0 DROP       all      *      *       ::/0                 ::/0 
 
Chain extIN (1 references) 
 pkts bytes target     prot opt in     out     source               destination
� 
    0     0 ACCEPT     tcp      *      *       3ffe:400:100::1/128  ::/0       
�        tcp spts:512:65535 dpt:22 
    0     0 ACCEPT     tcp      *      *       3ffe:400:100::2/128  ::/0       
�        tcp spts:512:65535 dpt:22 
    0     0 ACCEPT     icmpv6    *      *       ::/0                 ::/0 
    0     0 ACCEPT     tcp      *      *       ::/0                 ::/0       
�        tcp spts:1:65535 dpts:1024:65535 flags:!0x16/0x02 
    0     0 ACCEPT     udp      *      *       ::/0                 ::/0       
�        udp spts:1:65535 dpts:1024:65535 
    0     0 LOG        all      *      *       ::/0                 ::/0       
�        limit: avg 5/min burst 5 LOG flags 0 level 7 prefix `extIN-default:' 
    0     0 DROP       all      *      *       ::/0                 ::/0 
 
Chain extOUT (1 references) 
 pkts bytes target     prot opt in     out     source               destination
� 
    0     0 ACCEPT     tcp      *      *       ::/0                
� 2001:0db8:100::1/128tcp spt:22 dpts:512:65535 flags:!0x16/0x02 
    0     0 ACCEPT     tcp      *      *       ::/0                
� 2001:0db8:100::2/128tcp spt:22 dpts:512:65535 flags:!0x16/0x02 
    0     0 ACCEPT     icmpv6    *      *       ::/0                 ::/0 
    0     0 ACCEPT     tcp      *      *       ::/0                 ::/0       
�        tcp spts:1024:65535 dpts:1:65535 
    0     0 ACCEPT     udp      *      *       ::/0                 ::/0       
�        udp spts:1024:65535 dpts:1:65535 
    0     0 LOG        all      *      *       ::/0                 ::/0       
�        LOG flags 0 level 7 prefix `extOUT-default:' 
    0     0 DROP       all      *      *       ::/0                 ::/0 
 
Chain int2ext (1 references) 
 pkts bytes target     prot opt in     out     source               destination
� 
    0     0 ACCEPT     icmpv6    *      *       ::/0                 ::/0 
    0     0 ACCEPT     tcp      *      *       ::/0                 ::/0       
�        tcp spts:1024:65535 dpts:1:65535 
    0     0 LOG        all      *      *       ::/0                 ::/0       
�        LOG flags 0 level 7 prefix `int2ext:' 
    0     0 DROP       all      *      *       ::/0                 ::/0 
    0     0 LOG        all      *      *       ::/0                 ::/0       
�        LOG flags 0 level 7 prefix `int2ext-default:' 
    0     0 DROP       tcp      *      *       ::/0                 ::/0 
    0     0 DROP       udp      *      *       ::/0                 ::/0 
    0     0 DROP       all      *      *       ::/0                 ::/0 
 
Chain intIN (1 references) 
 pkts bytes target     prot opt in     out     source               destination
� 
    0     0 ACCEPT     all      *      *       ::/0                
� fe80::/ffc0:: 
    4   384 ACCEPT     all      *      *       ::/0                 ff02::/16 
 
Chain intOUT (1 references) 
 pkts bytes target     prot opt in     out     source               destination
� 
    0     0 ACCEPT     all      *      *       ::/0                
� fe80::/ffc0:: 
    4   384 ACCEPT     all      *      *       ::/0                 ff02::/16 
    0     0 LOG        all      *      *       ::/0                 ::/0       
�        LOG flags 0 level 7 prefix `intOUT-default:' 
    0     0 DROP       all      *      *       ::/0                 ::/0 

 
 
  Published under the terms of the GNU General Public License Design by Interspire