Whole document tree
14.1. Firewalling
14.1.1. Firewalling using netfilter6
Native IPv6 firewalling is only supported in kernel versions 2.4+. In older 2.2- you can only filter IPv6-in-IPv4 by protocol 41.
Attention: no warranty that described rules or examples are really protect your system!
14.1.2. Preparation
14.1.2.1. Get sources
Get the latest kernel source: http://www.kernel.org/
Get the latest iptables package:
Source tarball (for kernel patches): http://www.netfilter.org/
Source RPM for rebuild of binary (for RedHat systems): ftp://ftp.redhat.com/redhat/linux/rawhide/SRPMS/SRPMS/ or perhaps also at http://www.netcore.fi/pekkas/linux/ipv6/
14.1.2.2. Extract sources
Change to source directory:
# cd /path/to/src
|
Unpack and rename kernel sources
# tar z|jxf kernel-version.tar.gz|bz2
# mv linux linux-version-iptables-version+IPv6
|
Unpack iptables sources
# tar z|jxf iptables-version.tar.gz|bz2
|
14.1.2.3. Apply latest iptables/IPv6-related patches to kernel source
Change to iptables directory
# cd iptables-version
|
Apply pending patches
# make pending-patches KERNEL_DIR=/path/to/src/linux-version-iptables-version/
|
Apply additional IPv6 related patches (still not in the vanilla kernel included)
# make patch-o-matic KERNEL_DIR=/path/to/src/linux-version-iptables-version/
|
Say yes at following options (iptables-1.2.2)
ah-esp.patch
masq-dynaddr.patch (only needed for systems with dynamic IP assigned WAN connections like PPP or PPPoE)
ipv6-agr.patch.ipv6
ipv6-ports.patch.ipv6
LOG.patch.ipv6
REJECT.patch.ipv6
Check IPv6 extensions
# make print-extensions
Extensions found: IPv6:owner IPv6:limit IPv6:mac IPv6:multiport
|
14.1.2.4. Configure, build and install new kernel
Change to kernel sources
# cd /path/to/src/linux-version-iptables-version/
|
Edit Makefile
- EXTRAVERSION =
+ EXTRAVERSION = -iptables-version+IPv6-try
|
Run configure, enable IPv6 related
Code maturity level options
Prompt for development and/or incomplete code/drivers : yes
Networking options
Network packet filtering: yes
The IPv6 protocol: module
IPv6: Netfilter Configuration
IP6 tables support: module
All new options like following:
limit match support: module
MAC address match support: module
Multiple port match support: module
Owner match support: module
netfilter MARK match support: module
Aggregated address check: module
Packet filtering: module
REJECT target support: module
LOG target support: module
Packet mangling: module
MARK target support: module
|
Configure other related to your system, too
Compilation and installing: see the kernel section here and other HOWTOs
14.1.2.5. Rebuild and install binaries of iptables
Make sure, that upper kernel source tree is also available at /usr/src/linux/
Rename older directory
# mv /usr/src/linux /usr/src/linux.old
|
Create a new softlink
# ln /path/to/src/linux-version-iptables-version /usr/src/linux
|
Rebuild SRPMS
# rpm --rebuild /path/to/SRPMS/iptables-version-release.src.rpm
|
Install new iptables packages (iptables + iptables-ipv6)
On RH 7.1 systems, normally, already an older version is installed, therefore use "freshen"
# rpm -Fhv /path/to/RPMS/cpu/iptables*-version-release.cpu.rpm
|
If not already installed, use "install"
# rpm -ihv /path/to/RPMS/cpu/iptables*-version-release.cpu.rpm
|
On RH 6.2 systems, normally, no kernel 2.4.x is installed, therefore the requirements don't fit. Use "--nodeps" to install it
# rpm -ihv --nodep /path/to/RPMS/cpu/iptables*-version-release.cpu.rpm
|
Perhaps it's necessary to create a softlink for iptables libraries where iptables looks for them
# ln -s /lib/iptables/ /usr/lib/iptables
|
14.1.3. Usage
14.1.3.1. Check for support
Load module, if so compiled
# modprobe ip6_tables
|
Check for capability
# [ ! -f /proc/net/ip6_tables_names ] && echo "Current kernel doesn't support
¬ 'ip6tables' firewalling (IPv6)!"
|
14.1.3.2. Learn how to use ip6tables
List all IPv6 netfilter entries
Short
# ip6tables -L
|
Extended
# ip6tables -n -v --line-numbers -L
|
List specified filter
# ip6tables -n -v --line-numbers -L INPUT
|
Insert a log rule at the input filter with options
# ip6tables --table filter --append INPUT -j LOG --log-prefix "INPUT:"
¬ --log-level 7
|
Insert a drop rule at the input filter
# ip6tables --table filter --append INPUT -j DROP
|
Delete a rule by number
# ip6tables --table filter --delete INPUT 1
|
Allow ICMPv6, at the moment, with unpatched kernel 2.4.5 and iptables-1.2.2 no type can be specified
Accept incoming ICMPv6 through tunnels
# ip6tables -A INPUT -i sit+ -p icmpv6 -j ACCEPT
|
Allow outgoing ICMPv6 through tunnels
# ip6tables -A OUTPUT -o sit+ -p icmpv6 -j ACCEPT
|
Allow incoming SSH, here an example is shown for a ruleset which allows incoming SSH connection from a specified IPv6 address
Allow incoming SSH from 3ffe:400:100::1/128
# ip6tables -A INPUT -i sit+ -p tcp -s 3ffe:400:100::1/128 --sport 512:65535
¬ --dport 22 -j ACCEPT
|
Allow response packets (at the moment IPv6 connection tracking isn't in mainstream netfilter6 implemented)
# ip6tables -A OUTPUT -o sit+ -p tcp -d 3ffe:400:100::1/128 --dport 512:65535
¬ --sport 22 ! --syn j ACCEPT
|
Enable tunneled IPv6-in-IPv4, to accept tunneled IPv6-in-IPv4 packets, you have to insert rules in your IPv4 firewall setup relating to such packets, for example
Accept incoming IPv6-in-IPv4 on interface ppp0
# iptables -A INPUT -i ppp0 -p ipv6 -j ACCEPT
|
Allow outgoing IPv6-in-IPv4 to interface ppp0
# iptables -A OUTPUT -o ppp0 -p ipv6 -j ACCEPT
|
If you have only a static tunnel, you can specify the IPv4 addresses, too, like
Accept incoming IPv6-in-IPv4 on interface ppp0 from tunnel endpoint 1.2.3.4
# iptables -A INPUT -i ppp0 -p ipv6 -s 1.2.3.4 -j ACCEPT
|
Allow outgoing IPv6-in-IPv4 to interface ppp0 to tunnel endpoint 1.2.3.4
# iptables -A OUTPUT -o ppp0 -p ipv6 -d 1.2.3.4 -j ACCEPT
|
Protect against incoming TCP connection requests (VERY RECOMMENDED!), for security issues you should really insert a rule which blocks incoming TCP connection requests. Adapt "-i" option, if other interface names are in use!
Block incoming TCP connection requests to this host
# ip6tables -I INPUT -i sit+ -p tcp --syn -j DROP
|
Block incoming TCP connection requests to hosts behind this router
# ip6tables -I FORWARD -i sit+ -p tcp --syn -j DROP
|
Perhaps the rules have to be placed below others, but that is work you have to think about it. Best way is to create a script and execute rules in a specified way.
Protect against incoming UDP connection requests (ALSO RECOMMENDED!), like mentioned on my firewall information it's possible to control the ports on outgoing UDP/TCP sessions. So if all of your local IPv6 systems are use local ports e.g. from 32768 to 60999 you are able to filter UDP connections also (until connection tracking works) like:
Block incoming UDP packets which cannot be responses of outgoing requests of this host
# ip6tables -I INPUT -i sit+ -p udp ! --dport 32768:60999 -j DROP
|
Block incoming UDP packets which cannot be responses of forwarded requests of hosts behind this router
ip6tables -I FORWARD -i sit+ -p udp ! --dport 32768:60999 -j DROP
|
14.1.3.3. Demonstration example
Following lines show a more sophisticated setup as an example. Happy netfilter6 ruleset creation....
# ip6tables -n -v -L
Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 extIN all sit+ * ::/0 ::/0
4 384 intIN all eth0 * ::/0 ::/0
0 0 ACCEPT all * * ::1/128 ::1/128
0 0 ACCEPT all lo * ::/0 ::/0
0 0 LOG all * * ::/0 ::/0
¬ LOG flags 0 level 7 prefix `INPUT-default:'
0 0 DROP all * * ::/0 ::/0
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
¬
0 0 int2ext all eth0 sit+ ::/0 ::/0
0 0 ext2int all sit+ eth0 ::/0 ::/0
0 0 LOG all * * ::/0 ::/0
¬ LOG flags 0 level 7 prefix `FORWARD-default:'
0 0 DROP all * * ::/0 ::/0
Chain OUTPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
¬
0 0 extOUT all * sit+ ::/0 ::/0
4 384 intOUT all * eth0 ::/0 ::/0
0 0 ACCEPT all * * ::1/128 ::1/128
0 0 ACCEPT all * lo ::/0 ::/0
0 0 LOG all * * ::/0 ::/0
¬ LOG flags 0 level 7 prefix `OUTPUT-default:'
0 0 DROP all * * ::/0 ::/0
Chain ext2int (1 references)
pkts bytes target prot opt in out source destination
¬
0 0 ACCEPT icmpv6 * * ::/0 ::/0
0 0 ACCEPT tcp * * ::/0 ::/0
¬ tcp spts:1:65535 dpts:1024:65535 flags:!0x16/0x02
0 0 LOG all * * ::/0 ::/0
¬ LOG flags 0 level 7 prefix `ext2int-default:'
0 0 DROP tcp * * ::/0 ::/0
0 0 DROP udp * * ::/0 ::/0
0 0 DROP all * * ::/0 ::/0
Chain extIN (1 references)
pkts bytes target prot opt in out source destination
¬
0 0 ACCEPT tcp * * 3ffe:400:100::1/128 ::/0
¬ tcp spts:512:65535 dpt:22
0 0 ACCEPT tcp * * 3ffe:400:100::2/128 ::/0
¬ tcp spts:512:65535 dpt:22
0 0 ACCEPT icmpv6 * * ::/0 ::/0
0 0 ACCEPT tcp * * ::/0 ::/0
¬ tcp spts:1:65535 dpts:1024:65535 flags:!0x16/0x02
0 0 ACCEPT udp * * ::/0 ::/0
¬ udp spts:1:65535 dpts:1024:65535
0 0 LOG all * * ::/0 ::/0
¬ limit: avg 5/min burst 5 LOG flags 0 level 7 prefix `extIN-default:'
0 0 DROP all * * ::/0 ::/0
Chain extOUT (1 references)
pkts bytes target prot opt in out source destination
¬
0 0 ACCEPT tcp * * ::/0
¬ 3ffe:400:100::1/128tcp spt:22 dpts:512:65535 flags:!0x16/0x02
0 0 ACCEPT tcp * * ::/0
¬ 3ffe:400:100::2/128tcp spt:22 dpts:512:65535 flags:!0x16/0x02
0 0 ACCEPT icmpv6 * * ::/0 ::/0
0 0 ACCEPT tcp * * ::/0 ::/0
¬ tcp spts:1024:65535 dpts:1:65535
0 0 ACCEPT udp * * ::/0 ::/0
¬ udp spts:1024:65535 dpts:1:65535
0 0 LOG all * * ::/0 ::/0
¬ LOG flags 0 level 7 prefix `extOUT-default:'
0 0 DROP all * * ::/0 ::/0
Chain int2ext (1 references)
pkts bytes target prot opt in out source destination
¬
0 0 ACCEPT icmpv6 * * ::/0 ::/0
0 0 ACCEPT tcp * * ::/0 ::/0
¬ tcp spts:1024:65535 dpts:1:65535
0 0 LOG all * * ::/0 ::/0
¬ LOG flags 0 level 7 prefix `int2ext:'
0 0 DROP all * * ::/0 ::/0
0 0 LOG all * * ::/0 ::/0
¬ LOG flags 0 level 7 prefix `int2ext-default:'
0 0 DROP tcp * * ::/0 ::/0
0 0 DROP udp * * ::/0 ::/0
0 0 DROP all * * ::/0 ::/0
Chain intIN (1 references)
pkts bytes target prot opt in out source destination
¬
0 0 ACCEPT all * * ::/0
¬ fe80::/ffc0::
4 384 ACCEPT all * * ::/0 ff02::/16
Chain intOUT (1 references)
pkts bytes target prot opt in out source destination
¬
0 0 ACCEPT all * * ::/0
¬ fe80::/ffc0::
4 384 ACCEPT all * * ::/0 ff02::/16
0 0 LOG all * * ::/0 ::/0
¬ LOG flags 0 level 7 prefix `intOUT-default:'
0 0 DROP all * * ::/0 ::/0
|