Start | Previous | Next

IPv6 & Linux - HowTo - Part 8

Version: 3.20c from 2001-09-22

(P) & (C) 2001 by Peter Bieringer <pb@bieringer.de>, see copyright notice for more details
Original site of publishing: http://www.bieringer.de/linux/IPv6/; suggestions, comments and improvements are welcome!

Firewalling

Firewalling using netfilter6

Firewalling using netfilter6

Native IPv6 firewalling is only supported in kernel versions 2.4+. In older 2.2- you can only filter IPv6-in-IPv4 by protocol 41.

Attention: no warranty that described rules or examples are really protect your system!

URLs

Main: http://netfilter.filewatcher.org/
Maillist archive:

Users: http://lists.samba.org/pipermail/netfilter/
Developers: http://lists.samba.org/pipermail/netfilter-devel/

Unofficial status informations: status/IPv6+Linux-status-kernel.html#netfilter6

Preparation

Step 1: Get sources

Get the latest kernel source (2.4.5 as written this page): http://www.kernel.org/
Get the latest iptables package (1.2.2. as written this page):

Source tarball (for kernel patches): http://netfilter.filewatcher.org/
Source RPM for rebuild of binary (for RedHat systems):

Step 2: Extract sources

Change to source directory

cd /path/to/src

Unpack and rename kernel sources

tar z|jxf kernel-version.tar.gz|bz2
mv linux linux-version-iptables-version+IPv6

Unpack iptables sources

tar z|jxf iptables-version.tar.gz|bz2

Step 3: Apply latest iptables/IPv6-related patches to kernel source

Change to iptables directory

cd iptables-version

Apply pending patches

make pending-patches KERNEL_DIR=/path/to/src/linux-version-iptables-version/

Apply additional IPv6 related patches (still not in the vanilla kernel included)

make patch-o-matic KERNEL_DIR=/path/to/src/linux-version-iptables-version/
Say yes at following options (iptables-1.2.2)

ah-esp.patch
masq-dynaddr.patch (only needed for systems with dynamic IP assigned WAN connections like PPP or PPPoE)
ipv6-agr.patch.ipv6
ipv6-ports.patch.ipv6
LOG.patch.ipv6
REJECT.patch.ipv6

Check IPv6 extensions

make print-extensions

Extensions found: IPv6:owner IPv6:limit IPv6:mac IPv6:multiport

Step 4: Configure, build and install new kernel

Change to kernel sources

cd /path/to/src/linux-version-iptables-version/

Edit Makefile

- EXTRAVERSION =
+ EXTRAVERSION = -iptables-version+IPv6-try

Run configure, enable IPv6 related

Code maturity level options

Prompt for development and/or incomplete code/drivers : yes

Networking options

Network packet filtering: yes
The IPv6 protocol: module

IPv6: Netfilter Configuration

IP6 tables support: module
All new options like following:

limit match support: module
MAC address match support: module
Multiple port match support: module
Owner match support: module
netfilter MARK match support: module
Aggregated address check: module
Packet filtering: module

REJECT target support: module
LOG target support: module

Packet mangling: module
MARK target support: module

Configure other related to your system, too
Compilation and installing: see the kernel section here and other HowTos

Step 5: Rebuild and install binaries of iptables

Make sure, that upper kernel source tree is also available at /usr/src/linux/

Rename older directory

mv /usr/src/linux /usr/src/linux.old

Create a new softlink

ln /path/to/src/linux-version-iptables-version /usr/src/linux

Rebuild SRPMS

rpm --rebuild /path/to/SRPMS/iptables-version-release.src.rpm

Install new iptables packages (iptables + iptables-ipv6)

On RH 7.1 systems

Normally, already an older version is installed, therefore use "freshen"

rpm -Fhv /path/to/RPMS/cpu/iptables*-version-release.cpu.rpm

If not already installed, use "install"

rpm -ihv /path/to/RPMS/cpu/iptables*-version-release.cpu.rpm

On RH 6.2 systems

Normally, no kernel 2.4.x is installed, therefore the requirements don't fit. Use "--nodeps" to install it

rpm -ihv --nodep /path/to/RPMS/cpu/iptables*-version-release.cpu.rpm

Perhaps it's necessary to create a softlink for iptables libaries where iptables looks for them

ln -s /lib/iptables/ /usr/lib/iptables

Usage

Check for support

Load module, if so compiled

modprobe ip6_tables

Check for capability

if [ ! -f /proc/net/ip6_tables_names ]; then

echo "Current kernel doesn't support 'ip6tables' firewalling (IPv6)!"

exit 1

fi

Learn to use ip6tables

List all IPv6 netfilter entries

Short

ip6tables -L

Extended

ip6tables -n -v --line-numbers -L

List specified filter

ip6tables -n -v --line-numbers -L INPUT

Insert a log rule at the input filter with options

ip6tables --table filter --append INPUT -j LOG --log-prefix "INPUT:" --log-level 7

Insert a drop rule at the input filter

ip6tables --table filter --append INPUT -j DROP

Delete a rule by number

ip6tables --table filter --delete INPUT 1

Allow ICMPv6

At the moment, with unpatched kernel 2.4.5 and iptables-1.2.2 no type can be specified

Accept incoming ICMPv6 through tunnels

ip6tables -A INPUT -i sit+ -p icmpv6 -j ACCEPT

Allow outgoing ICMPv6 through tunnels

ip6tables -A OUTPUT -o sit+ -p icmpv6 -j ACCEPT

Allow incoming SSH

Here an example is shown for a ruleset which allows incoming SSH connection from a specified IPv6 address

Allow incoming SSH from 3ffe:400:100::1/128

ip6tables -A INPUT -i sit+ -p tcp -s 3ffe:400:100::1/128 --sport 512:65535 --dport 22 -j ACCEPT

Allow response packets (at the moment IPv6 connection tracking isn't in mainstream netfilter6 implemented)

ip6tables -A OUTPUT -o sit+ -p tcp -d 3ffe:400:100::1/128 --dport 512:65535 --sport 22 ! --syn j ACCEPT

Enable tunneled IPv6-in-IPv4

To accept tunneled IPv6-in-IPv4 packets, you have to insert rules in your IPv4 firewall setup relating to such packets, for example

Accept incoming IPv6-in-IPv4 on interface ppp0

iptables -A INPUT -i ppp0 -p ipv6 -j ACCEPT

Allow outgoing IPv6-in-IPv4 to interface ppp0

iptables -A OUTPUT -o ppp0 -p ipv6 -j ACCEPT

If you have only a static tunnel, you can specify the IPv4 addresses, too, like

Accept incoming IPv6-in-IPv4 on interface ppp0 from tunnel endpoint 1.2.3.4

iptables -A INPUT -i ppp0 -p ipv6 -s 1.2.3.4 -j ACCEPT

Allow outgoing IPv6-in-IPv4 to interface ppp0 to tunnel endpoint 1.2.3.4

iptables -A OUTPUT -o ppp0 -p ipv6 -d 1.2.3.4 -j ACCEPT

Protect against incoming TCP connection requests (VERY RECOMMENDED!)

For security issues you should really insert a rule which blocks incoming TCP connection requests.
Adapt "-i" option, if other interface names are in use!

Block incoming TCP connection requests to this host

ip6tables -I INPUT -i sit+ -p tcp --syn -j DROP

Block incoming TCP connection requests to hosts behind this router

ip6tables -I FORWARD -i sit+ -p tcp --syn -j DROP

Perhaps the rules have to be placed below others, but that is work you have to think about it. Best way is to create a script and execute rules in a specified way.

Protect against incoming UDP connection requests (ALSO RECOMMENDED!)

Like mentioned on my firewall information it's possible to control the ports on outgoing UDP/TCP sessions.
So if all of your local IPv6 systems are use local ports e.g. from 32768 to 60999 you are able to filter UDP connections also (until connection tracking works) like:

Block incoming UDP packets which cannot be responses of outgoing requests of this host

ip6tables -I INPUT -i sit+ -p udp ! --dport 32768:60999 -j DROP

Block incoming UDP packets which cannot be responses of forwarded requests of hosts behind this router

ip6tables -I FORWARD -i sit+ -p udp ! --dport 32768:60999 -j DROP

Demonstration example

Following lines show a more sophisticated setup as an example. Happy netfilter6 ruleset creation....

# ip6tables -n -v -L
Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target     prot opt in     out     source               destination
    0     0 extIN      all      sit+   *       ::/0                 ::/0
    4   384 intIN      all      eth0   *       ::/0                 ::/0
    0     0 ACCEPT     all      *      *       ::1/128              ::1/128
    0     0 ACCEPT     all      lo     *       ::/0                 ::/0
    0     0 LOG        all      *      *       ::/0                 ::/0               LOG flags 0 level 7 prefix `INPUT-default:'
    0     0 DROP       all      *      *       ::/0                 ::/0

Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target     prot opt in     out     source               destination
    0     0 int2ext    all      eth0   sit+    ::/0                 ::/0
    0     0 ext2int    all      sit+   eth0    ::/0                 ::/0
    0     0 LOG        all      *      *       ::/0                 ::/0               LOG flags 0 level 7 prefix `FORWARD-default:'
    0     0 DROP       all      *      *       ::/0                 ::/0

Chain OUTPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target     prot opt in     out     source               destination
    0     0 extOUT     all      *      sit+    ::/0                 ::/0
    4   384 intOUT     all      *      eth0    ::/0                 ::/0
    0     0 ACCEPT     all      *      *       ::1/128              ::1/128
    0     0 ACCEPT     all      *      lo      ::/0                 ::/0
    0     0 LOG        all      *      *       ::/0                 ::/0               LOG flags 0 level 7 prefix `OUTPUT-default:'
    0     0 DROP       all      *      *       ::/0                 ::/0

Chain ext2int (1 references)
pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     icmpv6    *      *       ::/0                 ::/0
    0     0 ACCEPT     tcp      *      *       ::/0                 ::/0               tcp spts:1:65535 dpts:1024:65535 flags:!0x16/0x02
    0     0 LOG        all      *      *       ::/0                 ::/0               LOG flags 0 level 7 prefix `ext2int-default:'
    0     0 DROP       tcp      *      *       ::/0                 ::/0
    0     0 DROP       udp      *      *       ::/0                 ::/0
    0     0 DROP       all      *      *       ::/0                 ::/0

Chain extIN (1 references)
pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     tcp      *      *       3ffe:400:100::1/128 ::/0               tcp spts:512:65535 dpt:22
    0     0 ACCEPT     tcp      *      *       3ffe:400:100::2/128 ::/0               tcp spts:512:65535 dpt:22
    0     0 ACCEPT     icmpv6    *      *       ::/0                 ::/0
    0     0 ACCEPT     tcp      *      *       ::/0                 ::/0               tcp spts:1:65535 dpts:1024:65535 flags:!0x16/0x02
    0     0 ACCEPT     udp      *      *       ::/0                 ::/0               udp spts:1:65535 dpts:1024:65535
    0     0 LOG        all      *      *       ::/0                 ::/0               limit: avg 5/min burst 5 LOG flags 0 level 7 prefix `extIN-default:'
    0     0 DROP       all      *      *       ::/0                 ::/0

Chain extOUT (1 references)
pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     tcp      *      *       ::/0                 3ffe:400:100::1/128tcp spt:22 dpts:512:65535 flags:!0x16/0x02
    0     0 ACCEPT     tcp      *      *       ::/0                 3ffe:400:100::2/128tcp spt:22 dpts:512:65535 flags:!0x16/0x02
    0     0 ACCEPT     icmpv6    *      *       ::/0                 ::/0
    0     0 ACCEPT     tcp      *      *       ::/0                 ::/0               tcp spts:1024:65535 dpts:1:65535
    0     0 ACCEPT     udp      *      *       ::/0                 ::/0               udp spts:1024:65535 dpts:1:65535
    0     0 LOG        all      *      *       ::/0                 ::/0               LOG flags 0 level 7 prefix `extOUT-default:'
    0     0 DROP       all      *      *       ::/0                 ::/0

Chain int2ext (1 references)
pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     icmpv6    *      *       ::/0                 ::/0
    0     0 ACCEPT     tcp      *      *       ::/0                 ::/0               tcp spts:1024:65535 dpts:1:65535
    0     0 LOG        all      *      *       ::/0                 ::/0               LOG flags 0 level 7 prefix `int2ext:'
    0     0 DROP       all      *      *       ::/0                 ::/0
    0     0 LOG        all      *      *       ::/0                 ::/0               LOG flags 0 level 7 prefix `int2ext-default:'
    0     0 DROP       tcp      *      *       ::/0                 ::/0
    0     0 DROP       udp      *      *       ::/0                 ::/0
    0     0 DROP       all      *      *       ::/0                 ::/0

Chain intIN (1 references)
pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all      *      *       ::/0                 fe80::/ffc0::
    4   384 ACCEPT     all      *      *       ::/0                 ff02::/16

Chain intOUT (1 references)
pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all      *      *       ::/0                 fe80::/ffc0::
    4   384 ACCEPT     all      *      *       ::/0                 ff02::/16
    0     0 LOG        all      *      *       ::/0                 ::/0               LOG flags 0 level 7 prefix `intOUT-default:'
    0     0 DROP       all      *      *       ::/0                 ::/0