14.1. Firewalling

14.1.1. Firewalling using netfilter6

Native IPv6 firewalling is only supported in kernel versions 2.4+. In older 2.2- you can only filter IPv6-in-IPv4 by protocol 41.

Attention: no warranty that described rules or examples are really protect your system!

14.1.2. Preparation

14.1.2.1. Get sources

Get the latest kernel source: http://www.kernel.org/

Get the latest iptables package:

14.1.2.2. Extract sources

Change to source directory:

# cd /path/to/src 
    

Unpack and rename kernel sources

# tar z|jxf kernel-version.tar.gz|bz2 
# mv linux linux-version-iptables-version+IPv6 
    

Unpack iptables sources

# tar z|jxf iptables-version.tar.gz|bz2 
    

14.1.2.3. Apply latest iptables/IPv6-related patches to kernel source

Change to iptables directory

# cd iptables-version 
    

Apply pending patches

# make pending-patches KERNEL_DIR=/path/to/src/linux-version-iptables-version/ 
    

Apply additional IPv6 related patches (still not in the vanilla kernel included)

# make patch-o-matic KERNEL_DIR=/path/to/src/linux-version-iptables-version/ 
    

Say yes at following options (iptables-1.2.2)

  • ah-esp.patch

  • masq-dynaddr.patch (only needed for systems with dynamic IP assigned WAN connections like PPP or PPPoE)

  • ipv6-agr.patch.ipv6

  • ipv6-ports.patch.ipv6

  • LOG.patch.ipv6

  • REJECT.patch.ipv6

Check IPv6 extensions

# make print-extensions 
Extensions found: IPv6:owner IPv6:limit IPv6:mac IPv6:multiport
    

14.1.2.4. Configure, build and install new kernel

Change to kernel sources

# cd /path/to/src/linux-version-iptables-version/ 
    

Edit Makefile

- EXTRAVERSION = 
+ EXTRAVERSION = -iptables-version+IPv6-try 
    

Run configure, enable IPv6 related

            Code maturity level options 
                  Prompt for development and/or incomplete code/drivers : yes 
            Networking options 
                  Network packet filtering: yes 
                  The IPv6 protocol: module 
                       IPv6: Netfilter Configuration 
                             IP6 tables support: module 
                             All new options like following: 
                                   limit match support: module 
                                   MAC address match support: module 
                                   Multiple port match support: module 
                                   Owner match support: module 
                                   netfilter MARK match support: module 
                                   Aggregated address check: module 
                                   Packet filtering: module 
                                        REJECT target support: module 
                                        LOG target support: module 
                                   Packet mangling: module 
                                   MARK target support: module 
    

Configure other related to your system, too

Compilation and installing: see the kernel section here and other HOWTOs

14.1.2.5. Rebuild and install binaries of iptables

Make sure, that upper kernel source tree is also available at /usr/src/linux/

Rename older directory

# mv /usr/src/linux /usr/src/linux.old 
    

Create a new softlink

# ln /path/to/src/linux-version-iptables-version /usr/src/linux 
    

Rebuild SRPMS

# rpm --rebuild /path/to/SRPMS/iptables-version-release.src.rpm 
    

Install new iptables packages (iptables + iptables-ipv6)

  • On RH 7.1 systems, normally, already an older version is installed, therefore use "freshen"

# rpm -Fhv /path/to/RPMS/cpu/iptables*-version-release.cpu.rpm 
    

  • If not already installed, use "install"

# rpm -ihv /path/to/RPMS/cpu/iptables*-version-release.cpu.rpm 
    

  • On RH 6.2 systems, normally, no kernel 2.4.x is installed, therefore the requirements don't fit. Use "--nodeps" to install it

# rpm -ihv --nodep /path/to/RPMS/cpu/iptables*-version-release.cpu.rpm 
    

Perhaps it's necessary to create a softlink for iptables libraries where iptables looks for them

# ln -s /lib/iptables/ /usr/lib/iptables 
    

14.1.3. Usage

14.1.3.1. Check for support

Load module, if so compiled

# modprobe ip6_tables 
    

Check for capability

# [ ! -f /proc/net/ip6_tables_names ] && echo "Current kernel doesn't support
¬ 'ip6tables' firewalling (IPv6)!" 
    

14.1.3.2. Learn how to use ip6tables

List all IPv6 netfilter entries

  • Short

# ip6tables -L 
    

  • Extended

# ip6tables -n -v --line-numbers -L 
    

List specified filter

# ip6tables -n -v --line-numbers -L INPUT 
    

Insert a log rule at the input filter with options

# ip6tables --table filter --append INPUT  -j LOG --log-prefix "INPUT:"
¬ --log-level 7 
    

Insert a drop rule at the input filter

# ip6tables --table filter --append INPUT  -j DROP 
    

Delete a rule by number

# ip6tables --table filter --delete INPUT 1 
    

Allow ICMPv6, at the moment, with unpatched kernel 2.4.5 and iptables-1.2.2 no type can be specified

  • Accept incoming ICMPv6 through tunnels

# ip6tables -A INPUT -i sit+ -p icmpv6 -j ACCEPT 
    

  • Allow outgoing ICMPv6 through tunnels

# ip6tables -A OUTPUT -o sit+ -p icmpv6 -j ACCEPT 
    

Allow incoming SSH, here an example is shown for a ruleset which allows incoming SSH connection from a specified IPv6 address

  • Allow incoming SSH from 3ffe:400:100::1/128

# ip6tables -A INPUT -i sit+ -p tcp -s 3ffe:400:100::1/128 --sport 512:65535
¬ --dport 22 -j ACCEPT 
    

  • Allow response packets (at the moment IPv6 connection tracking isn't in mainstream netfilter6 implemented)

# ip6tables -A OUTPUT -o sit+ -p tcp -d 3ffe:400:100::1/128 --dport 512:65535
¬ --sport 22 ! --syn j ACCEPT 
    

Enable tunneled IPv6-in-IPv4, to accept tunneled IPv6-in-IPv4 packets, you have to insert rules in your IPv4 firewall setup relating to such packets, for example

  • Accept incoming IPv6-in-IPv4 on interface ppp0

# iptables -A INPUT -i ppp0 -p ipv6 -j ACCEPT 
    

  • Allow outgoing IPv6-in-IPv4 to interface ppp0

# iptables -A OUTPUT -o ppp0 -p ipv6 -j ACCEPT 
    

If you have only a static tunnel, you can specify the IPv4 addresses, too, like

  • Accept incoming IPv6-in-IPv4 on interface ppp0 from tunnel endpoint 1.2.3.4

# iptables -A INPUT -i ppp0 -p ipv6 -s 1.2.3.4 -j ACCEPT 
    

  • Allow outgoing IPv6-in-IPv4 to interface ppp0 to tunnel endpoint 1.2.3.4

# iptables -A OUTPUT -o ppp0 -p ipv6 -d 1.2.3.4 -j ACCEPT 
    

Protect against incoming TCP connection requests (VERY RECOMMENDED!), for security issues you should really insert a rule which blocks incoming TCP connection requests. Adapt "-i" option, if other interface names are in use!

  • Block incoming TCP connection requests to this host

# ip6tables -I INPUT -i sit+ -p tcp --syn -j DROP 
    

  • Block incoming TCP connection requests to hosts behind this router

# ip6tables -I FORWARD -i sit+ -p tcp --syn -j DROP 
    

Perhaps the rules have to be placed below others, but that is work you have to think about it. Best way is to create a script and execute rules in a specified way.

Protect against incoming UDP connection requests (ALSO RECOMMENDED!), like mentioned on my firewall information it's possible to control the ports on outgoing UDP/TCP sessions. So if all of your local IPv6 systems are use local ports e.g. from 32768 to 60999 you are able to filter UDP connections also (until connection tracking works) like:

  • Block incoming UDP packets which cannot be responses of outgoing requests of this host

# ip6tables -I INPUT -i sit+ -p udp ! --dport 32768:60999 -j DROP 
    

  • Block incoming UDP packets which cannot be responses of forwarded requests of hosts behind this router

ip6tables -I FORWARD -i sit+ -p udp ! --dport 32768:60999 -j DROP 
    

14.1.3.3. Demonstration example

Following lines show a more sophisticated setup as an example. Happy netfilter6 ruleset creation....

# ip6tables -n -v -L 
Chain INPUT (policy DROP 0 packets, 0 bytes) 
 pkts bytes target     prot opt in     out     source               destination
    0     0 extIN      all      sit+   *       ::/0                 ::/0 
    4   384 intIN      all      eth0   *       ::/0                 ::/0 
    0     0 ACCEPT     all      *      *       ::1/128              ::1/128 
    0     0 ACCEPT     all      lo     *       ::/0                 ::/0 
    0     0 LOG        all      *      *       ::/0                 ::/0       
¬        LOG flags 0 level 7 prefix `INPUT-default:' 
    0     0 DROP       all      *      *       ::/0                 ::/0 
 
Chain FORWARD (policy DROP 0 packets, 0 bytes) 
 pkts bytes target     prot opt in     out     source               destination
¬ 
    0     0 int2ext    all      eth0   sit+    ::/0                 ::/0 
    0     0 ext2int    all      sit+   eth0    ::/0                 ::/0 
    0     0 LOG        all      *      *       ::/0                 ::/0       
¬        LOG flags 0 level 7 prefix `FORWARD-default:' 
    0     0 DROP       all      *      *       ::/0                 ::/0 
 
Chain OUTPUT (policy DROP 0 packets, 0 bytes) 
 pkts bytes target     prot opt in     out     source               destination
¬ 
    0     0 extOUT     all      *      sit+    ::/0                 ::/0 
    4   384 intOUT     all      *      eth0    ::/0                 ::/0 
    0     0 ACCEPT     all      *      *       ::1/128              ::1/128 
    0     0 ACCEPT     all      *      lo      ::/0                 ::/0 
    0     0 LOG        all      *      *       ::/0                 ::/0       
¬        LOG flags 0 level 7 prefix `OUTPUT-default:' 
    0     0 DROP       all      *      *       ::/0                 ::/0 
 
Chain ext2int (1 references) 
 pkts bytes target     prot opt in     out     source               destination
¬ 
    0     0 ACCEPT     icmpv6    *      *       ::/0                 ::/0 
    0     0 ACCEPT     tcp      *      *       ::/0                 ::/0       
¬        tcp spts:1:65535 dpts:1024:65535 flags:!0x16/0x02 
    0     0 LOG        all      *      *       ::/0                 ::/0       
¬        LOG flags 0 level 7 prefix `ext2int-default:' 
    0     0 DROP       tcp      *      *       ::/0                 ::/0 
    0     0 DROP       udp      *      *       ::/0                 ::/0 
    0     0 DROP       all      *      *       ::/0                 ::/0 
 
Chain extIN (1 references) 
 pkts bytes target     prot opt in     out     source               destination
¬ 
    0     0 ACCEPT     tcp      *      *       3ffe:400:100::1/128  ::/0       
¬        tcp spts:512:65535 dpt:22 
    0     0 ACCEPT     tcp      *      *       3ffe:400:100::2/128  ::/0       
¬        tcp spts:512:65535 dpt:22 
    0     0 ACCEPT     icmpv6    *      *       ::/0                 ::/0 
    0     0 ACCEPT     tcp      *      *       ::/0                 ::/0       
¬        tcp spts:1:65535 dpts:1024:65535 flags:!0x16/0x02 
    0     0 ACCEPT     udp      *      *       ::/0                 ::/0       
¬        udp spts:1:65535 dpts:1024:65535 
    0     0 LOG        all      *      *       ::/0                 ::/0       
¬        limit: avg 5/min burst 5 LOG flags 0 level 7 prefix `extIN-default:' 
    0     0 DROP       all      *      *       ::/0                 ::/0 
 
Chain extOUT (1 references) 
 pkts bytes target     prot opt in     out     source               destination
¬ 
    0     0 ACCEPT     tcp      *      *       ::/0                
¬ 3ffe:400:100::1/128tcp spt:22 dpts:512:65535 flags:!0x16/0x02 
    0     0 ACCEPT     tcp      *      *       ::/0                
¬ 3ffe:400:100::2/128tcp spt:22 dpts:512:65535 flags:!0x16/0x02 
    0     0 ACCEPT     icmpv6    *      *       ::/0                 ::/0 
    0     0 ACCEPT     tcp      *      *       ::/0                 ::/0       
¬        tcp spts:1024:65535 dpts:1:65535 
    0     0 ACCEPT     udp      *      *       ::/0                 ::/0       
¬        udp spts:1024:65535 dpts:1:65535 
    0     0 LOG        all      *      *       ::/0                 ::/0       
¬        LOG flags 0 level 7 prefix `extOUT-default:' 
    0     0 DROP       all      *      *       ::/0                 ::/0 
 
Chain int2ext (1 references) 
 pkts bytes target     prot opt in     out     source               destination
¬ 
    0     0 ACCEPT     icmpv6    *      *       ::/0                 ::/0 
    0     0 ACCEPT     tcp      *      *       ::/0                 ::/0       
¬        tcp spts:1024:65535 dpts:1:65535 
    0     0 LOG        all      *      *       ::/0                 ::/0       
¬        LOG flags 0 level 7 prefix `int2ext:' 
    0     0 DROP       all      *      *       ::/0                 ::/0 
    0     0 LOG        all      *      *       ::/0                 ::/0       
¬        LOG flags 0 level 7 prefix `int2ext-default:' 
    0     0 DROP       tcp      *      *       ::/0                 ::/0 
    0     0 DROP       udp      *      *       ::/0                 ::/0 
    0     0 DROP       all      *      *       ::/0                 ::/0 
 
Chain intIN (1 references) 
 pkts bytes target     prot opt in     out     source               destination
¬ 
    0     0 ACCEPT     all      *      *       ::/0                
¬ fe80::/ffc0:: 
    4   384 ACCEPT     all      *      *       ::/0                 ff02::/16 
 
Chain intOUT (1 references) 
 pkts bytes target     prot opt in     out     source               destination
¬ 
    0     0 ACCEPT     all      *      *       ::/0                
¬ fe80::/ffc0:: 
    4   384 ACCEPT     all      *      *       ::/0                 ff02::/16 
    0     0 LOG        all      *      *       ::/0                 ::/0       
¬        LOG flags 0 level 7 prefix `intOUT-default:' 
    0     0 DROP       all      *      *       ::/0                 ::/0