zeldor.biz

Linux, programming and more

Copyright © 2025
Log in

IPv6 and ip6tables

July 24, 2010 by Igor Drobot 3 Comments

I describe a little bit how to secure your IPv6 server with Netfilter-ip6tables.

Refer to the IANA message types.

My example IPv6 firewall script:

Earlier predefined variables:

1
2
IPT6="/sbin/ip6tables"
OUTER="eth0"

IPT6="/sbin/ip6tables" OUTER="eth0"

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
# Clean old IPv6 firewall
$IPT6 -F
$IPT6 -X
 
# Clean old iptables v6 tables
for chain in mangle filter
do
    $IPT6 -t $chain -F
    $IPT6 -t $chain -X
done
 
# Set IPv6 default chains
$IPT6 -P INPUT DROP 
$IPT6 -P FORWARD DROP
$IPT6 -P OUTPUT ACCEPT
 
$IPT6 -A INPUT -i $OUTER -m state --state RELATED,ESTABLISHED -j ACCEPT
 
$IPT6 -A INPUT -i lo -j ACCEPT
 
# Allow SSH from Hetzner IPv6-NET
$IPT6 -A INPUT -s 2001:470:1f0b:1604::/64 -i $OUTER -p tcp -m tcp --dport 22 -j ACCEPT
 
# Allow SSH from Home IPv6-NET
$IPT6 -A INPUT -s 2001:470:1f0b:1514::/64 -i $OUTER -p tcp -m tcp --dport 22 -j ACCEPT
 
# Allow ICMP from Hetzner IPv6-NET
$IPT6 -A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 128 -m limit --limit 15/sec -s 2001:470:1f0b:1604::/64 -j ACCEPT
$IPT6 -A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 129 -m limit --limit 15/sec -s 2001:470:1f0b:1604::/64 -j ACCEPT
 
# Allow ICMP from Home IPv6-NET
$IPT6 -A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 128 -m limit --limit 15/sec -s 2001:470:1f0b:1514::/64 -j ACCEPT
$IPT6 -A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 129 -m limit --limit 15/sec -s 2001:470:1f0b:1514::/64 -j ACCEPT
 
$IPT6 -A INPUT -i $OUTER -p tcp -m tcp --dport 25 -j ACCEPT     # SMTP  
$IPT6 -A INPUT -i $OUTER -p tcp -m tcp --dport 53 -j ACCEPT     # DNS via TCP
$IPT6 -A INPUT -i $OUTER -p udp -m udp --dport 53 -j ACCEPT     # DNS via UDP
$IPT6 -A INPUT -i $OUTER -p tcp -m tcp --dport 80 -j ACCEPT     # HTTP
$IPT6 -A INPUT -i $OUTER -p tcp -m tcp --dport 110 -j ACCEPT    # POP3
$IPT6 -A INPUT -i $OUTER -p tcp -m tcp --dport 143 -j ACCEPT    # IMAP
$IPT6 -A INPUT -i $OUTER -p tcp -m tcp -s 2001:470:1f0b:1604::3/64 --dport 4949 -j ACCEPT
 
$IPT6 -A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 133 -m hl --hl-eq 255 -j ACCEPT
$IPT6 -A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 134 -m hl --hl-eq 255 -j ACCEPT
$IPT6 -A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 135 -m hl --hl-eq 255 -j ACCEPT
$IPT6 -A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 136 -m hl --hl-eq 255 -j ACCEPT
$IPT6 -A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 137 -m hl --hl-eq 255 -j ACCEPT
 
$IPT6 -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
 
# Example of logging
$IPT6 -A INPUT -p ipv6-icmp -j LOG --log-prefix "Dropped ICMPv6 Packets "

# Clean old IPv6 firewall $IPT6 -F $IPT6 -X # Clean old iptables v6 tables for chain in mangle filter do $IPT6 -t $chain -F $IPT6 -t $chain -X done # Set IPv6 default chains $IPT6 -P INPUT DROP $IPT6 -P FORWARD DROP $IPT6 -P OUTPUT ACCEPT $IPT6 -A INPUT -i $OUTER -m state --state RELATED,ESTABLISHED -j ACCEPT $IPT6 -A INPUT -i lo -j ACCEPT # Allow SSH from Hetzner IPv6-NET $IPT6 -A INPUT -s 2001:470:1f0b:1604::/64 -i $OUTER -p tcp -m tcp --dport 22 -j ACCEPT # Allow SSH from Home IPv6-NET $IPT6 -A INPUT -s 2001:470:1f0b:1514::/64 -i $OUTER -p tcp -m tcp --dport 22 -j ACCEPT # Allow ICMP from Hetzner IPv6-NET $IPT6 -A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 128 -m limit --limit 15/sec -s 2001:470:1f0b:1604::/64 -j ACCEPT $IPT6 -A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 129 -m limit --limit 15/sec -s 2001:470:1f0b:1604::/64 -j ACCEPT # Allow ICMP from Home IPv6-NET $IPT6 -A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 128 -m limit --limit 15/sec -s 2001:470:1f0b:1514::/64 -j ACCEPT $IPT6 -A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 129 -m limit --limit 15/sec -s 2001:470:1f0b:1514::/64 -j ACCEPT $IPT6 -A INPUT -i $OUTER -p tcp -m tcp --dport 25 -j ACCEPT # SMTP $IPT6 -A INPUT -i $OUTER -p tcp -m tcp --dport 53 -j ACCEPT # DNS via TCP $IPT6 -A INPUT -i $OUTER -p udp -m udp --dport 53 -j ACCEPT # DNS via UDP $IPT6 -A INPUT -i $OUTER -p tcp -m tcp --dport 80 -j ACCEPT # HTTP $IPT6 -A INPUT -i $OUTER -p tcp -m tcp --dport 110 -j ACCEPT # POP3 $IPT6 -A INPUT -i $OUTER -p tcp -m tcp --dport 143 -j ACCEPT # IMAP $IPT6 -A INPUT -i $OUTER -p tcp -m tcp -s 2001:470:1f0b:1604::3/64 --dport 4949 -j ACCEPT $IPT6 -A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 133 -m hl --hl-eq 255 -j ACCEPT $IPT6 -A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 134 -m hl --hl-eq 255 -j ACCEPT $IPT6 -A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 135 -m hl --hl-eq 255 -j ACCEPT $IPT6 -A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 136 -m hl --hl-eq 255 -j ACCEPT $IPT6 -A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 137 -m hl --hl-eq 255 -j ACCEPT $IPT6 -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT # Example of logging $IPT6 -A INPUT -p ipv6-icmp -j LOG --log-prefix "Dropped ICMPv6 Packets "

Filed Under: IPv6, Linux, Networking Tagged With: ip6tables, iptables, Ipv6, IPv6 security, netfilter

Categories

Archives

Tags

apache2 Apple arduino ARM Automation backup bash Cisco Cluster Corosync Database Debian Debian squeeze DIY DNS Fedora FTP Fun Icinga Ipv6 KVM Linux LVM MAC OS X Monitoring MySQL Nagios Nginx openSUSE OpenVPN PHP Proxy Python python3 qemu RAID rsync Samba security ssh Ubuntu virtualization Windows Windows 7 Wordpress

Comments

  1. bmq says

    March 12, 2014 at 00:59

    Please use ip6tables-save to save your config and ip6tables-restore to restore it. The way you posted it the kernel firewall ruleset is evaluated at each line of the script, while restoring the firewall ruleset with ip6tables-restore enters the entire ruleset in one go. This is both quicker (performace gain) as well as safer (connection integrity).

  2. zeldor says

    June 23, 2011 at 16:03

    Create a new file “/etc/init.d/firewallv6”
    Put this bash script in it, execute it “sh /etc/init.d/firewallv6”

    Enjoy your security;)

  3. rosniza says

    June 23, 2011 at 15:52

    how to configure this script on ubuntu 10

Leave a Reply

Your email address will not be published. Required fields are marked *

Yeaaah Cookie! We use cookies to ensure that we give you the best experience on our website. If you continue to use this site we will assume that you are happy with it.Ok