zeldor.biz

Linux, programming and more

IPv6 and ip6tables

July 24, 2010 by Igor Drobot

Here I describe briefly how to secure your IPv6 server with Netfilter's ip6tables.

Refer to the IANA registry of ICMPv6 message types for the type numbers used below.

My example IPv6 firewall script:

Variables defined earlier in the script:

IPT6="/sbin/ip6tables"
OUTER="eth0"

# Clean old IPv6 firewall
$IPT6 -F
$IPT6 -X

# Clean old iptables v6 tables
for chain in mangle filter
do
    $IPT6 -t $chain -F
    $IPT6 -t $chain -X
done

# Set IPv6 default chains: everything not explicitly accepted below is dropped
$IPT6 -P INPUT DROP
$IPT6 -P FORWARD DROP
$IPT6 -P OUTPUT ACCEPT

# Replies to connections this host opened; conntrack also classifies ICMPv6
# error messages belonging to a tracked flow as RELATED
$IPT6 -A INPUT -i $OUTER -m state --state RELATED,ESTABLISHED -j ACCEPT

$IPT6 -A INPUT -i lo -j ACCEPT

# Allow SSH from Hetzner IPv6-NET
$IPT6 -A INPUT -s 2001:470:1f0b:1604::/64 -i $OUTER -p tcp -m tcp --dport 22 -j ACCEPT

# Allow SSH from Home IPv6-NET
$IPT6 -A INPUT -s 2001:470:1f0b:1514::/64 -i $OUTER -p tcp -m tcp --dport 22 -j ACCEPT

# Allow ICMP from Hetzner IPv6-NET (echo request 128 / echo reply 129, rate limited)
$IPT6 -A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 128 -m limit --limit 15/sec -s 2001:470:1f0b:1604::/64 -j ACCEPT
$IPT6 -A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 129 -m limit --limit 15/sec -s 2001:470:1f0b:1604::/64 -j ACCEPT

# Allow ICMP from Home IPv6-NET
$IPT6 -A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 128 -m limit --limit 15/sec -s 2001:470:1f0b:1514::/64 -j ACCEPT
$IPT6 -A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 129 -m limit --limit 15/sec -s 2001:470:1f0b:1514::/64 -j ACCEPT

# Public services
$IPT6 -A INPUT -i $OUTER -p tcp -m tcp --dport 25 -j ACCEPT     # SMTP
$IPT6 -A INPUT -i $OUTER -p tcp -m tcp --dport 53 -j ACCEPT     # DNS via TCP
$IPT6 -A INPUT -i $OUTER -p udp -m udp --dport 53 -j ACCEPT     # DNS via UDP
$IPT6 -A INPUT -i $OUTER -p tcp -m tcp --dport 80 -j ACCEPT     # HTTP
$IPT6 -A INPUT -i $OUTER -p tcp -m tcp --dport 110 -j ACCEPT    # POP3
$IPT6 -A INPUT -i $OUTER -p tcp -m tcp --dport 143 -j ACCEPT    # IMAP

# Port 4949 (munin-node) from the monitoring host. Note that the /64 mask
# matches the whole prefix, not only the ::3 address; use /128 to restrict
# the rule to that single host
$IPT6 -A INPUT -i $OUTER -p tcp -m tcp -s 2001:470:1f0b:1604::3/64 --dport 4949 -j ACCEPT

# Neighbor Discovery: Router Solicitation (133), Router Advertisement (134),
# Neighbor Solicitation (135), Neighbor Advertisement (136), Redirect (137).
# These are always sent with hop limit 255, so a packet with a lower hop
# limit has been routed and is not a legitimate on-link message
$IPT6 -A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 133 -m hl --hl-eq 255 -j ACCEPT
$IPT6 -A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 134 -m hl --hl-eq 255 -j ACCEPT
$IPT6 -A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 135 -m hl --hl-eq 255 -j ACCEPT
$IPT6 -A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 136 -m hl --hl-eq 255 -j ACCEPT
$IPT6 -A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 137 -m hl --hl-eq 255 -j ACCEPT

# Same as the first state rule, but for every interface
$IPT6 -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

# Example of logging: ICMPv6 that reached this point is logged and then
# dropped by the INPUT policy. Without "-m limit" a flood of ICMPv6 will
# also flood the log
$IPT6 -A INPUT -p ipv6-icmp -j LOG --log-prefix "Dropped ICMPv6 Packets "

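The script above admits echo and Neighbor Discovery but has no explicit rule for the ICMPv6 error messages (types 1 to 4); in particular, silently dropping Packet Too Big (type 2) breaks path MTU discovery. As an added check that is not part of the original post, this POSIX shell snippet audits the text printed by `ip6tables -S INPUT` for the types RFC 4890 says a host must accept (the error messages and Neighbor Discovery 133-137); the function name, the sample ruleset (built from the script above) and the extra error rules are my own constructions.

```shell
#!/bin/sh
# Audit the INPUT chain for ICMPv6 types a host must accept (RFC 4890):
#   1 Destination Unreachable, 2 Packet Too Big, 3 Time Exceeded,
#   4 Parameter Problem, 133-137 Neighbor Discovery.
# Input is the text printed by `ip6tables -S INPUT`; nothing is changed.
REQUIRED_ICMPV6_TYPES="1 2 3 4 133 134 135 136 137"

# Print, space separated, the required types that have no explicit ACCEPT rule.
# The -m state RELATED rule only admits error messages that conntrack can tie
# to a tracked flow, so an explicit rule is what the audit looks for.
missing_icmpv6_types() {
    rules="$1"
    missing=""
    for t in $REQUIRED_ICMPV6_TYPES; do
        # match "--icmpv6-type <t>" (optionally "<t>/<code>") on an ACCEPT rule
        if ! printf '%s\n' "$rules" |
             grep -E -e "--icmpv6-type ${t}(/[0-9]+)? .*-j ACCEPT" >/dev/null; then
            missing="${missing:+$missing }$t"
        fi
    done
    printf '%s\n' "$missing"
}

# Constructed sample (hypothetical): the ICMPv6 part of the script above as
# `ip6tables -S INPUT` would print it.
SAMPLE_RULES='-P INPUT DROP
-A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -s 2001:470:1f0b:1604::/64 -p ipv6-icmp -m icmp6 --icmpv6-type 128 -m limit --limit 15/sec -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 133 -m hl --hl-eq 255 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 134 -m hl --hl-eq 255 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 135 -m hl --hl-eq 255 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 136 -m hl --hl-eq 255 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 137 -m hl --hl-eq 255 -j ACCEPT
-A INPUT -p ipv6-icmp -j LOG --log-prefix "Dropped ICMPv6 Packets "'

# Rules that would close the gap the audit reports (hypothetical additions).
ERROR_RULES='-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 1 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 2 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 3 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 4/0 -j ACCEPT'

# On the sample the audit reports "1 2 3 4"; with ERROR_RULES appended
# it reports nothing.
missing_icmpv6_types "$SAMPLE_RULES"
missing_icmpv6_types "$SAMPLE_RULES
$ERROR_RULES"
```

On a live host, run it as `ip6tables -S INPUT | { rules=$(cat); missing_icmpv6_types "$rules"; }` after sourcing the functions.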

Filed Under: IPv6, Linux, Networking Tagged With: ip6tables, iptables, Ipv6, IPv6 security, netfilter
