Gentoo Forums

[solved] ipv6 firewall input rules
Forum: Networking & Security
toralf (Developer; Joined: 01 Feb 2004; Posts: 3711; Location: Hamburg)
Posted: Wed May 13, 2015 6:55 pm    Post subject: [solved] ipv6 firewall input rules

Whilst my 2 Gentoo systems are currently built with -ipv6, I'm slowly thinking about using ipv6 in future.
Now I'm wondering about a basic rule set to prevent any external incoming traffic except tcpv6 to the ports 22, 80 and 443 and to allow output over any tcpv6 port?


Last edited by toralf on Sat May 16, 2015 9:42 am; edited 1 time in total
charles17 (Advocate; Joined: 02 Mar 2008; Posts: 2660)
Posted: Thu May 14, 2015 4:59 am

Start from https://wiki.gentoo.org/wiki/Iptables#Generating_firewall_rules
SwordArMor (n00b; Joined: 21 Feb 2015; Posts: 55; Location: Bretagne)
Posted: Thu May 14, 2015 11:25 am

Hi,

The IPv6 rules work like the IPv4 ones, just replace iptables by ip6tables in your script.
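Replacing iptables by ip6tables gets the syntax right, but a working IPv6 host ruleset must also let ICMPv6 through, which a copied IPv4 ruleset usually drops. As an added example that is not code from the thread, here is a minimal stateful ruleset for the original question (inbound TCP 22, 80 and 443 only, all outbound allowed); the selection of ICMPv6 types is my own, and IPT defaults to a dry run that only prints the commands.

```shell
#!/bin/sh
# Added example, not code from the thread. Stateful ip6tables rules for a
# single host: inbound TCP 22/80/443 only, all outbound allowed. IPT defaults
# to a dry run that prints the commands; set IPT=/sbin/ip6tables to apply.
IPT="${IPT:-echo /sbin/ip6tables}"

ipv6_host_rules() {
    $IPT -F INPUT
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT

    # Loopback, replies to connections this host opened, and nothing malformed.
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -m conntrack --ctstate INVALID -j DROP

    # ICMPv6 is not optional in IPv6. Neighbor Discovery (RA, NS, NA, redirect)
    # only ever comes from link-local peers, so it is pinned to fe80::/10.
    for t in router-advertisement neighbour-solicitation \
             neighbour-advertisement redirect; do
        $IPT -A INPUT -s fe80::/10 -p ipv6-icmp --icmpv6-type "$t" -j ACCEPT
    done
    # Error messages and ping may come from any address; dropping packet-too-big
    # breaks path MTU discovery, which shows up as hanging TCP connections.
    for t in destination-unreachable packet-too-big time-exceeded \
             parameter-problem echo-request; do
        $IPT -A INPUT -p ipv6-icmp --icmpv6-type "$t" -j ACCEPT
    done

    # The three services that may be reached from outside.
    for p in 22 80 443; do
        $IPT -A INPUT -p tcp --dport "$p" -m conntrack --ctstate NEW -j ACCEPT
    done

    # Everything else is refused explicitly so clients fail fast.
    $IPT -A INPUT -p tcp -j REJECT --reject-with tcp-reset
    $IPT -A INPUT -p udp -j REJECT --reject-with icmp6-port-unreachable
}

ipv6_host_rules
```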
charles17 (Advocate; Joined: 02 Mar 2008; Posts: 2660)
Posted: Thu May 14, 2015 11:47 am

SwordArMor wrote:
The IPv6 rules work like the IPv4 ones, just replace iptables by ip6tables in your script.

What's wrong with https://wiki.gentoo.org/wiki/Iptables#Generating_firewall_rules?
SwordArMor (n00b; Joined: 21 Feb 2015; Posts: 55; Location: Bretagne)
Posted: Thu May 14, 2015 12:05 pm

charles17 wrote:

What's wrong with https://wiki.gentoo.org/wiki/Iptables#Generating_firewall_rules?

Nothing, I just want to say that IPv4 and IPv6 are pretty much the same.
1970 (n00b; Joined: 07 May 2010; Posts: 55)
Posted: Fri May 15, 2015 4:01 am    Post subject: Re: ipv6 firewall input rules

toralf wrote:
Now I'm wondering about a basic rule set to prevent any external incoming traffic except tcpv6 to the ports 22, 80 and 443 and to allow output over any tcpv6 port?


For me it's a bit more sophisticated. I'm familiar with ip(6)tables.
But: I get from my telecom provider an IPv6 router advertisement (/56 prefix) that changes at regular intervals after automatic reconnection (for privacy reasons, home usage). To the LAN ethernet port of the telecom's proprietary router I have connected my Gentoo box as a firewall (ip(6)tables) and router (with eth1 for WAN to the provider's router and eth0 for the IPv4 LAN), because I don't trust the provider's router and want to have full control over what is going on. But I need the provider's router for the IP telephone devices connected to it. I don't want to connect the telephone to my Gentoo box...
With IPv6 there would not be any "LAN" anymore, or is IPv6-NAT recommended?
So, to get my "LAN" clients an IPv6 connection as well, it seems I would need to forward all WAN ICMPv6 to the "LAN" clients so they build their (privacy-extended) IPv6 addresses automatically.
Or how would the IPv6 connection for "LAN" clients be configured?
And then, if I want to allow e.g. port 22 incoming only for the router, but not for every LAN client, what would the firewall rule for that be? Only allow port 22 new connections in the INPUT chain so it stops on eth1, but not in the FORWARD chain? I have dynamic IPv6 addresses, but in addition to the destination port I would need to specify the allowed destination IPv6 address, otherwise incoming port 22 would be allowed for every client in my network.
Or what would the best network structure be in this case? Prefix forwarding? radvd on the Gentoo box?
The IPv6 concept of direct connection for every entity without LAN/NAT is somehow a new world...
SwordArMor (n00b; Joined: 21 Feb 2015; Posts: 55; Location: Bretagne)
Posted: Fri May 15, 2015 9:50 am

The concepts of LAN and WAN are still valid in IPv6, but the concept of RFC1918 (10/8, 172.16/12, 192.168/16) is not.
You have a LAN if you don’t need to pass through a router to reach your destination, e.g. I’m on my computer (2001:470:1f13:138:990b:8df2:b033:4971/64) and I want to talk to my server (2001:470:1f13:138:715d:2fa0:b591:532f/64): they are both in 2001:470:1f13:138::/64, so it’s a LAN.
Code:
alarig@airmure ~ $ traceroute6 bulbizarre.swordarmor.fr
traceroute to bulbizarre.swordarmor.fr (2001:470:1f13:138:715d:2fa0:b591:532f), 30 hops max, 80 byte packets
 1  bulbizarre.swordarmor.fr (2001:470:1f13:138:715d:2fa0:b591:532f)  0.252 ms  0.241 ms  0.241 ms


But, if I want to go to another server which is not in that network, it becomes WAN.
Code:
alarig@airmure ~ $ traceroute6 rodolphe.swordarmor.fr
traceroute to rodolphe.swordarmor.fr (2001:bc8:3c56:101::2), 30 hops max, 80 byte packets
 1  drscott.swordarmor.fr (2001:470:1f13:138::1)  0.231 ms  0.214 ms  0.206 ms
 2  alarig-1.tunnel.tserv10.par1.ipv6.he.net (2001:470:1f12:138::1)  24.968 ms  26.994 ms  29.341 ms
 3  ge2-3.core1.par1.he.net (2001:470:0:7b::1)  30.117 ms  30.136 ms  30.114 ms
 4  10ge9-1.core1.par2.he.net (2001:470:0:1b0::2)  30.087 ms  30.088 ms  30.087 ms
 5  online.equinix-ix.fr (2001:7f8:43::1:2876:1)  30.552 ms  30.838 ms  30.315 ms
 6  2001:bc8:0:1::19 (2001:bc8:0:1::19)  31.292 ms  30.480 ms  30.752 ms
 7  2001:bc8:0:1::7a (2001:bc8:0:1::7a)  29.949 ms  20.720 ms  17.953 ms
 8  ginette.swordarmor.fr (2001:bc8:3c56:100::1)  17.903 ms  17.855 ms  17.881 ms
 9  rodolphe.swordarmor.fr (2001:bc8:3c56:101::2)  18.150 ms  18.145 ms  18.138 ms


You can set up NAT66 (NAT for IPv6) if you want, but it’s not recommended. The main interest of IPv6 is to have a public IP on each device.

To get your LAN clients an IPv6 connection, you have to send router advertisements (RA) from your router; you can use radvd.
Here is my configuration (I use the eth1 port for LAN):
Code:
alarig@drscott:~$ grep -v "^#" /etc/radvd.conf
interface eth1
{
   AdvSendAdvert on;
   AdvDefaultPreference high;
   MaxRtrAdvInterval 30;
   prefix 2001:470:1f13:138::/64
   {
   };

   RDNSS 2001:470:1f13:138::1
   {
      AdvRDNSSLifetime 30;
   };
};

The RDNSS section is for the DNS.

Your clients will receive the prefix, and from that they will take an address in the pool and use it.
You also have to enable IPv6 forwarding on your router with sysctl; the option is net.ipv6.conf.all.forwarding.

In my second traceroute, you can see that I’m passing through drscott.swordarmor.fr, which is my router. So, the firewall rules have to be set there.
If you don’t want to have port 22 open for your clients, you can use a rule like ip6tables -A FORWARD -p tcp --dport 22 -j DROP or something like that. It’s the same idea as in IPv4.

Where I can’t help you is with the dynamic address. I never had to deal with it before and my configuration assumes that you always have the same prefix.

The concept of direct connection is not so new; it was the same in IPv4 before the address exhaustion, and you still get a public IPv4 address at some big meetings such as CCC or FOSDEM ;)
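For the router case 1970 describes and SwordArMor answers (prefix handed out by the provider, radvd on the Gentoo box, port 22 reachable on the router but not on the LAN clients), here is an added example that is not code from the thread. The interface names are assumptions; the rules key on interface and connection state rather than on the prefix, so nothing needs rewriting when the provider hands out a new /56, and IPT defaults to a dry run that only prints the commands.

```shell
#!/bin/sh
# Added example, not code from the thread. ip6tables rules for a Gentoo box
# that routes a provider-assigned prefix to a LAN. Interface names are
# assumptions; IPT defaults to a dry run that prints the commands.
IPT="${IPT:-echo /sbin/ip6tables}"
WAN=eth1   # towards the provider's router (RA with the delegated prefix)
LAN=eth0   # towards the clients, where radvd announces the prefix

ipv6_router_rules() {
    $IPT -F INPUT
    $IPT -F FORWARD
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT

    # INPUT is traffic for the router itself. SSH is accepted only here, so a
    # connection to port 22 arriving on the WAN can only ever reach the router.
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -m conntrack --ctstate INVALID -j DROP
    # NDP on both links, the provider's RA, and ICMPv6 errors for the router's own connections.
    $IPT -A INPUT -p ipv6-icmp -j ACCEPT
    $IPT -A INPUT -i "$WAN" -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
    $IPT -A INPUT -i "$LAN" -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT

    # FORWARD is traffic between the two links. No prefix appears here: the
    # clients keep whatever addresses radvd currently hands out.
    # (Forwarding itself is switched on with sysctl net.ipv6.conf.all.forwarding=1.)
    $IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -m conntrack --ctstate INVALID -j DROP
    # Clients may open anything outbound.
    $IPT -A FORWARD -i "$LAN" -o "$WAN" -j ACCEPT
    # From the WAN, only what PMTUD and ping need reaches the clients; a new
    # inbound connection to port 22 on a client is refused by the last rule.
    $IPT -A FORWARD -i "$WAN" -o "$LAN" -p ipv6-icmp --icmpv6-type packet-too-big -j ACCEPT
    $IPT -A FORWARD -i "$WAN" -o "$LAN" -p ipv6-icmp --icmpv6-type echo-request -j ACCEPT
    $IPT -A FORWARD -i "$WAN" -o "$LAN" -j REJECT --reject-with icmp6-adm-prohibited
}

ipv6_router_rules
```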
1970 (n00b; Joined: 07 May 2010; Posts: 55)
Posted: Fri May 15, 2015 12:05 pm

SwordArMor wrote:

Where I can’t help you, it’s with the dynamic address.


Unfortunately, that's the point :(

But thanks for your information, so far.
toralf (Developer; Joined: 01 Feb 2004; Posts: 3711; Location: Hamburg)
Posted: Fri May 15, 2015 9:04 pm

I don't get it, ping6 to the local card works, but not connections to the outside :-( :
Code:
tor-relay ~ # cat /etc/conf.d/net
config_enp3s0="5.9.158.75/27
2a01:4f8:190:514a::2/64
"

routes_enp3s0="default via 5.9.158.65
default via fe80::1
"

dns_servers_enp3s0="127.0.0.1 213.133.98.98 213.133.99.99 213.133.100.100 2a01:4f8:0:a0a1::add:1010 2a01:4f8:0:a102::add:9999 2a01:4f8:0:a111::add:9898"

dns_domain_enp3s0="your-server.de"

tor-relay ~ # ping6 -n ipv6.google.com
PING ipv6.google.com(2a00:1450:4001:806::1007) 56 data bytes
^C
--- ipv6.google.com ping statistics ---
4 packets transmitted, 0 received, 100% packet loss, time 2999ms

with this firewall :
Code:
IPT="/sbin/ip6tables"


startFirewall() {
  $IPT -P INPUT DROP
  $IPT -P FORWARD DROP
  $IPT -P OUTPUT ACCEPT

  $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  $IPT -A INPUT -i lo -j ACCEPT
  $IPT -A INPUT -m conntrack --ctstate INVALID -j DROP
  $IPT -A INPUT -s fe80::/10 -p ipv6-icmp -j ACCEPT
  $IPT -A INPUT -p udp -m conntrack --ctstate NEW -j REJECT --reject-with icmp6-port-unreachable
  $IPT -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m conntrack --ctstate NEW -j REJECT --reject-with tcp-reset
charles17 (Advocate; Joined: 02 Mar 2008; Posts: 2660)
Posted: Sat May 16, 2015 4:33 am

toralf wrote:
with this firewall :
Code:
IPT="/sbin/ip6tables"


startFirewall() {
... --tcp-flags FIN,SYN,RST,ACK SYN -m conntrack --ctstate NEW -j REJECT --reject-with tcp-reset

Why are you using startFirewall() at all? Why not have iptables and ip6tables in runlevel default?
Quote:
# rc-update add iptables default
# rc-update add ip6tables default