Gentoo Forums - Forum Index - Networking & Security
[solved] ipv6 - will it double the iptables rules
toralf (Developer; Joined: 01 Feb 2004; Posts: 3648; Location: Hamburg)
Posted: Sat May 25, 2013 9:25 am    Post subject: [solved] ipv6 - will it double the iptables rules

/me wonders if I have to duplicate nearly every rule in my firewall script when I enable IPv6 in the kernel?

Last edited by toralf on Sat May 25, 2013 1:45 pm; edited 1 time in total
NeddySeagoon (Administrator; Joined: 05 Jul 2003; Posts: 42596; Location: 56N 3W)
Posted: Sat May 25, 2013 10:39 am

toralf,

Yes, if you intend to use it to connect to the outside world.

I don't run an IPv6 tunnel and my ISP does not provide native IPv6 (yet), so I can safely play with IPv6 on my local network, knowing it's isolated.
_________________
Regards,

NeddySeagoon

Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.
toralf (Developer; Joined: 01 Feb 2004; Posts: 3648; Location: Hamburg)
Posted: Sat May 25, 2013 1:45 pm

NeddySeagoon wrote:
    I don't run an IPv6 tunnel and my ISP does not provide native IPv6 (yet), so I can safely play with IPv6 on my local network, knowing it's isolated.
Yes, that answered my next question. Thx
Hu (Moderator; Joined: 06 Mar 2007; Posts: 13512)
Posted: Sat May 25, 2013 4:20 pm

If you want to be paranoid, add some basic ip6tables rules to filter traffic not coming from the LAN, so that you do not suddenly get global IPv6 connectivity due to an ISP configuration change.
toralf (Developer; Joined: 01 Feb 2004; Posts: 3648; Location: Hamburg)
Posted: Sun May 26, 2013 9:50 am

Hu wrote:
    If you want to be paranoid,
gladly
Quote:
    add some basic ip6tables rules to filter traffic not coming from the LAN
errm, do you have such basic rules at hand?
Hu (Moderator; Joined: 06 Mar 2007; Posts: 13512)
Posted: Sun May 26, 2013 4:05 pm

Set the ip6tables policy to DROP: ip6tables -P INPUT DROP. Then, for each IPv6 subnet you expect to be using, ip6tables -A INPUT -s subnet -j ACCEPT. You might also need to permit some forms of ipv6-icmp to allow host address discovery.
Ant P. (Watchman; Joined: 18 Apr 2009; Posts: 5595)
Posted: Sun May 26, 2013 8:29 pm

toralf wrote:
    errm, do you have such basic rules at hand?

Code:
ip6tables -A INPUT -s 2000::/3 -j REJECT
ip6tables -A OUTPUT -d 2000::/3 -j REJECT

That will block all access to the outside internet while not breaking things like LAN, local multicast or localhost.
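Putting Hu's and Ant P.'s advice together, here is an added example (my own code, not from the thread or the bpaste link) that emits the whole "LAN-only IPv6" policy in ip6tables-restore format instead of as individual ip6tables calls, so it is loaded atomically. Two caveats a practitioner should want are built in. First, a bare `-P INPUT DROP` also drops Neighbor Discovery, and Duplicate Address Detection sends Neighbor Solicitations from the unspecified address `::`, so a per-subnet ACCEPT list alone breaks address configuration; ICMPv6 types 133-136 are therefore accepted from any source, but only with the hop limit of 255 that RFC 4861 mandates, which a packet routed in from outside cannot have. Second, if one of your LAN subnets is itself global unicast (a prefix delegated by the ISP), the OUTPUT reject on 2000::/3 would also block your replies to LAN hosts, so the generator emits an OUTPUT exception per subnet ahead of the reject. The log prefix `MYFW6_IN_GLOBAL` and the subnet `2001:db8:1::/64` in the usage line are placeholders, not anything from the thread.

```python
#!/usr/bin/env python3
"""Emit an ip6tables-restore ruleset that keeps a host's IPv6 LAN-only.

Added example (not the thread's own script). Combines a DROP policy with
per-subnet ACCEPTs (Hu) and an explicit REJECT of global unicast 2000::/3
in both directions (Ant P.), plus the ICMPv6 exceptions NDP needs.
Usage (as root):  python3 ip6_lan_only.py fd00:1234::/48 | ip6tables-restore
"""
import ipaddress
import sys

# Neighbor Discovery (RFC 4861): RS, RA, NS, NA. Accepted from any source
# because DAD sends NS from "::", but only with hop limit 255, so nothing
# that crossed a router can match.
NDP_TYPES = (133, 134, 135, 136)
# ICMPv6 errors needed for Path MTU discovery and sane error handling.
ERROR_TYPES = (1, 2, 3, 4)
GLOBAL_UNICAST = "2000::/3"


def lan_only_ruleset(lan_subnets, log_prefix="MYFW6_IN_GLOBAL "):
    """Return ip6tables-restore text for the given trusted IPv6 prefixes.

    lan_subnets: iterable of prefixes (ULA, or a /64 the ISP delegated).
    Raises ValueError on anything that is not an IPv6 prefix.
    """
    subnets = [ipaddress.IPv6Network(s, strict=False) for s in lan_subnets]
    lines = [
        "*filter",
        ":INPUT DROP [0:0]",
        ":FORWARD DROP [0:0]",
        ":OUTPUT ACCEPT [0:0]",
        "-A INPUT -i lo -j ACCEPT",
        "-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
        "-A INPUT -m conntrack --ctstate INVALID -j DROP",
    ]
    for t in NDP_TYPES:
        lines.append(f"-A INPUT -p ipv6-icmp --icmpv6-type {t} -m hl --hl-eq 255 -j ACCEPT")
    for t in ERROR_TYPES:
        lines.append(f"-A INPUT -p ipv6-icmp --icmpv6-type {t} -j ACCEPT")
    # Link-local is never routed, so it is LAN by definition (mDNS, DHCPv6, NDP).
    lines.append("-A INPUT -s fe80::/10 -j ACCEPT")
    for net in subnets:
        lines.append(f"-A INPUT -s {net} -j ACCEPT")
    # Global unicast that is still unaccepted here is unsolicited outside traffic:
    # log it (rate limited) so an ISP change becomes visible, then reject it.
    lines.append(f'-A INPUT -s {GLOBAL_UNICAST} -m limit --limit 5/min -j LOG --log-prefix "{log_prefix}"')
    lines.append(f"-A INPUT -s {GLOBAL_UNICAST} -j REJECT --reject-with icmp6-adm-prohibited")
    # Outbound: our own LAN prefixes are fine even if global, everything else is not.
    lines.append("-A OUTPUT -o lo -j ACCEPT")
    for net in subnets:
        lines.append(f"-A OUTPUT -d {net} -j ACCEPT")
    lines.append(f"-A OUTPUT -d {GLOBAL_UNICAST} -j REJECT --reject-with icmp6-adm-prohibited")
    lines.append("COMMIT")
    return "\n".join(lines) + "\n"


def rule_index(ruleset, needle):
    """Index of the first line containing needle, for checking rule ordering (-1 if absent)."""
    for i, line in enumerate(ruleset.splitlines()):
        if needle in line:
            return i
    return -1


if __name__ == "__main__":
    sys.stdout.write(lan_only_ruleset(sys.argv[1:]))
```

Run it with no arguments to get the link-local-only variant that matches a network without native IPv6; `ip6tables-save` afterwards shows what was actually loaded. Rule order matters: the NDP and per-subnet ACCEPTs must sit above the 2000::/3 REJECT, which `rule_index` lets you check mechanically.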
toralf (Developer; Joined: 01 Feb 2004; Posts: 3648; Location: Hamburg)
Posted: Mon May 27, 2013 9:29 am

Thx for the input, this should now work I think: http://bpaste.net/show/102202/
Now /me is wondering how to tell the LOG target to shrink the IPv6 address:
Code:
kernel: MYFW6_OUT= IN= OUT=lo SRC=0000:0000:0000:0000:0000:0000:0000:0001 DST=0000:0000:0000:0000:0000:0000:0000:0001 LEN=104 TC=0 HOPLIMIT=64 FLOWLBL=0 PROTO=ICMPv6 TYPE=128 CODE=0 ID=11624 SEQ=12
using the ":" character?
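The LOG target itself has no option for this: the kernel always prints the full eight-group form, so the shortening has to happen where the log is consumed. The following is an added example (my own code, not from the thread) of a small post-processor that does that and, since the same parsing is needed anyway, also answers the question the earlier posts were about: which global-unicast sources are reaching the box. The two sample lines are constructed; the first is the line quoted in the post above, the second imitates what a rule with an assumed log prefix `MYFW6_IN_GLOBAL` would log for an unsolicited SYN from a 2001:db8:: address.

```python
#!/usr/bin/env python3
"""Post-process netfilter LOG lines: compress IPv6 addresses, parse fields,
and count hits from global unicast sources.

Added example, not code from the thread. Usage:
    journalctl -k -f | python3 fw6log.py
    (or: tail -f /var/log/messages | python3 fw6log.py)
"""
import ipaddress
import re
import sys
from collections import Counter

# Constructed sample input. Line 1 is the line quoted in the post above; line 2
# is an invented hit on an assumed "MYFW6_IN_GLOBAL" LOG rule.
SAMPLE_LINES = [
    "kernel: MYFW6_OUT= IN= OUT=lo SRC=0000:0000:0000:0000:0000:0000:0000:0001 "
    "DST=0000:0000:0000:0000:0000:0000:0000:0001 LEN=104 TC=0 HOPLIMIT=64 FLOWLBL=0 "
    "PROTO=ICMPv6 TYPE=128 CODE=0 ID=11624 SEQ=12",
    "kernel: MYFW6_IN_GLOBAL IN=eth0 OUT= SRC=2001:0db8:00ab:0000:0000:0000:0000:0005 "
    "DST=2001:0db8:0001:0000:0000:0000:0000:0010 LEN=80 TC=0 HOPLIMIT=57 FLOWLBL=0 "
    "PROTO=TCP SPT=40211 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0",
]

GLOBAL_UNICAST = ipaddress.IPv6Network("2000::/3")
ADDR_FIELD = re.compile(r"\b(SRC|DST)=([0-9A-Fa-f:.]+)")


def compress_address(text):
    """RFC 5952 compressed form of an IPv6 address; anything else is returned unchanged."""
    try:
        return ipaddress.IPv6Address(text).compressed
    except ValueError:
        return text


def compress_line(line):
    """Rewrite SRC=/DST= values in compressed form (IPv4 lines pass through untouched)."""
    return ADDR_FIELD.sub(lambda m: f"{m.group(1)}={compress_address(m.group(2))}", line)


def parse_log_line(line):
    """Return (log_prefix, fields) for one LOG line, or None if it is not one.

    The prefix is everything between "kernel:" and the first IN= token; key=value
    tokens go into fields, bare tokens such as SYN or DF into fields["FLAGS"].
    """
    body = line.split("kernel:", 1)[1] if "kernel:" in line else line
    tokens = body.split()
    try:
        start = next(i for i, t in enumerate(tokens) if t.startswith("IN="))
    except StopIteration:
        return None
    prefix = " ".join(tokens[:start])
    fields, flags = {}, []
    for tok in tokens[start:]:
        key, sep, val = tok.partition("=")
        if sep:
            fields[key] = val
        else:
            flags.append(tok)
    for key in ("SRC", "DST"):
        if key in fields:
            fields[key] = compress_address(fields[key])
    fields["FLAGS"] = flags
    return prefix, fields


def global_source_hits(lines):
    """Count (prefix, source) pairs whose source lies in 2000::/3.

    On a host that is meant to be LAN-only, anything here means IPv6
    reachability from outside has appeared (e.g. the ISP turned it on).
    """
    hits = Counter()
    for line in lines:
        parsed = parse_log_line(line)
        if parsed is None:
            continue
        prefix, fields = parsed
        try:
            src = ipaddress.IPv6Address(fields.get("SRC", ""))
        except ValueError:
            continue
        if src in GLOBAL_UNICAST:
            hits[(prefix, str(src))] += 1
    return hits


if __name__ == "__main__":
    for raw in sys.stdin:
        sys.stdout.write(compress_line(raw))
```

Feeding `compress_line` the quoted line turns `SRC=0000:...:0001 DST=0000:...:0001` into `SRC=::1 DST=::1`. `parse_log_line` uses the `ipaddress` module rather than a hand-written `:`-collapsing regex on purpose: the RFC 5952 rule (only the longest run of zero groups becomes `::`) is easy to get wrong by hand, and a wrong collapse produces an address that no longer identifies the host you are looking at.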