Linode Community Forums

ip6tables doesn't filter correctly?

Linode Forum Index -> Linux Networking

optize (Joined: 08 Jun 2011, Posts: 2)
Posted: Wed Jun 08, 2011 10:19 pm    Post subject: ip6tables doesn't filter correctly?

I have a simple iptables script that I use for all of my servers, since I rolled out ipv6 recently, I wanted to use the same script (except use ip6tables, instead of iptables).

Here is my script:


/sbin/ip6tables --flush
/sbin/ip6tables -A INPUT -p icmp -j ACCEPT
/sbin/ip6tables -A INPUT -p tcp --dport 80 -j ACCEPT
/sbin/ip6tables -A INPUT -p tcp --dport 443 -j ACCEPT
/sbin/ip6tables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/ip6tables -A INPUT -j LOG --log-level 4
/sbin/ip6tables -A INPUT -j DROP


Pretty simple: it accepts icmp, 80, 443, established and then drops the rest. This script is the exact same for ipv4 traffic and works fine.

When I run this script, I can't reach my ipv6 box at all, not via 80, icmp, nothing. It also can't ping out (via v6), which makes no sense.

This is what appears in messages (due to the iptables log rule)

Jun 8 20:12:30 www01 kernel: IN=eth0 OUT= MAC=xx:xx:xx:xx:xx:xx SRC=xx:xx:xx:xx:xx:xx:xx DST=xx:xx:xx:xx:xx:xx:xx:xx LEN=72 TC=224 HOPLIMIT=255 FLOWLBL=0 PROTO=ICMPv6 TYPE=136 CODE=0


Anyone run into this before? It happens on all of my v6 linodes...
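An added example, not code from the original post: the kernel LOG line above reads PROTO=ICMPv6 TYPE=136, which is a neighbour advertisement being dropped. IPv6 resolves neighbours (including the default gateway) with ICMPv6 Neighbor Discovery rather than ARP, so a rule set that drops types 133-137 cuts the host off in both directions even though TCP ports are open. The Python script below decodes such LOG lines and flags any dropped Neighbor Discovery traffic; the first sample line is the one quoted in the post, the other three are constructed for the demonstration.

```python
"""Decode ip6tables LOG lines and flag dropped Neighbor Discovery messages.

Added example; the sample lines marked constructed are made up for it.
"""
import re

# ICMPv6 type names relevant here (RFC 4443 errors/echo, RFC 4861 ND).
ICMPV6_TYPES = {
    1: "destination-unreachable", 2: "packet-too-big", 3: "time-exceeded",
    4: "parameter-problem", 128: "echo-request", 129: "echo-reply",
    133: "router-solicitation", 134: "router-advertisement",
    135: "neighbour-solicitation", 136: "neighbour-advertisement",
    137: "redirect",
}
ND_TYPES = {133, 134, 135, 136, 137}  # a host cannot work without these

# First line is the one quoted in the post; the remaining three are constructed.
SAMPLE_LOG = [
    "Jun 8 20:12:30 www01 kernel: IN=eth0 OUT= MAC=xx:xx:xx:xx:xx:xx "
    "SRC=xx:xx:xx:xx:xx:xx:xx DST=xx:xx:xx:xx:xx:xx:xx:xx LEN=72 TC=224 "
    "HOPLIMIT=255 FLOWLBL=0 PROTO=ICMPv6 TYPE=136 CODE=0",
    "Jun 8 20:12:31 www01 kernel: IN=eth0 OUT= MAC=xx:xx:xx:xx:xx:xx "
    "SRC=fe80::1 DST=ff02::1:ff00:1 LEN=72 TC=0 HOPLIMIT=255 FLOWLBL=0 "
    "PROTO=ICMPv6 TYPE=135 CODE=0",
    "Jun 8 20:12:32 www01 kernel: IN=eth0 OUT= MAC=xx:xx:xx:xx:xx:xx "
    "SRC=2001:db8::5 DST=2001:db8::1 LEN=64 TC=0 HOPLIMIT=57 FLOWLBL=0 "
    "PROTO=ICMPv6 TYPE=128 CODE=0",
    "Jun 8 20:12:33 www01 kernel: IN=eth0 OUT= MAC=xx:xx:xx:xx:xx:xx "
    "SRC=2001:db8::5 DST=2001:db8::1 LEN=80 TC=0 HOPLIMIT=57 FLOWLBL=0 "
    "PROTO=TCP SPT=51234 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0",
]

FIELD = re.compile(r"(\w+)=(\S*)")  # KEY=VALUE, value may be empty (OUT=)


def parse_log_line(line):
    """Return the KEY=VALUE fields after 'kernel:' as a dict, or None."""
    if "kernel:" not in line:
        return None
    fields = dict(FIELD.findall(line.split("kernel:", 1)[1]))
    for key in ("TYPE", "CODE", "LEN", "HOPLIMIT", "SPT", "DPT"):
        if fields.get(key, "").isdigit():
            fields[key] = int(fields[key])
    return fields


def icmpv6_name(type_number):
    return ICMPV6_TYPES.get(type_number, f"type-{type_number}")


def dropped_nd(lines):
    """List (interface, type, name, src) for every logged ICMPv6 ND message."""
    hits = []
    for line in lines:
        f = parse_log_line(line)
        if not f or f.get("PROTO") != "ICMPv6" or f.get("TYPE") not in ND_TYPES:
            continue
        hits.append((f.get("IN"), f["TYPE"], icmpv6_name(f["TYPE"]), f.get("SRC")))
    return hits


def verdict(lines):
    """One-line diagnosis of what the log rule is telling you."""
    hits = dropped_nd(lines)
    if not hits:
        return "no Neighbor Discovery messages were logged as dropped"
    names = sorted({name for _, _, name, _ in hits})
    return ("firewall is logging/dropping Neighbor Discovery (%s); "
            "accept ICMPv6 types 133-137 or IPv6 cannot resolve neighbours"
            % ", ".join(names))


if __name__ == "__main__":
    for hit in dropped_nd(SAMPLE_LOG):
        print(hit)
    print(verdict(SAMPLE_LOG))
```

Feed it the lines from /var/log/messages that carry your LOG prefix; a single type 135 or 136 hit is enough to explain a host that cannot ping out or be reached on its open ports.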
retrograde inversion (Joined: 08 Jun 2011, Posts: 25)
Posted: Wed Jun 08, 2011 10:31 pm    Post subject: Re: ip6tables doesn't filter correctly?

optize wrote: /sbin/ip6tables -A INPUT -p icmp -j ACCEPT


icmp should be icmpv6 here. I would run ifconfig to make sure ipv6 is configured as well.
optize (Joined: 08 Jun 2011, Posts: 2)
Posted: Thu Jun 09, 2011 9:06 am    Post subject: Re: ip6tables doesn't filter correctly?

It looks like ip6tables had a script running upon boot up that was conflicting with my script.

chkconfig ip6tables off; reboot fixed the issue.

Thanks!
zeroturn (Joined: 06 Jun 2011, Posts: 13)
Posted: Mon Jun 20, 2011 7:36 pm    Post subject: Re: ip6tables doesn't filter correctly?

retrograde inversion wrote: optize wrote: /sbin/ip6tables -A INPUT -p icmp -j ACCEPT


icmp should be icmpv6 here. I would run ifconfig to make sure ipv6 is configured as well.

I was also having trouble with this and the icmpv6 worked for me. I was even having trouble getting Apache to work under IPv6 until I did this.

Unfortunately, I don't really want everyone to be able to ping my server on IPv6, but the following iptables config doesn't allow anything to connect to anywhere:

Code:
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 PINGSAPPROVED  icmpv6     any    any     anywhere             anywhere
  190 15816 SPAMLIST   all      any    any     anywhere             anywhere
   23  3360 ACCEPT     all      any    any     anywhere             anywhere            ctstate RELATED,ESTABLISHED
    0     0 ACCEPT     tcp      any    any     anywhere             anywhere            tcp dpt:ssh
    0     0 ACCEPT     tcp      any    any     anywhere             anywhere            tcp dpt:www
    0     0 ACCEPT     tcp      any    any     anywhere             anywhere            tcp dpt:https
  167 12456 LOGNDROP   all      any    any     anywhere             anywhere

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 SPAMLIST   all      any    any     anywhere             anywhere

Chain OUTPUT (policy ACCEPT 79 packets, 7608 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     icmpv6     any    any     anywhere             anywhere
  113 10656 SPAMLIST   all      any    any     anywhere             anywhere

Chain LOGNDROP (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 LOG        tcp      any    any     anywhere             anywhere            limit: avg 6/min burst 5 LOG level debug prefix `Denied IPv6-TCP: '
    0     0 LOG        udp      any    any     anywhere             anywhere            limit: avg 6/min burst 5 LOG level debug prefix `Denied IPv6-UDP: '
    0     0 LOG        icmpv6     any    any     anywhere             anywhere            limit: avg 6/min burst 5 LOG level debug prefix `Denied IPv6-ICMP: '
  167 12456 DROP       all      any    any     anywhere             anywhere

Chain PINGSAPPROVED (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 RETURN     all      any    any     anywhere             anywhere


Chain SPAMLIST (3 references)
 pkts bytes target     prot opt in     out     source               destination
  303 26472 RETURN     all      any    any     anywhere             anywhere

Chain SPAMLND (0 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 LOG        all      any    any     anywhere             anywhere            limit: avg 6/min burst 5 LOG level debug prefix `SPAMLIST: '
    0     0 DROP       all      any    any     anywhere             anywhere

This mirrors a similar IPv4 iptables setup, but I can't even ping6 out to ipv6.google.com with the above. If I add a "-A INPUT -p icmpv6 -j ACCEPT" then it works fine. Also, http://ipv6-test.com/validate.php doesn't work with the above, but it works with a full-accept icmp ruleset.

I thought that the "ctstate RELATED,ESTABLISHED" accept line would allow me to ping6 out to anywhere, but it does not.

I'm confused, as well, as to why that validate ipv6 link doesn't see Apache unless I have full ICMPv6 ACCEPT rules in and out?

Am I doing it wrong?

Moreover: Do I really need to block ICMP or ICMPv6 on either iptables or ip6tables or is that just a useless security practice?
db3l (Joined: 13 May 2009, Posts: 556)
Posted: Mon Jun 20, 2011 8:21 pm

You can choose not to accept echo requests, but you still need the various ICMPv6 types related to router/neighbor announcement, autoconfiguration and what not.

See http://forum.linode.com/viewtopic.php?p=39840#39840 for a prior discussion.

BTW, to your question as to whether it's needed, I never turn off ICMP echo on my nodes - it's just too helpful for monitoring and quick testing.

I don't really see the need to accept most other IPv4 ICMP types, but with IPv6 there are more types, as above, that are crucial to proper operation, especially in an auto-configuration environment. And yes, BTW, a possible vector for problems on an unprotected network segment, for which I haven't really formed a conclusion about how bad I feel having to keep them on. Nor am I quite sure how much more protected the Xen setup may be in contrast to dedicated hardware on a shared segment.

-- David
zeroturn (Joined: 06 Jun 2011, Posts: 13)
Posted: Mon Jun 20, 2011 8:32 pm

db3l wrote: You can choose not to accept echo requests, but you still need the various ICMPv6 types related to router/neighbor announcement, autoconfiguration and what not.

See http://forum.linode.com/viewtopic.php?p=39840#39840 for a prior discussion.

BTW, to your question as to whether it's needed, I never turn off ICMP echo on my nodes - it's just too helpful for monitoring and quick testing.

I don't really see the need to accept most other IPv4 ICMP types, but with IPv6 they're much more critical (and yes, BTW, a possible vector for problems on an unprotected network segment, for which I haven't really formed a conclusion about how bad I feel leaving them on).

-- David

Thanks for that; I think I'll leave all the icmp on for ipv6 for now or perhaps try those rules you posted. I'm pretty sure that I'm more secure than my little server needs to be anyways. I will also probably turn echo on for my ipv4 setup now because I do sometimes need to use it and I can always keep the other icmp disabled.

Thanks again!
zeroturn (Joined: 06 Jun 2011, Posts: 13)
Posted: Mon Jun 20, 2011 11:13 pm

Here are those rules in a format for use with ip6tables-apply (of course don't forget to add your own rules to it before application and save a backup copy of your ip6tables with "ip6tables-save > FILENAME"):

Code:
:ICMPv6 - [0:0]
# Approve certain ICMPv6 types and all outgoing ICMPv6
# http://forum.linode.com/viewtopic.php?p=39840#39840
-A INPUT -p icmpv6 -j ICMPv6
-A ICMPv6 -p icmpv6 --icmpv6-type echo-request -j ACCEPT
-A ICMPv6 -p icmpv6 --icmpv6-type destination-unreachable -j ACCEPT
-A ICMPv6 -p icmpv6 --icmpv6-type packet-too-big -j ACCEPT
-A ICMPv6 -p icmpv6 --icmpv6-type time-exceeded -j ACCEPT
-A ICMPv6 -p icmpv6 --icmpv6-type parameter-problem -j ACCEPT
-A ICMPv6 -p icmpv6 --icmpv6-type router-solicitation -j ACCEPT
-A ICMPv6 -p icmpv6 --icmpv6-type router-advertisement -j ACCEPT
-A ICMPv6 -p icmpv6 --icmpv6-type neighbour-solicitation -j ACCEPT
-A ICMPv6 -p icmpv6 --icmpv6-type neighbour-advertisement -j ACCEPT
-A ICMPv6 -p icmpv6 --icmpv6-type redirect -j ACCEPT
-A ICMPv6 -p icmpv6 --icmpv6-type 141 -j ACCEPT
-A ICMPv6 -p icmpv6 --icmpv6-type 142 -j ACCEPT
-A ICMPv6 -p icmpv6 --icmpv6-type 148 -j ACCEPT
-A ICMPv6 -p icmpv6 --icmpv6-type 149 -j ACCEPT
-A ICMPv6 -p icmpv6 --icmpv6-type 130 -s fe80::/10 -j ACCEPT
-A ICMPv6 -p icmpv6 --icmpv6-type 131 -s fe80::/10 -j ACCEPT
-A ICMPv6 -p icmpv6 --icmpv6-type 132 -s fe80::/10 -j ACCEPT
-A ICMPv6 -p icmpv6 --icmpv6-type 143 -s fe80::/10 -j ACCEPT
-A ICMPv6 -p icmpv6 --icmpv6-type 151 -s fe80::/10 -j ACCEPT
-A ICMPv6 -p icmpv6 --icmpv6-type 152 -s fe80::/10 -j ACCEPT
-A ICMPv6 -p icmpv6 --icmpv6-type 153 -s fe80::/10 -j ACCEPT
-A ICMPv6 -j RETURN
-A OUTPUT -p icmpv6 -j ACCEPT
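An added example that serves both db3l's point (drop echo requests if you like, but keep the ICMPv6 types IPv6 itself depends on) and the ip6tables-apply fragment zeroturn posted; it is not code from the thread. The Python below emits a complete ip6tables-restore filter table built around the same ICMPv6 chain, with a switch for echo-request, and then dry-runs packets through it with a small evaluator. The port list, the policies, the `build_ruleset`/`simulate` helpers and the evaluator itself are assumptions for the demonstration (the evaluator understands only the matches this generator emits; it is not ip6tables). The conntrack rule is included to show why zeroturn's `ctstate RELATED,ESTABLISHED` line did not help: the kernel's conntrack does not create state for Neighbor Discovery messages, so they have to be accepted explicitly.

```python
"""Generate a full ip6tables-restore filter table that keeps the ICMPv6 types
IPv6 needs while letting you choose about echo-request, then dry-run packets
through it. Added example; simulate() is a toy evaluator, not ip6tables."""
import ipaddress
import shlex

# Types every IPv6 host must accept: the error messages and Neighbor Discovery.
ESSENTIAL_TYPES = [1, 2, 3, 4, 133, 134, 135, 136, 137]
# Also accepted by the posted ruleset: inverse ND (141/142), SEND (148/149).
OTHER_TYPES = [141, 142, 148, 149]
# Link-scoped types (MLD, multicast router discovery): link-local sources only.
LINK_LOCAL_TYPES = [130, 131, 132, 143, 151, 152, 153]


def build_ruleset(tcp_ports=(22, 80, 443), allow_echo=True):
    """Return ip6tables-restore text. Ports and the echo choice are assumptions."""
    lines = [
        "*filter",
        ":INPUT DROP [0:0]",
        ":FORWARD DROP [0:0]",
        ":OUTPUT ACCEPT [0:0]",
        ":ICMPv6 - [0:0]",
        "-A INPUT -i lo -j ACCEPT",
        # conntrack creates no state for ND traffic, so this alone never
        # admits neighbour solicitation/advertisement.
        "-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
        "-A INPUT -p icmpv6 -j ICMPv6",
    ]
    for t in ESSENTIAL_TYPES + OTHER_TYPES:
        lines.append(f"-A ICMPv6 -p icmpv6 --icmpv6-type {t} -j ACCEPT")
    for t in LINK_LOCAL_TYPES:
        lines.append(f"-A ICMPv6 -p icmpv6 --icmpv6-type {t} -s fe80::/10 -j ACCEPT")
    if allow_echo:
        lines.append("-A ICMPv6 -p icmpv6 --icmpv6-type 128 -j ACCEPT")
    lines.append("-A ICMPv6 -j RETURN")  # unlisted types fall through to LOG/DROP
    for p in tcp_ports:
        lines.append(f"-A INPUT -p tcp --dport {p} -j ACCEPT")
    lines.append('-A INPUT -j LOG --log-prefix "ip6tables drop: " --log-level 4')
    lines.append("-A INPUT -j DROP")
    lines.append("COMMIT")
    return "\n".join(lines) + "\n"


def simulate(ruleset, proto, icmp_type=None, src="2001:db8::1", dport=None,
             state="NEW", iface="eth0"):
    """Walk the INPUT chain for one inbound packet and return ACCEPT or DROP."""
    chains, policy = {}, {}
    for line in ruleset.splitlines():
        if line.startswith(":"):
            name, pol, _ = line[1:].split()
            chains[name], policy[name] = [], pol
        elif line.startswith("-A "):
            toks = shlex.split(line)[1:]  # chain name, then flag/value pairs
            chains[toks[0]].append(dict(zip(toks[1::2], toks[2::2])))

    def matches(opts):
        checks = {
            "-i": lambda v: v == iface,
            "-p": lambda v: v == proto,
            "--icmpv6-type": lambda v: v == str(icmp_type),
            "-s": lambda v: ipaddress.ip_address(src) in ipaddress.ip_network(v),
            "--dport": lambda v: v == str(dport),
            "--ctstate": lambda v: state in v.split(","),
        }
        return all(chk(opts[flag]) for flag, chk in checks.items() if flag in opts)

    def walk(chain):
        for opts in chains[chain]:
            if not matches(opts):
                continue
            target = opts["-j"]
            if target in ("ACCEPT", "DROP"):
                return target
            if target == "RETURN":
                return None
            if target in chains:  # user-defined chain: its verdict, if any, wins
                verdict = walk(target)
                if verdict:
                    return verdict
            # LOG and other non-terminating targets: keep walking
        return policy[chain] if policy[chain] != "-" else None

    return walk("INPUT")


if __name__ == "__main__":
    print(build_ruleset(allow_echo=False), end="")
```

Write the output to a file and load it with `ip6tables-apply FILE` (which rolls back if you lose the connection) or `ip6tables-restore < FILE`; with `allow_echo=False` the dry run shows echo requests dropped while neighbour solicitation and advertisement, and MLD from link-local peers, still pass.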