Linode Community Forums -> Linux Networking

IPv6 Firewall Issues
jsr (Joined: 09 Dec 2008, Posts: 49, Location: Gilbert, AZ)
Posted: Fri Sep 23, 2011 11:23 am    Post subject: IPv6 Firewall Issues

I've been trying to implement a basic IPv6 firewall on my Linode without much luck. I've had a lot of experience creating firewalls using iptables for IPv4, but pretty much no experience with IPv6. To start, I basically copied what I've been using for years on IPv4 and switched it to ip6tables. The online testing tools I've been using (http://ipv6-test.com/validate.php) report that port 80 is still being blocked though. Any ideas why?

Any help would be appreciated.

Code:
ip6tables -A INPUT -m state --state NEW -p tcp -j ACCEPT --dport http
ip6tables -A INPUT -m state --state NEW -p tcp -j ACCEPT --dport https
ip6tables -A INPUT -m state --state NEW -p tcp -j ACCEPT --dport smtp
ip6tables -A INPUT -m state --state NEW -p tcp -j ACCEPT --dport ssmtp
ip6tables -A INPUT -m state --state NEW -p tcp -j ACCEPT --dport 587    # other smtp port
ip6tables -A INPUT -m state --state NEW -p udp -j ACCEPT --dport domain
ip6tables -A INPUT -m state --state NEW -p tcp -j ACCEPT --dport domain
ip6tables -A INPUT -p tcp --dport auth -j REJECT --reject-with tcp-reset
ip6tables -A INPUT -m state --state NEW -p tcp -j ACCEPT --dport ssh
ip6tables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
ip6tables -A INPUT -j DROP
ip6tables -A OUTPUT -j ACCEPT


Code:
root# ip6tables -L -v -n
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     tcp      *      *       ::/0                 ::/0                state NEW tcp dpt:80
    0     0 ACCEPT     tcp      *      *       ::/0                 ::/0                state NEW tcp dpt:443
    0     0 ACCEPT     tcp      *      *       ::/0                 ::/0                state NEW tcp dpt:25
    0     0 ACCEPT     tcp      *      *       ::/0                 ::/0                state NEW tcp dpt:465
    0     0 ACCEPT     tcp      *      *       ::/0                 ::/0                state NEW tcp dpt:587
    0     0 ACCEPT     udp      *      *       ::/0                 ::/0                state NEW udp dpt:53
    0     0 ACCEPT     tcp      *      *       ::/0                 ::/0                state NEW tcp dpt:53
    0     0 REJECT     tcp      *      *       ::/0                 ::/0                tcp dpt:113 reject-with tcp-reset
    0     0 ACCEPT     tcp      *      *       ::/0                 ::/0                state NEW tcp dpt:22
    0     0 ACCEPT     all      *      *       ::/0                 ::/0                state RELATED,ESTABLISHED
    4   320 DROP       all      *      *       ::/0                 ::/0

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all      *      *       ::/0                 ::/0
root#
otherbbs (Joined: 30 Oct 2005, Posts: 97, Location: 37.274,-97.393 (KEGT))
Posted: Fri Sep 23, 2011 12:01 pm    Post subject: Re: IPv6 Firewall Issues

jsr wrote: Any ideas why?
Are you sure your web server is listening on IPv6?

You could add a log line to your rules to see what is being dropped to help debug.

Note your iptables counters only show 4 packets dropped and no other hits on the other rules. I'm betting your services are not configured to listen on your IPv6 address.

--
Travis
jsr (Joined: 09 Dec 2008, Posts: 49, Location: Gilbert, AZ)
Posted: Fri Sep 23, 2011 12:20 pm

They are configured to listen on IPv6, at least the web server is.

The counters are pretty low; that is partly because I have been messing with it and the tables were flushed recently, and partly because traffic is low, since the main address does not have a DNS entry yet because I am still trying to get it working. I've updated the counters below; the 1 accepted packet on port 80 is from me just doing a telnet on the localhost.

I forgot about the log rules, I'll try adding that to see if it offers any additional clues.

Code:
root# netstat -an|grep tcp6
tcp6       0      0 :::587                  :::*                    LISTEN
tcp6       0      0 :::80                   :::*                    LISTEN
tcp6       0      0 :::465                  :::*                    LISTEN
tcp6       0      0 :::53                   :::*                    LISTEN
tcp6       0      0 :::22                   :::*                    LISTEN
tcp6       0      0 :::25                   :::*                    LISTEN
tcp6       0      0 :::443                  :::*                    LISTEN
root#


Code:
root# ip6tables -L -v -n
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    1    80 ACCEPT     tcp      *      *       ::/0                 ::/0                state NEW tcp dpt:80
    0     0 ACCEPT     tcp      *      *       ::/0                 ::/0                state NEW tcp dpt:443
    0     0 ACCEPT     tcp      *      *       ::/0                 ::/0                state NEW tcp dpt:25
    0     0 ACCEPT     tcp      *      *       ::/0                 ::/0                state NEW tcp dpt:465
    0     0 ACCEPT     tcp      *      *       ::/0                 ::/0                state NEW tcp dpt:587
    0     0 ACCEPT     udp      *      *       ::/0                 ::/0                state NEW udp dpt:53
    0     0 ACCEPT     tcp      *      *       ::/0                 ::/0                state NEW tcp dpt:53
    0     0 REJECT     tcp      *      *       ::/0                 ::/0                tcp dpt:113 reject-with tcp-reset
    0     0 ACCEPT     tcp      *      *       ::/0                 ::/0                state NEW tcp dpt:22
    5   368 ACCEPT     all      *      *       ::/0                 ::/0                state RELATED,ESTABLISHED
  201 20808 DROP       all      *      *       ::/0                 ::/0

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    6   448 ACCEPT     all      *      *       ::/0                 ::/0
root#
hoopycat (Joined: 30 Aug 2008, Posts: 1294, Location: Rochester, New York)
Posted: Fri Sep 23, 2011 12:20 pm

(deleted suggestion about netstat; already done)

Also, it looks like you are implicitly dropping ICMPv6 traffic. This will break multiple things (stateless auto-configuration, neighbor discovery, path MTU discovery, ...). Accepting all ICMPv6 traffic should be pretty safe, although more research could find a subset that will do the trick.

(This suggests that you're blocking all ICMP traffic for IPv4 as well, which is unwise, although not as catastrophic -- neighbor discovery is its own control protocol (ARP), and PMTUD isn't totally necessary if fragmentation is allowed. Still, not a recommended practice.)
jsr (Joined: 09 Dec 2008, Posts: 49, Location: Gilbert, AZ)
Posted: Fri Sep 23, 2011 12:44 pm

I added ICMPv6 and that seems to have done the trick. I didn't realize ICMP was that important with IPv6.

I'm usually pretty stingy on allowing ICMP packets because I used to see way too much ping flooding and other nonsense back in the day. I know ping flooding probably isn't even common anymore, but old habits die hard. I do allow some IPv4 ICMPs, but have rate limits on them. I hadn't gotten to the point of figuring out any acceptable rate limits (or risk) on ICMPv6, so I had just been dropping all of those packets.

Thanks guys!
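The script below is an added example, not something posted in this thread: it prints (or, run as root with "apply", loads) ip6tables rules that admit the narrower ICMPv6 subset hoopycat alludes to, the RFC 4890 host list (error messages, Neighbor Discovery, MLD and echo), plus the kind of rate limit on echo requests that jsr's last post mentions wanting. It assumes the filter-table INPUT chain from the first post and uses -I so the rules land ahead of the existing final DROP; the hop-limit 255 match on the ND types and the 10/second echo limit are my choices, not values from the thread.

```shell
#!/bin/sh
# Added example, not from the thread: print (or, with "apply", load) the
# ip6tables rules that admit the ICMPv6 subset a host needs per RFC 4890,
# inserted with -I so they sit ahead of the existing final DROP rule.

CHAIN=INPUT   # assumed: the rules live in the filter table INPUT chain

# Emit one rule. $1 = ICMPv6 type, $2 = comment, $3 = optional extra matches.
icmpv6_rule() {
    printf 'ip6tables -I %s -p ipv6-icmp --icmpv6-type %s%s -j ACCEPT   # %s\n' \
        "$CHAIN" "$1" "${3:+ $3}" "$2"
}

gen_icmpv6_rules() {
    # Error signalling; type 2 (Packet Too Big) is what keeps PMTUD working.
    icmpv6_rule 1   'destination unreachable'
    icmpv6_rule 2   'packet too big (PMTUD)'
    icmpv6_rule 3   'time exceeded'
    icmpv6_rule 4   'parameter problem'
    # Neighbor Discovery and SLAAC. RFC 4861 requires hop limit 255 on these,
    # so the hl match drops ND messages that were routed in from off-link.
    icmpv6_rule 133 'router solicitation'    '-m hl --hl-eq 255'
    icmpv6_rule 134 'router advertisement'   '-m hl --hl-eq 255'
    icmpv6_rule 135 'neighbor solicitation'  '-m hl --hl-eq 255'
    icmpv6_rule 136 'neighbor advertisement' '-m hl --hl-eq 255'
    # Multicast Listener Discovery, which ND's solicited-node groups rely on.
    icmpv6_rule 130 'MLD query'
    icmpv6_rule 131 'MLD report'
    icmpv6_rule 132 'MLD done'
    icmpv6_rule 143 'MLDv2 report'
    # Echo: replies pass freely; requests are rate limited and any excess
    # falls through to the chain's final DROP.
    icmpv6_rule 129 'echo reply'
    icmpv6_rule 128 'echo request (rate limited)' \
        '-m limit --limit 10/second --limit-burst 20'
}

# Number of rules the generator emits (14), useful as a sanity check.
count_icmpv6_rules() { gen_icmpv6_rules | grep -c '^ip6tables '; }

case "${1:-print}" in
    apply) gen_icmpv6_rules | sh -e ;;   # loads the rules; needs root
    *)     gen_icmpv6_rules ;;
esac
```

After loading, ip6tables -L -v -n should show the fourteen ICMPv6 ACCEPT rules above the DROP rule from the first post, and the DROP counter should stop climbing for ND traffic.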