| Linode Forum https://forum.linode.com/ |
|
| ip6tables doesn't filter correctly? https://forum.linode.com/viewtopic.php?f=19&t=7230 |
Page 1 of 1 |
| Author: | optize [ Wed Jun 08, 2011 11:19 pm ] |
| Post subject: | ip6tables doesn't filter correctly? |
I have a simple iptables script that I use for all of my servers. Since I rolled out ipv6 recently, I wanted to use the same script (except using ip6tables instead of iptables). Here is my script:

/sbin/ip6tables --flush
/sbin/ip6tables -A INPUT -p icmp -j ACCEPT
/sbin/ip6tables -A INPUT -p tcp --dport 80 -j ACCEPT
/sbin/ip6tables -A INPUT -p tcp --dport 443 -j ACCEPT
/sbin/ip6tables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/ip6tables -A INPUT -j LOG --log-level 4
/sbin/ip6tables -A INPUT -j DROP

Pretty simple: it accepts icmp, 80, 443, established, and then drops the rest. This script is the exact same for ipv4 traffic and works fine. When I run this script, I can't reach my ipv6 box at all, not via 80, icmp, nothing. It also can't ping out (via v6), which makes no sense. This is what appears in messages (due to the iptables log rule):

Jun 8 20:12:30 www01 kernel: IN=eth0 OUT= MAC=xx:xx:xx:xx:xx:xx SRC=xx:xx:xx:xx:xx:xx:xx DST=xx:xx:xx:xx:xx:xx:xx:xx LEN=72 TC=224 HOPLIMIT=255 FLOWLBL=0 PROTO=ICMPv6 TYPE=136 CODE=0

Anyone run into this before? It happens on all of my v6 linodes... |
|
| Author: | retrograde inversion [ Wed Jun 08, 2011 11:31 pm ] |
| Post subject: | Re: ip6tables doesn't filter correctly? |
optize wrote: /sbin/ip6tables -A INPUT -p icmp -j ACCEPT
icmp should be icmpv6 here. I would run ifconfig to make sure ipv6 is configured as well. |
|
| Author: | optize [ Thu Jun 09, 2011 10:06 am ] |
| Post subject: | Re: ip6tables doesn't filter correctly? |
It looks like ip6tables had a script running upon boot up that was conflicting with my script. chkconfig ip6tables off; reboot fixed the issue. Thanks! |
|
| Author: | zeroturn [ Mon Jun 20, 2011 8:36 pm ] |
| Post subject: | Re: ip6tables doesn't filter correctly? |
retrograde inversion wrote: optize wrote: /sbin/ip6tables -A INPUT -p icmp -j ACCEPT
icmp should be icmpv6 here. I would run ifconfig to make sure ipv6 is configured as well.
I was also having trouble with this and the icmpv6 worked for me. I was even having trouble getting Apache to work under IPv6 until I did this. Unfortunately, I don't really want everyone to be able to ping my server on IPv6, but the following iptables config doesn't allow anything to connect to anywhere: Code: Chain INPUT (policy ACCEPT 0 packets, 0 bytes) This mirrors a similar IPv4 iptables setup, but I can't even ping6 out to ipv6.google.com with the above. If I add a "-A INPUT -p icmpv6 -j ACCEPT" then it works fine. Also, http://ipv6-test.com/validate.php doesn't work with the above, but it works with a full-accept icmp ruleset. I thought that the "ctstate RELATED,ESTABLISHED" accept line would allow me to ping6 out to anywhere, but it does not. I'm confused, as well, as to why that validate ipv6 link doesn't see Apache unless I have full ICMPv6 ACCEPT rules in and out? Am I doing it wrong? Moreover: Do I really need to block ICMP or ICMPv6 on either iptables or ip6tables, or is that just a useless security practice? |
|
| Author: | db3l [ Mon Jun 20, 2011 9:21 pm ] |
| Post subject: | |
You can choose not to accept echo requests, but you still need the various ICMPv6 types related to router/neighbor announcement, autoconfiguration and whatnot. See viewtopic.php?p=39840#39840 for a prior discussion. BTW, to your question as to whether it's needed, I never turn off ICMP echo on my nodes - it's just too helpful for monitoring and quick testing. I don't really see the need to accept most other IPv4 ICMP types, but with IPv6 there are more types, as above, that are crucial to proper operation, especially in an auto-configuration environment. And yes, BTW, a possible vector for problems on an unprotected network segment, for which I haven't really formed a conclusion about how bad I feel having to keep them on. Nor am I quite sure how much more protected the Xen setup may be in contrast to dedicated hardware on a shared segment. -- David |
|
| Author: | zeroturn [ Mon Jun 20, 2011 9:32 pm ] |
| Post subject: | |
db3l wrote: You can choose not to accept echo requests, but you still need the various ICMPv6 types related to router/neighbor announcement, autoconfiguration and whatnot.
See viewtopic.php?p=39840#39840 for a prior discussion. BTW, to your question as to whether it's needed, I never turn off ICMP echo on my nodes - it's just too helpful for monitoring and quick testing. I don't really see the need to accept most other IPv4 ICMP types, but with IPv6 they're much more critical (and yes, BTW, a possible vector for problems on an unprotected network segment, for which I haven't really formed a conclusion about how bad I feel leaving them on). -- David
Thanks for that; I think I'll leave all the icmp on for ipv6 for now or perhaps try those rules you posted. I'm pretty sure that I'm more secure than my little server needs to be anyways. I will also probably turn echo on for my ipv4 setup now because I do sometimes need to use it and I can always keep the other icmp disabled. Thanks again! |
|
| Author: | zeroturn [ Tue Jun 21, 2011 12:13 am ] |
| Post subject: | |
Here are those rules in a format for use with ip6tables-apply (of course don't forget to add your own rules to it before application and save a backup copy of your ip6tables with "ip6tables-save > FILENAME"): Code: :ICMPv6 - [0:0] |
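An added example (not code from this thread, from Linode, or from zeroturn's ip6tables-apply file) showing the point db3l makes above as a POSIX shell script: the ESTABLISHED,RELATED rule alone does not cover neighbor discovery, so the RFC 4443 error types and RFC 4861 neighbor-discovery types are accepted explicitly, while echo-request (type 128) stays a separate choice. The function names, the IP6T/IP6T_APPLY variables, and the print-before-apply behaviour are my own assumptions; the type numbers are the standard ICMPv6 assignments (136 is the neighbor advertisement seen in the logged packet in the first post).

```shell
#!/bin/sh
# Added example, not from the thread. Builds an ip6tables INPUT chain that keeps
# the ICMPv6 types IPv6 cannot operate without (RFC 4443 error messages and
# RFC 4861 neighbor discovery) and makes answering pings a separate choice.
# Commands are only printed unless IP6T_APPLY=1 is exported (assumed variable).
IP6T=${IP6T:-/sbin/ip6tables}

run() {
    if [ "${IP6T_APPLY:-0}" = 1 ]; then "$@"; fi
    printf '%s\n' "$*"
}

# Name an ICMPv6 type number, e.g. the TYPE=136 seen in the logged packet above.
icmpv6_type_name() {
    case "$1" in
        1) echo destination-unreachable ;;
        2) echo packet-too-big ;;
        3) echo time-exceeded ;;
        4) echo parameter-problem ;;
        128) echo echo-request ;;
        129) echo echo-reply ;;
        133) echo router-solicitation ;;
        134) echo router-advertisement ;;
        135) echo neighbor-solicitation ;;
        136) echo neighbor-advertisement ;;
        137) echo redirect ;;
        *) echo unknown ;;
    esac
}

# Print (or apply) the ruleset. $1 is "yes" to answer echo requests, "no" to drop them.
build_ruleset() {
    allow_echo=${1:-yes}
    run "$IP6T" --flush
    run "$IP6T" -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Error and neighbor-discovery types: needed even on a host that drops all else.
    for t in 1 2 3 4 133 134 135 136 137; do
        run "$IP6T" -A INPUT -p icmpv6 --icmpv6-type "$t" -j ACCEPT
    done
    if [ "$allow_echo" = yes ]; then
        run "$IP6T" -A INPUT -p icmpv6 --icmpv6-type 128 -j ACCEPT
    fi
    run "$IP6T" -A INPUT -p tcp --dport 80 -j ACCEPT
    run "$IP6T" -A INPUT -p tcp --dport 443 -j ACCEPT
    run "$IP6T" -A INPUT -j LOG --log-level 4
    run "$IP6T" -A INPUT -j DROP
}
```

Run `build_ruleset no` first to review the printed commands, then `IP6T_APPLY=1 build_ruleset no` (as root) to load them; the LOG rule lets you check /var/log/messages for any TYPE= values you still need.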
|
| Page 1 of 1 | All times are UTC-04:00 |