Linode Forum
https://forum.linode.com/

IPv6 Firewall Issues
https://forum.linode.com/viewtopic.php?f=19&t=7799

Author:  jsr [ Fri Sep 23, 2011 12:23 pm ]
Post subject:  IPv6 Firewall Issues

I've been trying to implement a basic IPv6 firewall on my Linode without much luck. I've had a lot of experience creating firewalls using iptables for IPv4, but pretty much no experience with IPv6. To start, I basically copied what I've been using for years on IPv4 and switched it to ip6tables. The online testing tools I've been using (http://ipv6-test.com/validate.php) report that port 80 is still being blocked though. Any ideas why?

Any help would be appreciated.

Code:
ip6tables -A INPUT -m state --state NEW -p tcp -j ACCEPT --dport http
ip6tables -A INPUT -m state --state NEW -p tcp -j ACCEPT --dport https
ip6tables -A INPUT -m state --state NEW -p tcp -j ACCEPT --dport smtp
ip6tables -A INPUT -m state --state NEW -p tcp -j ACCEPT --dport ssmtp
ip6tables -A INPUT -m state --state NEW -p tcp -j ACCEPT --dport 587    # other smtp port
ip6tables -A INPUT -m state --state NEW -p udp -j ACCEPT --dport domain
ip6tables -A INPUT -m state --state NEW -p tcp -j ACCEPT --dport domain
ip6tables -A INPUT -p tcp --dport auth -j REJECT --reject-with tcp-reset
ip6tables -A INPUT -m state --state NEW -p tcp -j ACCEPT --dport ssh
ip6tables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
ip6tables -A INPUT -j DROP
ip6tables -A OUTPUT -j ACCEPT


Code:
root# ip6tables -L -v -n
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     tcp      *      *       ::/0                 ::/0                state NEW tcp dpt:80
    0     0 ACCEPT     tcp      *      *       ::/0                 ::/0                state NEW tcp dpt:443
    0     0 ACCEPT     tcp      *      *       ::/0                 ::/0                state NEW tcp dpt:25
    0     0 ACCEPT     tcp      *      *       ::/0                 ::/0                state NEW tcp dpt:465
    0     0 ACCEPT     tcp      *      *       ::/0                 ::/0                state NEW tcp dpt:587
    0     0 ACCEPT     udp      *      *       ::/0                 ::/0                state NEW udp dpt:53
    0     0 ACCEPT     tcp      *      *       ::/0                 ::/0                state NEW tcp dpt:53
    0     0 REJECT     tcp      *      *       ::/0                 ::/0                tcp dpt:113 reject-with tcp-reset
    0     0 ACCEPT     tcp      *      *       ::/0                 ::/0                state NEW tcp dpt:22
    0     0 ACCEPT     all      *      *       ::/0                 ::/0                state RELATED,ESTABLISHED
    4   320 DROP       all      *      *       ::/0                 ::/0

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all      *      *       ::/0                 ::/0
root#

Author:  otherbbs [ Fri Sep 23, 2011 1:01 pm ]
Post subject:  Re: IPv6 Firewall Issues

jsr wrote:
Any ideas why?

Are you sure your web server is listening on IPv6?

You could add a log line to your rules to see what is being dropped to help debug.

Note your iptables counters only show 4 packets dropped and no other hits on the other rules. I'm betting your services are not configured to listen on your IPv6 address.

--
Travis

Author:  jsr [ Fri Sep 23, 2011 1:20 pm ]
Post subject: 

They are configured to listen on IPv6, at least the web server is.

The counters are pretty low, that is partly because I have been messing with it and the tables were flushed recently and partly because traffic is low since the main address does not have a DNS entry yet since I am still trying to get it working. I've updated the counters below, the 1 accepted packet on port 80 is from me just doing a telnet on the localhost.

I forgot about the log rules, I'll try adding that to see if it offers any additional clues.

Code:
root# netstat -an|grep tcp6
tcp6       0      0 :::587                  :::*                    LISTEN
tcp6       0      0 :::80                   :::*                    LISTEN
tcp6       0      0 :::465                  :::*                    LISTEN
tcp6       0      0 :::53                   :::*                    LISTEN
tcp6       0      0 :::22                   :::*                    LISTEN
tcp6       0      0 :::25                   :::*                    LISTEN
tcp6       0      0 :::443                  :::*                    LISTEN
root#


Code:
root# ip6tables -L -v -n
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    1    80 ACCEPT     tcp      *      *       ::/0                 ::/0                state NEW tcp dpt:80
    0     0 ACCEPT     tcp      *      *       ::/0                 ::/0                state NEW tcp dpt:443
    0     0 ACCEPT     tcp      *      *       ::/0                 ::/0                state NEW tcp dpt:25
    0     0 ACCEPT     tcp      *      *       ::/0                 ::/0                state NEW tcp dpt:465
    0     0 ACCEPT     tcp      *      *       ::/0                 ::/0                state NEW tcp dpt:587
    0     0 ACCEPT     udp      *      *       ::/0                 ::/0                state NEW udp dpt:53
    0     0 ACCEPT     tcp      *      *       ::/0                 ::/0                state NEW tcp dpt:53
    0     0 REJECT     tcp      *      *       ::/0                 ::/0                tcp dpt:113 reject-with tcp-reset
    0     0 ACCEPT     tcp      *      *       ::/0                 ::/0                state NEW tcp dpt:22
    5   368 ACCEPT     all      *      *       ::/0                 ::/0                state RELATED,ESTABLISHED
  201 20808 DROP       all      *      *       ::/0                 ::/0

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    6   448 ACCEPT     all      *      *       ::/0                 ::/0
root#

Author:  hoopycat [ Fri Sep 23, 2011 1:20 pm ]
Post subject: 

(deleted suggestion about netstat; already done)

Also, it looks like you are implicitly dropping ICMPv6 traffic. This will break multiple things (stateless auto-configuration, neighbor discovery, path MTU discovery, ...). Accepting all ICMPv6 traffic should be pretty safe, although more research could find a subset that will do the trick.

(This suggests that you're blocking all ICMP traffic for IPv4 as well, which is unwise, although not as catastrophic -- neighbor discovery is its own control protocol (ARP), and PMTUD isn't totally necessary if fragmentation is allowed. Still, not a recommended practice.)
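The two suggestions above (a LOG rule to see what the final DROP is eating, and accepting the ICMPv6 messages that neighbor discovery, SLAAC and path MTU discovery depend on) as an added example. This is not code from the original thread or from Linode; it is an added ruleset written in the same ip6tables style as the original post. It assumes the `hl` and `limit` match modules and the `LOG` target are available (standard in ip6tables), and uses numeric ICMPv6 types from RFC 4443/4861 so it does not depend on the name spellings a given ip6tables build accepts. `IP6T` is an assumed variable: it defaults to `ip6tables`, and setting `IP6T=echo` prints the rules instead of installing them.

```shell
#!/bin/sh
# Added example (not from the original thread): ICMPv6 accept rules for a
# host firewall, plus a rate-limited LOG rule in front of the final DROP.
# IP6T is the command used to install rules; IP6T=echo gives a dry run.
IP6T="${IP6T:-ip6tables}"

# Error messages (RFC 4443). Dropping type 2 (packet-too-big) breaks path MTU
# discovery: large TCP segments are silently blackholed and connections hang.
icmpv6_error_rules() {
    for t in 1 2 3 4; do   # dest-unreachable, packet-too-big, time-exceeded, parameter-problem
        "$IP6T" -A INPUT -p icmpv6 --icmpv6-type "$t" -j ACCEPT
    done
}

# Neighbor Discovery (RFC 4861): RS, RA, NS, NA, redirect. Valid ND messages
# always carry hop limit 255; requiring it rejects anything that was routed,
# so off-link hosts cannot inject ND traffic. Without NS/NA the host cannot
# even resolve its default gateway's link-layer address.
icmpv6_nd_rules() {
    for t in 133 134 135 136 137; do
        "$IP6T" -A INPUT -p icmpv6 --icmpv6-type "$t" -m hl --hl-eq 255 -j ACCEPT
    done
}

# Echo: accept, but rate-limit requests so a ping flood cannot consume the
# box. Values are assumptions; tune to your own traffic.
icmpv6_echo_rules() {
    "$IP6T" -A INPUT -p icmpv6 --icmpv6-type 128 -m limit --limit 10/second --limit-burst 20 -j ACCEPT
    "$IP6T" -A INPUT -p icmpv6 --icmpv6-type 129 -j ACCEPT
}

# Everything ICMPv6 above must sit before the final DROP.
install_icmpv6_rules() {
    icmpv6_error_rules
    icmpv6_nd_rules
    icmpv6_echo_rules
}

# Rate-limited log of whatever is about to be dropped, then the DROP itself.
# Dropped packets then show up in the kernel log with the given prefix.
tail_rules() {
    "$IP6T" -A INPUT -m limit --limit 5/minute --limit-burst 10 -j LOG --log-prefix "ip6tables-drop: "
    "$IP6T" -A INPUT -j DROP
}
```

Order matters: because the original rules are appended with `-A`, run `install_icmpv6_rules` before the final `ip6tables -A INPUT -j DROP` (or flush and rebuild the chain), otherwise the new accepts land after the DROP and never match. Check with `ip6tables -L INPUT -v -n` that the ICMPv6 counters move and that `dmesg` or the syslog shows `ip6tables-drop:` lines only for traffic you actually meant to drop.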

Author:  jsr [ Fri Sep 23, 2011 1:44 pm ]
Post subject: 

I added ICMPv6 and that seems to have done the trick. I didn't realize ICMP was that important with IPv6.

I'm usually pretty stingy on allowing ICMP packets because I used to see way too much ping flooding and other nonsense back in the day. I know ping flooding probably isn't even common anymore, but old habits die hard. I do allow some IPv4 ICMPs, but have rate limits on them. I hadn't gotten to the point of figuring out any acceptable rate limits (or risk) on ICMPv6, so I had just been dropping all of those packets.

Thanks guys!
