APANA Melbourne

IPv6: Firewalling

last edited 3 years ago by lenehan

The IPv4 firewalling (if configured) needs to permit tunnelled IPv6 traffic into and out of the gateway host. The packets will always be sent to and from the gateway host's IPv4 address (as encoded in the 6to4 IPv6 address).

For example:

  iptables -A INPUT  -i ppp0 -d charon.twibble.org -p ipv6 -j ACCEPT
  iptables -A OUTPUT -o ppp0 -s charon.twibble.org -p ipv6 -j ACCEPT

The IPv6 firewalling will now need to be configured to protect the host against IPv6 traffic. The ip6tables command is used for this purpose and is very similar in operation to the iptables command. The biggest omission at present is the lack of stateful filtering (which complicates setting up rules quite a bit).

Traffic from the outside arrives on the tun6to4 device, so that interface can be used in the firewalling rules to distinguish between internal and external traffic.
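The two points above (the IPv4 rules follow from the gateway address encoded in the 6to4 prefix, and the IPv6 rules have to open both directions by hand because there is no stateful filtering) can be turned into a small rule generator. This is an added example, not code from the APANA wiki page: the function names sixto4_prefix, tunnel_rules and tcp_service_rules are mine, the chain names follow the page's io_tun6to4_in/io_tun6to4_out convention, and the IPv4 address 203.217.29.134 is simply the page's prefix 2002:cbd9:1d86::/48 decoded. Nothing is loaded into the kernel; every function only prints the commands so they can be reviewed first.

```shell
#!/bin/sh
# Added example (not from the APANA wiki page): derive the 6to4 prefix that the
# IPv4 rules must let through and print the paired IPv4/IPv6 rules in the page's
# style. Only prints commands; run the output as root once reviewed.

# 6to4 encodes an IPv4 address a.b.c.d as the prefix 2002:aabb:ccdd::/48, so the
# gateway's IPv4 address fixes the IPv6 subnet the ip6tables rules protect.
# Prints the prefix, or fails on anything that is not a valid dotted quad.
sixto4_prefix() {
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || { echo "sixto4_prefix: expected a.b.c.d" >&2; return 1; }
    for octet in "$@"; do
        # reject empty, non-numeric and leading-zero octets (printf would read
        # a leading zero as octal)
        case $octet in
            ''|*[!0-9]*|0?*) echo "sixto4_prefix: bad octet '$octet'" >&2; return 1 ;;
        esac
        [ "$octet" -le 255 ] || { echo "sixto4_prefix: octet > 255" >&2; return 1; }
    done
    printf '2002:%02x%02x:%02x%02x::/48\n' "$1" "$2" "$3" "$4"
}

# The IPv4 side: protocol 41 ("ipv6" in /etc/protocols) to and from the gateway
# address on the external interface, the same two iptables lines as on the page.
# tunnel_rules <external iface> <gateway IPv4 address or hostname>
tunnel_rules() {
    printf 'iptables -A INPUT  -i %s -d %s -p ipv6 -j ACCEPT\n' "$1" "$2"
    printf 'iptables -A OUTPUT -o %s -s %s -p ipv6 -j ACCEPT\n' "$1" "$2"
}

# The IPv6 side for TCP services: without stateful filtering the reply direction
# must be opened explicitly, so each service becomes an inbound --dport rule on
# the external-in chain and an outbound --sport rule on the external-out chain.
# tcp_service_rules <chain_in> <chain_out> <port>...
tcp_service_rules() {
    chain_in=$1; chain_out=$2; shift 2
    for port in "$@"; do
        printf 'ip6tables -A %s -p tcp --dport %s -j ACCEPT\n' "$chain_in" "$port"
        printf 'ip6tables -A %s -p tcp --sport %s -j ACCEPT\n' "$chain_out" "$port"
    done
}

# Demo with the page's values: 2002:cbd9:1d86::/48 decodes to 203.217.29.134,
# the external link is ppp0, and the services are http, https and smtp.
GATEWAY_V4=203.217.29.134
PREFIX=$(sixto4_prefix "$GATEWAY_V4") || exit 1
echo "# 6to4 prefix for $GATEWAY_V4: $PREFIX"
tunnel_rules ppp0 "$GATEWAY_V4"
tcp_service_rules io_tun6to4_in io_tun6to4_out 80 443 25
```

Checking the generated prefix against the IPV6_SUBNET variable in the script below is a cheap sanity check: if the gateway's IPv4 address changes (for example on a dynamic PPP link), both the iptables address match and the ip6tables subnet have to change with it, and a mismatch means the tunnel traffic is no longer covered by the rules.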

The following shows a simple example of this (please make sure you understand what this is letting in before you use it!)

  CHAIN=tun6to4
  CHAIN_IN=io_${CHAIN}_in
  CHAIN_OUT=io_${CHAIN}_out
  IPV6_SUBNET="2002:cbd9:1d86::/48"
  # Local ephemeral port range (not set on this page; an assumed value, adjust to suit the host)
  LOCAL_PORT_RANGE="1024:65535"

  echo -n "Loading $CHAIN: "
  ip6tables -N $CHAIN_IN
  ip6tables -N $CHAIN_OUT

  echo -n "LIMIT[$IPV6_SUBNET<->::/0] "
  ip6tables -A INPUT  -d $IPV6_SUBNET -i tun6to4 -j $CHAIN_IN
  ip6tables -A OUTPUT -s $IPV6_SUBNET -o tun6to4 -j $CHAIN_OUT

  echo -n "ICMP "
  ip6tables -A $CHAIN_IN -p ipv6-icmp --icmpv6-type destination-unreachable -j ACCEPT
  ip6tables -A $CHAIN_IN -p ipv6-icmp --icmpv6-type packet-too-big -j ACCEPT
  ip6tables -A $CHAIN_IN -p ipv6-icmp --icmpv6-type time-exceeded -j ACCEPT
  ip6tables -A $CHAIN_IN -p ipv6-icmp --icmpv6-type parameter-problem -j ACCEPT
  ip6tables -A $CHAIN_IN -p ipv6-icmp --icmpv6-type echo-request --match limit --limit 30/minute -j ACCEPT
  ip6tables -A $CHAIN_IN -p ipv6-icmp --icmpv6-type echo-reply -j ACCEPT
  ip6tables -A $CHAIN_OUT -p ipv6-icmp -j ACCEPT

  echo -n "tcp/http tcp/https tcp/smtp "
  ip6tables -A $CHAIN_IN  -p tcp --dport 80 -j ACCEPT
  ip6tables -A $CHAIN_OUT -p tcp --sport 80 -j ACCEPT
  ip6tables -A $CHAIN_IN  -p tcp --dport 443 -j ACCEPT
  ip6tables -A $CHAIN_OUT -p tcp --sport 443 -j ACCEPT
  ip6tables -A $CHAIN_IN  -p tcp --dport 25 -j ACCEPT
  ip6tables -A $CHAIN_OUT -p tcp --sport 25 -j ACCEPT

  # Drop SYN packets: without stateful filtering any remaining inbound SYN is a new
  # connection attempt, so it goes to log6_info (a chain defined elsewhere on the
  # host, assumed to log and drop) before the high-port rules below can accept it
  ip6tables -A $CHAIN_IN -p tcp --syn -j log6_info

  # Let in/out tcp and udp to the high port numbers
  ip6tables -A $CHAIN_IN  -p tcp --dport $LOCAL_PORT_RANGE -j ACCEPT
  ip6tables -A $CHAIN_IN  -p udp --dport $LOCAL_PORT_RANGE -j ACCEPT
  ip6tables -A $CHAIN_OUT -p tcp --sport $LOCAL_PORT_RANGE -j ACCEPT
  ip6tables -A $CHAIN_OUT -p udp --sport $LOCAL_PORT_RANGE -j ACCEPT
