IPv6 iptables firewall
How to set the most basic ip6tables rules.
The IPv6 firewall ip6tables is included in the iptables package (./configure --help).
Debian iptables packages are compiled with IPv6 support. Gentoo has IPv6 as a USE flag.
1. Installing ip6tables
After you have compiled and installed your new kernel, it is time to install iptables (which provides ip6tables).
1.1. Gentoo Linux
As noted in Gentoo Bugzilla Bug 39833 ("USE=ipv6 iptables does not install ip6tables-{save,restore}"), the Gentoo iptables ebuild has a bug in emerge iptables.
If you are using Gentoo, edit
/usr/portage/net-firewall/iptables/iptables-1.2.9.ebuild
before you install.
1.2. RPM based distributions
Check if your distribution already comes with ip6tables by running:
which ip6tables
If it does not, you must rebuild the iptables package. Because iptables needs to build against your kernel you must use a src.rpm and rebuild it:
rpm --rebuild /path/to/SRPMS/iptables-version-release.src.rpm
Because most distributions already have an iptables version installed, you must use -F (freshen):
rpm -Fhv /path/to/RPMS/cpu/iptables*-version-release.cpu.rpm
If it does not, or if you uninstalled it, install as usual:
rpm -ihv /path/to/RPMS/cpu/iptables*-version-release.cpu.rpm
1.3. Debian
If you are using Debian you have nothing to worry about: iptables and all relevant tools are compiled with IPv6 support.
2. ip6tables basics
The default ip6tables chains (view them with ip6tables -vL) are INPUT, FORWARD and OUTPUT.
The basic way to close a port is:
ip6tables -A <CHAIN> -p <PROTOCOL> --dport <PORTNUMBER> -j DROP
ip6tables -A INPUT -p tcp --dport 22 -j DROP
For a simple firewall, you can block ports quickly with
IP6TABLES=`which ip6tables`
# Drop both TCP and UDP traffic to the given port number.
ClosePort() {
    $IP6TABLES -A INPUT -p tcp --dport $1 -j DROP
    $IP6TABLES -A INPUT -p udp --dport $1 -j DROP
}
for securityrisks in 22 80 ;
do
    ClosePort $securityrisks
done
2.1. Rate-limiting
Use --limit to prevent Denial of Service (DoS) attacks against the ICMPv6 ruleset.
An example of a rate-limited ICMPv6 rule looks like:
ip6tables -A INPUT --protocol icmpv6 --icmpv6-type echo-request --match limit --limit 30/minute -j ACCEPT
If you use logging, you will also want to rate-limit those rules to prevent DoS attacks against syslog and log file storage.
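The following is an added example (not part of the original page or the Ip6wall script) that combines the ClosePort() idea with the rate-limited ICMPv6 and LOG rules above into one ruleset in ip6tables-restore format, so it can be loaded atomically with ip6tables-restore or reviewed first. The port list, rates and log prefix are constructed values for the demonstration.

```shell
#!/bin/sh
# Added example, not the page's own code: build a small IPv6 ruleset in
# ip6tables-restore syntax. Port list and rates below are constructed values.
CLOSED_PORTS="22 80"     # ports closed for both tcp and udp (example values)
PING_LIMIT="30/minute"   # echo-request rate limit, as in the rule above
LOG_LIMIT="5/minute"     # LOG rate limit, so a flood cannot fill syslog

emit() { printf '%s\n' "$1"; }

# Same effect as the page's ClosePort(): one tcp and one udp rule per port,
# but sent through the LOGDROP chain so the block is logged before the drop.
close_port() {
    emit "-A INPUT -p tcp --dport $1 -j LOGDROP"
    emit "-A INPUT -p udp --dport $1 -j LOGDROP"
}

# Print the complete ruleset on stdout.
build_ruleset() {
    emit '*filter'
    emit ':INPUT ACCEPT [0:0]'
    emit ':FORWARD ACCEPT [0:0]'
    emit ':OUTPUT ACCEPT [0:0]'
    emit ':LOGDROP - [0:0]'
    # LOGDROP: log at most LOG_LIMIT entries, then drop unconditionally
    emit "-A LOGDROP -m limit --limit $LOG_LIMIT -j LOG --log-prefix \"ip6 drop: \""
    emit '-A LOGDROP -j DROP'
    # echo-request above PING_LIMIT falls through to the LOGDROP rule below it
    emit "-A INPUT -p icmpv6 --icmpv6-type echo-request -m limit --limit $PING_LIMIT -j ACCEPT"
    emit '-A INPUT -p icmpv6 --icmpv6-type echo-request -j LOGDROP'
    for port in $CLOSED_PORTS; do
        close_port "$port"
    done
    emit 'COMMIT'
}

# "apply" loads the ruleset atomically (needs root); anything else prints it.
case "${1:-show}" in
    apply) build_ruleset | ip6tables-restore ;;
    *)     build_ruleset ;;
esac
```

Run it without arguments to review the generated rules, and with "apply" as root to load them.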
2.2. How to know what ports to close
Use netstat (see its manual page) to view which ports are listening on IPv6:
netstat -lnptu -A inet6
2.3. Ip6wall automated script
Ip6wall is a bash script for ip6tables that does all the work of putting up a firewall for you.
Features include: support for IPv6 mapped LANs, forwarding, port-forwarding, configurable outgoing filtering, configurable public service access, access control lists, and more.