
IPv6 iptables firewall

How to set the most basic ip6tables rules.

  1. Installing ip6tables
  2. ip6tables basics

The IPv6 firewall ip6tables is part of the iptables package (see ./configure --help for the build options).

Debian iptables packages are compiled with IPv6 support. Gentoo has IPv6 as a USE flag.

1. Installing ip6tables

After you have compiled and installed your new kernel it is time to install iptables, which provides ip6tables.

1.1. Gentoo Linux

As noted in Gentoo Bugzilla Bug 39833 ("USE=ipv6 iptables does not install ip6tables-{save,restore}"), Gentoo Linux has a bug in emerge iptables. If you are using Gentoo you should edit /usr/portage/net-firewall/iptables/iptables-1.2.9.ebuild before you install.

1.2. RPM based distributions

Check if your distribution already comes with ip6tables by running:

which ip6tables

If it does not, you must rebuild the iptables package. Because iptables has to be built against your kernel, use the src.rpm and rebuild it:

rpm --rebuild /path/to/SRPMS/iptables-version-release.src.rpm

Because most distributions already have an iptables version installed, you must use -F (freshen):

rpm -Fhv /path/to/RPMS/cpu/iptables*-version-release.cpu.rpm

If no iptables package is installed, or you uninstalled it, install as usual:

rpm -ihv /path/to/RPMS/cpu/iptables*-version-release.cpu.rpm

1.3. Debian

If you are using Debian you have nothing to worry about: iptables and all relevant tools are compiled with IPv6 support.

2. ip6tables basics

The default ip6tables chains (view them with ip6tables -vL) are INPUT, FORWARD and OUTPUT.

The basic way to close a port is:

ip6tables -A <CHAIN> -p <PROTOCOL> --dport <PORTNUMBER> -j DROP

ip6tables -A INPUT -p tcp --dport 22 -j DROP

For a simple firewall, you can block ports pretty quickly with:

  IP6TABLES=`which ip6tables`
  ClosePort() {
    $IP6TABLES -A INPUT -p tcp --dport $1 -j DROP
    $IP6TABLES -A INPUT -p udp --dport $1 -j DROP
  }
  for securityrisks in 22 80 ; do
    ClosePort $securityrisks
  done

2.1. Rate-limiting

Use --limit to prevent Denial of Service (DoS) attacks against the ICMPv6 ruleset.

An example of a rate-limited ICMPv6 rule looks like:

ip6tables -A INPUT -p icmpv6 --icmpv6-type echo-request -m limit --limit 30/minute -j ACCEPT

If you use logging you will also want to limit those rules to prevent DoS attacks against syslog and file log storage.
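As an added example that is not part of the original article, the ClosePort loop and the rate-limited ICMPv6 rule above combined into one small script. The function names (rule, close_port, build_rules, print_rules, rule_count) are this example's own; show mode only prints the ip6tables commands, so the ruleset can be reviewed without root. It also shows the point the ACCEPT rule alone misses: excess echo requests are only limited if a later rule drops them.

```shell
#!/bin/sh
# Added example, not from the original article: the page's ClosePort loop and
# rate-limited ICMPv6 rule combined into one small script.
#   ./ip6wall-mini.sh apply   -> apply the rules (needs root)
#   ./ip6wall-mini.sh show    -> only print the commands (default, no root needed)
# The function names are this example's own; the options are real ip6tables ones.

IP6TABLES=${IP6TABLES:-ip6tables}
RUN=""                          # "echo" in show mode, empty in apply mode

rule() { $RUN "$IP6TABLES" "$@"; }

# Drop a port for both TCP and UDP, as the page's ClosePort does.
close_port() {
  rule -A INPUT -p tcp --dport "$1" -j DROP
  rule -A INPUT -p udp --dport "$1" -j DROP
}

build_rules() {
  rule -F INPUT
  rule -P INPUT ACCEPT          # blacklist model as on the page: only listed ports close
  # If you switch this policy to DROP, first ACCEPT the ICMPv6 types IPv6 cannot
  # work without (packet-too-big, router/neighbour solicitation and advertisement).

  # The page's rate limit: up to 30 echo requests a minute are accepted...
  rule -A INPUT -p icmpv6 --icmpv6-type echo-request \
       -m limit --limit 30/minute -j ACCEPT
  # ...but an ACCEPT rule alone limits nothing: the excess falls through to the
  # chain policy. Log a rate-limited sample of it (the page's advice for log
  # rules) and drop the rest.
  rule -A INPUT -p icmpv6 --icmpv6-type echo-request \
       -m limit --limit 5/minute -j LOG --log-prefix "ip6tables ping flood: "
  rule -A INPUT -p icmpv6 --icmpv6-type echo-request -j DROP

  for securityrisks in 22 80; do close_port "$securityrisks"; done
}

print_rules() { ( RUN=echo; build_rules ); }              # preview without root
rule_count()  { print_rules | grep -c -- '-A INPUT'; }    # number of INPUT rules added

case "${1:-show}" in
  apply) build_rules ;;
  *)     print_rules ;;
esac
```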

2.2. How to know what ports to close

Use netstat to see which ports are listening on IPv6:

netstat -lnptu -A inet6

2.3. Ip6wall automated script

Ip6wall is a bash script for ip6tables that does all the work of putting up a firewall for you.

Features include: support for IPv6-mapped LANs, forwarding, port-forwarding, configurable outgoing filtering, configurable public service access, access control lists, and more.
