Is your firewall IPv6 aware?

Posted by Steve on Thu 8 Jan 2009 at 23:14

If, like many people, you've started to experiment with enabling, configuring and using IPv6, it might not have crossed your mind that your firewall needs updating too. If you're unlucky that can lead to surprises: a host you believe is locked down may be wide open on its IPv6 address. Read on for a simple overview.

The standard userspace firewall tool on Debian GNU/Linux is iptables. It lets you add, list and update your firewall rules, and is documented both on this site and in many online guides.

If you were to execute the following rules you'd disallow incoming connections to your server on port 22 except from a single trusted IP (1.2.3.4):

# allow me to connect from my static IP
iptables -A INPUT -p tcp --dport 22 --src 1.2.3.4 -j ACCEPT

# drop the rest of the world
iptables -A INPUT -p tcp --dport 22 -j DROP

You might think that this is sufficient to stop connections hitting your machine, but if it is accessible over IPv6 you'll soon discover this isn't the case:

telnet -6 www.example.org 22
Trying 2002:5f10:fff::1...
Connected to www.example.org
Escape character is '^]'.
SSH-2.0-OpenSSH_4.3p2 Debian-9etch3

Here we see that we've been allowed to reach port 22, even though we shouldn't have been. Why? Because iptables only handles IPv4: the rules we added above are never consulted for IPv6 packets, which are filtered by a completely separate set of tables.

To configure rules for IPv6 you need to use the ip6tables tool as well:

ip6tables -A INPUT -p tcp --dport 22 -j DROP

Now incoming IPv6 connections to port 22 will be dropped (DROP discards the packet silently; use -j REJECT instead if you want the client to get an immediate error rather than a timeout). If your trusted host also has an IPv6 address, add the matching ACCEPT rule before the DROP, exactly as you did for IPv4. ip6tables takes the same options as iptables, so there's nothing new to learn, but the two tools maintain separate rule sets: every rule you add with one has to be added again with the other, and the default policy you set with -P applies to only one of them.

If you've already got a simple firewall script that you've put together yourself, updating it shouldn't be much work. If you're using an existing firewall package such as shorewall you might not even need to do that, but you should certainly test it and find out: run ip6tables -L -n -v and check that the IPv6 rules you expect are actually there, then repeat the telnet -6 test from the outside.
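Putting the pieces together, here is an added example of the kind of script the article describes. It is written for this page and is not code from the original post or from any Debian package: one helper applies each rule to iptables and ip6tables in turn so the IPv6 side cannot be forgotten, the INPUT policy defaults to DROP on both families so an omission fails closed, and the ICMPv6 types IPv6 needs to function are let through explicitly. The IPv6 address 2001:db8::1 is a placeholder from the documentation range, and the FW=echo dry-run switch is an assumption of this script, not an iptables feature.

```sh
#!/bin/sh
# ipv6-aware-fw.sh: apply the same INPUT policy to iptables and ip6tables.
#
# FW is a prefix put in front of every firewall command. Leave it empty to
# apply the rules for real (as root); set FW=echo to dry-run and only print
# what would be executed:
#   FW=echo sh ipv6-aware-fw.sh apply
#
# The addresses below are placeholders, not real hosts.
TRUSTED_V4="1.2.3.4"        # the trusted address from the article
TRUSTED_V6="2001:db8::1"    # assumed: documentation prefix, replace with yours

fw() {
  # run one firewall command, honouring the FW dry-run prefix
  ${FW:-} "$@"
}

both() {
  # apply an identical rule to the IPv4 table and the IPv6 table
  fw iptables "$@"
  fw ip6tables "$@"
}

apply_firewall() {
  # 1. Default-deny inbound for BOTH families, so a forgotten ip6tables
  #    rule fails closed instead of open.
  both -P INPUT DROP

  # 2. Traffic we always need: loopback and replies to our own connections.
  both -A INPUT -i lo -j ACCEPT
  both -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

  # 3. IPv6 cannot even find its next hop without ICMPv6 neighbour discovery
  #    (types 133-137); types 1-4 carry errors and path MTU discovery.
  #    A blanket DROP policy with no ICMPv6 exceptions disconnects the host.
  for t in 1 2 3 4 133 134 135 136 137; do
    fw ip6tables -A INPUT -p icmpv6 --icmpv6-type "$t" -j ACCEPT
  done
  # Plain ICMP echo on IPv4 so ping keeps working (optional).
  fw iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT

  # 4. SSH only from the trusted host, on each family it is reachable by,
  #    and then the article's DROP for everyone else on both families.
  fw iptables  -A INPUT -p tcp --dport 22 -s "$TRUSTED_V4" -j ACCEPT
  fw ip6tables -A INPUT -p tcp --dport 22 -s "$TRUSTED_V6" -j ACCEPT
  both -A INPUT -p tcp --dport 22 -j DROP
}

# Only apply when explicitly asked, so the file can be sourced or dry-run.
if [ "${1:-}" = "apply" ]; then
  apply_firewall
fi
```

Run it once with FW=echo to read every command that would be issued and confirm each iptables line has its ip6tables twin, then as root without FW to apply it. Afterwards ip6tables -L -n -v should show the same shape of ruleset as iptables -L -n -v, and the telnet -6 test from the article should hang instead of printing an SSH banner.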

 

 


Re: Is your firewall IPv6 aware?
Posted by mbl (90.229.xx.xx) on Thu 8 Jan 2009 at 23:49
I happened to read the other day that Shorewall has just added IPv6 functionality: http://www.shorewall.net/IPv6Support.html
/MBL


Re: Is your firewall IPv6 aware?
Posted by Xeeper (87.195.xx.xx) on Fri 9 Jan 2009 at 07:42
First of all, you should set both input policies to 'drop'. That way you know for sure that every packet received is dropped.

iptables -P INPUT DROP
ip6tables -P INPUT DROP

After that you can specify what is allowed. If you were to use
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
then SSH traffic over IPv6 isn't allowed, but over IPv4 it is.



Re: Is your firewall IPv6 aware?
Posted by ajt (204.193.xx.xx) on Fri 9 Jan 2009 at 08:58

That's what I do now, but as Steve points out it's not uncommon to forget to include the ipv6 version of the iptables command. I've seen some ipv6 traffic on my network in the past, which is odd as I don't think my ISP or ADSL router are anything other than ipv4.

--
"It's Not Magic, It's Work"
Adam


Re: Is your firewall IPv6 aware?
Posted by AJxn (2001:0xx:0xx:0xxx:0xxx:0xxx:xx) on Tue 2 Mar 2010 at 20:04
You should also remember that ICMPv6 is much more important in IPv6 than ICMP is in IPv4. So you should check what you must let through to make IPv6 work as it should.

Re: Is your firewall IPv6 aware?
Posted by Anonymous (92.70.xx.xx) on Wed 3 Mar 2010 at 13:52
Well, we do *NOT* support IPv6. Just like 99% of the ISPs. So we block all IPv6 traffic we receive on our primary backbones. We do have a 'consumer' fiber connection with an ISP that provides an IPv6 tunnel over IPv4.

For instance RIPE (the organization that's responsible for IP blocks in Europe) doesn't even have IPv6. The NL domain registry doesn't have IPv6 DNS servers.

So as long as the most important organizations on the internet don't have IPv6 themselves, we keep blocking it.

Btw: ICMP over IPv6 is *NOT* more important than over IPv4. It's just as important. ICMP discovers the route that packets need to travel to reach their destination. Because most internet routers don't have IPv6 BGP support, destinations need to support ICMPv6 neighborhood discovery messages. As more and more routers get IPv6 BGP 'support', ICMP becomes less important. Route discovery using ICMP is very slow compared to BGP.


Re: Is your firewall IPv6 aware?
Posted by Anonymous (84.106.xx.xx) on Wed 11 Feb 2009 at 19:27
As long as ipv6 is not used, you should seriously consider disabling it as part of your (presumably) automated installation of hosts. At least we do.


Re: Is your firewall IPv6 aware?
Posted by progfou (117.1.xx.xx) on Thu 19 Feb 2009 at 12:23
You mean there are still people not considering IPv6 in the year 2009!?!?

Wake up, guys!!! We will soon run out of IPv4 addresses; even though we are using more and more tricks, developing countries (think about >3 billion Asian people) are also getting more and more connected... And that's without even considering embedded devices!

FYI: http://www.potaroo.net/tools/ipv4/

Even without talking about really connecting to IPv6, it *is* time to start implementing it!



Re: Is your firewall IPv6 aware?
Posted by Anonymous (88.86.xx.xx) on Mon 2 Mar 2009 at 01:52
IPv6 is only used for IRC by kids :) Even though they say big numbers about how many v6 users are out there, I would say 60% of those don't even know what IPv6 is.

Those ISPs who deploy IPv6 natively on their networks make Vista users targets (since it's not enabled by default on previous Windows versions).

Of course no one is going to scan v6 blocks, but what if they give them a v6 reverse as well?

On my Linux and BSD boxes I was experimenting with v6 when it was so called 'hot'; now it seems no one cares about it anymore. ip6tables rules can look ugly when you start blocking or allowing certain services from dedicated IPs which have no DNS. For sysadmins this can be a real hell in the future.


Re: Is your firewall IPv6 aware?
Posted by fredr (2001:0xx:0xx:0xxx:0xxx:0xxx:xx) on Sun 22 Mar 2009 at 13:33
I sure hope so.
