# Tips for ip6tables?

## wswartzendruber

I have reasonably secure iptables rules that I use for IPv4, but IPv6 is a whole new world to me.

Does anyone have any tips on how to build a good IPv6 table ruleset?  Target devices in mind are home routers (OpenWrt) and a server (Gentoo Hardened).

----------

## Ant P.

The common "deny all except outgoing connections then add holes" setup for IPv4 is probably a good start here too.

Remember: fe80::/7 are LAN addresses, ff00::/8 (I think) are multicast addresses, so make sure not to block them or stuff might act strange.

----------

## wswartzendruber

 *Ant_P wrote:*

> The common "deny all except outgoing connections then add holes" setup for IPv4 is probably a good start here too.
> 
> Remember: fe80::/7 are LAN addresses, ff00::/8 (I think) are multicast addresses, so make sure not to block them or stuff might act strange.


fe80:: is LAN?  I thought that was link-local.

EDIT:  Evidently, we don't have to check for fragmented packets anymore.

EDIT AGAIN:  I just found an RFC that's actually very easy to understand.  Here's the basic summary on what we need to filter:

 *Quote:*

> ::1/128 - Loopback
> 
> ::0/128 - Unspecified
> 
> ::ffff:0:0/96 - IPv4-Mapped Addresses
> ...


----------

## wswartzendruber

Here are my current ip6tables rules:

```
# Setup some anal defaults.
$IPTABLES -P FORWARD DROP
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP

# Rules for ALL interfaces.
$IPTABLES -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
$IPTABLES -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
$IPTABLES -A INPUT -m state --state INVALID -j DROP
$IPTABLES -A INPUT -p tcp -m state --state NEW -m tcp ! --syn -j DROP
# ICMPv6 is accepted here, ahead of the per-interface source filters below,
# so Neighbor Discovery from link-local (fe80::/10) sources keeps working.
$IPTABLES -A INPUT -p icmpv6 -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --tcp-flags ALL NONE -j DROP
$IPTABLES -A OUTPUT -p tcp --tcp-flags ALL ALL -j DROP
$IPTABLES -A OUTPUT -m state --state INVALID -j DROP
$IPTABLES -A OUTPUT -p tcp -m state --state NEW -m tcp ! --syn -j DROP
$IPTABLES -A OUTPUT -p icmpv6 -j ACCEPT
$IPTABLES -A FORWARD -p tcp --tcp-flags ALL NONE -j DROP
$IPTABLES -A FORWARD -p tcp --tcp-flags ALL ALL -j DROP
$IPTABLES -A FORWARD -m state --state INVALID -j DROP
$IPTABLES -A FORWARD -p tcp -m state --state NEW -m tcp ! --syn -j DROP

# Input/output rules for loopback.
$IPTABLES -A INPUT -i $IF_LO -s ::1 -d ::1 -j ACCEPT
$IPTABLES -A OUTPUT -o $IF_LO -s ::1 -d ::1 -j ACCEPT

# Inbound WAN interface.
# Drop special-purpose source prefixes (from the RFC quoted above) first,
# then accept only replies to connections we initiated.
$IPTABLES -A INPUT -i $IF_WAN -s ::0/128 -j DROP
$IPTABLES -A INPUT -i $IF_WAN -s ::1/128 -j DROP
$IPTABLES -A INPUT -i $IF_WAN -s ::ffff:0:0/96 -j DROP
$IPTABLES -A INPUT -i $IF_WAN -s ::0/96 -j DROP
$IPTABLES -A INPUT -i $IF_WAN -s fe80::/10 -j DROP
$IPTABLES -A INPUT -i $IF_WAN -s fc00::/7 -j DROP
$IPTABLES -A INPUT -i $IF_WAN -s 2001:db8::/32 -j DROP
$IPTABLES -A INPUT -i $IF_WAN -s 2001:10::/28 -j DROP
$IPTABLES -A INPUT -i $IF_WAN -d $IP_WAN -m state --state ESTABLISHED,RELATED -j ACCEPT

# Inbound LAN interface.
$IPTABLES -A INPUT -i $IF_LAN -s ::0/128 -j DROP
$IPTABLES -A INPUT -i $IF_LAN -s ::1/128 -j DROP
$IPTABLES -A INPUT -i $IF_LAN -s ::ffff:0:0/96 -j DROP
$IPTABLES -A INPUT -i $IF_LAN -s ::0/96 -j DROP
$IPTABLES -A INPUT -i $IF_LAN -s fe80::/10 -j DROP
$IPTABLES -A INPUT -i $IF_LAN -s fc00::/7 -j DROP
$IPTABLES -A INPUT -i $IF_LAN -s 2001:db8::/32 -j DROP
$IPTABLES -A INPUT -i $IF_LAN -s 2001:10::/28 -j DROP
$IPTABLES -A INPUT -i $IF_LAN -d $IP_LAN -j ACCEPT

# Outbound LAN interface.
$IPTABLES -A OUTPUT -o $IF_LAN -d ::0/128 -j DROP
$IPTABLES -A OUTPUT -o $IF_LAN -d ::1/128 -j DROP
$IPTABLES -A OUTPUT -o $IF_LAN -d ::ffff:0:0/96 -j DROP
$IPTABLES -A OUTPUT -o $IF_LAN -d ::0/96 -j DROP
$IPTABLES -A OUTPUT -o $IF_LAN -d fe80::/10 -j DROP
$IPTABLES -A OUTPUT -o $IF_LAN -d fc00::/7 -j DROP
$IPTABLES -A OUTPUT -o $IF_LAN -d 2001:db8::/32 -j DROP
$IPTABLES -A OUTPUT -o $IF_LAN -d 2001:10::/28 -j DROP
$IPTABLES -A OUTPUT -o $IF_LAN -s $IP_LAN -j ACCEPT

# Outbound WAN interface.
$IPTABLES -A OUTPUT -o $IF_WAN -d ::0/128 -j DROP
$IPTABLES -A OUTPUT -o $IF_WAN -d ::1/128 -j DROP
$IPTABLES -A OUTPUT -o $IF_WAN -d ::ffff:0:0/96 -j DROP
$IPTABLES -A OUTPUT -o $IF_WAN -d ::0/96 -j DROP
$IPTABLES -A OUTPUT -o $IF_WAN -d fe80::/10 -j DROP
$IPTABLES -A OUTPUT -o $IF_WAN -d fc00::/7 -j DROP
$IPTABLES -A OUTPUT -o $IF_WAN -d 2001:db8::/32 -j DROP
$IPTABLES -A OUTPUT -o $IF_WAN -d 2001:10::/28 -j DROP
$IPTABLES -A OUTPUT -o $IF_WAN -s $IP_WAN -j ACCEPT

# Forwarding rules for inbound global.
$IPTABLES -A FORWARD -i $IF_WAN -o $IF_LAN -s ::0/128 -j DROP
$IPTABLES -A FORWARD -i $IF_WAN -o $IF_LAN -s ::1/128 -j DROP
$IPTABLES -A FORWARD -i $IF_WAN -o $IF_LAN -s ::ffff:0:0/96 -j DROP
$IPTABLES -A FORWARD -i $IF_WAN -o $IF_LAN -s ::0/96 -j DROP
$IPTABLES -A FORWARD -i $IF_WAN -o $IF_LAN -s fe80::/10 -j DROP
$IPTABLES -A FORWARD -i $IF_WAN -o $IF_LAN -s fc00::/7 -j DROP
$IPTABLES -A FORWARD -i $IF_WAN -o $IF_LAN -s 2001:db8::/32 -j DROP
$IPTABLES -A FORWARD -i $IF_WAN -o $IF_LAN -s 2001:10::/28 -j DROP
$IPTABLES -A FORWARD -i $IF_WAN -o $IF_LAN -d $NETMASK_LAN -m state --state ESTABLISHED,RELATED -j ACCEPT

# Forwarding rules for outbound global.
$IPTABLES -A FORWARD -i $IF_LAN -o $IF_WAN -d ::0/128 -j DROP
$IPTABLES -A FORWARD -i $IF_LAN -o $IF_WAN -d ::1/128 -j DROP
$IPTABLES -A FORWARD -i $IF_LAN -o $IF_WAN -d ::ffff:0:0/96 -j DROP
$IPTABLES -A FORWARD -i $IF_LAN -o $IF_WAN -d ::0/96 -j DROP
$IPTABLES -A FORWARD -i $IF_LAN -o $IF_WAN -d fe80::/10 -j DROP
$IPTABLES -A FORWARD -i $IF_LAN -o $IF_WAN -d fc00::/7 -j DROP
$IPTABLES -A FORWARD -i $IF_LAN -o $IF_WAN -d 2001:db8::/32 -j DROP
$IPTABLES -A FORWARD -i $IF_LAN -o $IF_WAN -d 2001:10::/28 -j DROP
$IPTABLES -A FORWARD -i $IF_LAN -o $IF_WAN -s $NETMASK_LAN -j ACCEPT
```

EDIT:  Fixed a bunch of issues.
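To see how the INPUT chain above actually decides, here is a small first-match model of it (an added example, not the poster's rules or anything from OpenWrt or Gentoo). It uses the same special-purpose source prefixes and rule order; the interface names and the $IP_WAN / $IP_LAN values are constructed placeholders, and the TCP-flag sanity rules are left out.

```python
import ipaddress

# Special-purpose source prefixes dropped on the WAN and LAN interfaces
# (the list from the RFC quoted earlier in the thread, as used in the rules).
BOGON_PREFIXES = [ipaddress.ip_network(p) for p in (
    "::0/128", "::1/128", "::ffff:0:0/96", "::0/96",
    "fe80::/10", "fc00::/7", "2001:db8::/32", "2001:10::/28",
)]

# Constructed placeholders standing in for $IF_LO, $IF_WAN, $IF_LAN, $IP_WAN, $IP_LAN.
IF_LO, IF_WAN, IF_LAN = "lo", "eth0", "eth1"
IP_WAN = ipaddress.ip_address("2001:db9::1")
IP_LAN = ipaddress.ip_address("2001:db9:0:1::1")


def input_verdict(iface, src, dst, proto, state="NEW"):
    """Verdict ('ACCEPT' or 'DROP') of the INPUT chain for one packet.

    iface: input interface; src/dst: IPv6 addresses as strings; proto: 'tcp',
    'udp' or 'icmpv6'; state: conntrack state ('NEW', 'ESTABLISHED', 'RELATED'
    or 'INVALID').  Rules are checked top to bottom and the first match wins;
    a packet no rule matches falls through to the chain policy, which is DROP.
    """
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    # Rules for ALL interfaces.
    if state == "INVALID":
        return "DROP"
    if proto == "icmpv6":
        # Matched before the fe80::/10 drop below, so Neighbor Discovery
        # and Router Advertisements from link-local sources get through.
        return "ACCEPT"
    # Input rule for loopback.
    if iface == IF_LO and src == dst == ipaddress.ip_address("::1"):
        return "ACCEPT"
    # Inbound WAN/LAN: the special-purpose source drops come first.
    if iface in (IF_WAN, IF_LAN) and any(src in net for net in BOGON_PREFIXES):
        return "DROP"
    # WAN only accepts replies to connections this host initiated.
    if iface == IF_WAN and dst == IP_WAN and state in ("ESTABLISHED", "RELATED"):
        return "ACCEPT"
    # LAN accepts anything addressed to the router's LAN address.
    if iface == IF_LAN and dst == IP_LAN:
        return "ACCEPT"
    return "DROP"  # chain policy: -P INPUT DROP


if __name__ == "__main__":
    print(input_verdict(IF_WAN, "fe80::1", "ff02::1", "icmpv6"))        # ACCEPT
    print(input_verdict(IF_WAN, "fe80::1", str(IP_WAN), "tcp"))          # DROP
    print(input_verdict(IF_LAN, "fd00::5", str(IP_LAN), "tcp"))          # DROP (ULA source)
```

Note that because fc00::/7 is in the drop list, a LAN host using a ULA source address cannot reach the router itself under these rules; the model makes that visible.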

----------

## 22decembre

Does someone know how to configure the /etc/init.d/iptables scripts?

I have set up my own iptables rules, which I find quite good, but I think the script there could be better if I knew how to make it!

----------

## wswartzendruber

 *22decembre wrote:*

> Does someone know how to configure the /etc/init.d/iptables scripts?
> 
> I have set up my own iptables rules, which I find quite good, but I think the script there could be better if I knew how to make it!


Why do you want to mess with that?  That's not where the rules are stored.  First you run some rules, then do /etc/init.d/iptables save, then /etc/init.d/iptables start.

----------

