# [solved] ipv6 firewall input rules

## toralf

Whilst my 2 Gentoo systems are currently built with -ipv6, I'm slowly starting to think about using ipv6 in the future.

Now I'm wondering about a basic rule set to prevent any external incoming traffic except tcpv6 to the ports 22, 80 and 443 and to allow output over any tcpv6 port?

*Last edited by toralf on Sat May 16, 2015 9:42 am; edited 1 time in total*

----------

## charles17

Start from https://wiki.gentoo.org/wiki/Iptables#Generating_firewall_rules

----------

## SwordArMor

Hi,

The IPv6 rules work like the IPv4 ones, just replace iptables with ip6tables in your script.

----------

## charles17

*SwordArMor wrote:*

> The IPv6 rules work like the IPv4 ones, just replace iptables with ip6tables in your script.

What's wrong with https://wiki.gentoo.org/wiki/Iptables#Generating_firewall_rules?

----------

## SwordArMor

*charles17 wrote:*

> What's wrong with https://wiki.gentoo.org/wiki/Iptables#Generating_firewall_rules?

Nothing, I just want to say that IPv4 and IPv6 are pretty much the same.

----------

## 222697

*toralf wrote:*

> Now I'm wondering about a basic rule set to prevent any external incoming traffic except tcpv6 to the ports 22, 80 and 443 and to allow output over any tcpv6 port?

For me it's a bit more sophisticated. I am familiar with ip(6)tables.

But: I get from my telecom provider an IPv6 router advertisement (/56 prefix) that changes at regular intervals after automatic reconnection (for privacy reasons, home usage). To the LAN ethernet port of the telecom's proprietary router I have connected my Gentoo box as a firewall (ip(6)tables) and router (with eth1 for WAN to the provider router and eth0 for the IPv4 LAN), because I don't trust the provider's router and want to have full control over what is going on. But I need the provider's router for the IP telephone devices connected to it. I don't want to connect the telephone to my Gentoo box...

With IPv6 there would not be any "LAN" anymore, or is IPv6-NAT recommended?

So, to get my "LAN" clients to also have an IPv6 connection, it seems I would need to forward all WAN ICMPv6 to the "LAN" clients so they automatically build their (privacy-extended) IPv6 addresses.

Or how would the IPv6 connection for "LAN" clients be configured?

And then, if I want to allow e.g. port 22 incoming only for the router, but not for every LAN client, how would the firewall rule for that look? Only allow new port 22 connections in the INPUT chain so it stops on eth1, but not in the FORWARD chain? I have dynamic IPv6 addresses, but in addition to the destination port I would need to specify the allowed destination IPv6 address, otherwise incoming port 22 would be allowed for every client in my network.

Or how would the network structure best look in this case? Prefix forwarding? radvd on the Gentoo box?

The IPv6 concept of a direct connection for every entity without LAN/NAT is somehow a new world...

----------

## SwordArMor

The concepts of LAN and WAN are still valid in IPv6, but the concept of RFC 1918 (10/8, 172.16/12, 192.168/16) is not.

You have a LAN if you don't need to pass through a router to reach your destination, e.g. I'm on my computer (2001:470:1f13:138:990b:8df2:b033:4971/64) and I want to talk to my server (2001:470:1f13:138:715d:2fa0:b591:532f/64): they are both in 2001:470:1f13:138::/64, so it's a LAN.

```
alarig@airmure ~ $ traceroute6 bulbizarre.swordarmor.fr
traceroute to bulbizarre.swordarmor.fr (2001:470:1f13:138:715d:2fa0:b591:532f), 30 hops max, 80 byte packets
 1  bulbizarre.swordarmor.fr (2001:470:1f13:138:715d:2fa0:b591:532f)  0.252 ms  0.241 ms  0.241 ms
```

But, if I want to go to another server which is not in that network, it becomes WAN.

```
alarig@airmure ~ $ traceroute6 rodolphe.swordarmor.fr
traceroute to rodolphe.swordarmor.fr (2001:bc8:3c56:101::2), 30 hops max, 80 byte packets
 1  drscott.swordarmor.fr (2001:470:1f13:138::1)  0.231 ms  0.214 ms  0.206 ms
 2  alarig-1.tunnel.tserv10.par1.ipv6.he.net (2001:470:1f12:138::1)  24.968 ms  26.994 ms  29.341 ms
 3  ge2-3.core1.par1.he.net (2001:470:0:7b::1)  30.117 ms  30.136 ms  30.114 ms
 4  10ge9-1.core1.par2.he.net (2001:470:0:1b0::2)  30.087 ms  30.088 ms  30.087 ms
 5  online.equinix-ix.fr (2001:7f8:43::1:2876:1)  30.552 ms  30.838 ms  30.315 ms
 6  2001:bc8:0:1::19 (2001:bc8:0:1::19)  31.292 ms  30.480 ms  30.752 ms
 7  2001:bc8:0:1::7a (2001:bc8:0:1::7a)  29.949 ms  20.720 ms  17.953 ms
 8  ginette.swordarmor.fr (2001:bc8:3c56:100::1)  17.903 ms  17.855 ms  17.881 ms
 9  rodolphe.swordarmor.fr (2001:bc8:3c56:101::2)  18.150 ms  18.145 ms  18.138 ms
```

You can setup a NAT66 (NAT for IPv6) if you want, but it’s not recommended. The main interest of IPv6 is to have a public IP on each device.

To get your LAN clients an IPv6 connection, you have to send router advertisements (RA) from your router; you can use radvd for that.

Here is my configuration (I use the eth1 port for LAN):

```
alarig@drscott:~$ grep -v "^#" /etc/radvd.conf
interface eth1
{
   AdvSendAdvert on;
   AdvDefaultPreference high;
   MaxRtrAdvInterval 30;
   prefix 2001:470:1f13:138::/64
   {
   };
   RDNSS 2001:470:1f13:138::1
   {
      AdvRDNSSLifetime 30;
   };
};
```

The RDNSS section is for the DNS.

Your clients will receive the prefix, and from that they will take an address in the pool and use it.

You also have to enable IPv6 forwarding on your router with sysctl; the option is net.ipv6.conf.all.forwarding.

On my second traceroute you can see that I'm passing through drscott.swordarmor.fr, which is my router. So the firewall rules have to be set there.

If you don't want to have port 22 open for your clients, you can use a rule like `ip6tables -A FORWARD -p tcp --dport 22 -j DROP` or something like that. It's the same idea as in IPv4.

Where I can't help you is with the dynamic address. I never had to deal with it before and my configuration assumes that you always have the same prefix.

The concept of direct connection is not so new, it was the same in IPv4 before the address exhaustion and you still get a public IPv4 address at some big meetings such as CCC or FOSDEM ;)
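As an added example (not SwordArMor's or 222697's configuration), here is what the router side of the setup described above can look like in ip6tables: SSH stops in INPUT on the router, forwarded traffic is limited to LAN-originated connections plus the ICMPv6 errors the LAN needs, and inbound SSH to a single LAN host is matched on its interface identifier only, so the rule survives a changing /56. It assumes eth0 faces the provider, eth1 is the LAN, a constructed identifier `::715d:2fa0:b591:532f` for the SSH host, and that this host keeps a stable identifier (a SLAAC token or static suffix rather than a privacy-extension temporary address).

```shell
#!/bin/sh
# Added example, not the thread's own configuration: INPUT/FORWARD rules for a
# Gentoo box routing a radvd-advertised LAN behind a provider router.
# Assumed names: eth0 faces the provider (WAN), eth1 the LAN.
IPT="${IPT:-/sbin/ip6tables}"
WAN="${WAN:-eth0}"
LAN="${LAN:-eth1}"
# Interface identifier (low 64 bits) of the one LAN host allowed to receive SSH.
# ip6tables accepts a full-address mask, so matching only the suffix keeps the rule
# valid when the /56 changes. Constructed value; the host must keep a stable IID.
SSH_HOST_IID="${SSH_HOST_IID:-::715d:2fa0:b591:532f}"

# The rule set as text, one rule per line, so it can be reviewed before loading.
router_rules() {
    cat <<EOF
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# NDP and RS/RA on both links: the router answers LAN clients and talks to the provider.
-A INPUT -p ipv6-icmp --icmpv6-type router-solicitation -m hl --hl-eq 255 -j ACCEPT
-A INPUT -p ipv6-icmp --icmpv6-type router-advertisement -m hl --hl-eq 255 -j ACCEPT
-A INPUT -p ipv6-icmp --icmpv6-type neighbour-solicitation -m hl --hl-eq 255 -j ACCEPT
-A INPUT -p ipv6-icmp --icmpv6-type neighbour-advertisement -m hl --hl-eq 255 -j ACCEPT
# SSH to the router itself: accepted in INPUT on the WAN port, never forwarded.
-A INPUT -i $WAN -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
# Forwarded traffic: replies, ICMPv6 errors that PMTUD needs, then LAN-originated flows.
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m conntrack --ctstate INVALID -j DROP
-A FORWARD -p ipv6-icmp --icmpv6-type destination-unreachable -j ACCEPT
-A FORWARD -p ipv6-icmp --icmpv6-type packet-too-big -j ACCEPT
-A FORWARD -p ipv6-icmp --icmpv6-type time-exceeded -j ACCEPT
-A FORWARD -p ipv6-icmp --icmpv6-type parameter-problem -j ACCEPT
-A FORWARD -i $LAN -o $WAN -j ACCEPT
# Inbound SSH to exactly one LAN host, whatever the current prefix is.
-A FORWARD -i $WAN -o $LAN -p tcp --dport 22 -d $SSH_HOST_IID/::ffff:ffff:ffff:ffff -m conntrack --ctstate NEW -j ACCEPT
# Everything else from the WAN towards the LAN falls through to the DROP policy.
EOF
}

# Number of rules that would be loaded (comment lines are documentation only).
router_rule_count() { router_rules | grep -vc '^#'; }

apply_router_rules() {
    # Forwarding must be on; accept_ra=2 keeps the WAN port accepting the provider's
    # RAs, which the kernel otherwise ignores once forwarding is enabled.
    sysctl -w net.ipv6.conf.all.forwarding=1 "net.ipv6.conf.$WAN.accept_ra=2" >/dev/null
    router_rules | grep -v '^#' | while read -r rule; do $IPT $rule; done
}

if [ "${1:-}" = "apply" ]; then apply_router_rules; fi
```

Run it as `sh script.sh apply` on the router; without the argument it only defines the functions, and `router_rules` prints the set for review.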

----------

## 222697

*SwordArMor wrote:*

> Where I can't help you is with the dynamic address.

Unfortunately, that's the point :(

But thanks for your information, so far.

----------

## toralf

I don't get it: ping6 to the local card works, but not connections to the outside :( :

```
tor-relay ~ # cat /etc/conf.d/net
config_enp3s0="5.9.158.75/27
2a01:4f8:190:514a::2/64
"
routes_enp3s0="default via 5.9.158.65
default via fe80::1
"
dns_servers_enp3s0="127.0.0.1 213.133.98.98 213.133.99.99 213.133.100.100 2a01:4f8:0:a0a1::add:1010 2a01:4f8:0:a102::add:9999 2a01:4f8:0:a111::add:9898"
dns_domain_enp3s0="your-server.de"

tor-relay ~ # ping6 -n ipv6.google.com
PING ipv6.google.com(2a00:1450:4001:806::1007) 56 data bytes
^C
--- ipv6.google.com ping statistics ---
4 packets transmitted, 0 received, 100% packet loss, time 2999ms
```

with this firewall :

```
IPT="/sbin/ip6tables"

startFirewall() {
  # default policies: drop everything inbound and forwarded, allow outbound
  $IPT -P INPUT DROP
  $IPT -P FORWARD DROP
  $IPT -P OUTPUT ACCEPT
  # replies to our own connections, loopback, and nothing conntrack cannot classify
  $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  $IPT -A INPUT -i lo -j ACCEPT
  $IPT -A INPUT -m conntrack --ctstate INVALID -j DROP
  # ICMPv6 only from link-local sources
  $IPT -A INPUT -s fe80::/10 -p ipv6-icmp -j ACCEPT
  # refuse all other new UDP and TCP connections explicitly
  $IPT -A INPUT -p udp -m conntrack --ctstate NEW -j REJECT --reject-with icmp6-port-unreachable
  $IPT -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m conntrack --ctstate NEW -j REJECT --reject-with tcp-reset
}
```
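For comparison, as an added example and not toralf's script, here is an INPUT policy for the case asked at the top of the thread (only new TCP to 22, 80 and 443 from outside, everything outbound allowed). It differs from the script above in admitting the Neighbor Discovery and ICMPv6 error types an IPv6 host cannot function without, from any source rather than only fe80::/10, and in opening the three ports. It assumes ip6tables with the conntrack, icmp6, hl, multiport and limit matches; the function names are mine.

```shell
#!/bin/sh
# Added example, not toralf's script: the INPUT policy asked for at the top of the
# thread, for ip6tables with the conntrack, icmp6, hl, multiport and limit matches.
# IPT may be overridden (IPT=echo) for a dry run that only prints the rules.
IPT="${IPT:-/sbin/ip6tables}"

# The rule set as text, one rule per line, so it can be reviewed before loading.
host_input_rules() {
    cat <<'EOF'
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# Neighbor Discovery (RFC 4861): without these a host cannot resolve its router's
# link-layer address, so outbound traffic fails silently while link-local ping works.
# Genuine NDP always arrives with hop limit 255; a routed packet cannot.
-A INPUT -p ipv6-icmp --icmpv6-type router-advertisement -m hl --hl-eq 255 -j ACCEPT
-A INPUT -p ipv6-icmp --icmpv6-type neighbour-solicitation -m hl --hl-eq 255 -j ACCEPT
-A INPUT -p ipv6-icmp --icmpv6-type neighbour-advertisement -m hl --hl-eq 255 -j ACCEPT
# ICMPv6 errors (RFC 4890): dropping them breaks path MTU discovery and unreachables.
-A INPUT -p ipv6-icmp --icmpv6-type destination-unreachable -j ACCEPT
-A INPUT -p ipv6-icmp --icmpv6-type packet-too-big -j ACCEPT
-A INPUT -p ipv6-icmp --icmpv6-type time-exceeded -j ACCEPT
-A INPUT -p ipv6-icmp --icmpv6-type parameter-problem -j ACCEPT
# Rate-limited ping keeps the host diagnosable without inviting floods.
-A INPUT -p ipv6-icmp --icmpv6-type echo-request -m limit --limit 5/s -j ACCEPT
# The only new inbound connections accepted: SSH, HTTP and HTTPS over TCP.
-A INPUT -p tcp -m multiport --dports 22,80,443 -m conntrack --ctstate NEW -j ACCEPT
# Everything else is refused explicitly instead of being left to time out.
-A INPUT -p udp -m conntrack --ctstate NEW -j REJECT --reject-with icmp6-port-unreachable
-A INPUT -p tcp -m conntrack --ctstate NEW -j REJECT --reject-with tcp-reset
EOF
}

# Number of rules that would be loaded (comment lines are documentation only).
host_input_rule_count() { host_input_rules | grep -vc '^#'; }

# Load the rules with $IPT; word splitting of $rule is intended.
apply_host_input_rules() {
    host_input_rules | grep -v '^#' | while read -r rule; do $IPT $rule; done
}

if [ "${1:-}" = "apply" ]; then apply_host_input_rules; fi
```

`IPT=echo sh script.sh apply` prints the 17 commands that would be issued without touching the kernel.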

----------

## charles17

*toralf wrote:*

> with this firewall :
>
> ```
> IPT="/sbin/ip6tables"
> ...
> ```

Why are you using startFirewall() at all? Why not have iptables and ip6tables in the default runlevel?

*Quote:*

> # rc-update add iptables default
> # rc-update add ip6tables default

 
