Is your firewall IPv6 aware?
Posted by Steve on Thu 8 Jan 2009 at 23:14
If, like many people, you've started to experiment with enabling, configuring, and using IPv6, it might not have crossed your mind to update your firewall. This could lead to surprises if you're unlucky. Read on for a simple overview.
The standard userspace firewall tool on Debian GNU/Linux is iptables. This tool lets you add, list, and update your firewall rules and is documented both on this site and in many online guides.
If you were to execute the following rules you'd disallow incoming connections to your server on port 22 except from a single trusted IP (1.2.3.4):
    # allow me to connect from my static IP
    iptables -A INPUT -p tcp --dport 22 --src 1.2.3.4 -j ACCEPT
    # drop the rest of the world
    iptables -A INPUT -p tcp --dport 22 -j DROP
You might think that this is sufficient to stop connections hitting your machine, but if it is accessible over IPv6 you'll soon discover this isn't the case:
    telnet -6 www.example.org 22
    Trying 2002:5f10:fff::1...
    Connected to www.example.org
    Escape character is '^]'.
    SSH-2.0-OpenSSH_4.3p2 Debian-9etch3
Here we see that we've been allowed access to port 22, even though we shouldn't have been. Why? Because iptables only cares about IPv4.
To configure rules for IPv6 you need to use the ip6tables tool as well:
ip6tables -A INPUT -p tcp --dport 22 -j DROP
Now you'll be safe, and incoming IPv6 connections to port 22 will be dropped. ip6tables works in exactly the same way as iptables does, so you don't need to learn anything new.
If you've already got a simple firewall script that you've put together yourself, it might not be too much work to update it - if you're using an existing firewall package such as shorewall then you might not even need to do that, but you should certainly test it and find out!
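One way to "test it and find out" is to compare what the two tools actually have loaded. The following POSIX shell check is an added example, not code from the original article: it reads the INPUT chain as printed by `iptables -S INPUT` and `ip6tables -S INPUT` and reports every destination port that has a rule for IPv4 but none at all for IPv6. The sample listings are constructed to mirror the article's SSH rules; `live_check` is a hypothetical helper that runs the same comparison against the running firewall.

```shell
#!/bin/sh
# Added example (not from the original article): spot ports that are
# filtered by iptables but were never mirrored into ip6tables.

# chain_ports LISTING: destination ports named in a `-S` chain listing, one per line
chain_ports() {
    printf '%s\n' "$1" | grep -o -- '--dport [0-9]*' | awk '{ print $2 }' | sort -un
}

# missing_v6 V4_LISTING V6_LISTING: ports with an IPv4 rule but no IPv6 rule.
# Only presence of a rule is compared, not its target (ACCEPT vs DROP).
missing_v6() {
    v6_ports=$(chain_ports "$2")
    for port in $(chain_ports "$1"); do
        printf '%s\n' "$v6_ports" | grep -qx "$port" || echo "$port"
    done
}

# Constructed sample listings: the IPv4 chain carries the article's SSH rules,
# the IPv6 chain was forgotten and only mentions port 25.
SAMPLE_V4='-P INPUT ACCEPT
-A INPUT -s 1.2.3.4/32 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j DROP
-A INPUT -p tcp -m tcp --dport 25 -j DROP'
SAMPLE_V6='-P INPUT ACCEPT
-A INPUT -p tcp -m tcp --dport 25 -j DROP'

# live_check (hypothetical helper): same comparison on the running firewall; needs root
live_check() {
    missing=$(missing_v6 "$(iptables -S INPUT)" "$(ip6tables -S INPUT)")
    if [ -n "$missing" ]; then
        echo "ports filtered for IPv4 but unfiltered for IPv6:" $missing >&2
        return 1
    fi
    echo "ip6tables covers every port that iptables filters"
}

# Run on the constructed sample: prints 22, the forgotten SSH rule
missing_v6 "$SAMPLE_V4" "$SAMPLE_V6"
```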
iptables -P INPUT DROP
ip6tables -P INPUT DROP
After that you can specify what is allowed. If you would use
iptables -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
then SSH traffic over IPv6 isn't allowed, but over IPv4 it is.
That's what I do now, but as Steve points out it's not uncommon to forget to include the ipv6 version of the iptables command. I've seen some ipv6 traffic on my network in the past, which is odd as I don't think my ISP or ADSL router are anything other than ipv4.
--
"It's Not Magic, It's Work"
Adam
For instance RIPE (the organization that's responsible for IP blocks in Europe) doesn't even have IPv6. The NL domain registry doesn't have IPv6 DNS servers.
So as long as the most important organizations on the internet don't have IPv6 themselves, we keep blocking it.
Btw: ICMP over IPv6 is *NOT* more important than over IPv4. It's just as important. ICMP discovers the route that packets need to travel to reach their destination. Because most internet routers don't have IPv6 BGP support, destinations need to support ICMPv6 neighborhood discovery messages. As more and more routers get IPv6 BGP 'support', ICMP becomes less important. Route discovery using ICMP is very slow compared to BGP.
Wake up guys!!! We are soon to get an IPv4 address outage; even if we are using more and more tricks, developing countries (think about >3 billion Asian people) are also getting more and more connected… And that's without even considering embedded devices!
FYI: http://www.potaroo.net/tools/ipv4/
Even without talking about really connecting to IPv6, it *is* time to start implementing it!
Those ISPs who deploy IPv6 natively on their networks make Vista users targets (since it's not enabled by default on previous Windows versions).
Of course no one is gonna scan v6 blocks, but what if they give them a v6 reverse as well?
On my Linux and BSD boxes I was experimenting with v6 when it was so called 'hot'; now it seems no one cares about it anymore. ip6tables rules can look ugly when you start blocking or allowing certain services from dedicated IPs which have no DNS. For sysadmins this can be a real hell in the future.