IPv6 Firewall Issues

I've been trying to implement a basic IPv6 firewall on my Linode without much luck. I've had a lot of experience creating firewalls using iptables for IPv4, but pretty much no experience with IPv6. To start, I basically copied what I've been using for years on IPv4 and switched it to ip6tables. The online testing tools I've been using (http://ipv6-test.com/validate.php) report that port 80 is still being blocked though. Any ideas why?

Any help would be appreciated.

```sh
# Rules as posted: open the service ports, reject ident, allow replies, drop the rest.
# Note there is no rule for ICMPv6 anywhere, so it falls through to the final DROP.
ip6tables -A INPUT -m state --state NEW -p tcp -j ACCEPT --dport http
ip6tables -A INPUT -m state --state NEW -p tcp -j ACCEPT --dport https
ip6tables -A INPUT -m state --state NEW -p tcp -j ACCEPT --dport smtp
ip6tables -A INPUT -m state --state NEW -p tcp -j ACCEPT --dport ssmtp
ip6tables -A INPUT -m state --state NEW -p tcp -j ACCEPT --dport 587    # other smtp port (submission)
ip6tables -A INPUT -m state --state NEW -p udp -j ACCEPT --dport domain
ip6tables -A INPUT -m state --state NEW -p tcp -j ACCEPT --dport domain
ip6tables -A INPUT -p tcp --dport auth -j REJECT --reject-with tcp-reset   # ident: answer with RST instead of a silent drop
ip6tables -A INPUT -m state --state NEW -p tcp -j ACCEPT --dport ssh
ip6tables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
ip6tables -A INPUT -j DROP      # everything else, including all ICMPv6
ip6tables -A OUTPUT -j ACCEPT
```
```text
root# ip6tables -L -v -n
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     tcp      *      *       ::/0                 ::/0                state NEW tcp dpt:80
    0     0 ACCEPT     tcp      *      *       ::/0                 ::/0                state NEW tcp dpt:443
    0     0 ACCEPT     tcp      *      *       ::/0                 ::/0                state NEW tcp dpt:25
    0     0 ACCEPT     tcp      *      *       ::/0                 ::/0                state NEW tcp dpt:465
    0     0 ACCEPT     tcp      *      *       ::/0                 ::/0                state NEW tcp dpt:587
    0     0 ACCEPT     udp      *      *       ::/0                 ::/0                state NEW udp dpt:53
    0     0 ACCEPT     tcp      *      *       ::/0                 ::/0                state NEW tcp dpt:53
    0     0 REJECT     tcp      *      *       ::/0                 ::/0                tcp dpt:113 reject-with tcp-reset
    0     0 ACCEPT     tcp      *      *       ::/0                 ::/0                state NEW tcp dpt:22
    0     0 ACCEPT     all      *      *       ::/0                 ::/0                state RELATED,ESTABLISHED
    4   320 DROP       all      *      *       ::/0                 ::/0

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all      *      *       ::/0                 ::/0
root#
```

4 Replies

@jsr:

> Any ideas why?

Are you sure your web server is listening on IPv6?

You could add a log line to your rules to see what is being dropped to help debug.

Note your iptables counters only show 4 packets dropped and no other hits on the other rules. I'm betting your services are not configured to listen on your IPv6 address.

Travis

They are configured to listen on IPv6, at least the web server is.

The counters are pretty low, partly because I have been messing with it and the tables were flushed recently, and partly because traffic is low: the main address does not have a DNS entry yet, since I am still trying to get it working. I've updated the counters below; the 1 accepted packet on port 80 is from me doing a telnet on localhost.

I forgot about the log rules, I'll try adding that to see if it offers any additional clues.

```text
root# netstat -an|grep tcp6
tcp6       0      0 :::587                  :::*                    LISTEN
tcp6       0      0 :::80                   :::*                    LISTEN
tcp6       0      0 :::465                  :::*                    LISTEN
tcp6       0      0 :::53                   :::*                    LISTEN
tcp6       0      0 :::22                   :::*                    LISTEN
tcp6       0      0 :::25                   :::*                    LISTEN
tcp6       0      0 :::443                  :::*                    LISTEN
root#
root# ip6tables -L -v -n
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    1    80 ACCEPT     tcp      *      *       ::/0                 ::/0                state NEW tcp dpt:80
    0     0 ACCEPT     tcp      *      *       ::/0                 ::/0                state NEW tcp dpt:443
    0     0 ACCEPT     tcp      *      *       ::/0                 ::/0                state NEW tcp dpt:25
    0     0 ACCEPT     tcp      *      *       ::/0                 ::/0                state NEW tcp dpt:465
    0     0 ACCEPT     tcp      *      *       ::/0                 ::/0                state NEW tcp dpt:587
    0     0 ACCEPT     udp      *      *       ::/0                 ::/0                state NEW udp dpt:53
    0     0 ACCEPT     tcp      *      *       ::/0                 ::/0                state NEW tcp dpt:53
    0     0 REJECT     tcp      *      *       ::/0                 ::/0                tcp dpt:113 reject-with tcp-reset
    0     0 ACCEPT     tcp      *      *       ::/0                 ::/0                state NEW tcp dpt:22
    5   368 ACCEPT     all      *      *       ::/0                 ::/0                state RELATED,ESTABLISHED
  201 20808 DROP       all      *      *       ::/0                 ::/0

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    6   448 ACCEPT     all      *      *       ::/0                 ::/0
root#
```

(deleted suggestion about netstat; already done)

Also, it looks like you are implicitly dropping ICMPv6 traffic. This will break multiple things (stateless auto-configuration, neighbor discovery, path MTU discovery, …). Accepting all ICMPv6 traffic should be pretty safe, although more research could find a subset that will do the trick.

(This suggests that you're blocking all ICMP traffic for IPv4 as well, which is unwise, although not as catastrophic -- neighbor discovery is its own control protocol (ARP), and PMTUD isn't totally necessary if fragmentation is allowed. Still, not a recommended practice.)
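The two fixes raised in this thread (stop dropping ICMPv6 implicitly, and put a LOG rule in front of the final DROP so rejected traffic is visible) combined into one script. This is an added example, not the original poster's rules or anything from Linode: it keeps the same service ports but uses the modern `-m conntrack --ctstate` match, allows the ICMPv6 error and Neighbor Discovery types the IPv6 stack cannot work without (RFC 4890: types 1-4 and 133-136, with the hop-limit-255 check the RFC recommends for ND), and rate-limits echo requests instead of dropping them. The `ip6tables` path, the limit values and the log prefix are my own choices. By default it only prints the commands; `apply` runs them and needs root.

```shell
#!/bin/sh
# Added example, not from the original thread. Generates an IPv6 INPUT policy
# that fixes the implicit ICMPv6 drop and logs what the final DROP catches.
# Usage:  sh ip6fw.sh          # print the ip6tables commands (dry run)
#         sh ip6fw.sh apply    # execute them (needs root)

IP6T="${IP6T:-ip6tables}"         # assumption: ip6tables is on PATH

# Service ports opened by the rules posted in the thread
TCP_PORTS="80 443 25 465 587 53 22"

# ICMPv6 error messages that must never be dropped (RFC 4890 section 4.3.1):
#   1 destination unreachable, 2 packet too big (PMTUD), 3 time exceeded, 4 parameter problem
ICMP6_ERRORS="1 2 3 4"
# Neighbor Discovery (the IPv6 replacement for ARP, plus router discovery):
#   133 RS, 134 RA, 135 NS, 136 NA. Legitimate ND always arrives with hop limit 255.
ICMP6_ND="133 134 135 136"

# Print one ip6tables command. Arguments are kept quote-free on purpose so the
# printed line is identical to what apply_rules feeds back to the shell.
rule() { echo "$IP6T $*"; }

emit_rules() {
    rule -F INPUT
    rule -A INPUT -i lo -j ACCEPT
    # Reply traffic first: cheapest match and most of the packets
    rule -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    for t in $ICMP6_ERRORS; do
        rule -A INPUT -p icmpv6 --icmpv6-type "$t" -j ACCEPT
    done
    for t in $ICMP6_ND; do
        rule -A INPUT -p icmpv6 --icmpv6-type "$t" -m hl --hl-eq 255 -j ACCEPT
    done
    # Echo request (128): allow, but rate-limited (values are arbitrary choices)
    rule -A INPUT -p icmpv6 --icmpv6-type 128 -m limit --limit 10/s --limit-burst 20 -j ACCEPT

    for p in $TCP_PORTS; do
        rule -A INPUT -p tcp --dport "$p" -m conntrack --ctstate NEW -j ACCEPT
    done
    rule -A INPUT -p udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
    # ident: answer with a RST so mail servers do not wait on a timeout
    rule -A INPUT -p tcp --dport 113 -j REJECT --reject-with tcp-reset

    # Travis's debugging suggestion: log (rate-limited) whatever is about to be dropped
    rule -A INPUT -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix ip6tables-drop:
    rule -A INPUT -j DROP
}

# Execute the generated commands; stops at the first failing one
apply_rules() { emit_rules | sh -e; }

# Sanity checks on the generated policy that do not touch the kernel
count_icmp6_rules() { emit_rules | grep -c -- '-p icmpv6'; }
count_log_rules()   { emit_rules | grep -c -- '-j LOG'; }
last_rule()         { emit_rules | tail -n 1; }

case "${1:-print}" in
    apply) apply_rules ;;
    *)     emit_rules ;;
esac
```

After applying, `ip6tables -L INPUT -v -n` should show the ICMPv6 counters moving almost immediately (router advertisements and neighbor solicitations arrive unprompted), and anything still hitting the DROP rule shows up in the kernel log under the `ip6tables-drop:` prefix.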

I added ICMPv6 and that seems to have done the trick. I didn't realize ICMP was that important with IPv6.

I'm usually pretty stingy about allowing ICMP packets because I used to see way too much ping flooding and other nonsense back in the day. I know ping flooding probably isn't even common anymore, but old habits die hard. I do allow some IPv4 ICMPs, but have rate limits on them. I hadn't gotten to the point of figuring out any acceptable rate limits (or risk) on ICMPv6, so I had just been dropping all of those packets.

Thanks guys!
