Translating iptables rules to IPv6?
I'm using the iptables rules from the Linode library, and haven't needed to change anything so far.
Is there anything I need to do to use similar rules for IPv6 (and ip6tables)?
*filter
# Allow all loopback traffic and drop all traffic to 127/8 that doesn't use lo0.
-A INPUT -i lo -j ACCEPT
-A INPUT -d 127.0.0.0/8 -j DROP
# Accept all established inbound connections.
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allow all outbound traffic.
-A OUTPUT -j ACCEPT
# Allow HTTP and HTTPS connections from anywhere.
# -A INPUT -p tcp --dport 80 -j ACCEPT
# -A INPUT -p tcp --dport 443 -j ACCEPT
# Allow SSH connections.
-A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT
# Allow ICMP.
-A INPUT -p icmp -j ACCEPT
# Log iptables denied calls.
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
# Drop all other inbound traffic - default deny unless explicitly allowed policy.
-A INPUT -j DROP
-A FORWARD -j DROP
COMMIT
From what I've read, it looks like I'd need to change 127.0.0.0/8 to ::1/128, and icmp to icmpv6.
Does that seem right, and is there anything I've missed?
Many thanks!
14 Replies
Out of curiosity, why block anything on the localhost? It's highly doubtful your Linode will attack itself without hacker interference (in which case, you're better off rebuilding anyways).
@sweh:
He's not blocking localhost; he's blocking traffic targeting 127/8 that does travel over the loopback network. This is likely to be externally spoofed traffic and so dropped.
Ok, so he's partly blocking localhost, albeit a localhost IP address that's generally not used (127.0.0.0). Since that IP address isn't used on most systems, I'm a bit confused as to how any traffic would use it to begin with – especially since the default policy for INPUT is DROP, and that only ESTABLISHED,RELATED and explicitly specified stuff is allowed.
@Piki:
@sweh:He's not blocking localhost; he's blocking traffic targeting 127/8 that does travel over the loopback network. This is likely to be externally spoofed traffic and so dropped.
Ok, so he's partly blocking localhost, albeit a localhost IP address that's generally not used (127.0.0.0). Since that IP address isn't used on most systems, I'm a bit confused as to how any traffic would use it to begin with – especially since the default policy for INPUT is DROP, and that only ESTABLISHED,RELATED and explicitly specified stuff is allowed.
Not quite. If I see any traffic to 127.0.0.1 that appears on eth0 then I know it's illegal and invalid traffic. Drop it. Now as to the utility of this rule? I'm not convinced. I've seen it in a few tutorials. I don't do it, myself
@sweh:
Not quite. If I see any traffic to 127.0.0.1 that appears on eth0 then I know it's illegal and invalid traffic. Drop it. Now as to the utility of this rule? I'm not convinced. I've seen it in a few tutorials. I don't do it, myself
:-)
If you assign 127.0.0.1 to eth0, it would be legal
However, this is highly unlikely to happen, regardless of whether we're talking 127.0.0.1 or 127.0.0.0. IMO it's pointless to assign any DROP rules for 127.* since hackers would first need to worm their way through whatever other ports and services first to utilitize it – something highly unlikely (though not impossible) with a well-configured and up-to-date system.
@Piki:
@sweh:Not quite. If I see any traffic to 127.0.0.1 that appears on eth0 then I know it's illegal and invalid traffic. Drop it. Now as to the utility of this rule? I'm not convinced. I've seen it in a few tutorials. I don't do it, myself
:-) If you assign 127.0.0.1 to eth0, it would be legal
:wink: However, this is highly unlikely to happen, regardless of whether we're talking 127.0.0.1 or 127.0.0.0. IMO it's pointless to assign any DROP rules for 127.* since hackers would first need to worm their way through whatever other ports and services first to utilitize it – something highly unlikely (though not impossible) with a well-configured and up-to-date system.
Spoofing the source address is trivially simple. Hackers do it all the time. UDP services (eg DNS servers) are particularly vulnerable to IP address spoofing. TCP services are harder 'cos the three-way handshake. What damage could spoofing localhost traffic cause? Off the top of my head, not sure. This rule may be unnecessary. As I said, I don't have it… but then I don't really have a firewall at all on my linode!
@sweh:
Spoofing the source address is trivially simple. Hackers do it all the time. UDP services (eg DNS servers) are particularly vulnerable to IP address spoofing. TCP services are harder 'cos the three-way handshake. What damage could spoofing localhost traffic cause? Off the top of my head, not sure. This rule may be unnecessary. As I said, I don't have it… but then I don't really have a firewall at all on my linode!
A spoofed address doesn't mean automagically mean entry through the firewall. Remember the ESTABLISHED,RELATED clause
Provided it does get through, the amount of damage depends on which services communicate on localhost.
As for your Linodes… good luck!
Firewalls are good if you have "untrusted" machines behind them (eg a corporate environment where anyone could start up a listening process on their own machine, or at home where you have older Windows instances). They're not so useful for a single instance run by a single person who has configured each port (and documented them) so he knows what is listening and where.
(I do, in fact, use iptables to rate-limit SSH connection attempts and spammer attempts; that's to stop noise in the logs more than for security).
Also to block incoming pings if, for instance, you get some %@$^ ticked off at you and he decides to set up a botnet. You know where I'm going with that, right?
That loopback rule is an interesting one. I'm not sure whether the kernel will actually accept packets to/from 127.x.x.x on eth0. If it will, then it seems like a useful rule since an attacker can spoof UDP traffic to services which only listen locally. If not, it does seem useless
Does anyone know for sure?
Cheers!
It wouldn't hurt to get a second opinion on that, however as I said, a well-configured and up-to-date machine shouldn't have much to worry about. Also well-documented as sweh suggested.
However if you have a service that's listening on all addreses but makes policy decisions based on the source address then the rule might be interesting. One scenario might be a DNS server which is authoratative for your domains but only allows recursive calls from localhost. Someone might be able to come up with a scenario in which this could be used to make you attack yourself (the typical "lookup ISC" won't work 'cos things will be cached after the first call).
is referring to IPv4 icmp.
for IPv6 use:
-A INPUT -p icmpv6 -j ACCEPT