IPv6 Firewall: Penggunaan
Cek untuk Dukungan
Load module, jika sudah di compil
# modprobe ip6_tables
Cek untuk kemampuan
# [ ! -f /proc/net/ip6_tables_names ] && echo "Current kernel doesn't support 'ip6tables' firewalling (IPv6)!"
Belajar Mengunakan ip6tables
Lihat Semua Entri IPv6 netfilter
Pendek
# ip6tables -L
Panjang
# ip6tables -n -v --line-numbers -L
Lihat filter tertentu
# ip6tables -n -v --line-numbers -L INPUT
Masukan aturan log rule pada input filter dengan opsi tertentu
# ip6tables --table filter --append INPUT -j LOG --log-prefix "INPUT:" --log-level 7
Masukan aturan drop pada input filter
# ip6tables --table filter --append INPUT -j DROP
Buang aturan berdasarkan nomor
# ip6tables --table filter --delete INPUT 1
Aktifkan connection tracking
Sejak kernel versi 2.6.20 IPv6 connection tracking sudah didukung dengan baik dan sebaiknya digunakan daripada menggunakan rules filter stateless
# ip6tables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
Ijinkan ICMPv6
Menggunakan kernel lama (kernel 2.4.5 tidak di patch dan iptables-1.2.2) kita tidak dapat menspesifikasi tipe
Terima ICMPv6 yang masuk melalui tunnel
# ip6tables -A INPUT -i sit+ -p icmpv6 -j ACCEPT
Terima ICMPv6 yang keluar melalui tunnel
# ip6tables -A OUTPUT -o sit+ -p icmpv6 -j ACCEPT
Kernel baru memungkinkan untuk mengijinkan tipe ICMPv6:
# ip6tables -A INPUT -p icmpv6 --icmpv6-type echo-request -j ACCEPT
Rate-limiting
Karena kemungkinan bisa saja terjadi badai ICMPv6, kita perlu menggunakan rate limiting paling tidak untuk ICMPv6. Selain itu, kita perlu menambahkan rule rate limiting untuk logging supaya tidak ada serangan DoS terhadap syslog maupun partisi log. Contoh dari rate limiting ICMPv6 adalah sebagai berikut:
# ip6tables -A INPUT --protocol icmpv6 --icmpv6-type echo-request ¬ -j ACCEPT --match limit --limit 30/minute
Ijinkan SSH yang masuk
Berikut adalah contoh rule yang mengijinkan sambungan masuk SSH dari address IPv6 tertentu.
Ijin SSH masuk dari 2001:0db8:100::1/128
# ip6tables -A INPUT -i sit+ -p tcp -s 2001:0db8:100::1/128 --sport 512:65535 --dport 22 -j ACCEPT
Ijin responds paket (tidak di perlukan kalau connection tracking digunakan)
# ip6tables -A OUTPUT -o sit+ -p tcp -d 2001:0db8:100::1/128 --dport 512:65535 --sport 22 ! --syn -j ACCEPT
AKtifkan tunnel IPv6-in-IPv4
Untuk menerima paket tunnel IPv6-in-IPv4 , kita perlu menambahkan rule di firewall IPv4 terhadap paket tersebut, contoh
Menerima masukan IPv6-in-IPv4 di interface ppp0
# iptables -A INPUT -i ppp0 -p ipv6 -j ACCEPT
Mengijinkan keluaran IPv6-in-IPv4 ke interface ppp0
# iptables -A OUTPUT -o ppp0 -p ipv6 -j ACCEPT
Jika kita hanya mempunyai statik tunnel, kita dapat menentukan address IPv4 tersebut, seperti,
Menerima masukan IPv6-in-IPv4 di interface ppp0 dari tunnel endpoint 192.0.2.2
# iptables -A INPUT -i ppp0 -p ipv6 -s 192.0.2.2 -j ACCEPT
Mengijinkan keluaran IPv6-in-IPv4 di interface ppp0 dari tunnel endpoint 1.2.3.4
# iptables -A OUTPUT -o ppp0 -p ipv6 -d 192.0.2.2 -j ACCEPT
Proteksi terhadap permohonan sambungan masuk TCP
SANGAT DI SARANKAN! Untuk keamanan kita sebaiknya menambahkan aturan yang memblok permohonan masuk sambungan TCP. Pakai opsi "-i" , jika nama interface lain digunakan.
Blok permohonan sambungan masuk TCP ke mesin ini
# ip6tables -I INPUT -i sit+ -p tcp --syn -j DROP
Blok permohonan sambungan masuk TCP ke mesin di belakangan router
# ip6tables -I FORWARD -i sit+ -p tcp --syn -j DROP
Mungkin aturan-aturan ini harus di letakan di bawah yang lain, anda perlu memikirkan tentang itu. Cara yang lebih baik adalah membuat script yang menjalankan aturan secara tertentu.
Proteksi terhadap sambungan masuk UDP
ALSO RECOMMENDED! Like mentioned on my firewall information it's possible to control the ports on outgoing UDP/TCP sessions. So if all of your local IPv6 systems are using local ports e.g. from 32768 to 60999 you are able to filter UDP connections also (until connection tracking works) like:
Block incoming UDP packets which cannot be responses of outgoing requests of this host
# ip6tables -I INPUT -i sit+ -p udp ! --dport 32768:60999 -j DROP
Block incoming UDP packets which cannot be responses of forwarded requests of hosts behind this router
# ip6tables -I FORWARD -i sit+ -p udp ! --dport 32768:60999 -j DROP
Contoh
Simple example for Fedora
Following lines show a simple firewall configuration for Fedora 6 (since kernel version 2.6.20). It was modfied from the default one (generated by system-config-firewall) for supporting connection tracking and return the proper ICMPv6 code for rejects. Incoming SSH (port 22) connections are allowed.
File: /etc/sysconfig/ip6tables
*filter :INPUT ACCEPT [0:0] :FORWARD ACCEPT [0:0] :OUTPUT ACCEPT [0:0] :RH-Firewall-1-INPUT - [0:0] -A INPUT -j RH-Firewall-1-INPUT -A FORWARD -j RH-Firewall-1-INPUT -A RH-Firewall-1-INPUT -i lo -j ACCEPT -A RH-Firewall-1-INPUT -p icmpv6 -j ACCEPT -A RH-Firewall-1-INPUT -p 50 -j ACCEPT -A RH-Firewall-1-INPUT -p 51 -j ACCEPT -A RH-Firewall-1-INPUT -p udp --dport 5353 -d ff02::fb -j ACCEPT -A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT -A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT -A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT -A RH-Firewall-1-INPUT -m state --state NEW -p tcp --dport 22 -j ACCEPT -A RH-Firewall-1-INPUT -j REJECT --reject-with icmp6-adm-prohibited COMMIT
For completeness also the IPv4 configuration is shown here:
File: /etc/sysconfig/iptables
*filter :INPUT ACCEPT [0:0] :FORWARD ACCEPT [0:0] :OUTPUT ACCEPT [0:0] :RH-Firewall-1-INPUT - [0:0] -A INPUT -j RH-Firewall-1-INPUT -A FORWARD -j RH-Firewall-1-INPUT -A RH-Firewall-1-INPUT -i lo -j ACCEPT -A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT -A RH-Firewall-1-INPUT -p 50 -j ACCEPT -A RH-Firewall-1-INPUT -p 51 -j ACCEPT -A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT -A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT -A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT -A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT -A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited COMMIT
Usage:
Create/modify the configuration files
Activate IPv4 & IPv6 firewalling
# service iptables start # service ip6tables start
Enable automatic start after reboot
# chkconfig iptables on # chkconfig ip6tables on
Contoh Yang Lebih Kompleks
Kalimat berkut menunjukan sebuah contoh yang lebih sophisticated tapi masih tetap filter stateless.
# ip6tables -n -v -L
Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 extIN all sit+ * ::/0 ::/0
4 384 intIN all eth0 * ::/0 ::/0
0 0 ACCEPT all * * ::1/128 ::1/128
0 0 ACCEPT all lo * ::/0 ::/0
0 0 LOG all * * ::/0 ::/0
¬ LOG flags 0 level 7 prefix `INPUT-default:'
0 0 DROP all * * ::/0 ::/0
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
¬
0 0 int2ext all eth0 sit+ ::/0 ::/0
0 0 ext2int all sit+ eth0 ::/0 ::/0
0 0 LOG all * * ::/0 ::/0
¬ LOG flags 0 level 7 prefix `FORWARD-default:'
0 0 DROP all * * ::/0 ::/0
Chain OUTPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
¬
0 0 extOUT all * sit+ ::/0 ::/0
4 384 intOUT all * eth0 ::/0 ::/0
0 0 ACCEPT all * * ::1/128 ::1/128
0 0 ACCEPT all * lo ::/0 ::/0
0 0 LOG all * * ::/0 ::/0
¬ LOG flags 0 level 7 prefix `OUTPUT-default:'
0 0 DROP all * * ::/0 ::/0
Chain ext2int (1 references)
pkts bytes target prot opt in out source destination
¬
0 0 ACCEPT icmpv6 * * ::/0 ::/0
0 0 ACCEPT tcp * * ::/0 ::/0
¬ tcp spts:1:65535 dpts:1024:65535 flags:!0x16/0x02
0 0 LOG all * * ::/0 ::/0
¬ LOG flags 0 level 7 prefix `ext2int-default:'
0 0 DROP tcp * * ::/0 ::/0
0 0 DROP udp * * ::/0 ::/0
0 0 DROP all * * ::/0 ::/0
Chain extIN (1 references)
pkts bytes target prot opt in out source destination
¬
0 0 ACCEPT tcp * * 3ffe:400:100::1/128 ::/0
¬ tcp spts:512:65535 dpt:22
0 0 ACCEPT tcp * * 3ffe:400:100::2/128 ::/0
¬ tcp spts:512:65535 dpt:22
0 0 ACCEPT icmpv6 * * ::/0 ::/0
0 0 ACCEPT tcp * * ::/0 ::/0
¬ tcp spts:1:65535 dpts:1024:65535 flags:!0x16/0x02
0 0 ACCEPT udp * * ::/0 ::/0
¬ udp spts:1:65535 dpts:1024:65535
0 0 LOG all * * ::/0 ::/0
¬ limit: avg 5/min burst 5 LOG flags 0 level 7 prefix `extIN-default:'
0 0 DROP all * * ::/0 ::/0
Chain extOUT (1 references)
pkts bytes target prot opt in out source destination
¬
0 0 ACCEPT tcp * * ::/0
¬ 2001:0db8:100::1/128tcp spt:22 dpts:512:65535 flags:!0x16/0x02
0 0 ACCEPT tcp * * ::/0
¬ 2001:0db8:100::2/128tcp spt:22 dpts:512:65535 flags:!0x16/0x02
0 0 ACCEPT icmpv6 * * ::/0 ::/0
0 0 ACCEPT tcp * * ::/0 ::/0
¬ tcp spts:1024:65535 dpts:1:65535
0 0 ACCEPT udp * * ::/0 ::/0
¬ udp spts:1024:65535 dpts:1:65535
0 0 LOG all * * ::/0 ::/0
¬ LOG flags 0 level 7 prefix `extOUT-default:'
0 0 DROP all * * ::/0 ::/0
Chain int2ext (1 references)
pkts bytes target prot opt in out source destination
¬
0 0 ACCEPT icmpv6 * * ::/0 ::/0
0 0 ACCEPT tcp * * ::/0 ::/0
¬ tcp spts:1024:65535 dpts:1:65535
0 0 LOG all * * ::/0 ::/0
¬ LOG flags 0 level 7 prefix `int2ext:'
0 0 DROP all * * ::/0 ::/0
0 0 LOG all * * ::/0 ::/0
¬ LOG flags 0 level 7 prefix `int2ext-default:'
0 0 DROP tcp * * ::/0 ::/0
0 0 DROP udp * * ::/0 ::/0
0 0 DROP all * * ::/0 ::/0
Chain intIN (1 references)
pkts bytes target prot opt in out source destination
¬
0 0 ACCEPT all * * ::/0
¬ fe80::/ffc0::
4 384 ACCEPT all * * ::/0 ff02::/16
Chain intOUT (1 references)
pkts bytes target prot opt in out source destination
¬
0 0 ACCEPT all * * ::/0
¬ fe80::/ffc0::
4 384 ACCEPT all * * ::/0 ff02::/16
0 0 LOG all * * ::/0 ::/0
¬ LOG flags 0 level 7 prefix `intOUT-default:'
0 0 DROP all * * ::/0 ::/0