Difference between revisions of "IPv6 Firewall: Penggunaan"
Jump to navigation
Jump to search
Onnowpurbo (talk | contribs) |
Onnowpurbo (talk | contribs) |
||
| Line 1: | Line 1: | ||
| − | 18.3. Usage | + | ==18.3. Usage== |
| − | 18.3.1. Check for support | + | |
| + | ===18.3.1. Check for support=== | ||
Load module, if so compiled | Load module, if so compiled | ||
| Line 11: | Line 12: | ||
¬ 'ip6tables' firewalling (IPv6)!" | ¬ 'ip6tables' firewalling (IPv6)!" | ||
| − | 18.3.2. Learn how to use ip6tables | + | ===18.3.2. Learn how to use ip6tables=== |
| − | 18.3.2.1. List all IPv6 netfilter entries | + | |
| + | ====18.3.2.1. List all IPv6 netfilter entries==== | ||
| − | + | Short | |
# ip6tables -L | # ip6tables -L | ||
| − | + | Extended | |
# ip6tables -n -v --line-numbers -L | # ip6tables -n -v --line-numbers -L | ||
| − | 18.3.2.2. List specified filter | + | ====18.3.2.2. List specified filter==== |
# ip6tables -n -v --line-numbers -L INPUT | # ip6tables -n -v --line-numbers -L INPUT | ||
| − | 18.3.2.3. Insert a log rule at the input filter with options | + | ====18.3.2.3. Insert a log rule at the input filter with options==== |
# ip6tables --table filter --append INPUT -j LOG --log-prefix "INPUT:" | # ip6tables --table filter --append INPUT -j LOG --log-prefix "INPUT:" | ||
¬ --log-level 7 | ¬ --log-level 7 | ||
| − | 18.3.2.4. Insert a drop rule at the input filter | + | ====18.3.2.4. Insert a drop rule at the input filter==== |
# ip6tables --table filter --append INPUT -j DROP | # ip6tables --table filter --append INPUT -j DROP | ||
| − | 18.3.2.5. Delete a rule by number | + | ====18.3.2.5. Delete a rule by number==== |
# ip6tables --table filter --delete INPUT 1 | # ip6tables --table filter --delete INPUT 1 | ||
| − | 18.3.2.6. Enable connection tracking | + | ====18.3.2.6. Enable connection tracking==== |
Since kernel version 2.6.20 IPv6 connection tracking is well supported and should be used instead of using stateless filter rules. | Since kernel version 2.6.20 IPv6 connection tracking is well supported and should be used instead of using stateless filter rules. | ||
| Line 45: | Line 47: | ||
# ip6tables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT | # ip6tables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT | ||
| − | 18.3.2.7. Allow ICMPv6 | + | ====18.3.2.7. Allow ICMPv6==== |
Using older kernels (unpatched kernel 2.4.5 and iptables-1.2.2) no type can be specified | Using older kernels (unpatched kernel 2.4.5 and iptables-1.2.2) no type can be specified | ||
| − | + | Accept incoming ICMPv6 through tunnels | |
# ip6tables -A INPUT -i sit+ -p icmpv6 -j ACCEPT | # ip6tables -A INPUT -i sit+ -p icmpv6 -j ACCEPT | ||
| − | + | Allow outgoing ICMPv6 through tunnels | |
# ip6tables -A OUTPUT -o sit+ -p icmpv6 -j ACCEPT | # ip6tables -A OUTPUT -o sit+ -p icmpv6 -j ACCEPT | ||
| Line 61: | Line 63: | ||
# ip6tables -A INPUT -p icmpv6 --icmpv6-type echo-request -j ACCEPT | # ip6tables -A INPUT -p icmpv6 --icmpv6-type echo-request -j ACCEPT | ||
| − | 18.3.2.8. Rate-limiting | + | ====18.3.2.8. Rate-limiting==== |
Because it can happen (author already saw it to times) that an ICMPv6 storm will raise up, you should use available rate limiting for at least ICMPv6 ruleset. In addition logging rules should also get rate limiting to prevent DoS attacks against syslog and storage of log file partition. An example for a rate limited ICMPv6 looks like: | Because it can happen (author already saw it to times) that an ICMPv6 storm will raise up, you should use available rate limiting for at least ICMPv6 ruleset. In addition logging rules should also get rate limiting to prevent DoS attacks against syslog and storage of log file partition. An example for a rate limited ICMPv6 looks like: | ||
| Line 68: | Line 70: | ||
¬ -j ACCEPT --match limit --limit 30/minute | ¬ -j ACCEPT --match limit --limit 30/minute | ||
| − | 18.3.2.9. Allow incoming SSH | + | ====18.3.2.9. Allow incoming SSH==== |
Here an example is shown for a ruleset which allows incoming SSH connection from a specified IPv6 address | Here an example is shown for a ruleset which allows incoming SSH connection from a specified IPv6 address | ||
| − | + | Allow incoming SSH from 2001:0db8:100::1/128 | |
# ip6tables -A INPUT -i sit+ -p tcp -s 2001:0db8:100::1/128 --sport 512:65535 | # ip6tables -A INPUT -i sit+ -p tcp -s 2001:0db8:100::1/128 --sport 512:65535 | ||
¬ --dport 22 -j ACCEPT | ¬ --dport 22 -j ACCEPT | ||
| − | + | Allow response packets (no longer needed if connection tracking is used!) | |
# ip6tables -A OUTPUT -o sit+ -p tcp -d 2001:0db8:100::1/128 --dport 512:65535 | # ip6tables -A OUTPUT -o sit+ -p tcp -d 2001:0db8:100::1/128 --dport 512:65535 | ||
¬ --sport 22 ! --syn -j ACCEPT | ¬ --sport 22 ! --syn -j ACCEPT | ||
| − | 18.3.2.10. Enable tunneled IPv6-in-IPv4 | + | ====18.3.2.10. Enable tunneled IPv6-in-IPv4==== |
To accept tunneled IPv6-in-IPv4 packets, you have to insert rules in your IPv4 firewall setup relating to such packets, for example | To accept tunneled IPv6-in-IPv4 packets, you have to insert rules in your IPv4 firewall setup relating to such packets, for example | ||
| − | + | Accept incoming IPv6-in-IPv4 on interface ppp0 | |
# iptables -A INPUT -i ppp0 -p ipv6 -j ACCEPT | # iptables -A INPUT -i ppp0 -p ipv6 -j ACCEPT | ||
| − | + | Allow outgoing IPv6-in-IPv4 to interface ppp0 | |
# iptables -A OUTPUT -o ppp0 -p ipv6 -j ACCEPT | # iptables -A OUTPUT -o ppp0 -p ipv6 -j ACCEPT | ||
| Line 96: | Line 98: | ||
If you have only a static tunnel, you can specify the IPv4 addresses, too, like | If you have only a static tunnel, you can specify the IPv4 addresses, too, like | ||
| − | + | Accept incoming IPv6-in-IPv4 on interface ppp0 from tunnel endpoint 192.0.2.2 | |
# iptables -A INPUT -i ppp0 -p ipv6 -s 192.0.2.2 -j ACCEPT | # iptables -A INPUT -i ppp0 -p ipv6 -s 192.0.2.2 -j ACCEPT | ||
| − | + | Allow outgoing IPv6-in-IPv4 to interface ppp0 to tunnel endpoint 1.2.3.4 | |
# iptables -A OUTPUT -o ppp0 -p ipv6 -d 192.0.2.2 -j ACCEPT | # iptables -A OUTPUT -o ppp0 -p ipv6 -d 192.0.2.2 -j ACCEPT | ||
| − | 18.3.2.11. Protection against incoming TCP connection requests | + | ====18.3.2.11. Protection against incoming TCP connection requests==== |
VERY RECOMMENDED! For security issues you should really insert a rule which blocks incoming TCP connection requests. Adapt "-i" option, if other interface names are in use! | VERY RECOMMENDED! For security issues you should really insert a rule which blocks incoming TCP connection requests. Adapt "-i" option, if other interface names are in use! | ||
| − | + | Block incoming TCP connection requests to this host | |
# ip6tables -I INPUT -i sit+ -p tcp --syn -j DROP | # ip6tables -I INPUT -i sit+ -p tcp --syn -j DROP | ||
| − | + | Block incoming TCP connection requests to hosts behind this router | |
# ip6tables -I FORWARD -i sit+ -p tcp --syn -j DROP | # ip6tables -I FORWARD -i sit+ -p tcp --syn -j DROP | ||
Perhaps the rules have to be placed below others, but that is work you have to think about it. Best way is to create a script and execute rules in a specified way. | Perhaps the rules have to be placed below others, but that is work you have to think about it. Best way is to create a script and execute rules in a specified way. | ||
| − | 18.3.2.12. Protection against incoming UDP connection requests | + | |
| + | ====18.3.2.12. Protection against incoming UDP connection requests==== | ||
ALSO RECOMMENDED! Like mentioned on my firewall information it's possible to control the ports on outgoing UDP/TCP sessions. So if all of your local IPv6 systems are using local ports e.g. from 32768 to 60999 you are able to filter UDP connections also (until connection tracking works) like: | ALSO RECOMMENDED! Like mentioned on my firewall information it's possible to control the ports on outgoing UDP/TCP sessions. So if all of your local IPv6 systems are using local ports e.g. from 32768 to 60999 you are able to filter UDP connections also (until connection tracking works) like: | ||
| − | + | Block incoming UDP packets which cannot be responses of outgoing requests of this host | |
# ip6tables -I INPUT -i sit+ -p udp ! --dport 32768:60999 -j DROP | # ip6tables -I INPUT -i sit+ -p udp ! --dport 32768:60999 -j DROP | ||
| − | + | Block incoming UDP packets which cannot be responses of forwarded requests of hosts behind this router | |
# ip6tables -I FORWARD -i sit+ -p udp ! --dport 32768:60999 -j DROP | # ip6tables -I FORWARD -i sit+ -p udp ! --dport 32768:60999 -j DROP | ||
| − | 18.3.3. Examples | + | ===18.3.3. Examples=== |
| − | 18.3.3.1. Simple example for Fedora | + | |
| + | ====18.3.3.1. Simple example for Fedora==== | ||
Following lines show a simple firewall configuration for Fedora 6 (since kernel version 2.6.20). It was modfied from the default one (generated by system-config-firewall) for supporting connection tracking and return the proper ICMPv6 code for rejects. Incoming SSH (port 22) connections are allowed. | Following lines show a simple firewall configuration for Fedora 6 (since kernel version 2.6.20). It was modfied from the default one (generated by system-config-firewall) for supporting connection tracking and return the proper ICMPv6 code for rejects. Incoming SSH (port 22) connections are allowed. | ||
Revision as of 10:22, 9 July 2013
18.3. Usage
18.3.1. Check for support
Load module, if so compiled
# modprobe ip6_tables
Check for capability
# [ ! -f /proc/net/ip6_tables_names ] && echo "Current kernel doesn't support ¬ 'ip6tables' firewalling (IPv6)!"
18.3.2. Learn how to use ip6tables
18.3.2.1. List all IPv6 netfilter entries
Short
# ip6tables -L
Extended
# ip6tables -n -v --line-numbers -L
18.3.2.2. List specified filter
# ip6tables -n -v --line-numbers -L INPUT
18.3.2.3. Insert a log rule at the input filter with options
# ip6tables --table filter --append INPUT -j LOG --log-prefix "INPUT:" ¬ --log-level 7
18.3.2.4. Insert a drop rule at the input filter
# ip6tables --table filter --append INPUT -j DROP
18.3.2.5. Delete a rule by number
# ip6tables --table filter --delete INPUT 1
18.3.2.6. Enable connection tracking
Since kernel version 2.6.20 IPv6 connection tracking is well supported and should be used instead of using stateless filter rules.
# ip6tables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
18.3.2.7. Allow ICMPv6
Using older kernels (unpatched kernel 2.4.5 and iptables-1.2.2) no type can be specified
Accept incoming ICMPv6 through tunnels
# ip6tables -A INPUT -i sit+ -p icmpv6 -j ACCEPT
Allow outgoing ICMPv6 through tunnels
# ip6tables -A OUTPUT -o sit+ -p icmpv6 -j ACCEPT
Newer kernels allow specifying of ICMPv6 types:
# ip6tables -A INPUT -p icmpv6 --icmpv6-type echo-request -j ACCEPT
18.3.2.8. Rate-limiting
Because it can happen (author already saw it to times) that an ICMPv6 storm will raise up, you should use available rate limiting for at least ICMPv6 ruleset. In addition logging rules should also get rate limiting to prevent DoS attacks against syslog and storage of log file partition. An example for a rate limited ICMPv6 looks like:
# ip6tables -A INPUT --protocol icmpv6 --icmpv6-type echo-request ¬ -j ACCEPT --match limit --limit 30/minute
18.3.2.9. Allow incoming SSH
Here an example is shown for a ruleset which allows incoming SSH connection from a specified IPv6 address
Allow incoming SSH from 2001:0db8:100::1/128
# ip6tables -A INPUT -i sit+ -p tcp -s 2001:0db8:100::1/128 --sport 512:65535 ¬ --dport 22 -j ACCEPT
Allow response packets (no longer needed if connection tracking is used!)
# ip6tables -A OUTPUT -o sit+ -p tcp -d 2001:0db8:100::1/128 --dport 512:65535 ¬ --sport 22 ! --syn -j ACCEPT
18.3.2.10. Enable tunneled IPv6-in-IPv4
To accept tunneled IPv6-in-IPv4 packets, you have to insert rules in your IPv4 firewall setup relating to such packets, for example
Accept incoming IPv6-in-IPv4 on interface ppp0
# iptables -A INPUT -i ppp0 -p ipv6 -j ACCEPT
Allow outgoing IPv6-in-IPv4 to interface ppp0
# iptables -A OUTPUT -o ppp0 -p ipv6 -j ACCEPT
If you have only a static tunnel, you can specify the IPv4 addresses, too, like
Accept incoming IPv6-in-IPv4 on interface ppp0 from tunnel endpoint 192.0.2.2
# iptables -A INPUT -i ppp0 -p ipv6 -s 192.0.2.2 -j ACCEPT
Allow outgoing IPv6-in-IPv4 to interface ppp0 to tunnel endpoint 1.2.3.4
# iptables -A OUTPUT -o ppp0 -p ipv6 -d 192.0.2.2 -j ACCEPT
18.3.2.11. Protection against incoming TCP connection requests
VERY RECOMMENDED! For security issues you should really insert a rule which blocks incoming TCP connection requests. Adapt "-i" option, if other interface names are in use!
Block incoming TCP connection requests to this host
# ip6tables -I INPUT -i sit+ -p tcp --syn -j DROP
Block incoming TCP connection requests to hosts behind this router
# ip6tables -I FORWARD -i sit+ -p tcp --syn -j DROP
Perhaps the rules have to be placed below others, but that is work you have to think about it. Best way is to create a script and execute rules in a specified way.
18.3.2.12. Protection against incoming UDP connection requests
ALSO RECOMMENDED! Like mentioned on my firewall information it's possible to control the ports on outgoing UDP/TCP sessions. So if all of your local IPv6 systems are using local ports e.g. from 32768 to 60999 you are able to filter UDP connections also (until connection tracking works) like:
Block incoming UDP packets which cannot be responses of outgoing requests of this host
# ip6tables -I INPUT -i sit+ -p udp ! --dport 32768:60999 -j DROP
Block incoming UDP packets which cannot be responses of forwarded requests of hosts behind this router
# ip6tables -I FORWARD -i sit+ -p udp ! --dport 32768:60999 -j DROP
18.3.3. Examples
18.3.3.1. Simple example for Fedora
Following lines show a simple firewall configuration for Fedora 6 (since kernel version 2.6.20). It was modfied from the default one (generated by system-config-firewall) for supporting connection tracking and return the proper ICMPv6 code for rejects. Incoming SSH (port 22) connections are allowed.
File: /etc/sysconfig/ip6tables
*filter :INPUT ACCEPT [0:0] :FORWARD ACCEPT [0:0] :OUTPUT ACCEPT [0:0] :RH-Firewall-1-INPUT - [0:0] -A INPUT -j RH-Firewall-1-INPUT -A FORWARD -j RH-Firewall-1-INPUT -A RH-Firewall-1-INPUT -i lo -j ACCEPT -A RH-Firewall-1-INPUT -p icmpv6 -j ACCEPT -A RH-Firewall-1-INPUT -p 50 -j ACCEPT -A RH-Firewall-1-INPUT -p 51 -j ACCEPT -A RH-Firewall-1-INPUT -p udp --dport 5353 -d ff02::fb -j ACCEPT -A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT -A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT -A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT -A RH-Firewall-1-INPUT -m state --state NEW -p tcp --dport 22 -j ACCEPT -A RH-Firewall-1-INPUT -j REJECT --reject-with icmp6-adm-prohibited COMMIT
For completeness also the IPv4 configuration is shown here:
File: /etc/sysconfig/iptables
*filter :INPUT ACCEPT [0:0] :FORWARD ACCEPT [0:0] :OUTPUT ACCEPT [0:0] :RH-Firewall-1-INPUT - [0:0] -A INPUT -j RH-Firewall-1-INPUT -A FORWARD -j RH-Firewall-1-INPUT -A RH-Firewall-1-INPUT -i lo -j ACCEPT -A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT -A RH-Firewall-1-INPUT -p 50 -j ACCEPT -A RH-Firewall-1-INPUT -p 51 -j ACCEPT -A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT -A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT -A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT -A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT -A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited COMMIT
Usage:
Create/modify the configuration files
Activate IPv4 & IPv6 firewalling
# service iptables start # service ip6tables start
Enable automatic start after reboot
# chkconfig iptables on # chkconfig ip6tables on
18.3.3.2. Sophisticated example
Following lines show a more sophisticated but still stateless filter setup as an example. Happy netfilter6 ruleset creation....
# ip6tables -n -v -L
Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 extIN all sit+ * ::/0 ::/0
4 384 intIN all eth0 * ::/0 ::/0
0 0 ACCEPT all * * ::1/128 ::1/128
0 0 ACCEPT all lo * ::/0 ::/0
0 0 LOG all * * ::/0 ::/0
¬ LOG flags 0 level 7 prefix `INPUT-default:'
0 0 DROP all * * ::/0 ::/0
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
¬
0 0 int2ext all eth0 sit+ ::/0 ::/0
0 0 ext2int all sit+ eth0 ::/0 ::/0
0 0 LOG all * * ::/0 ::/0
¬ LOG flags 0 level 7 prefix `FORWARD-default:'
0 0 DROP all * * ::/0 ::/0
Chain OUTPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
¬
0 0 extOUT all * sit+ ::/0 ::/0
4 384 intOUT all * eth0 ::/0 ::/0
0 0 ACCEPT all * * ::1/128 ::1/128
0 0 ACCEPT all * lo ::/0 ::/0
0 0 LOG all * * ::/0 ::/0
¬ LOG flags 0 level 7 prefix `OUTPUT-default:'
0 0 DROP all * * ::/0 ::/0
Chain ext2int (1 references)
pkts bytes target prot opt in out source destination
¬
0 0 ACCEPT icmpv6 * * ::/0 ::/0
0 0 ACCEPT tcp * * ::/0 ::/0
¬ tcp spts:1:65535 dpts:1024:65535 flags:!0x16/0x02
0 0 LOG all * * ::/0 ::/0
¬ LOG flags 0 level 7 prefix `ext2int-default:'
0 0 DROP tcp * * ::/0 ::/0
0 0 DROP udp * * ::/0 ::/0
0 0 DROP all * * ::/0 ::/0
Chain extIN (1 references)
pkts bytes target prot opt in out source destination
¬
0 0 ACCEPT tcp * * 3ffe:400:100::1/128 ::/0
¬ tcp spts:512:65535 dpt:22
0 0 ACCEPT tcp * * 3ffe:400:100::2/128 ::/0
¬ tcp spts:512:65535 dpt:22
0 0 ACCEPT icmpv6 * * ::/0 ::/0
0 0 ACCEPT tcp * * ::/0 ::/0
¬ tcp spts:1:65535 dpts:1024:65535 flags:!0x16/0x02
0 0 ACCEPT udp * * ::/0 ::/0
¬ udp spts:1:65535 dpts:1024:65535
0 0 LOG all * * ::/0 ::/0
¬ limit: avg 5/min burst 5 LOG flags 0 level 7 prefix `extIN-default:'
0 0 DROP all * * ::/0 ::/0
Chain extOUT (1 references)
pkts bytes target prot opt in out source destination
¬
0 0 ACCEPT tcp * * ::/0
¬ 2001:0db8:100::1/128tcp spt:22 dpts:512:65535 flags:!0x16/0x02
0 0 ACCEPT tcp * * ::/0
¬ 2001:0db8:100::2/128tcp spt:22 dpts:512:65535 flags:!0x16/0x02
0 0 ACCEPT icmpv6 * * ::/0 ::/0
0 0 ACCEPT tcp * * ::/0 ::/0
¬ tcp spts:1024:65535 dpts:1:65535
0 0 ACCEPT udp * * ::/0 ::/0
¬ udp spts:1024:65535 dpts:1:65535
0 0 LOG all * * ::/0 ::/0
¬ LOG flags 0 level 7 prefix `extOUT-default:'
0 0 DROP all * * ::/0 ::/0
Chain int2ext (1 references)
pkts bytes target prot opt in out source destination
¬
0 0 ACCEPT icmpv6 * * ::/0 ::/0
0 0 ACCEPT tcp * * ::/0 ::/0
¬ tcp spts:1024:65535 dpts:1:65535
0 0 LOG all * * ::/0 ::/0
¬ LOG flags 0 level 7 prefix `int2ext:'
0 0 DROP all * * ::/0 ::/0
0 0 LOG all * * ::/0 ::/0
¬ LOG flags 0 level 7 prefix `int2ext-default:'
0 0 DROP tcp * * ::/0 ::/0
0 0 DROP udp * * ::/0 ::/0
0 0 DROP all * * ::/0 ::/0
Chain intIN (1 references)
pkts bytes target prot opt in out source destination
¬
0 0 ACCEPT all * * ::/0
¬ fe80::/ffc0::
4 384 ACCEPT all * * ::/0 ff02::/16
Chain intOUT (1 references)
pkts bytes target prot opt in out source destination
¬
0 0 ACCEPT all * * ::/0
¬ fe80::/ffc0::
4 384 ACCEPT all * * ::/0 ff02::/16
0 0 LOG all * * ::/0 ::/0
¬ LOG flags 0 level 7 prefix `intOUT-default:'
0 0 DROP all * * ::/0 ::/0