Difference between revisions of "IPv6 Firewall: Penggunaan"

From OnnoWiki
Revision as of 11:01, 9 July 2013

Check for support

Load the module, if it has been compiled as a module

# modprobe ip6_tables 

Check for capability

# [ ! -f /proc/net/ip6_tables_names ] && echo "Current kernel doesn't support 'ip6tables' firewalling (IPv6)!" 

Learning to use ip6tables

List all IPv6 netfilter entries

Short

# ip6tables -L 

Long (numeric, verbose, with rule numbers)

# ip6tables -n -v --line-numbers -L 

List a specified filter

# ip6tables -n -v --line-numbers -L INPUT 

Insert a log rule at the input filter with options

# ip6tables --table filter --append INPUT  -j LOG --log-prefix "INPUT:" --log-level 7 

Insert a drop rule at the input filter

# ip6tables --table filter --append INPUT  -j DROP 

Delete a rule by number

# ip6tables --table filter --delete INPUT 1 

Enable connection tracking

Since kernel version 2.6.20 IPv6 connection tracking is well supported and should be used instead of stateless filter rules. (On current iptables the "-m state --state" match is an alias for "-m conntrack --ctstate"; either spelling works.)

# ip6tables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

Allow ICMPv6

With older kernels (unpatched kernel 2.4.5 and iptables-1.2.2) no ICMPv6 type can be specified, so ICMPv6 can only be allowed as a whole:

Accept incoming ICMPv6 through tunnels

# ip6tables -A INPUT -i sit+ -p icmpv6 -j ACCEPT 

Allow outgoing ICMPv6 through tunnels

# ip6tables -A OUTPUT -o sit+ -p icmpv6 -j ACCEPT 

Newer kernels allow specifying of ICMPv6 types:

# ip6tables -A INPUT -p icmpv6 --icmpv6-type echo-request -j ACCEPT

Rate-limiting

Because it can happen (the author has already seen it twice) that an ICMPv6 storm rises up, you should use the available rate limiting at least for the ICMPv6 ruleset. Logging rules should also be rate limited, to prevent DoS attacks against syslog and against the storage of the log file partition. Two points to keep in mind: a rate-limited ACCEPT rule such as the one below only accepts packets within the limit, and packets over the limit fall through to the following rules (or to the chain policy), so a DROP for the same type should follow it if that is the intent; and blocking all ICMPv6 breaks IPv6, since Neighbor Discovery (types 133 to 136) and Packet Too Big (type 2, needed for path MTU discovery) must be let through. An example for a rate limited ICMPv6 rule looks like:

# ip6tables -A INPUT --protocol icmpv6 --icmpv6-type echo-request \
    -j ACCEPT --match limit --limit 30/minute

Allow incoming SSH

Here is an example of a ruleset which allows incoming SSH connections from a specified IPv6 address.

Allow incoming SSH from 2001:0db8:100::1/128

# ip6tables -A INPUT -i sit+ -p tcp -s 2001:0db8:100::1/128 --sport 512:65535 --dport 22 -j ACCEPT 

Allow response packets (no longer needed if connection tracking is used!)

# ip6tables -A OUTPUT -o sit+ -p tcp -d 2001:0db8:100::1/128 --dport 512:65535 --sport 22 ! --syn -j ACCEPT 

Enable tunneled IPv6-in-IPv4

To accept tunneled IPv6-in-IPv4 packets, you have to insert rules into your IPv4 firewall setup for such packets, for example:

Accept incoming IPv6-in-IPv4 on interface ppp0

# iptables -A INPUT -i ppp0 -p ipv6 -j ACCEPT 

Allow outgoing IPv6-in-IPv4 to interface ppp0

# iptables -A OUTPUT -o ppp0 -p ipv6 -j ACCEPT 

If you only have a static tunnel, you can specify the IPv4 addresses of the endpoints too, like:

Accept incoming IPv6-in-IPv4 on interface ppp0 from tunnel endpoint 192.0.2.2

# iptables -A INPUT -i ppp0 -p ipv6 -s 192.0.2.2 -j ACCEPT 

Allow outgoing IPv6-in-IPv4 on interface ppp0 to tunnel endpoint 192.0.2.2

# iptables -A OUTPUT -o ppp0 -p ipv6 -d 192.0.2.2 -j ACCEPT 

Protection against incoming TCP connection requests

VERY RECOMMENDED! For security reasons you should really insert a rule which blocks incoming TCP connection requests (packets with SYN set and ACK cleared, which is what "--syn" matches). Adapt the "-i" option if other interface names are in use!

Block incoming TCP connection requests to this host

# ip6tables -I INPUT -i sit+ -p tcp --syn -j DROP 

Block incoming TCP connection requests to hosts behind this router

# ip6tables -I FORWARD -i sit+ -p tcp --syn -j DROP 

The rules may have to be placed below others (here they are inserted at the top of the chain with "-I"); that ordering is work you have to think about. The best way is to create a script and execute the rules in a defined order.

Protection against incoming UDP connection requests

ALSO RECOMMENDED! As mentioned in my firewall information, it is possible to control the ports used by outgoing UDP/TCP sessions. So if all of your local IPv6 systems use local ports from, e.g., 32768 to 60999, you can filter UDP connections as well (until connection tracking works), like:

Block incoming UDP packets which cannot be responses of outgoing requests of this host

# ip6tables -I INPUT -i sit+ -p udp ! --dport 32768:60999 -j DROP 

Block incoming UDP packets which cannot be responses of forwarded requests of hosts behind this router

# ip6tables -I FORWARD -i sit+ -p udp ! --dport 32768:60999 -j DROP 
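The sections above add rules one at a time, and the text itself says that a script executing the rules in a defined order is the right way. The following script is an added example, not the page's own code: it emits the connection tracking, ICMPv6, SSH and TCP/UDP protection rules as one ordered policy in ip6tables-restore format (the same format as the Fedora configuration files below), so the whole policy loads atomically instead of rule by rule, where an early DROP can cut off the session that is still adding rules. It also carries the caveats a practitioner needs: the ICMPv6 types that must pass for Neighbor Discovery and path MTU discovery to keep working, an explicit DROP for echo-requests above the rate limit, and rate-limited logging. The interface names sit0 and eth0 and the admin source address 2001:db8:100::1/128 are assumptions, not values from the page; override them through the environment.

```shell
#!/bin/sh
# Added example, not code from the original page: the ordered ip6tables script
# the text recommends, written as an ip6tables-restore ruleset so it loads
# atomically. Assumptions (not from the page): WAN interface sit0, LAN interface
# eth0, admin SSH source 2001:db8:100::1/128. Override via the environment.
WAN_IF="${WAN_IF:-sit0}"
LAN_IF="${LAN_IF:-eth0}"
ADMIN_SRC="${ADMIN_SRC:-2001:db8:100::1/128}"

# Print the ruleset. Order matters: loopback and tracked connections first,
# then the essential ICMPv6 types, then explicit services, then log-and-drop.
build_ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:ICMPV6 - [0:0]
:LOGDROP - [0:0]
# INPUT: replies to our own connections are accepted before any DROP rule
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p icmpv6 -j ICMPV6
-A INPUT -i ${WAN_IF} -p tcp -s ${ADMIN_SRC} --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -i ${WAN_IF} -p tcp --syn -j LOGDROP
-A INPUT -i ${WAN_IF} -p udp -j LOGDROP
-A INPUT -j LOGDROP
# FORWARD (router case): the LAN may initiate, the WAN side only gets replies
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m conntrack --ctstate INVALID -j DROP
-A FORWARD -p icmpv6 -j ICMPV6
-A FORWARD -i ${LAN_IF} -o ${WAN_IF} -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -j LOGDROP
# ICMPv6: these types must pass or Neighbor Discovery and path MTU discovery break
-A ICMPV6 -p icmpv6 --icmpv6-type destination-unreachable -j ACCEPT
-A ICMPV6 -p icmpv6 --icmpv6-type packet-too-big -j ACCEPT
-A ICMPV6 -p icmpv6 --icmpv6-type time-exceeded -j ACCEPT
-A ICMPV6 -p icmpv6 --icmpv6-type parameter-problem -j ACCEPT
# NDP never crosses a router: genuine messages always arrive with hop limit 255
-A ICMPV6 -p icmpv6 --icmpv6-type router-solicitation -m hl --hl-eq 255 -j ACCEPT
-A ICMPV6 -p icmpv6 --icmpv6-type router-advertisement -m hl --hl-eq 255 -j ACCEPT
-A ICMPV6 -p icmpv6 --icmpv6-type neighbour-solicitation -m hl --hl-eq 255 -j ACCEPT
-A ICMPV6 -p icmpv6 --icmpv6-type neighbour-advertisement -m hl --hl-eq 255 -j ACCEPT
# echo-request is rate limited and the excess is dropped here, not passed on
-A ICMPV6 -p icmpv6 --icmpv6-type echo-request -m limit --limit 30/minute --limit-burst 10 -j ACCEPT
-A ICMPV6 -p icmpv6 --icmpv6-type echo-request -j DROP
-A ICMPV6 -j LOGDROP
# log at most 5 per minute so a flood cannot fill syslog, then drop
-A LOGDROP -m limit --limit 5/minute --limit-burst 5 -j LOG --log-prefix "ip6-drop: " --log-level 7
-A LOGDROP -j DROP
COMMIT
EOF
}

# Parse-check the ruleset first, then load it in one step. Requires root.
apply_ruleset() {
    build_ruleset | ip6tables-restore --test && build_ruleset | ip6tables-restore
}

case "${1:-}" in
    apply) apply_ruleset ;;
    *)     build_ruleset ;;   # default: dry run, print what would be loaded
esac
```

Run it with no arguments to print the ruleset for review, and with "apply" to validate it with ip6tables-restore --test and then load it. Because the INPUT and FORWARD policies are DROP, keep console access or a scheduled rollback at hand when applying it over the network.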

Examples

Simple example for Fedora

The following lines show a simple firewall configuration for Fedora 6 (since kernel version 2.6.20). It was modified from the default one (generated by system-config-firewall) to support connection tracking and to return the proper ICMPv6 code for rejects. Incoming SSH (port 22) connections are allowed.

File: /etc/sysconfig/ip6tables

*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmpv6 -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d ff02::fb -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT 
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp6-adm-prohibited
COMMIT 

For completeness also the IPv4 configuration is shown here:

File: /etc/sysconfig/iptables

*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT 

Usage:

Create/modify the configuration files

Activate IPv4 & IPv6 firewalling

# service iptables start
# service ip6tables start

Enable automatic start after reboot

# chkconfig iptables on
# chkconfig ip6tables on

Sophisticated example

The following lines show a more sophisticated, but still stateless, filter setup as an example. Happy netfilter6 ruleset creation....

# ip6tables -n -v -L 
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 extIN      all      sit+   *       ::/0                 ::/0
    4   384 intIN      all      eth0   *       ::/0                 ::/0
    0     0 ACCEPT     all      *      *       ::1/128              ::1/128
    0     0 ACCEPT     all      lo     *       ::/0                 ::/0
    0     0 LOG        all      *      *       ::/0                 ::/0                 LOG flags 0 level 7 prefix `INPUT-default:'
    0     0 DROP       all      *      *       ::/0                 ::/0

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 int2ext    all      eth0   sit+    ::/0                 ::/0
    0     0 ext2int    all      sit+   eth0    ::/0                 ::/0
    0     0 LOG        all      *      *       ::/0                 ::/0                 LOG flags 0 level 7 prefix `FORWARD-default:'
    0     0 DROP       all      *      *       ::/0                 ::/0

Chain OUTPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 extOUT     all      *      sit+    ::/0                 ::/0
    4   384 intOUT     all      *      eth0    ::/0                 ::/0
    0     0 ACCEPT     all      *      *       ::1/128              ::1/128
    0     0 ACCEPT     all      *      lo      ::/0                 ::/0
    0     0 LOG        all      *      *       ::/0                 ::/0                 LOG flags 0 level 7 prefix `OUTPUT-default:'
    0     0 DROP       all      *      *       ::/0                 ::/0

Chain ext2int (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     icmpv6   *      *       ::/0                 ::/0
    0     0 ACCEPT     tcp      *      *       ::/0                 ::/0                 tcp spts:1:65535 dpts:1024:65535 flags:!0x16/0x02
    0     0 LOG        all      *      *       ::/0                 ::/0                 LOG flags 0 level 7 prefix `ext2int-default:'
    0     0 DROP       tcp      *      *       ::/0                 ::/0
    0     0 DROP       udp      *      *       ::/0                 ::/0
    0     0 DROP       all      *      *       ::/0                 ::/0

Chain extIN (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     tcp      *      *       3ffe:400:100::1/128  ::/0                 tcp spts:512:65535 dpt:22
    0     0 ACCEPT     tcp      *      *       3ffe:400:100::2/128  ::/0                 tcp spts:512:65535 dpt:22
    0     0 ACCEPT     icmpv6   *      *       ::/0                 ::/0
    0     0 ACCEPT     tcp      *      *       ::/0                 ::/0                 tcp spts:1:65535 dpts:1024:65535 flags:!0x16/0x02
    0     0 ACCEPT     udp      *      *       ::/0                 ::/0                 udp spts:1:65535 dpts:1024:65535
    0     0 LOG        all      *      *       ::/0                 ::/0                 limit: avg 5/min burst 5 LOG flags 0 level 7 prefix `extIN-default:'
    0     0 DROP       all      *      *       ::/0                 ::/0

Chain extOUT (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     tcp      *      *       ::/0                 2001:0db8:100::1/128 tcp spt:22 dpts:512:65535 flags:!0x16/0x02
    0     0 ACCEPT     tcp      *      *       ::/0                 2001:0db8:100::2/128 tcp spt:22 dpts:512:65535 flags:!0x16/0x02
    0     0 ACCEPT     icmpv6   *      *       ::/0                 ::/0
    0     0 ACCEPT     tcp      *      *       ::/0                 ::/0                 tcp spts:1024:65535 dpts:1:65535
    0     0 ACCEPT     udp      *      *       ::/0                 ::/0                 udp spts:1024:65535 dpts:1:65535
    0     0 LOG        all      *      *       ::/0                 ::/0                 LOG flags 0 level 7 prefix `extOUT-default:'
    0     0 DROP       all      *      *       ::/0                 ::/0

Chain int2ext (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     icmpv6   *      *       ::/0                 ::/0
    0     0 ACCEPT     tcp      *      *       ::/0                 ::/0                 tcp spts:1024:65535 dpts:1:65535
    0     0 LOG        all      *      *       ::/0                 ::/0                 LOG flags 0 level 7 prefix `int2ext:'
    0     0 DROP       all      *      *       ::/0                 ::/0
    0     0 LOG        all      *      *       ::/0                 ::/0                 LOG flags 0 level 7 prefix `int2ext-default:'
    0     0 DROP       tcp      *      *       ::/0                 ::/0
    0     0 DROP       udp      *      *       ::/0                 ::/0
    0     0 DROP       all      *      *       ::/0                 ::/0

Chain intIN (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all      *      *       ::/0                 fe80::/ffc0::
    4   384 ACCEPT     all      *      *       ::/0                 ff02::/16

Chain intOUT (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all      *      *       ::/0                 fe80::/ffc0::
    4   384 ACCEPT     all      *      *       ::/0                 ff02::/16
    0     0 LOG        all      *      *       ::/0                 ::/0                 LOG flags 0 level 7 prefix `intOUT-default:'
    0     0 DROP       all      *      *       ::/0                 ::/0
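Reading a listing like the one above by eye is error-prone once there are several chains. The following audit script is an added example, not part of the page: it parses the "ip6tables -n -v -L" layout shown above (with or without --line-numbers, and with the blank opt column of legacy ip6tables or the "--" printed by iptables-nft) and reports the three mistakes this page warns about, an ACCEPT default policy on INPUT or FORWARD, an ACCEPT rule with no match at all, and a LOG rule without a rate limit. The listing it runs on by default is constructed for the example and contains those mistakes deliberately; on a live system pipe the real listing into it instead.

```shell
#!/bin/sh
# Added example, not from the original page: audit "ip6tables -n -v -L" output.
# Exit status 1 means at least one WARN line was printed.
audit_ip6tables() {
    awk '
    /^Chain / {
        chain = $2; n = 0
        if ((chain == "INPUT" || chain == "FORWARD") && $0 ~ /policy ACCEPT/) {
            printf "WARN %s: default policy is ACCEPT, unmatched packets are let through\n", chain; w++
        }
        next
    }
    /^ *(num +)?pkts +bytes/ || NF == 0 { next }
    {
        n++
        # with --line-numbers the first three fields are all numeric (num pkts bytes)
        f = ($1 ~ /^[0-9]+[KMG]?$/ && $2 ~ /^[0-9]+[KMG]?$/ && $3 ~ /^[0-9]+[KMG]?$/) ? 4 : 3
        target = $f; proto = $(f + 1)
        # legacy ip6tables leaves the opt column blank, iptables-nft prints "--"
        o = ($(f + 2) == "--") ? 1 : 0
        in_if = $(f + 2 + o); out_if = $(f + 3 + o); src = $(f + 4 + o); dst = $(f + 5 + o)
        extra = ""
        for (i = f + 6 + o; i <= NF; i++) extra = extra (extra == "" ? "" : " ") $i
        if (target == "ACCEPT" && (proto == "all" || proto == "0") && in_if == "*" &&
            out_if == "*" && src == "::/0" && dst == "::/0" && extra == "") {
            printf "WARN %s rule %d: unconditional ACCEPT matches every packet\n", chain, n; w++
        }
        if (target == "LOG" && extra !~ /limit:/) {
            printf "WARN %s rule %d: LOG without rate limit, a flood can fill syslog\n", chain, n; w++
        }
    }
    END { if (w == 0) print "OK: no findings"; exit (w > 0) }
    '
}

# Constructed sample in the legacy listing layout; the flaws are deliberate:
# INPUT policy ACCEPT, an unlimited LOG rule, and a catch-all ACCEPT rule.
SAMPLE_LISTING='Chain INPUT (policy ACCEPT 12 packets, 960 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all      lo     *       ::/0                 ::/0
    8   640 ACCEPT     all      *      *       ::/0                 ::/0                 ctstate RELATED,ESTABLISHED
    0     0 LOG        all      *      *       ::/0                 ::/0                 LOG flags 0 level 7 prefix "INPUT-default:"
    4   320 ACCEPT     all      *      *       ::/0                 ::/0

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all      *      *       ::/0                 ::/0                 ctstate RELATED,ESTABLISHED
    0     0 LOG        all      *      *       ::/0                 ::/0                 limit: avg 5/min burst 5 LOG flags 0 level 7 prefix "FORWARD-default:"
    0     0 DROP       all      *      *       ::/0                 ::/0

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination'

if [ "${1:-}" = "live" ]; then
    ip6tables -n -v -L | audit_ip6tables        # needs root
else
    printf '%s\n' "$SAMPLE_LISTING" | audit_ip6tables || echo "exit status $? (findings present)"
fi
```

Run with "live" as the first argument to audit the running firewall; without arguments it audits the constructed sample and should report three findings, all in the INPUT chain. OUTPUT is left out of the policy check on purpose, since an ACCEPT policy there is the usual host configuration (the Fedora example above uses it too).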