Hurricane Electric's IPv6 Tunnel Broker Forums

General IPv6 Topics => IPv6 on Linux & BSD & Mac => Topic started by: phuss on April 03, 2009, 03:29:35 PM

Title: ip6tables firewall script
Post by: phuss on April 03, 2009, 03:29:35 PM
Hello,
I want to set up a simple firewall for my IPv6 tunnel connection, so I wonder if this script is enough?
Will there be any problem with my tunnel? I really don't know if the public interface
should be my IPv4 interface (eth0) or my IPv6 tunnel interface "tunnelx".


#!/bin/bash
# Simple stateful ip6tables firewall for a host whose only IPv6 connectivity
# is a 6in4 tunnel. ip6tables only sees IPv6 packets; on a tunnel host those
# arrive on the tunnel interface, so PUBIF is the tunnel interface rather
# than the IPv4 carrier interface (eth0).
IPT6="/sbin/ip6tables"
PUBIF="tunnelx"

# flush all rules and delete all user-defined chains
$IPT6 -F
$IPT6 -X
$IPT6 -t mangle -F
$IPT6 -t mangle -X

# unlimited access to loopback
$IPT6 -A INPUT -i lo -j ACCEPT
$IPT6 -A OUTPUT -o lo -j ACCEPT

# default policy: DROP everything not explicitly accepted below
$IPT6 -P INPUT DROP
$IPT6 -P OUTPUT DROP
$IPT6 -P FORWARD DROP

# allow full outgoing connections but no incoming ones
# (-m conntrack --ctstate is the current spelling of -m state --state)
$IPT6 -A INPUT -i $PUBIF -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
$IPT6 -A OUTPUT -o $PUBIF -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT

# allow ICMPv6: ping, but also path MTU discovery and error messages,
# without which IPv6 does not work reliably
$IPT6 -A INPUT -i $PUBIF -p ipv6-icmp -j ACCEPT
$IPT6 -A OUTPUT -o $PUBIF -p ipv6-icmp -j ACCEPT

############# add your custom rules below ############
### open IPv6 port 22
#$IPT6 -A INPUT -i $PUBIF -p tcp --destination-port 22 -j ACCEPT

############ End custom rules ################

#### no need to edit below ###
# log everything else, rate-limited so a port scan cannot flood syslog,
# then drop it
$IPT6 -A INPUT -i $PUBIF -m limit --limit 5/min --limit-burst 10 \
    -j LOG --log-prefix "ip6tables INPUT drop: "
$IPT6 -A INPUT -i $PUBIF -j DROP

Thanks in advance!

Title: Re: ip6tables firewall script
Post by: kriteknetworks on April 03, 2009, 04:16:05 PM
Try it and see.

Are there any services listening on IPv6 that you're blocking access to?

lsof -i6 to see
Title: Re: ip6tables firewall script
Post by: phuss on April 03, 2009, 11:53:14 PM
#lsof -i6
COMMAND  PID USER   FD   TYPE DEVICE SIZE NODE NAME
sshd    2378 root    4u  IPv6   6374       TCP *:ssh (LISTEN)
smbd    2473 root   19u  IPv6   6564       TCP *:microsoft-ds (LISTEN)
smbd    2473 root   20u  IPv6   6566       TCP *:netbios-ssn (LISTEN)


When I run the firewall script, those show as blocked by the online port scanner, so it seems to work ;)
http://www.subnetonline.com/pages/ipv6-network-tools/online-ipv6-port-scanner.php
Title: Re: ip6tables firewall script
Post by: phuss on April 04, 2009, 06:15:34 AM
Hmm, now I'm not able to connect to IRC anymore when I'm running my new ip6tables script.

15:10 -!- Irssi: Looking up ipv6.chat.freenode.net
15:10 -!- Irssi: Connecting to ipv6.chat.freenode.net [2001:1418:13:1::25] port 6667
15:10 -!- Irssi: Connection lost to ipv6.chat.freenode.net
15:10 -!- Irssi: Looking up irc.efnet.nl
15:10 -!- Irssi: Connecting to  [2001:7b8:3:3f:201:2ff:fef6:574e] port 6667


But I can ping both IRC servers. And when I disable the ip6tables script I can log in.

Any idea what's wrong with my script?


Title: Re: ip6tables firewall script
Post by: kriteknetworks on April 05, 2009, 09:01:29 AM
You're not allowing the port(s) used by IRC, is my guess. You really should be referring to the man page for ip(6)tables while looking at your firewall script; that way you'll know what each line means and does.
Title: Re: ip6tables firewall script
Post by: snarked on April 05, 2009, 01:51:23 PM
When you eventually open port 22 (ssh), it's best not to make it world-reachable. At least block the IP ranges assigned to continents other than the one that you're on.

As currently given, your firewall will allow locally initiated sessions but not remote ones. Certain applications may require both.
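As an added example, not posted by anyone in this thread, here is a shell script that produces the same policy as the original script (loopback, replies to locally initiated sessions, ICMPv6, rate-limited log and drop) in ip6tables-restore format, and opens port 22 only to one source prefix rather than to the whole Internet, in the spirit of snarked's advice. Loading the file with ip6tables-restore installs the whole ruleset atomically, so there is no window in which the chains are flushed but the DROP policies already apply. The interface name tunnelx comes from the thread; the 2001:db8::/32 prefix (the IPv6 documentation range), the log prefix and the rate limit are illustrative assumptions.

```shell
#!/bin/bash
# Added example: emit an ip6tables-restore ruleset for a 6in4 tunnel host.
# The interface name is taken from the thread; the SSH source prefix,
# log prefix and rate limit are assumed, illustrative values.

# gen_rules PUBIF [SSH_SRC_PREFIX]
#   Prints a complete ip6tables-restore file. If a source prefix is given,
#   new inbound TCP connections to port 22 are accepted from it only.
gen_rules() {
    local pubif="$1"
    local ssh_src="${2:-}"

    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# unlimited access to loopback
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# replies to locally initiated sessions in, anything out
-A INPUT -i $pubif -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -o $pubif -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
# ICMPv6 is needed for ping, path MTU discovery and error reporting
-A INPUT -i $pubif -p ipv6-icmp -j ACCEPT
-A OUTPUT -o $pubif -p ipv6-icmp -j ACCEPT
EOF
    if [ -n "$ssh_src" ]; then
        # SSH reachable from one prefix only, not from the whole Internet
        printf -- '-A INPUT -i %s -p tcp -s %s --dport 22 -m conntrack --ctstate NEW -j ACCEPT\n' \
            "$pubif" "$ssh_src"
    fi
    cat <<EOF
# log everything else (rate-limited so a scan cannot flood syslog), then drop it
-A INPUT -i $pubif -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "ip6tables drop: "
-A INPUT -i $pubif -j DROP
COMMIT
EOF
}

# count_open_ports RULESET_TEXT
#   Number of rules that accept NEW inbound TCP connections: a quick
#   self-check of how many listening ports the policy actually exposes.
count_open_ports() {
    printf '%s\n' "$1" | grep -c -- '-A INPUT .* -p tcp .*--ctstate NEW -j ACCEPT' || true
}

# Usage (as root): gen_rules tunnelx 2001:db8::/32 | ip6tables-restore
```

After loading, `ip6tables-save` should echo the same rules back, and `count_open_ports "$(ip6tables-save)"` gives a one-number answer to kriteknetworks' question of which listening services are reachable from outside. Without the second argument the generated policy exposes no TCP port at all, which is the state the original script was in when the online port scanner reported everything blocked.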