Configure iptables

Started by abpni, August 29, 2010, 03:17:58 AM


abpni

Hi Everyone,

I'm trying to use tunnelbroker on an Ubuntu 10.04 endpoint and trying to use iptables to secure the box.

In my iptables config, I have the following in my upstream firewall (which is separate from the ipv6 endpoint). The rules below are for my ipv4 interface:

Incoming chain (i.e. ipv4 traffic going to the endpoint):
iptables -I ipv6-gw_in -p icmp -j ACCEPT
iptables -I ipv6-gw_in -p 47 -j ACCEPT
iptables -I ipv6-gw_in -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -I ipv6-gw_in -p tcp --dport 22 -j ACCEPT

Outgoing chain (i.e. ipv4 traffic leaving the endpoint):
iptables -I ipv6-gw_out -j ACCEPT

The iptables rules on the actual endpoint are set to allow all.

I use the following script to start the tunnel on the Ubuntu endpoint:
modprobe ipv6
ip tunnel add he-ipv6 mode sit remote 216.66.80.26 local xx.xx.xx.xx ttl 255
ip link set he-ipv6 up
ip addr add 2001:470:1f08:dc5::2/64 dev he-ipv6
ip route add ::/0 dev he-ipv6
ip -f inet6 addr

What is happening at the minute is that if the endpoint creates the connection, everything works fine for a few seconds (minutes?). However, after this short time, no external machine can ping the ipv6 address. This reminds me of a NAT issue; however, my ipv4 interface is using a public static IP address.

Any ideas?

Many Thanks

jimb

6in4 is proto 41, not proto 47 (GRE).

snarked

Quote: iptables -I ipv6-gw_in -p tcp --dport 22 -j ACCEPT
Very dangerous. Consider "port-knocking"* with a timer based on the "-m recent" function if SSH must be open to the world. Otherwise, at least restrict the source address.

* - Note: If the firewall machine protects more than one IP address, there is no requirement that the knocking port be assigned to the same IP as long as it's among the available IPs on the [virtual] network routed to the firewall box. It also need not be restricted to TCP or UDP; other protocols could be trapped for. Some people install a double knock, where the first opens up a second port, and the second port opens up the SSH port (which also need not be port 22 even though that is the IANA assigned #).
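As an added example (not code from the thread, from abpni or from Hurricane Electric), here are the upstream-firewall rules rewritten with jimb's correction (proto 41, accepted only from the HE tunnel server in the original script) and snarked's "-m recent" knock for SSH. Assumed: the chains ipv6-gw_in and ipv6-gw_out already exist in the upstream firewall, KNOCK_PORT and ADMIN_NET are constructed values, and IPT defaults to a dry run that prints the commands rather than applying them.

```shell
#!/bin/sh
# Added example for the thread above, not the original poster's rules.
# IPT defaults to a dry run; run with IPT=iptables to apply for real.
IPT="${IPT:-echo iptables}"
HE_SERVER="216.66.80.26"      # tunnel server from the original ip tunnel command
KNOCK_PORT="4242"             # constructed value; choose your own
ADMIN_NET="203.0.113.0/24"    # constructed (RFC 5737 documentation range)

tunnel_in_rules() {
    # 6in4 is IP protocol 41 (not 47/GRE); only the HE server should send it
    $IPT -A ipv6-gw_in -p 41 -s "$HE_SERVER" -j ACCEPT
    # ICMP keeps path-MTU discovery and tunnel diagnostics working
    $IPT -A ipv6-gw_in -p icmp -j ACCEPT
    $IPT -A ipv6-gw_in -m state --state RELATED,ESTABLISHED -j ACCEPT
}

ssh_knock_rules() {
    # A SYN to the knock port records the source address for 30 seconds
    # (the knock packet itself is dropped, so the port looks closed)
    $IPT -A ipv6-gw_in -p tcp --syn --dport "$KNOCK_PORT" \
        -m recent --name SSHKNOCK --set -j DROP
    # SSH opens only for the admin network or a source that knocked recently
    $IPT -A ipv6-gw_in -p tcp --syn --dport 22 -s "$ADMIN_NET" -j ACCEPT
    $IPT -A ipv6-gw_in -p tcp --syn --dport 22 \
        -m recent --name SSHKNOCK --rcheck --seconds 30 -j ACCEPT
    $IPT -A ipv6-gw_in -p tcp --dport 22 -j DROP
}

outbound_rules() {
    $IPT -A ipv6-gw_out -j ACCEPT
}

all_rules() {
    tunnel_in_rules
    ssh_knock_rules
    outbound_rules
}

all_rules
```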

LuckyMan

On Ubuntu 10.04, IPv6 is already compiled into the kernel, so there is no need to do: "modprobe IPv6"