Hurricane Electric's IPv6 Tunnel Broker Forums

Author Topic: Blocking All Incoming Packets from WAN->LAN  (Read 5365 times)

wswartzendruber
Blocking All Incoming Packets from WAN->LAN
« on: January 21, 2011, 09:25:13 AM »

I have a Linksys WRT54G running OpenWrt.  I'm allowing all ICMPv6 to and from the WAN interface, but am blocking all packets from WAN to LAN that aren't part of an established connection or somehow related (like an echo reply is to an echo request).

I'm told on irc.freenode.net#ipv6 that I'm not supposed to touch ICMPv6 at all, and that it needs to be unrestricted.  On the other hand, RFC4890 tells me that ICMPv6 should be filtered somewhat.

Here are my ip6tables:

```sh
#!/bin/sh /etc/rc.common
# Copyright (C) 2008 OpenWrt.org

START=46

# Variables
IPTABLES='/usr/sbin/ip6tables'
IF_LO='lo'
IF_LAN='br-lan'
IF_WAN='henet0'
IP_LAN='2001:470:1f05:1698::1'
IP_WAN='2001:470:1f04:1698::2'
NETMASK_LAN='2001:470:1f05:1698::/64'

start()
{
# Setup some anal defaults
$IPTABLES -P FORWARD DROP
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP

# Global input rules
$IPTABLES -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
$IPTABLES -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
$IPTABLES -A INPUT -m state --state INVALID -j DROP
$IPTABLES -A INPUT -p tcp -m state --state NEW -m tcp ! --syn -j DROP

# Global output rules
$IPTABLES -A OUTPUT -p tcp --tcp-flags ALL NONE -j DROP
$IPTABLES -A OUTPUT -p tcp --tcp-flags ALL ALL -j DROP
$IPTABLES -A OUTPUT -m state --state INVALID -j DROP
$IPTABLES -A OUTPUT -p tcp -m state --state NEW -m tcp ! --syn -j DROP

# Global forwarding rules
$IPTABLES -A FORWARD -p tcp --tcp-flags ALL NONE -j DROP
$IPTABLES -A FORWARD -p tcp --tcp-flags ALL ALL -j DROP
$IPTABLES -A FORWARD -m state --state INVALID -j DROP
$IPTABLES -A FORWARD -p tcp -m state --state NEW -m tcp ! --syn -j DROP

# Input/output rules for loopback
$IPTABLES -A INPUT -i $IF_LO -s ::1 -d ::1 -j ACCEPT
$IPTABLES -A OUTPUT -o $IF_LO -s ::1 -d ::1 -j ACCEPT

# Inbound LAN interface
$IPTABLES -A INPUT -i $IF_LAN -p icmpv6 -j ACCEPT
$IPTABLES -A INPUT -i $IF_LAN -s $NETMASK_LAN -d $IP_LAN -j ACCEPT

# Inbound WAN interface
$IPTABLES -A INPUT -i $IF_WAN -s ::0/128 -j DROP
$IPTABLES -A INPUT -i $IF_WAN -s ::1/128 -j DROP
$IPTABLES -A INPUT -i $IF_WAN -s ::ffff:0:0/96 -j DROP
$IPTABLES -A INPUT -i $IF_WAN -s ::0/96 -j DROP
$IPTABLES -A INPUT -i $IF_WAN -s fe80::/10 -j DROP
$IPTABLES -A INPUT -i $IF_WAN -s fc00::/7 -j DROP
$IPTABLES -A INPUT -i $IF_WAN -s 2001:db8::/32 -j DROP
$IPTABLES -A INPUT -i $IF_WAN -s 2001:10::/28 -j DROP
$IPTABLES -A INPUT -i $IF_WAN ! -d $IP_WAN -j DROP
$IPTABLES -A INPUT -i $IF_WAN -p icmpv6 -j ACCEPT
$IPTABLES -A INPUT -i $IF_WAN -m state --state ESTABLISHED,RELATED -j ACCEPT

# Outbound LAN interface
$IPTABLES -A OUTPUT -o $IF_LAN -p icmpv6 -j ACCEPT
$IPTABLES -A OUTPUT -o $IF_LAN -s $IP_LAN -d $NETMASK_LAN -j ACCEPT

# Outbound WAN interface
$IPTABLES -A OUTPUT -o $IF_WAN ! -s $IP_WAN -j DROP
$IPTABLES -A OUTPUT -o $IF_WAN -d ::0/128 -j DROP
$IPTABLES -A OUTPUT -o $IF_WAN -d ::1/128 -j DROP
$IPTABLES -A OUTPUT -o $IF_WAN -d ::ffff:0:0/96 -j DROP
$IPTABLES -A OUTPUT -o $IF_WAN -d ::0/96 -j DROP
$IPTABLES -A OUTPUT -o $IF_WAN -d fe80::/10 -j DROP
$IPTABLES -A OUTPUT -o $IF_WAN -d fc00::/7 -j DROP
$IPTABLES -A OUTPUT -o $IF_WAN -d 2001:db8::/32 -j DROP
$IPTABLES -A OUTPUT -o $IF_WAN -d 2001:10::/28 -j DROP
$IPTABLES -A OUTPUT -o $IF_WAN -j ACCEPT

# Forwarding rules for inbound global
$IPTABLES -A FORWARD -i $IF_WAN -o $IF_LAN -s ::0/128 -j DROP
$IPTABLES -A FORWARD -i $IF_WAN -o $IF_LAN -s ::1/128 -j DROP
$IPTABLES -A FORWARD -i $IF_WAN -o $IF_LAN -s ::ffff:0:0/96 -j DROP
$IPTABLES -A FORWARD -i $IF_WAN -o $IF_LAN -s ::0/96 -j DROP
$IPTABLES -A FORWARD -i $IF_WAN -o $IF_LAN -s fe80::/10 -j DROP
$IPTABLES -A FORWARD -i $IF_WAN -o $IF_LAN -s fc00::/7 -j DROP
$IPTABLES -A FORWARD -i $IF_WAN -o $IF_LAN -s 2001:db8::/32 -j DROP
$IPTABLES -A FORWARD -i $IF_WAN -o $IF_LAN -s 2001:10::/28 -j DROP
$IPTABLES -A FORWARD -i $IF_WAN -o $IF_LAN ! -d $NETMASK_LAN -j DROP
$IPTABLES -A FORWARD -i $IF_WAN -o $IF_LAN -m state --state ESTABLISHED,RELATED -j ACCEPT

# Forwarding rules for outbound global
$IPTABLES -A FORWARD -i $IF_LAN -o $IF_WAN -d ::0/128 -j DROP
$IPTABLES -A FORWARD -i $IF_LAN -o $IF_WAN -d ::1/128 -j DROP
$IPTABLES -A FORWARD -i $IF_LAN -o $IF_WAN -d ::ffff:0:0/96 -j DROP
$IPTABLES -A FORWARD -i $IF_LAN -o $IF_WAN -d ::0/96 -j DROP
$IPTABLES -A FORWARD -i $IF_LAN -o $IF_WAN -d fe80::/10 -j DROP
$IPTABLES -A FORWARD -i $IF_LAN -o $IF_WAN -d fc00::/7 -j DROP
$IPTABLES -A FORWARD -i $IF_LAN -o $IF_WAN -d 2001:db8::/32 -j DROP
$IPTABLES -A FORWARD -i $IF_LAN -o $IF_WAN -d 2001:10::/28 -j DROP
$IPTABLES -A FORWARD -i $IF_LAN -o $IF_WAN ! -s $NETMASK_LAN -j DROP
$IPTABLES -A FORWARD -i $IF_LAN -o $IF_WAN -j ACCEPT
}

stop()
{
# Reset all tables.
$IPTABLES -F
$IPTABLES -t raw -F
$IPTABLES -t raw -X
$IPTABLES -X

# Allow all traffic.
$IPTABLES -P INPUT ACCEPT
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -P FORWARD ACCEPT
}
```

I would appreciate any commentary I can get.
« Last Edit: January 21, 2011, 09:35:26 AM by wswartzendruber »

jimb
Re: Blocking All Incoming Packets from WAN->LAN
« Reply #1 on: January 21, 2011, 03:43:03 PM »

Unless I missed something, it looks like all ICMPv6 is filtered for the FORWARD chain, so no internal hosts will be able to do ICMPv6 w/ outside hosts unless the state tracking allows it.

wswartzendruber
Re: Blocking All Incoming Packets from WAN->LAN
« Reply #2 on: January 21, 2011, 09:31:02 PM »

Outbound ICMPv6 is allowed.  Connection tracking seems to be allowing ECHO REPLY back in when ECHO REQUEST is sent.

jrocha
Re: Blocking All Incoming Packets from WAN->LAN
« Reply #3 on: January 24, 2011, 05:50:00 PM »

I generally recommend not blocking ICMPv6 at all (as much of it is required for proper IPv6 transit), but do recommend putting limits on it. For example, with iptables:

```sh
ip6tables -A INPUT   -j ACCEPT  -p ipv6-icmp --match limit --limit 50/minute
```
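Putting the two threads of advice together (the OP's RFC 4890 question and jrocha's rate limit), here is an added example of how an OpenWrt ip6tables script can keep a DROP policy for WAN->LAN yet still pass the ICMPv6 messages IPv6 cannot work without. This is not the OP's script or anything from OpenWrt; it reuses the interface names `henet0` and `br-lan` from the post above, and `DRY_RUN`, `run` and the function names are this example's own. The type list comes from RFC 4890 section 4.3.1 (types 1-4, 128, 129 must not be dropped in transit) and RFC 4861 (Neighbor Discovery types 133-137, which are link-local only and sent with hop limit 255).

```sh
#!/bin/sh
# Added example (not the OP's script): RFC 4890-style ICMPv6 handling for an
# OpenWrt router whose WAN->LAN FORWARD policy is DROP. Interface names follow
# the OP's script; DRY_RUN and the function names are this example's own.
IF_WAN="${IF_WAN:-henet0}"
IF_LAN="${IF_LAN:-br-lan}"
RATE="${RATE:-50/minute}"      # same ballpark as jrocha's 50/minute suggestion

# Print the rule instead of applying it when DRY_RUN is set (no root needed).
run() {
    if [ -n "${DRY_RUN:-}" ]; then
        printf 'ip6tables %s\n' "$*"
    else
        ip6tables "$@"
    fi
}

# RFC 4890 section 4.3.1: error/informational messages that must not be dropped
# in transit. Type 2 (Packet Too Big) is the one path MTU discovery depends on.
TRANSIT_TYPES="1 2 3 4 128 129"
# Neighbor Discovery (RFC 4861) types: needed by the router itself, never routed.
NDP_TYPES="133 134 135 136 137"

# WAN->LAN: let only the transit set through, rate-limited; every other ICMPv6
# message is logged and then falls to the chain's DROP policy.
icmpv6_forward_rules() {
    for t in $TRANSIT_TYPES; do
        run -A FORWARD -i "$IF_WAN" -o "$IF_LAN" -p icmpv6 --icmpv6-type "$t" \
            -m limit --limit "$RATE" -j ACCEPT
    done
    run -A FORWARD -i "$IF_WAN" -o "$IF_LAN" -p icmpv6 \
        -m limit --limit 5/minute -j LOG --log-prefix "ICMPv6-FWD-DROP: "
}

# Router itself: transit set plus NDP. NDP is sent with hop limit 255, so a
# packet claiming to be NDP that has crossed a router (hop limit < 255) is not
# accepted here and is logged before the INPUT DROP policy takes it.
icmpv6_input_rules() {
    for t in $TRANSIT_TYPES; do
        run -A INPUT -p icmpv6 --icmpv6-type "$t" -m limit --limit "$RATE" -j ACCEPT
    done
    for t in $NDP_TYPES; do
        run -A INPUT -p icmpv6 --icmpv6-type "$t" -m hl --hl-eq 255 -j ACCEPT
    done
    run -A INPUT -p icmpv6 -m limit --limit 5/minute -j LOG --log-prefix "ICMPv6-IN-DROP: "
}

# Count the ACCEPT rules in a generated rule set for one ICMPv6 type number.
# $1 = rule text (DRY_RUN output), $2 = ICMPv6 type.
count_accepts_for_type() {
    printf '%s\n' "$1" | grep -c -- "--icmpv6-type $2 .*-j ACCEPT" || true
}

case "${1:-}" in
    apply) icmpv6_forward_rules; icmpv6_input_rules ;;
    show)  DRY_RUN=1; icmpv6_forward_rules; icmpv6_input_rules ;;
esac
```

Run it as `sh icmpv6-rules.sh show` to review the rules before `apply`; the LOG rules are deliberately placed last so that whatever is later dropped by the chain policy shows up in `logread`, which is how you find out whether a legitimate Packet Too Big message is being eaten by the firewall rather than guessing from stalled connections.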

antillie
Re: Blocking All Incoming Packets from WAN->LAN
« Reply #4 on: January 24, 2011, 10:58:26 PM »

I agree. ICMPv6 is critical to the proper operation of an IPv6 network and IPv6 inter-network communication and transit. Filtering it out will only cause problems. Especially MTU-related problems, as much of the current IPv6 internet is going through tunnels over IPv4 and ICMPv6 is needed for path MTU discovery.

Blocking ICMP is IPv4 thinking. IPv6 is a different ball game altogether.

Besides, when your local subnet contains 2^64 addresses a ping sweep just isn't practical. ;)