
How to configure iptables to support IPv6 Tunnel Broker?

Started by liheyuan87, September 01, 2010, 10:24:13 PM


liheyuan87

Hi, everyone,

I have successfully obtained the IPv6 tunnel and made it work on my server without iptables running.
Clients with IPv6 can ping/ssh/browse the server very well.
When I start my iptables, it doesn't work. Clients (with an IPv6 address) can't ping or ssh over IPv6.

Can anyone tell me how to configure my iptables to support the IPv6 tunnel?
I'm a beginner with iptables, so please write it down in detail.
Any help would be appreciated.

Here is my tunnel configuration:
modprobe ipv6
ip tunnel add he-ipv6 mode sit remote 72.52.104.74 local 76.164.***.*** ttl 255
ip link set he-ipv6 up
ip addr add 2001:470:1f04:10f9::2/64 dev he-ipv6
ip route add ::/0 dev he-ipv6
ip -f inet6 addr

Here is my iptables configuration:
# Generated by iptables-save v1.3.5 on Wed Sep  1 22:40:31 2010
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [575:379396]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A INPUT -s 72.52.104.74 -p ipv6 -j ACCEPT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -i heipv6 -j ACCEPT
-A RH-Firewall-1-INPUT -o heipv6 -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p esp -j ACCEPT
-A RH-Firewall-1-INPUT -p ah -j ACCEPT
-A RH-Firewall-1-INPUT -d 224.0.0.251 -p udp -m udp --dport 5353 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 8722 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 8722 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 21 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 20 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 50000:50100 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --sport 50000:50100 -j ACCEPT
COMMIT
# Completed on Wed Sep  1 22:40:31 2010

Thank you very much !

liheyuan87

Just add the following line, and it works.

-A RH-Firewall-1-INPUT -p 41 -j ACCEPT

Is it ok?
Is it safe?
Thanks a lot.

patrickdk

I would be much more concerned with the rules:
-A RH-Firewall-1-INPUT -i heipv6 -j ACCEPT
-A RH-Firewall-1-INPUT -o heipv6 -j ACCEPT

As those allow any IPv4 traffic at all to come in and out of your tunnel. Now, HE probably won't pass IPv4 over the tunnel, but with a network misconfig or something, your whole network is exposed directly to the Internet, bypassing your firewall.


But, as for the -p 41 line, it has the same *safeness* as any of the following rules:

-A RH-Firewall-1-INPUT -p esp -j ACCEPT
-A RH-Firewall-1-INPUT -p ah -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 8722 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 50000:50100 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --sport 50000:50100 -j ACCEPT

efjeldstrom

Are you behind a router, or is your system directly connected to the Internet? Since you are using tunneling for your IPv6, I'm guessing that you're behind a router (or NAT'ed): in that case, I wouldn't worry too much about the IPv4 iptables and would stick to ip6tables for filtering.

This is my ip6tables configuration:
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A INPUT -p ipv6-icmp -j ACCEPT
-A INPUT -i ip6tun -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -j REJECT --reject-with icmp6-port-unreachable
-A FORWARD -p ipv6-icmp -j ACCEPT
-A FORWARD -i ip6tun -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth0 -j ACCEPT
-A FORWARD -i lo -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp6-port-unreachable
-A OUTPUT -j ACCEPT

And my iptables configuration:
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
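As an added example (not code from the thread or from Hurricane Electric), the following script generates rule sets in iptables-restore format that combine the two points above: on the IPv4 side it permits only protocol 41 between your public address and the broker's endpoint, with no blanket ACCEPT on the tunnel interface, and on the IPv6 side it does the real filtering with ip6tables, keeping ICMPv6 open. The addresses, interface name and function names are assumptions; set HE_ENDPOINT, LOCAL_V4 and TUN_IF to your own values.

```shell
#!/bin/sh
# Added example: emit iptables-restore / ip6tables-restore rule sets for a 6in4 tunnel.
# Sample addresses below are constructed placeholders (documentation ranges), not real endpoints.
HE_ENDPOINT="${HE_ENDPOINT:-192.0.2.1}"   # assumed: the tunnel broker's server IPv4 address
LOCAL_V4="${LOCAL_V4:-203.0.113.5}"       # assumed: your public IPv4 address
TUN_IF="${TUN_IF:-he-ipv6}"               # assumed: the sit interface name

# IPv4 side: only the encapsulated IPv6 (protocol 41) from the broker to this host is
# accepted; nothing is accepted merely because it arrived on the tunnel interface.
v4_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p 41 -s $HE_ENDPOINT -d $LOCAL_V4 -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
}

# IPv6 side: filter the decapsulated traffic here. ICMPv6 stays open because neighbour
# discovery and path MTU discovery break without it; only SSH is opened from the tunnel.
v6_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p ipv6-icmp -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i $TUN_IF -p tcp --dport 22 -m state --state NEW -j ACCEPT
-A INPUT -j REJECT --reject-with icmp6-port-unreachable
COMMIT
EOF
}

# Apply only when APPLY=1 (needs root and the *-restore tools); otherwise just print.
if [ "${APPLY:-0}" = "1" ]; then
    v4_rules | iptables-restore
    v6_rules | ip6tables-restore
else
    v4_rules
    v6_rules
fi
```

Run it once without APPLY to review the output, then with APPLY=1 to load it.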

xdjsvu

Hi, everyone.

When setting up the tunnel I have a problem.

Pinging my local IPv6 address 2001:470:xxx:xxx::2/64 is OK.
PING 2001:470:xxxx:xxx::2(2001:470:xxxx:xxx::2) 56 data bytes
64 bytes from 2001:470:xxxx:xxx::2: icmp_seq=1 ttl=64 time=0.041 ms
64 bytes from 2001:470:xxxx:xxx::2: icmp_seq=2 ttl=64 time=0.040 ms

But there is no ping to the gateway, so the tunnel is not working.

My network interface eth0 is configured with two addresses. The first is the internal provider address; I go out to the Internet with it. The second address is external.

auto eth0
iface eth0 inet static
address 192.168.1.57
netmask 255.255.0.0
gateway 192.168.1.1
up ip a a 178.93.25.89/24 dev eth0


iptables rules (default policy: drop):

$IPT -P INPUT DROP
$IPT -P FORWARD DROP
$IPT -P OUTPUT DROP

iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to-source 192.168.1.57

$IPT -A INPUT -p 41 -d 178.93.25.89 -s 216.66.86.114 -j ACCEPT
$IPT -A OUTPUT -p 41 -d 216.66.86.114 -s 178.93.25.89 -j ACCEPT



The ip6tables default policy for INPUT and OUTPUT is ACCEPT.

lsmod:

ip6_tunnel             10518  0
tunnel6                 1872  1 ip6_tunnel
ip6table_mangle         3103  0
ip6table_filter         2384  1
ip6_tables             15107  2 ip6table_mangle,ip6table_filter
x_tables               12845  9 ipt_ULOG,ip6_tables,xt_connlimit,xt_HL,xt_iprange,xt_conntrack,xt_tcpudp,iptable_nat,ip_tables


route:

178.93.25.0   *               255.255.255.0   U     0      0        0 eth0
localnet        *               255.255.0.0     U     0      0        0 eth0
default         192.168.1.1   0.0.0.0         UG    0      0        0 eth0


ip -6 route ls

2001:470:xxxx:xxx::/64 via :: dev he-ipv6  proto kernel  metric 256  mtu 1480 advmss 1420 hoplimit 4294967295
fe80::/64 via :: dev he-ipv6  proto kernel  metric 256  mtu 1480 advmss 1420 hoplimit 4294967295


ifconfig:

he-ipv6   Link encap:IPv6-in-IPv4 
          inet6 addr: 2001:470:xxxx:xxx::2/64 Scope:Global
          UP POINTOPOINT RUNNING NOARP  MTU:1480  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:84 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 B)  TX bytes:8645 (8.4 KiB)


he-ipv6 interface config:

auto he-ipv6
iface he-ipv6 inet6 v4tunnel
        address 2001:470:xxxx:xxx::2
        netmask 64
        gateway 2001:470:xxxx:xxx::1
        dns-nameservers 2001:470:20::2 74.82.42.42
        endpoint 216.66.86.114
        local 178.93.25.89
        ttl 255


OS: Debian stable

I think the problem is in the iptables rules, but I do not know where.
Does the endpoint connect to my external address?
Is the connection TCP?
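One check worth running against a rule set like the one above, as an added example (not code from the thread): a nat POSTROUTING SNAT or MASQUERADE rule on the egress interface also applies to locally generated packets, so unless protocol 41 is excluded from it, the outer IPv4 source of the 6in4 packets is rewritten to the SNAT address and the broker never sees them from the tunnel's configured local address. The function name is an assumption, and the sample dump is constructed after the rules posted in this thread.

```shell
#!/bin/sh
# Added example: flag a nat POSTROUTING SNAT/MASQUERADE rule on the egress interface
# that does not exclude protocol 41 (6in4), since it would rewrite the tunnel's outer source.
# Expects iptables-save style text, where negation is written as "! -p 41".

# usage: snat_catches_tunnel <dump-file> <egress-interface>
# exit 0 and print the offending rule(s) if found, exit 1 if the dump is clean
snat_catches_tunnel() {
    dump="$1"; egress="$2"
    awk -v ifc="$egress" '
        /^\*nat/  { innat = 1 }
        /^COMMIT/ { innat = 0 }
        innat && /^-A POSTROUTING/ && ($0 ~ ("-o " ifc "( |$)")) &&
            /-j (SNAT|MASQUERADE)/ && !/! -p 41/ { print; found = 1 }
        END { exit found ? 0 : 1 }
    ' "$dump"
}

# Constructed sample dump modelled on the rules in this thread: SNAT on eth0 with no carve-out.
SAMPLE_BAD=$(mktemp)
cat > "$SAMPLE_BAD" <<'EOF'
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth0 -j SNAT --to-source 192.168.1.57
COMMIT
*filter
-A INPUT -p 41 -d 178.93.25.89 -s 216.66.86.114 -j ACCEPT
-A OUTPUT -p 41 -d 216.66.86.114 -s 178.93.25.89 -j ACCEPT
COMMIT
EOF

# The same dump with tunnel traffic excluded from the SNAT rule.
SAMPLE_OK=$(mktemp)
sed 's/^-A POSTROUTING -o eth0 /-A POSTROUTING ! -p 41 -o eth0 /' "$SAMPLE_BAD" > "$SAMPLE_OK"

if snat_catches_tunnel "$SAMPLE_BAD" eth0; then
    echo "WARNING: the SNAT rule above also rewrites protocol-41 packets; add '! -p 41' to it"
fi
snat_catches_tunnel "$SAMPLE_OK" eth0 >/dev/null || echo "OK: tunnel traffic is excluded from SNAT"
```

To check a live host, feed it `iptables-save` output: `iptables-save > /tmp/rules && snat_catches_tunnel /tmp/rules eth0`.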