Server firewall settings

Started by Dolphyn, August 18, 2016, 05:57:06 PM


Dolphyn

I've recently set up a tunnel for a CentOS server, and I thought it might be worth documenting two steps that were necessary before outsiders could connect to my new IPv6 address:

(1) iptables needs to allow IP protocol 41 (the 6in4 tunnel encapsulation) from HE's tunnel-server IPv4 address:
iptables -A INPUT -s xx.xx.xx.xx -p 41 -j ACCEPT

(2) ip6tables needs to allow whatever services you want reachable over the tunnel, for example:
ip6tables -A INPUT -p tcp --dport 22 -j ACCEPT
ip6tables -A INPUT -p tcp --dport 80 -j ACCEPT
ip6tables -A INPUT -p tcp --dport 443 -j ACCEPT

It took me a while to figure it out, so maybe this post will help someone.

Ashfolk

#1
Those using the nftables firewall on their server can add the rule below to the /etc/nftables.conf file:

ip protocol 41 ip saddr xx.xx.xx.xx accept

Here xx.xx.xx.xx is the IPv4 address of the tunnel broker's endpoint server (the "Server IPv4 Address" of your tunnel).

Insert the rule above inside the "inet" table or the "ip" table (sections of the file), or in both.

If you want to be more specific, also match the destination address:

ip protocol 41 ip saddr xx.xx.xx.xx ip daddr yy.yy.yy.yy accept

Here yy.yy.yy.yy is the public, routable IPv4 address of the tunnel user's server (i.e. your server's external IPv4 address).

EXTRA INFO:

here is a sample nftables.conf file:
#!/usr/sbin/nft -f

# Wipe every existing table and chain first, so that this file alone defines
# the active ruleset (re-running it does not accumulate duplicate rules).
flush ruleset

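# Dual-stack table: an "inet" table sees both IPv4 and IPv6 packets, so the
# tunnel rule, the public-IPv4 service rules and the HE-subnet rules can live
# together in one input chain.
# NOTE: every base chain hooked on "input" in every table is evaluated for
# each packet; "accept" here does not skip the other tables, and a drop in any
# one of them is final.
table inet filter {
    # ... other sections ...
    chain incoming {
        type filter hook input priority 0; policy drop;

        # Loopback is always trusted.
        iif lo accept

        # Echo requests are rate limited; anything over the limit falls
        # through to the next rule, where it is counted and dropped.
        # "icmpv6 type" matches via meta l4proto, which looks past IPv6
        # extension headers. The original "ip6 nexthdr icmpv6" only tested
        # the fixed header's Next Header field, so ICMPv6 carried behind a
        # Hop-by-Hop header (MLD reports use the Router Alert option) never
        # matched and fell through to the final drop.
        icmpv6 type echo-request limit rate 30/second accept
        icmpv6 type echo-request counter drop
        ip protocol icmp icmp type echo-request limit rate 30/second accept
        ip protocol icmp icmp type echo-request counter drop

        # ... For DNS NameServer/Authoritative Server, rate limit rules are here ...

        # Return traffic for connections this host opened, plus related
        # traffic (ICMP errors, helper-tracked data channels).
        ct state { established, related } accept

        # ICMP/ICMPv6 types needed for path-MTU discovery, neighbour/router
        # discovery and multicast listener discovery. Review this list when
        # hardening, but keep the nd-* and mld* types: IPv6 does not work
        # on an Ethernet-style link without neighbour discovery.
        icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem, echo-reply, mld-listener-query, mld-listener-report, mld-listener-reduction, nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert, ind-neighbor-solicit, ind-neighbor-advert, mld2-listener-report } accept
        ip protocol icmp icmp type { destination-unreachable, echo-reply, router-solicitation, router-advertisement, time-exceeded, parameter-problem } accept

        # Accept IGMP:
        ip protocol igmp accept

        # HE (Hurricane Electric) 6in4 tunnel: IPv4 protocol 41
        # (IPv6-in-IPv4), restricted to the tunnel server xx.xx.xx.xx as
        # source and this host's public address yy.yy.yy.yy as destination.
        # Keep the source match: an unrestricted protocol-41 accept would
        # let any IPv4 host hand encapsulated IPv6 packets to this machine.
        # NOTE(review): the decapsulated IPv6 packets are expected to pass
        # through this input hook again on the tunnel interface and be
        # filtered by the ip6 rules below — confirm on your kernel.
        ip protocol 41 ip saddr xx.xx.xx.xx ip daddr yy.yy.yy.yy accept

        # Services on this server's own IPv4 address: dns/named/bind/53,
        # sshd/5022, email-related services, etc.
        #   ( yy.yy.yy.yy, the address allotted by the server's ISP or VM
        #     provider, should be configured as a static/fixed address on the
        #     server's primary network interface; the original note points
        #     at /etc/interfaces — the exact file depends on the distribution )
        tcp dport { 25, 53, 80, 110, 143, 443, 465, 587, 993, 995, 4190, 5022 } ip daddr yy.yy.yy.yy accept
        udp dport { 53, 80, 443, 5022 } ip daddr yy.yy.yy.yy accept

        # Addresses N1 & N2 from the HE IPv6 subnet: dns/named/bind/53,
        # email-related services, etc. (IPv6-Adrs-N1 / -N2 are placeholders
        # to be replaced with real addresses.)
        tcp dport { 25, 53, 80, 110, 143, 443, 465, 587, 993, 995, 4190 } ip6 daddr { IPv6-Adrs-N1, IPv6-Adrs-N2 } accept
        udp dport { 53, 80, 443 } ip6 daddr { IPv6-Adrs-N1, IPv6-Adrs-N2 } accept

        # Address N3 from the HE subnet: http/80, https/443, dns/unbound/53, etc.
        tcp dport { 53, 80, 443 } ip6 daddr IPv6-Adrs-N3 accept
        udp dport { 53, 80, 443 } ip6 daddr IPv6-Adrs-N3 accept

        # ... other rules for other services that are running in this server ...

        # Everything else is counted, then dropped.
        counter drop
    }

    # Locally generated traffic is not filtered.
    chain outgoing {
        type filter hook output priority 0; policy accept;
    }

    # This host does not route for others, so nothing may be forwarded.
    chain forward {
        type filter hook forward priority 0; policy drop;
    }
}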


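# IPv4-only table. Its input chain is evaluated in addition to the inet
# table's, so an IPv4 packet must be accepted by BOTH before it is delivered;
# a drop here is final even if the inet table accepted the packet.
table ip filter {
    chain incoming {
        type filter hook input priority 0; policy drop;

        # Loopback was missing here: with "policy drop" and no lo rule, this
        # chain dropped IPv4 loopback traffic (e.g. to 127.0.0.1) even though
        # the inet table accepts it.
        iif lo accept

        # Echo requests are rate limited; the excess is counted and dropped.
        ip protocol icmp icmp type echo-request limit rate 30/second accept
        ip protocol icmp icmp type echo-request counter drop

        # Return traffic for connections this host opened, plus related traffic.
        ct state { established, related } accept

        # ICMP error/diagnostic types needed for path-MTU discovery and routing.
        ip protocol icmp icmp type { destination-unreachable, echo-reply, router-solicitation, router-advertisement, time-exceeded, parameter-problem } accept

        ip protocol igmp accept

        # HE 6in4 tunnel: IPv4 protocol 41 only from the tunnel server
        # xx.xx.xx.xx to this host's public address yy.yy.yy.yy. Keep the
        # source match so arbitrary IPv4 hosts cannot inject tunnelled IPv6.
        ip protocol 41 ip saddr xx.xx.xx.xx ip daddr yy.yy.yy.yy accept

        # Public services on this server's own IPv4 address.
        ip daddr yy.yy.yy.yy tcp dport { 25, 53, 80, 110, 143, 443, 465, 587, 993, 995, 4190, 5022 } accept
        ip daddr yy.yy.yy.yy udp dport { 53, 80, 443, 5022 } accept

        # ... other IP, IPv4 related rules for other services that are running in this server ...

        # Everything else is counted, then dropped.
        counter drop
    }

    # Named FORWARD here but "forward" in the inet table; the chain name is
    # only a label. Nothing is routed through this host, so drop everything.
    chain FORWARD {
        type filter hook forward priority 0; policy drop;
    }

    # Locally generated traffic is not filtered.
    chain outgoing {
        type filter hook output priority 0; policy accept;
    }
}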


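# IPv6-only table. Its input chain is evaluated in addition to the inet
# table's, so an IPv6 packet must be accepted by BOTH before it is delivered;
# a drop here is final even if the inet table accepted the packet.
table ip6 filter {
    chain incoming {
        type filter hook input priority 0; policy drop;

        # Loopback was missing here: with "policy drop" and no lo rule, this
        # chain dropped IPv6 loopback traffic (e.g. to ::1) even though the
        # inet table accepts it.
        iif lo accept

        # "icmpv6 type" matches via meta l4proto, which looks past IPv6
        # extension headers. The original "ip6 nexthdr icmpv6" only tested
        # the fixed header's Next Header field, so ICMPv6 carried behind a
        # Hop-by-Hop header (MLD reports use the Router Alert option) never
        # matched and fell through to the final drop.
        # Echo requests are rate limited; the excess is counted and dropped.
        icmpv6 type echo-request limit rate 30/second accept
        icmpv6 type echo-request counter drop

        # Return traffic for connections this host opened, plus related traffic.
        ct state { established, related } accept

        # Error, neighbour-discovery (nd-*) and multicast-listener (mld*)
        # types; ND must stay accepted or IPv6 on the link stops working.
        icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem, echo-reply, mld-listener-query, mld-listener-report, mld-listener-reduction, nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert, ind-neighbor-solicit, ind-neighbor-advert, mld2-listener-report } accept

        # Services on the HE-assigned addresses N1 & N2 (placeholders —
        # replace with real addresses).
        ip6 daddr { IPv6-Adrs-N1, IPv6-Adrs-N2 } tcp dport { 25, 53, 80, 110, 143, 443, 465, 587, 993, 995, 4190 } accept
        ip6 daddr { IPv6-Adrs-N1, IPv6-Adrs-N2 } udp dport { 53, 80, 443 } accept

        # Web and DNS on address N3.
        ip6 daddr IPv6-Adrs-N3 tcp dport { 53, 80, 443 } accept
        ip6 daddr IPv6-Adrs-N3 udp dport { 53, 80, 443 } accept

        # ... other IPv6 rules for other services that are running in this server ...

        # Everything else is counted, then dropped.
        counter drop
    }

    # Named FORWARD here but "forward" in the inet table; the chain name is
    # only a label. Nothing is routed through this host, so drop everything.
    chain FORWARD {
        type filter hook forward priority 0; policy drop;
    }

    # Locally generated traffic is not filtered.
    chain outgoing {
        type filter hook output priority 0; policy accept;
    }
}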