17.3.2. Learn how to use ip6tables
17.3.2.1. List all IPv6 netfilter entries
# ip6tables -n -v --line-numbers -L
17.3.2.2. List specified filter
# ip6tables -n -v --line-numbers -L INPUT
17.3.2.3. Insert a log rule at the input filter with options
# ip6tables --table filter --append INPUT -j LOG --log-prefix "INPUT:" --log-level 7
17.3.2.4. Insert a drop rule at the input filter
# ip6tables --table filter --append INPUT -j DROP
17.3.2.5. Delete a rule by number
# ip6tables --table filter --delete INPUT 1
17.3.2.6. Allow ICMPv6
With older kernels (unpatched kernel 2.4.5 and iptables-1.2.2) no ICMPv6 type can be specified, so the whole protocol has to be accepted:
# ip6tables -A INPUT -i sit+ -p icmpv6 -j ACCEPT
# ip6tables -A OUTPUT -o sit+ -p icmpv6 -j ACCEPT
Newer kernels allow specifying ICMPv6 types:
# ip6tables -A INPUT -p icmpv6 --icmpv6-type echo-request -j ACCEPT
17.3.2.7. Rate-limiting
Because an ICMPv6 storm can arise (the author has already seen it twice), you should use the available rate limiting at least for the ICMPv6 ruleset. Logging rules should also be rate limited, to prevent DoS attacks against syslog and against the storage of the log file partition. An example of a rate-limited ICMPv6 rule looks like:
# ip6tables -A INPUT --protocol icmpv6 --icmpv6-type echo-request -j ACCEPT --match limit --limit 30/minute
17.3.2.8. Allow incoming SSH
Here an example is shown of a ruleset which allows incoming SSH connections from a specified IPv6 address only (the reply rule matches established traffic by excluding SYN packets):
# ip6tables -A INPUT -i sit+ -p tcp -s 2001:0db8:100::1/128 --sport 512:65535 --dport 22 -j ACCEPT
# ip6tables -A OUTPUT -o sit+ -p tcp -d 2001:0db8:100::1/128 --dport 512:65535 --sport 22 ! --syn -j ACCEPT
17.3.2.9. Enable tunneled IPv6-in-IPv4
To accept tunneled IPv6-in-IPv4 packets, you have to insert rules into your IPv4 firewall setup that match such packets (IP protocol 41), for example:
# iptables -A INPUT -i ppp0 -p ipv6 -j ACCEPT
# iptables -A OUTPUT -o ppp0 -p ipv6 -j ACCEPT
If you have only a static tunnel, you can also restrict the rules to the tunnel endpoint's IPv4 address, like:
# iptables -A INPUT -i ppp0 -p ipv6 -s 1.2.3.4 -j ACCEPT
# iptables -A OUTPUT -o ppp0 -p ipv6 -d 1.2.3.4 -j ACCEPT
17.3.2.10. Protection against incoming TCP connection requests
VERY RECOMMENDED! For security reasons you should really insert a rule which blocks incoming TCP connection requests (SYN packets). Adapt the "-i" option if other interface names are in use!
# ip6tables -I INPUT -i sit+ -p tcp --syn -j DROP
# ip6tables -I FORWARD -i sit+ -p tcp --syn -j DROP
Perhaps these rules have to be placed below others (for example below the SSH accept rule above, since the first matching rule wins), but that is something you have to think about yourself. The best way is to create a script and execute the rules in a specified order.
17.3.2.11. Protection against incoming UDP connection requests
ALSO RECOMMENDED! As mentioned in my firewall information, it's possible to control the ports used by outgoing UDP/TCP sessions. So if all of your local IPv6 systems use local ports e.g. from 32768 to 60999, you can filter UDP connections as well (until connection tracking works), like:
# ip6tables -I INPUT -i sit+ -p udp ! --dport 32768:60999 -j DROP
# ip6tables -I FORWARD -i sit+ -p udp ! --dport 32768:60999 -j DROP
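The script below is an added example (not part of the HOWTO) that does what sections 17.3.2.7 through 17.3.2.11 suggest: it puts the rules from 17.3.2.6 to 17.3.2.11 into one script and appends them in an order that works with first-match semantics, so the specific ACCEPTs (rate-limited ICMPv6 echo, SSH from the admin host) precede the catch-all SYN and UDP DROPs, and the LOG rule sits directly before the DROP it documents and is itself rate limited. The variable names TUNNEL_IF, ADMIN_HOST and LOCAL_PORTS, the `--dry-run`/`--load` switches and the extra DROP for echo-requests above the limit are this example's own choices; the address 2001:0db8:100::1 and the port range 32768:60999 are the ones used on this page.

```shell
#!/bin/sh
# Added example script: loads the IPv6 filter rules of HOWTO section 17.3.2
# in a deliberate order. With no argument (or --dry-run) it only prints the
# rules; with --load it really executes ip6tables (needs root).
# TUNNEL_IF, ADMIN_HOST and LOCAL_PORTS are assumed names for this example.
TUNNEL_IF="${TUNNEL_IF:-sit+}"
ADMIN_HOST="${ADMIN_HOST:-2001:0db8:100::1/128}"   # page's documentation address
LOCAL_PORTS="${LOCAL_PORTS:-32768:60999}"         # local port range from 17.3.2.11

# load_ipv6_rules CMD: emit every rule through CMD (ip6tables or echo).
# Every rule is appended (-A), so the order of the lines here is the order
# in the chain; the first matching rule wins.
load_ipv6_rules() {
    cmd="$1"

    # 1. ICMPv6 echo-request, rate limited (17.3.2.7); requests above the
    #    limit are dropped explicitly (example's choice) so they do not fall
    #    through to the generic ICMPv6 ACCEPT below.
    "$cmd" -A INPUT -i "$TUNNEL_IF" -p icmpv6 --icmpv6-type echo-request \
        -m limit --limit 30/minute -j ACCEPT
    "$cmd" -A INPUT -i "$TUNNEL_IF" -p icmpv6 --icmpv6-type echo-request -j DROP

    # 2. Remaining ICMPv6 in both directions (17.3.2.6)
    "$cmd" -A INPUT  -i "$TUNNEL_IF" -p icmpv6 -j ACCEPT
    "$cmd" -A OUTPUT -o "$TUNNEL_IF" -p icmpv6 -j ACCEPT

    # 3. SSH from the admin host only (17.3.2.8); reply rule excludes SYN
    "$cmd" -A INPUT -i "$TUNNEL_IF" -p tcp -s "$ADMIN_HOST" \
        --sport 512:65535 --dport 22 -j ACCEPT
    "$cmd" -A OUTPUT -o "$TUNNEL_IF" -p tcp -d "$ADMIN_HOST" \
        --dport 512:65535 --sport 22 ! --syn -j ACCEPT

    # 4. Log what is about to be dropped, rate limited so a SYN flood
    #    cannot fill syslog (17.3.2.3 + 17.3.2.7)
    "$cmd" -A INPUT -i "$TUNNEL_IF" -p tcp --syn -m limit --limit 5/minute \
        -j LOG --log-prefix "INPUT-SYN:" --log-level 7

    # 5. Catch-all: drop new TCP connection requests (17.3.2.10)
    "$cmd" -A INPUT   -i "$TUNNEL_IF" -p tcp --syn -j DROP
    "$cmd" -A FORWARD -i "$TUNNEL_IF" -p tcp --syn -j DROP

    # 6. Catch-all: drop UDP not aimed at the local port range (17.3.2.11)
    "$cmd" -A INPUT   -i "$TUNNEL_IF" -p udp ! --dport "$LOCAL_PORTS" -j DROP
    "$cmd" -A FORWARD -i "$TUNNEL_IF" -p udp ! --dport "$LOCAL_PORTS" -j DROP
}

# rule_count CMD: number of rules the ruleset consists of (one per line
# when CMD is echo); handy for checking the dry run before loading.
rule_count() {
    load_ipv6_rules "$1" | grep -c ''
}

case "${1:-}" in
    --load)    load_ipv6_rules ip6tables ;;
    *)         load_ipv6_rules echo ;;       # default: dry run, print only
esac
```

Run it without arguments first and compare the printed order with `ip6tables -n -v --line-numbers -L INPUT` after `--load`; the line numbers shown there are the ones 17.3.2.5 deletes by, so keeping the script as the single source of the ruleset avoids guessing them later.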