#1 2016-08-10 04:07:41

rklingsten
Member
Registered: 2009-07-31
Posts: 29

Super simple IPv6 firewall?

Howdy, just tonight I enabled IPv6 at home via Comcast Business and it works beautifully; I've got dhcpcd getting a /64 from Comcast, and I'm using dibbler to get LAN clients to autoconfigure and provide them RDNSS information. However, I'm trying to grasp firewalling for v6 and I am not getting it. Googling for ip6tables examples results in plenty of complicated stuff, with custom scripts and crazy stuff.

The setup is simply an Arch box with "net0" connected to the Comcast cablemodem and "net1" connected to my LAN switch. I want to permit any LAN host out via IPv6, and block anything new coming in to any LAN host, but allow SSH inbound to any LAN host.

What are the simplest ip6tables rules to accomplish this?

Thanks for any help!


#2 2016-08-10 13:53:19

rklingsten
Member
Registered: 2009-07-31
Posts: 29

Re: Super simple IPv6 firewall?

After messing around with this for quite a while, does anyone see anything wrong with:

# Generated by ip6tables-save v1.6.0 on Wed Aug 10 09:52:07 2016
*filter
:INPUT DROP [72:5760]
:FORWARD ACCEPT [696:118070]
:OUTPUT ACCEPT [69:4920]
-A INPUT -i lo -j ACCEPT
-A INPUT -i net1 -j ACCEPT
-A INPUT -i net0 -p ipv6-icmp -j ACCEPT
-A INPUT -i net0 -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT
# Completed on Wed Aug 10 09:52:07 2016


#3 2016-08-10 21:11:24

branch
Member
Registered: 2014-03-16
Posts: 209

Re: Super simple IPv6 firewall?

Other than it not being a firewall? This allows all packets from net0 to net1, leaving your LAN wide open. The INPUT chain only applies to packets addressed to the router itself. To filter packets between networks you need rules in the FORWARD chain.


#4 2016-08-11 20:10:18

rklingsten
Member
Registered: 2009-07-31
Posts: 29

Re: Super simple IPv6 firewall?

Hence my confusion ... I read in several places that the INPUT chain also applies to forwarded traffic because INPUT is evaluated as soon as the packet comes in off the wire.

Thanks, I will tinker with it some more. I don't have a lot of experience using straight iptables on a gateway; previously I was using pfsense as my gateway box, but couldn't get IPv6 to work properly.


#5 2016-08-11 20:29:21

rklingsten
Member
Registered: 2009-07-31
Posts: 29

Re: Super simple IPv6 firewall?

Ok, here's what I did:

# Generated by ip6tables-save v1.6.0 on Thu Aug 11 16:26:27 2016
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [2:210]
:sshguard - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -i net1 -j ACCEPT
-A INPUT -i net0 -p ipv6-icmp -j ACCEPT
-A INPUT -i net0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i net0 -j sshguard
-A INPUT -i net0 -p tcp -m tcp --dport 22 -j ACCEPT
-A FORWARD -i lo -j ACCEPT
-A FORWARD -i net1 -j ACCEPT
-A FORWARD -i net0 -p ipv6-icmp -j ACCEPT
-A FORWARD -i net0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i net0 -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT
# Completed on Thu Aug 11 16:26:27 2016

Anything wrong with this, or anything I should add? Is it ok to be dropping packets on the floor, or should I be returning an ICMP answer?


#6 2016-08-11 22:46:05

fukawi2
Ex-Administratorino
From: .vic.au
Registered: 2007-09-28
Posts: 6,222

Re: Super simple IPv6 firewall?

rklingsten wrote:

Anything wrong with this, or anything I should add?

It's not 'optimal', but it's functional. Your 'sshguard' chain does nothing though -- not sure what the intention there was.

rklingsten wrote:

Is it ok to be dropping packets on the floor, or should I be returning an ICMP answer?

Perfectly fine to do either; I prefer to DROP generally.


#7 2016-08-11 22:46:55

brebs
Member
Registered: 2007-04-03
Posts: 3,742

Re: Super simple IPv6 firewall?

What is the point of your "dport 22" rule? Do you want it to forward to any IP address whatsoever, including back out to the Internet? If not, restrict it further.


#8 2016-08-12 02:49:48

rklingsten
Member
Registered: 2009-07-31
Posts: 29

Re: Super simple IPv6 firewall?

fukawi2 wrote:

It's not 'optimal', but it's functional. Your 'sshguard' chain does nothing though -- not sure what the intention there was.

sshguard is a separate process that scans syslog, etc. watching for failed login attempts. If it finds any after a configurable amount (say, 3 failed login attempts), it chucks the IP into the sshguard chain with a reject and then deletes it again after a configurable amount of time. Protects against brute forcing obviously, it's like fail2ban if you know that one...

Last edited by rklingsten (2016-08-12 02:53:48)


#9 2016-08-12 02:52:34

rklingsten
Member
Registered: 2009-07-31
Posts: 29

Re: Super simple IPv6 firewall?

brebs wrote:

What is the point of your "dport 22" rule? Do you want it to forward to any IP address whatsoever, including back out to the Internet? If not, restrict it further.

The dport 22 on the INPUT chain is so I can ssh from outside to the gateway box, after the IP is checked by sshguard. The dport 22 on the FORWARD chain is so I can ssh to any of my boxes on the LAN, I have a couple. I also use sshguard on those as well as key based login only.


#10 2016-08-12 18:42:33

brebs
Member
Registered: 2007-04-03
Posts: 3,742

Re: Super simple IPv6 firewall?

So restrict the forwarding to just your LAN, rather than being an open SSH relay to the *whole Internet* ;)

It's so simple, it's daft not to.


#11 2016-08-12 19:18:33

rklingsten
Member
Registered: 2009-07-31
Posts: 29

Re: Super simple IPv6 firewall?

Oh, like this? :

-A FORWARD -i net0 -o net1 -p tcp -m tcp --dport 22 -j ACCEPT


#12 2016-08-12 19:30:16

brebs
Member
Registered: 2007-04-03
Posts: 3,742

Re: Super simple IPv6 firewall?

Yep :)

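Pulling the thread together, here is an added example (not posted by anyone in the thread) of a complete ip6tables-restore ruleset for the gateway described above, generated by a small POSIX shell script. It applies branch's point from #3 (anything crossing from net0 to net1 is decided in FORWARD, not INPUT), brebs' point from #10 to #12 (the inbound SSH forward is pinned to `-o net1` and to the LAN's own prefix so the box cannot act as an SSH relay back out to the Internet), and fukawi2's preference for a DROP policy. It also adds two things a practitioner would want that the thread did not cover: DHCPv6 client replies on net0 are allowed explicitly, because the server answers from its link-local address rather than from the ff02::1:2 multicast address the Solicit was sent to, so conntrack does not classify them as ESTABLISHED and dhcpcd's prefix delegation would otherwise break under an INPUT DROP policy; and inbound ICMPv6 toward the LAN is limited to the error and echo types RFC 4890 says must not be blocked instead of every type. `-m conntrack --ctstate` replaces the legacy `-m state` match. The interface names `net0`/`net1` and the `sshguard` chain come from the thread; the LAN prefix (`2001:db8:1:2::/64`, the documentation prefix) is an assumption and should be replaced with the /64 dhcpcd actually obtained. The second function, `check_ssh_forward_scoped`, is the automated version of brebs' review: it flags any FORWARD rule accepting tcp/22 that is not tied to an outgoing interface and destination prefix.

```shell
#!/bin/sh
# Added example, not from the thread: generate a complete ip6tables-restore
# ruleset for the two-interface gateway discussed above (net0 = Comcast,
# net1 = LAN).  The LAN prefix is an assumption; pass the /64 dhcpcd obtained.

WAN_IF=net0
LAN_IF=net1

# Write the ruleset to stdout.  $1 = delegated LAN prefix, e.g. 2001:db8:1:2::/64
gen_ip6tables_rules() {
    lan_prefix="$1"
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:sshguard - [0:0]
# ---- INPUT: packets addressed to the router itself ----
-A INPUT -i lo -j ACCEPT
-A INPUT -i ${LAN_IF} -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# Router Advertisements, Neighbor Discovery and PMTU discovery all ride on ICMPv6
-A INPUT -i ${WAN_IF} -p ipv6-icmp -j ACCEPT
# DHCPv6 replies (prefix delegation for dhcpcd) come from the server's
# link-local address, not from the ff02::1:2 multicast the Solicit went to,
# so conntrack does not treat them as ESTABLISHED; allow them explicitly
-A INPUT -i ${WAN_IF} -p udp --dport 546 -j ACCEPT
# sshguard adds per-address block rules to this chain; jump to it before ACCEPT
-A INPUT -i ${WAN_IF} -p tcp --dport 22 -j sshguard
-A INPUT -i ${WAN_IF} -p tcp --dport 22 -j ACCEPT
# ---- FORWARD: packets routed between ${WAN_IF} and ${LAN_IF} ----
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -m conntrack --ctstate INVALID -j DROP
# LAN out to the Internet, only from addresses inside our own prefix
-A FORWARD -i ${LAN_IF} -o ${WAN_IF} -s ${lan_prefix} -j ACCEPT
# Inbound SSH: pinned to the LAN interface AND the LAN prefix, so the
# gateway cannot be used as an SSH relay back out to the Internet
-A FORWARD -i ${WAN_IF} -o ${LAN_IF} -d ${lan_prefix} -p tcp --dport 22 -j ACCEPT
EOF
    # Inbound ICMPv6 toward the LAN: the error and echo types RFC 4890 says
    # a firewall must not drop, rather than every ICMPv6 type
    for t in destination-unreachable packet-too-big time-exceeded \
             parameter-problem echo-request echo-reply; do
        echo "-A FORWARD -i ${WAN_IF} -o ${LAN_IF} -d ${lan_prefix} -p ipv6-icmp --icmpv6-type $t -j ACCEPT"
    done
    echo COMMIT
}

# The mistake brebs pointed out: a FORWARD accept for tcp/22 that is not tied
# to an outgoing interface and destination prefix.  Returns 0 when every such
# rule in the ruleset text ($1) is scoped, 1 when at least one is not.
check_ssh_forward_scoped() {
    unscoped=$(printf '%s\n' "$1" \
        | grep -- '^-A FORWARD' \
        | grep -- '--dport 22' \
        | grep -- '-j ACCEPT' \
        | grep -v -- "-o ${LAN_IF} -d ")
    [ -z "$unscoped" ]
}

# Usage (as root, on Arch; ip6tables.service loads this file at boot):
#   gen_ip6tables_rules 2001:db8:1:2::/64 > /etc/iptables/ip6tables.rules
#   ip6tables-restore < /etc/iptables/ip6tables.rules
```

ip6tables-restore skips lines beginning with `#`, so the comments can stay in the saved file. Run `check_ssh_forward_scoped "$(ip6tables-save)"` after loading to confirm no unscoped tcp/22 forward slipped in; the original rule from #5, `-A FORWARD -i net0 -p tcp -m tcp --dport 22 -j ACCEPT`, fails that check.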
