SixXS::Sunset 2017-06-06

ipv6, radv and security
[de] Shadow Hawkins on Tuesday, 18 October 2011 23:01:42
Hi there,

I played a little bit with several router configurations.

a) M0n0wall: works like a charm. Maybe, like SixXS, a Swiss-based product. You really do a great job!

b) Asus RT-N16 (DD-WRT build 19664): tricky to get all the necessary IPv6 bits and bytes from OpenWRT. But at least I got it up & running, including ip6tables!

c) Following a configuration already described in Germany's famous c't (by Heise): "IPv6-Zugang fürs LAN nachrüsten" (retrofitting IPv6 access for the LAN), by Reiko Kaps. I use a DIR-300 in the local LAN; again pretty easy after installing OpenWRT on a DIR-300 A1. The main router is an IPv4-only router and IPv6 is deployed via the LAN switch and WiFi.

My concern and question is: do I now feed my whole WAN neighbourhood (cable provider), which may have IPv6 enabled by default (e.g. Win7), with IPv6 via my WAN port? Because it is so easily transferred via an IPv4-only router over WiFi. And there is no IPv6-ready firewall on the WAN router?

I'll build a test scenario next weekend to prove that. Another proof will be to build an OpenBSD-based IPv6 router. I'm quite sure this will also work like a charm ;->

Regards
Thomas
ipv6, radv and security
[ch] Jeroen Massar SixXS Staff on Wednesday, 19 October 2011 09:03:32
a) M0n0wall: works like a charm. Maybe, like SixXS, a Swiss-based product. You really do a great job!
SixXS is originally Dutch, but through coincidences both Pim and I ended up moving here ;)
The main router is an IPv4-only router and IPv6 is deployed via the LAN switch and WiFi.
What kind of device is this "main router", and why can't it do IPv6?
My concern and question is: do I now feed my whole WAN neighbourhood (cable provider), which may have IPv6 enabled by default (e.g. Win7), with IPv6 via my WAN port? Because it is so easily transferred via an IPv4-only router over WiFi. And there is no IPv6-ready firewall on the WAN router?
WAN == Wide Area Network, which normally is "The Internet" (or a company VPN with remote locations). You really do not want to provide IPv6 to them. I guess I don't completely understand your sentence though, can you rephrase it?
ipv6, radv and security
[de] Shadow Hawkins on Thursday, 20 October 2011 22:13:23
This is my current configuration.
                                                   2001:db8:ad9::2
                                                   radv: 2001:db8:ad9::/64
                                  DIR-600                        DIR-300
                                 ________                       ________
  (          )   ___________    |        |<===================>|        |
  ( internet )==>|Cable Modem|==>|  ipv4  |                     |  ipv6  |
  (          )   -----------    |  dhcp  |=====>(LAN)           |        |
                                |________|   10.x.1.0/24        |________|
                                             2001:db8:ad9::/64       |
                                                                     | SixXS tunnel
                                                                     |
                                                            (  IPv6   )==>'
                                                            (internet )

The tunnel endpoint is the WAN port of the DIR-300, using a fixed LAN IP address. As described, I'm using a DIR-600 with DD-WRT (no IPv6 support). IPv6 is propagated into the LAN and WLAN of the DIR-600.

My question: do I propagate IPv6 via the DIR-600 into the cable subnet? I'm using ip6tables on the DIR-300, but there is only iptables (IPv4) in the DIR-600. I expect that everything may work via the built-in DIR-600 switch; I don't expect that IPv6 will be propagated through WLAN. Maybe it's a hidden feature of DD-WRT's Linux kernel. If so, maybe I am now propagating IPv6 into my cable provider's WAN subnet?

I'm involved in IT security and IMHO an IPv6 firewall is something we have to consider seriously. I'll build a test lab over the weekend.

Happy IPv6'ing
Thomas
ipv6, radv and security
[ch] Jeroen Massar SixXS Staff on Thursday, 20 October 2011 22:17:14
"radv: 2001:db8:ad9::/64" If that is supposed to be the tunnel prefix, then it won't work. You need a subnet (either a /56 or /48) and take a /64 out of that to announce on the local network.
My question: do I propagate IPv6 via the DIR-600 into the cable subnet?
What do you mean with 'propagate'? If that DIR-600 does not support IPv6 it won't be able to do anything with it as it is acting as a NAT and will thus happily ignore IPv6 packets.
I'm involved in IT security and IMHO an IPv6 firewall is something we have to consider seriously.
In the above picture you would deploy the firewall on the DIR-300 as that is the router handling IPv6 packets. The DIR-600 has nothing to do with IPv6.
ipv6, radvd and security
[de] Shadow Hawkins on Thursday, 27 October 2011 19:17:49
Thanks for updating my ASCII paintings. You are correct, IPv6 doesn't work behind the NATed WAN interface (on the hot = Internet side of the router). I was just wondering why IPv6 worked perfectly via my wireless connection on a DIR-600 / DI-524 (simply switched). Both routers haven't a clue about IPv6. I expected it on the switched LAN ports but never on the WiFi connection. And for that reason I want to prove it.

The only issue running IPv6 on e.g. a DIR-300 (A1) or on an RT-N16 is the fact that installing OpenWRT on a DIR-300 is cumbersome for non-experienced users (I tested DD-WRT on that device before!). And the DD-WRT implementation is still much more complex; you have to leverage from OpenWRT. At least my preferred solution is still M0n0wall (v1.33 on ALIX/WRAP) or finally OpenBSD. When it comes to security, M0n0wall works out of the box and OpenBSD pf is your friend.

Thomas
ipv6, radvd and security
[ch] Jeroen Massar SixXS Staff on Thursday, 27 October 2011 20:27:00
I was just wondering why IPv6 worked perfectly via my wireless connection on a DIR-600 / DI-524 (simply switched).
As long as they switch full Ethernet and properly support multicast (on the Ethernet level), then all should be fine. (There are some switches in existence that don't handle multicast properly, which thus automatically breaks IPv6.)
ipv6, radv and security
[de] Shadow Hawkins on Thursday, 20 October 2011 20:31:10
Looks like my ASCII painting shrank ;-<
ipv6, radv and security
[ch] Jeroen Massar SixXS Staff on Thursday, 20 October 2011 22:14:02
That is why there is this [ code ] option: then the font is a monospace type instead of the variable-width one that is normally used on websites. I've applied it so that the ASCII is visible again and fixed it up quite a bit, as it was battered in several places, and made it 2001:db8::/32 address space; documentation prefixes are there for a reason.
ipv6, radv and security
[at] Shadow Hawkins on Tuesday, 01 November 2011 17:30:08
Hello Thomas,
b) Asus RT-N16 (DD-WRT build 19664): tricky to get all the necessary IPv6 bits and bytes from OpenWRT. But at least I got it up & running, including ip6tables!
Can you send me your ip6tables setup for DD-WRT/OpenWRT, please? I still have troubles with this on my WRT54GL running OpenWRT. Greetings from Vienna, Hannes
ipv6, radv and security
[ch] Jeroen Massar SixXS Staff on Tuesday, 01 November 2011 17:32:11
As ip(6)tables is a generic Linux thing, you could also specify what kind of troubles you have, including the current ruleset you are employing, as likely a lot of other people can help with that then.
ipv6, radv and security
[at] Shadow Hawkins on Wednesday, 02 November 2011 10:44:44
Hello,

The generic Linux ip6tables stuff is working for me on another tunnel endpoint based on Debian Linux. There are also many FAQs on the web covering this topic. I have troubles with the OpenWRT-specific commands to set up ip6tables. None of the guides and configurations I found in OpenWRT or DD-WRT forums/FAQs work for me. The result is always the same: after entering all commands the firewall blocks everything. It seems that I miss something very special, or there is a general problem with the OpenWRT version I use due to kernel 2.4:

Backfire (r24038)
Linux OpenWrt 2.4.37.9 #3 Fri Nov 19 21:09:13 PST 2010 mips GNU/Linux

So my hope is that Thomas can share his working ip6tables with me. Maybe it works for me too. Right now I have no firewall on OpenWRT and hope that the Windows firewall has no IPv6 bugs.

Best regards
Hannes
ipv6, radv and security
[ch] Jeroen Massar SixXS Staff on Wednesday, 02 November 2011 11:02:49
2.4 and IPv6 was never a nice combination, and it does not do a lot of the IPv6 firewalling that is likely wanted (e.g. connection tracking); I would suggest switching to 2.6 where possible. Of course, you could check 'ip6tables -v --list -n --line-numbers' to see which rules are really active on the host.
Right now I have no firewall on OpenWRT and hope that the Windows firewall has no IPv6 bugs.
Putting the firewall on the host has an advantage, as the local host has a lot more information than an intermediary firewall. Firewalls are not the end of it all though, as you are only filtering out stuff you know you don't want. It is better to make sure that nothing is listening on any addresses that you don't want listening. But that of course all comes down to why one has a firewall.
ipv6, radv and security
[at] Shadow Hawkins on Wednesday, 02 November 2011 15:05:42
Hello,

I'll try to get kernel 2.6 on my Linksys WRT54GL. I need to check if OpenWRT with kernel 2.6 fits into the memory (DD-WRT did not). A firewall without working connection tracking is no fun. For now I blame this as the cause of my problems. My firewall philosophy for that small home LAN is to have the local hosts open and not let unwanted traffic come into the network.

Hannes
ipv6, radvd and security
[de] Shadow Hawkins on Wednesday, 09 November 2011 23:52:00
Hi Hannes,

no problem at all. Sorry, I was busy the last few days. This is for OpenWRT (on a DIR-300, but already proven on ALIX / WRAP). If you use /etc/init.d/firewall it is important that you disable the automatic IPv6 launch in the default firewall. Therefore keep
option disable_ipv6 1
in /etc/config/firewall. Otherwise the IPv6 options are enabled and these options don't work. I haven't a clue why, because I'm looking for the correct UCI configuration for OpenWRT. Save this as your /etc/firewall.user script (change the IPv6 prefix to yours and check your LAN device).

#!/bin/sh
# simple-ipv6-firewall (OpenWRT)

LO=lo
WAN=sixxs                      # tunnel interface (for sixxs)
LAN=eth0.2                     # check your LAN device
PREFIX="2001:your:pref::/64"   # the /64 announced on the LAN

# Delete everything
ip6tables -F
ip6tables -X

# Filter all packets that have RH0 headers
# (first, so that no ACCEPT rule below lets them through)
ip6tables -A INPUT   -m rt --rt-type 0 -j DROP
ip6tables -A FORWARD -m rt --rt-type 0 -j DROP
ip6tables -A OUTPUT  -m rt --rt-type 0 -j DROP

# Allow anything on the loopback interface
ip6tables -A INPUT  -i $LO -j ACCEPT
ip6tables -A OUTPUT -o $LO -j ACCEPT

# Allow anything out on the internet, and the replies to it back in
ip6tables -A OUTPUT -o $WAN -j ACCEPT
ip6tables -A INPUT  -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow the local net to access us
ip6tables -A INPUT  -i $LAN -j ACCEPT
ip6tables -A OUTPUT -o $LAN -j ACCEPT

# Allow link-local addresses
ip6tables -A INPUT  -s fe80::/10 -j ACCEPT
ip6tables -A OUTPUT -s fe80::/10 -j ACCEPT

# Allow multicast (multicast is always a destination, so match on -d)
ip6tables -A INPUT  -d ff00::/8 -j ACCEPT
ip6tables -A OUTPUT -d ff00::/8 -j ACCEPT

# Allow ICMPv6 everywhere (neighbour discovery, RA, PMTUD);
# echo requests are rate-limited and dropped above the limit
ip6tables -A INPUT   -p icmpv6 --icmpv6-type echo-request -m limit --limit 5/s -j ACCEPT
ip6tables -A INPUT   -p icmpv6 --icmpv6-type echo-request -j DROP
ip6tables -A INPUT   -p icmpv6 -j ACCEPT
ip6tables -A OUTPUT  -p icmpv6 -j ACCEPT
ip6tables -A FORWARD -p icmpv6 -j ACCEPT

# See
# http://linuxtopia.org/online_books/network_administration_guides/Linux+IPv6-HO

## SSH in (uncomment to open port 22 on one local host; must come before the --syn DROP)
# ip6tables -A FORWARD -i $WAN -p tcp -d 2001:your:ipv6:local --dport 22 -j ACCEPT

# Block new TCP connections from the tunnel to the router itself ...
ip6tables -A INPUT   -i $WAN -p tcp --syn -j DROP
# ... and to the IPv6 local LAN
ip6tables -A FORWARD -i $WAN -p tcp --syn -j DROP

# Allow forwarding: new connections from our prefix out, established traffic both ways
ip6tables -A FORWARD -m state --state NEW -i $LAN -o $WAN -s $PREFIX -j ACCEPT
ip6tables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

# Log what falls through to the default policy (uncomment to debug)
#ip6tables -A INPUT   -j LOG --log-prefix "IPv6-INPUT:"
#ip6tables -A FORWARD -j LOG --log-prefix "IPv6-FORWARD:"
#ip6tables -A OUTPUT  -j LOG --log-prefix "IPv6-OUTPUT:"

# Default drops
ip6tables -P INPUT   DROP
ip6tables -P FORWARD DROP
ip6tables -P OUTPUT  DROP

You may launch it manually to test it. This is still beta but works fine on my OpenWRT. It also works on my DD-WRT, but you have to load the modules manually and install ip6tables etc. on an external jffs USB stick. Hope that solves your issue. Thomas
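For the UCI equivalent Thomas says he could not find: on OpenWrt releases that ship firewall3 (Attitude Adjustment 12.09 and later, not the Backfire build discussed in this thread) the same policy is expressed in /etc/config/firewall and the generated ip6tables rules replace the firewall.user script. The fragment below is an added example written for this page, not configuration from the thread or OpenWrt's shipped defaults verbatim (the ICMPv6 rules follow the shape of the upstream defaults). It assumes the SixXS tunnel is defined as a network named 'sixxs' in /etc/config/network and that the LAN is the default 'lan' network; the 2001:db8:ad9::10 host address is a placeholder.

```uci
# /etc/config/firewall (firewall3 syntax). Note disable_ipv6 stays 0 here:
# firewall3 generates the ip6tables rules itself, which is the opposite of
# the Backfire workaround (disable_ipv6 1 plus a hand-written firewall.user).

config defaults
	option syn_flood	1
	option input		ACCEPT
	option output		ACCEPT
	option forward		REJECT
	option disable_ipv6	0

config zone
	option name		lan
	list   network		'lan'
	option input		ACCEPT
	option output		ACCEPT
	option forward		ACCEPT

# Assumed: the tunnel interface is the network named 'sixxs'.
config zone
	option name		wan6
	list   network		'sixxs'
	option input		REJECT
	option output		ACCEPT
	option forward		REJECT
	option family		ipv6
	# clamp TCP MSS to the tunnel MTU so PMTUD problems do not stall sessions
	option mtu_fix		1

config forwarding
	option src		lan
	option dest		wan6

# ICMPv6 must pass or neighbour discovery, router advertisements and
# Packet Too Big (PMTUD) break. Rate-limited, and only the needed types.
config rule
	option name		Allow-ICMPv6-Input
	option src		wan6
	option proto		icmp
	list icmp_type		echo-request
	list icmp_type		echo-reply
	list icmp_type		destination-unreachable
	list icmp_type		packet-too-big
	list icmp_type		time-exceeded
	list icmp_type		bad-header
	list icmp_type		unknown-header-type
	list icmp_type		router-solicitation
	list icmp_type		neighbour-solicitation
	list icmp_type		router-advertisement
	list icmp_type		neighbour-advertisement
	option limit		1000/sec
	option family		ipv6
	option target		ACCEPT

config rule
	option name		Allow-ICMPv6-Forward
	option src		wan6
	option dest		*
	option proto		icmp
	list icmp_type		echo-request
	list icmp_type		echo-reply
	list icmp_type		destination-unreachable
	list icmp_type		packet-too-big
	list icmp_type		time-exceeded
	option limit		1000/sec
	option family		ipv6
	option target		ACCEPT

# Equivalent of the commented-out "SSH in" line in the script above.
# Placeholder host address; replace with the real one from your prefix.
config rule
	option name		Allow-SSH-to-host
	option src		wan6
	option dest		lan
	option dest_ip		2001:db8:ad9::10
	option dest_port	22
	option proto		tcp
	option family		ipv6
	option target		ACCEPT
```

After editing, `/etc/init.d/firewall restart` regenerates the rules; `ip6tables -v --list -n --line-numbers`, as suggested earlier in the thread, shows what actually got loaded.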
ipv6, radvd and security
[at] Shadow Hawkins on Tuesday, 15 November 2011 22:27:34
Hello Thomas,

Thank you; I upgraded to /backfire/10.03.1-rc5/brcm47xx/. ip6tables works now. I use your script and everything looks good after quick tests. Need to do some more tests to be sure. Only WLAN is broken, but this is not a topic for this forum.

Thanks, Hannes
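The "quick tests" above and the earlier suggestion to inspect the live ruleset with `ip6tables -v --list -n --line-numbers` can be made systematic. The script below is an added example for this page, not code from SixXS, OpenWrt or either poster: it parses the `ip6tables -S` (iptables-save style) listing and checks for the IPv6-specific mistakes a ruleset like the one posted can contain, namely no ICMPv6 ACCEPT in front of a DROP policy, no ESTABLISHED,RELATED ACCEPT on INPUT (so the router's own outbound connections never see replies), a multicast range used as a source (which never matches, multicast is only ever a destination) and an RH0 DROP placed after ACCEPT rules that already let packets through. The two dumps are constructed for the example, the first resembling the posted script as loaded (note that `-I` rules end up at the top), the second the same policy with those points corrected.

```python
"""Audit an `ip6tables -S` dump for the IPv6 pitfalls discussed in this thread.

Added example, not code from SixXS, OpenWrt or the posters. Runs offline on
constructed dumps; on a router you would feed it real `ip6tables -S` output.
"""
import ipaddress
import shlex
from typing import Dict, List, Optional, Tuple

Finding = Tuple[str, str]          # (chain, message)
ICMPV6 = {"ipv6-icmp", "icmpv6", "58"}

# Constructed: roughly what `ip6tables -S` prints after a script like the one
# posted above is loaded (-I rules land at the top, so this is not script order).
WEAK_DUMP = """\
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT DROP
-A INPUT -i sixxs -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j DROP
-A INPUT -p ipv6-icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0.2 -j ACCEPT
-A INPUT -m rt --rt-type 0 -j DROP
-A INPUT -s fe80::/10 -j ACCEPT
-A INPUT -s ff00::/8 -j ACCEPT
-A FORWARD -p ipv6-icmp -j ACCEPT
-A FORWARD -m rt --rt-type 0 -j DROP
-A FORWARD -s 2001:db8:ad9::/64 -i eth0.2 -o sixxs -m state --state NEW -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -s ff00::/8 -j ACCEPT
"""

# Constructed: the same policy with the findings below corrected.
FIXED_DUMP = """\
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-A INPUT -m rt --rt-type 0 -j DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -p ipv6-icmp -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0.2 -j ACCEPT
-A INPUT -d ff00::/8 -j ACCEPT
-A FORWARD -m rt --rt-type 0 -j DROP
-A FORWARD -p ipv6-icmp -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 2001:db8:ad9::/64 -i eth0.2 -o sixxs -m state --state NEW -j ACCEPT
"""


def parse_dump(text: str) -> Tuple[Dict[str, str], Dict[str, List[List[str]]]]:
    """Return ({chain: policy}, {chain: [rule tokens, in evaluation order]})."""
    policies: Dict[str, str] = {}
    rules: Dict[str, List[List[str]]] = {}
    for line in text.splitlines():
        tok = shlex.split(line)
        if not tok:
            continue
        if tok[0] == "-P":
            policies[tok[1]] = tok[2]
            rules.setdefault(tok[1], [])
        elif tok[0] == "-A":
            rules.setdefault(tok[1], []).append(tok[2:])
    return policies, rules


def opt(rule: List[str], name: str) -> Optional[str]:
    """Value of option `name`, or None when absent or negated with '!'."""
    for i in range(len(rule) - 1):
        if rule[i] == name and (i == 0 or rule[i - 1] != "!"):
            return rule[i + 1]
    return None


def audit(text: str) -> List[Finding]:
    policies, rules = parse_dump(text)
    out: List[Finding] = []
    for chain, rs in rules.items():
        closed = policies.get(chain) in ("DROP", "REJECT")
        accepts = [i for i, r in enumerate(rs) if opt(r, "-j") == "ACCEPT"]
        if closed and chain in ("INPUT", "FORWARD"):
            # Without ICMPv6, neighbour discovery, RA and Packet Too Big (PMTUD) die.
            if not any(opt(rs[i], "-p") in ICMPV6 for i in accepts):
                out.append((chain, "no ICMPv6 ACCEPT before DROP policy"))
        if closed and chain == "INPUT":
            # Replies to the router's own connections need a stateful ACCEPT.
            states = [(opt(rs[i], "--state") or opt(rs[i], "--ctstate") or "") for i in accepts]
            if not any("ESTABLISHED" in s for s in states):
                out.append((chain, "no ESTABLISHED,RELATED ACCEPT on INPUT"))
        for i, r in enumerate(rs):
            src = opt(r, "-s")
            # Multicast only ever appears as a destination; -s ff00::/8 never matches.
            if src and ipaddress.ip_network(src, strict=False).is_multicast:
                out.append((chain, f"rule {i + 1}: -s {src} never matches, use -d"))
        # An RH0 DROP only helps if no ACCEPT rule is evaluated before it.
        rh0 = [i for i, r in enumerate(rs) if opt(r, "--rt-type") == "0" and opt(r, "-j") == "DROP"]
        if rh0 and any(i < rh0[0] for i in accepts):
            out.append((chain, f"RH0 DROP at rule {rh0[0] + 1} comes after ACCEPT rules"))
    return out


if __name__ == "__main__":
    for name, dump in (("weak", WEAK_DUMP), ("fixed", FIXED_DUMP)):
        print(name, audit(dump) or "clean")
```

On the router itself the same checks run against the live tables with `ip6tables -S | python3 audit.py` once `audit()` is pointed at `sys.stdin.read()`; the rule numbers in the findings line up with `ip6tables --list -n --line-numbers`.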


Static Sunset Edition of SixXS
©2001-2017 SixXS - IPv6 Deployment & Tunnel Broker