SixXS::Sunset 2017-06-06

Firewall question
[ca] Carmen Sandiego on Thursday, 01 December 2011 23:08:43
Greetings, I'm just dipping my toe into IPv6. I'm an experienced Linux and UNIX administrator but have never worked with IPv6 before. I'd like to set up a static tunnel on a Debian 6 host. The host is running a PPPoE Internet connection with a static IP (v4). The firewall denies inbound and outbound traffic. I'm trying to understand how to alter the firewall before I set up a tunnel. I think it will look something like this:
# inbound
# IPV6 tunnel
$IPTABLES -A in -i sixxs -p 41 -s $POP -j ACCEPT
/usr/sbin/ip6tables -p icmp6 --icmp-type 0 -i sixxs -s $POP -j ACCEPT
# outbound
# IPV6 tunnel
$IPTABLES -A out -o sixxs -p tcp -d 94.75.219.73,213.204.193.2 --dport 3874 -j ACCEPT
$IPTABLES -A out -o sixxs -p udp -d $POP --dport 3740
$IPTABLES -A out -o sixxs -p 41 -d $POP -j ACCEPT
$POP would be the remote tunnel endpoint IPv4 address. sixxs is the interface where the tunnel terminates on the local host. Are these rules correct? Also, once the tunnel is up, will I also need ip6tables rules to govern tunnel traffic?
Firewall question
[ch] Jeroen Massar SixXS Staff on Friday, 02 December 2011 00:31:03
> I'd like to set up a static tunnel on a Debian 6 host.
See Linux - Debian for doing that, which thus means you don't need AICCU.
> # inbound
> # IPV6 tunnel
> $IPTABLES -A in -i sixxs -p 41 -s $POP -j ACCEPT
That is for proto-41 thus you will need that. Do also make sure that you are not tracking proto41 packets as per the FAQ: Connection Tracker item.
> /usr/sbin/ip6tables -p icmp6 --icmp-type 0 -i sixxs -s $POP -j ACCEPT
You really want to add a lot more ICMP than that, as otherwise you end up getting stomped in an ICMP blackhole. As such, read up on what ICMP actually is used for, or just accept packets for it. Note for instance that "ICMPv6 Packet Too Big" packets can come from anywhere on the Internet, and there are a number of other very useful ICMP messages. See also RFC4890 if you are really inclined to filter every single bit.
> # outbound
> # IPV6 tunnel
> $IPTABLES -A out -o sixxs -p tcp -d 94.75.219.73,213.204.193.2 --dport 3874 -j ACCEPT
Looks like you are trying to filter TIC traffic towards tic.sixxs.net, which is a DNS label so that we can change them when needed; as you hard-code IP addresses there though, this will break if we would. Fortunately, as you are using a static tunnel, you don't need TIC and thus can ignore this. Note also that it does not seem you have an allow rule for inbound traffic if you would have this. Or do you add an established rule later, which would completely defeat closing your firewall this way?
> $IPTABLES -A out -o sixxs -p udp -d $POP --dport 3740
Port 3740 is AYIYA; you don't need that for proto-41 tunnels.
> $IPTABLES -A out -o sixxs -p 41 -d $POP -j ACCEPT
That is proto-41; that is the one you need.
> Also, once the tunnel is up will I also need ip6tables rules to govern tunnel traffic?
You likely mean to firewall the traffic that comes through the tunnel. If you want to firewall that, then yes. And when you do want to have this default DROP behavior, do make sure that you have a LOG rule which logs what is being dropped and do read those logs as you will be in for a lot of surprises. But instead of only allowing packets that you think are right, a better idea is to have nothing running that can actually generate packets.... but YMMV and it is your network that you are breaking/making difficult to use properly.
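The advice above (accept only proto-41 from the PoP, keep it out of the connection tracker, let the RFC 4890 ICMPv6 messages through, and log what a default DROP policy discards) as an added example that is not from the thread or from SixXS. It generates iptables-restore / ip6tables-restore rulesets; WANIF, TUNIF and the PoP address are assumed placeholders, and the standard INPUT/OUTPUT chains are used instead of the question's "in"/"out" chains.

```shell
#!/bin/sh
# Added example: ruleset generator for a static proto-41 tunnel on a
# host with a default-DROP firewall. Not from the thread. Output is in
# iptables-restore / ip6tables-restore format; review it before loading.
# Assumed names: WANIF (uplink carrying the proto-41 packets), TUNIF
# (the tunnel interface), POP (constructed placeholder PoP IPv4 address).
WANIF="${WANIF:-ppp0}"
TUNIF="${TUNIF:-sixxs}"
POP="${POP:-192.0.2.1}"     # constructed placeholder, not a real PoP

# IPv4 side. Proto-41 is matched on the uplink interface: the tunnel
# interface only ever sees the decapsulated IPv6 packets. The raw-table
# NOTRACK rules keep the connection tracker out of proto-41 entirely.
v4_rules() {
    cat <<EOF
*raw
-A PREROUTING -i $WANIF -p 41 -s $POP -j NOTRACK
-A OUTPUT -o $WANIF -p 41 -d $POP -j NOTRACK
COMMIT
*filter
-A INPUT -i $WANIF -p 41 -s $POP -j ACCEPT
-A OUTPUT -o $WANIF -p 41 -d $POP -j ACCEPT
COMMIT
EOF
}

# ICMPv6 types that RFC 4890 says must (4.3.1) or should (4.3.2, 4.4)
# not be dropped; filtering these is what causes the "ICMP blackhole".
# No source restriction: Packet Too Big can come from any router on path.
ICMP6_ALLOW="destination-unreachable packet-too-big time-exceeded \
parameter-problem echo-request echo-reply router-solicitation \
router-advertisement neighbour-solicitation neighbour-advertisement"

# IPv6 side: default DROP on INPUT/FORWARD, stateful return traffic,
# ICMPv6 allowed, and a rate-limited LOG rule so drops are visible.
v6_rules() {
    echo '*filter'
    echo ':INPUT DROP [0:0]'
    echo ':FORWARD DROP [0:0]'
    echo ':OUTPUT ACCEPT [0:0]'
    echo '-A INPUT -i lo -j ACCEPT'
    echo '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
    for t in $ICMP6_ALLOW; do
        echo "-A INPUT -p icmpv6 --icmpv6-type $t -j ACCEPT"
    done
    echo '-A INPUT -m limit --limit 5/min -j LOG --log-prefix "ip6-drop: "'
    echo 'COMMIT'
}
# Load with: v4_rules | iptables-restore -n ; v6_rules | ip6tables-restore -n
```

The `-n` (noflush) flag appends to the rules already loaded, so the host's existing IPv4 policy stays in place; the TUNIF variable is kept for rules on decapsulated traffic you may want to add per interface.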
Firewall question
[ch] Shadow Hawkins on Friday, 02 December 2011 14:48:31
Hi Neil, I posted my Linux firewall script a few months ago for easy reference. My setup for IPv4 is different to yours as I use AICCU and you don't (as Jeroen has pointed out). For IPv6 firewalling, your setup is similar to mine. I decided to let ICMPv6 pass freely (because there are a lot of ICMPv6 messages you absolutely need for proper working and I prefer simplicity) and limited TCP/UDP traffic to be outbound (or related) only.
Nicolas


Static Sunset Edition of SixXS
©2001-2017 SixXS - IPv6 Deployment & Tunnel Broker