Need help with ip6tables rules
Carmen Sandiego on Sunday, 05 February 2012 16:56:18
Hello everyone - I am working on setting up a new server. One of the services it will run is Privoxy. I am having a problem getting Privoxy to forward IPv6 requests through the SIXXS tunnel. Through elimination I have determined that the problem is in the ip6tables rules. Can someone help me figure out what rules I need?
First, a few basic facts:
1) My old server runs Privoxy and works perfectly with IPv6 destinations. Note that the old server does NOT have any IPv6 forwarding configured on it. ip6tables is not running on the old server, which is CentOS 5.7.
2) My new server is running both Privoxy and aiccu/radvd on CentOS 6.2.
3) ping6 works correctly from both servers and from all workstations.
4) On any workstation, any operating system, any browser - if I configure the browser for either no proxy server or to use the old server as a proxy, then IPv6 sites work. It only fails when I configure the browser to use the new server as a proxy.
In other words, privoxy works fine as long as it is not running on the aiccu machine.
5) If I stop the ip6tables service on the new server, then it will work as a proxy for IPv6 sites.
Here is the script I use to set the ip6tables rules. I don't understand a lot of this. The IPv6 subnet in the first forwarding rule is obfuscated.
# First, delete all:
ip6tables -F
ip6tables -X
# Allow anything on the local link
ip6tables -A INPUT -i lo -j ACCEPT
ip6tables -A OUTPUT -o lo -j ACCEPT
# Allow anything out on the internet
ip6tables -A OUTPUT -o sixxs -j ACCEPT
# Allow the localnet access us:
ip6tables -A INPUT -i eth0 -j ACCEPT
ip6tables -A OUTPUT -o eth0 -j ACCEPT
# Filter all packets that have RH0 headers:
ip6tables -A INPUT -m rt --rt-type 0 -j DROP
ip6tables -A FORWARD -m rt --rt-type 0 -j DROP
ip6tables -A OUTPUT -m rt --rt-type 0 -j DROP
# Allow Link-Local addresses
ip6tables -A INPUT -s fe80::/10 -j ACCEPT
ip6tables -A OUTPUT -s fe80::/10 -j ACCEPT
# Allow multicast
ip6tables -A INPUT -s ff00::/8 -j ACCEPT
ip6tables -A OUTPUT -s ff00::/8 -j ACCEPT
# Allow ICMPv6 everywhere
ip6tables -I INPUT -p icmpv6 -j ACCEPT
ip6tables -I OUTPUT -p icmpv6 -j ACCEPT
ip6tables -I FORWARD -p icmpv6 -j ACCEPT
# Allow forwarding
ip6tables -A FORWARD -m state --state NEW -i eth0 -o sixxs -s 2001:df8:ffff::/48 -j ACCEPT
ip6tables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# SSH in
# ip6tables -A FORWARD -i sixxs -p tcp -d <subnet-prefix>::5 --dport 22 -j ACCEPT
# Bittorrent
# ip6tables -A FORWARD -i sixxs -p tcp -d <subnet-prefix>::5 --dport 33600:33604 -j ACCEPT
# Set the default policy
ip6tables -P INPUT DROP
ip6tables -P FORWARD DROP
ip6tables -P OUTPUT DROP
Here is what I get from "ip6tables -nv --list":
Chain INPUT (policy DROP 49 packets, 3920 bytes)
pkts bytes target prot opt in out source destination
83 7336 ACCEPT icmpv6 * * ::/0 ::/0
0 0 ACCEPT all lo * ::/0 ::/0
293 28539 ACCEPT all eth0 * ::/0 ::/0
0 0 DROP all * * ::/0 ::/0 rt type:0
0 0 ACCEPT all * * fe80::/10 ::/0
0 0 ACCEPT all * * ff00::/8 ::/0
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT icmpv6 * * ::/0 ::/0
0 0 ACCEPT all lo sixxs ::/0 ::/0
0 0 DROP all * * ::/0 ::/0 rt type:0
102 8160 ACCEPT all eth0 sixxs 2001:df8:ffff::/48 ::/0 state NEW
2112 853K ACCEPT all * * ::/0 ::/0 state RELATED,ESTABLISHED
Chain OUTPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
83 7440 ACCEPT icmpv6 * * ::/0 ::/0
0 0 ACCEPT all * lo ::/0 ::/0
17 1360 ACCEPT all * sixxs ::/0 ::/0
168 41255 ACCEPT all * eth0 ::/0 ::/0
0 0 DROP all * * ::/0 ::/0 rt type:0
0 0 ACCEPT all * * fe80::/10 ::/0
0 0 ACCEPT all * * ff00::/8 ::/0
One thing that looks odd to me here is the "DROP" rules in the middle. Shouldn't they be at the end of the chain?
I suspect I need something that will forward stuff from the lo interface as well as from eth0. I tried duplicating the first forward rule using "-i lo", but it did not work.
Eventually this server will run other services that need access to the public Internet. Postfix and ntp come to mind, and there may be others.
Thanks - Bill Gee
Need help with ip6tables rules
Shadow Hawkins on Monday, 06 February 2012 10:53:05
Hi Bill,
I believe it is a bit risky trying to use a firewall which you don't really understand.
1) Please try to learn how ip6tables work.
2) What you are missing here: the FORWARD chain is only for packets that come in from an external interface and go out via an external interface (i.e. are "ROUTED"). The OUTPUT chain is for locally originated packets, the INPUT chain is for locally received packets.
3) Privoxy generates packets that will be checked by the OUTPUT chain and receives packets checked by the INPUT chain.
4) While you allow everything locally generated (OUTPUT chain) out of the sixxs interface, you don't allow anything on your INPUT chain. You need to add an "allow everything" rule (or an "ESTABLISHED,RELATED" rule) to your INPUT chain.
5) Adding "LOG" rules at the end of every chain makes it easy to debug your iptables script by checking which packets are dropped in /var/log/kern.log.
WARNING: I take no responsibility whatsoever for the protection you achieve with these firewall settings. It is your decision, your risk.
You can, if you want to, go through the iptables script (combined IPv4/IPv6) which I posted earlier here.
Need help with ip6tables rules
Carmen Sandiego on Tuesday, 07 February 2012 02:22:21
Hi Nicolas -
You are right - it is risky to use something I don't really understand. In this case, though, I understand enough to know that NOT using ip6tables is worse than using it while I learn. In the IPv4 world I have a NAT router providing at least some basic level of protection. Without ip6tables, there would be no protection at all between me and the hostile world. Indeed, one of my big goals in signing up for SIXXS is to learn more about IPv6.
Your note did give me the clue I needed. I added this rule:
ip6tables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
and it works! WooHoo! Evidenced by the fact that I am writing this on a browser working through Privoxy on the new server.
One thing I am struggling with is which chains the traffic from each of the three interfaces goes through. It seems there is not a clear isolation between the three interfaces. At any time traffic from any of the interfaces might go through any of the chains, depending on which way it is going and where it came from.
Your example script has much in it that I will study. I see that Amazon has a book on ipchains that covers both 4 and 6. It's pricy, but $40 might be worth it.
Thanks!
Bill Gee
Need help with ip6tables rules
Shadow Hawkins on Tuesday, 07 February 2012 09:22:19
Hi Bill,
To your question "which chain does a packet go through":
. The ipchains framework does NOT select the chain based on the interface. You can select by interface by explicitly adding -i or -o criteria to your rules.
. The ipchains framework itself only distinguishes between a) packets that should get routed (i.e. come in via an arbitrary interface and are to be sent out via an arbitrary interface), b) packets that are created by a local process (and are to be sent out via an arbitrary interface) and c) packets that (come in via an arbitrary interface and) are to be received by a local process.
a) routed packets: FORWARD chain
b) locally created packets: OUTPUT chain
c) locally received packets: INPUT chain
Hope that helps.
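To make the chain selection described above and the missing INPUT rule from Bill's fix concrete, here is an added example (not code from the thread) that models netfilter's chain choice and first-match evaluation in Python and applies it to the posted ruleset with and without the ESTABLISHED,RELATED rule on INPUT. The interface names follow the posted script; the addresses are constructed from the 2001:db8::/32 documentation prefix, and proto and ICMPv6 rules are left out to keep the model small.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Pkt:
    in_if: Optional[str]    # None: generated by a local process
    out_if: Optional[str]   # None: delivered to a local process
    src: str = ""
    state: str = "NEW"      # conntrack state as ip6tables' "-m state" sees it

@dataclass
class Rule:
    target: str
    in_if: Optional[str] = None
    out_if: Optional[str] = None
    src_prefix: Optional[str] = None
    states: tuple = ()      # empty: no --state criterion
    def matches(self, p: Pkt) -> bool:
        # Criteria left out of a rule match anything, as with ip6tables.
        return ((self.in_if is None or self.in_if == p.in_if)
                and (self.out_if is None or self.out_if == p.out_if)
                and (self.src_prefix is None or p.src.startswith(self.src_prefix))
                and (not self.states or p.state in self.states))

def select_chain(p: Pkt) -> str:
    # Netfilter picks the chain by where a packet comes from and goes to, never by interface.
    if p.in_if is None:
        return "OUTPUT"     # e.g. Privoxy's request leaving via sixxs
    if p.out_if is None:
        return "INPUT"      # e.g. the remote site's reply delivered to Privoxy
    return "FORWARD"        # e.g. a workstation on eth0 routed out via sixxs

def verdict(chains: dict, p: Pkt, policy: str = "DROP") -> tuple:
    # First matching rule wins; with no match the chain's default policy applies.
    chain = select_chain(p)
    for r in chains[chain]:
        if r.matches(p):
            return chain, r.target
    return chain, policy

EST = Rule("ACCEPT", states=("ESTABLISHED", "RELATED"))
# The posted script, reduced to the rules that matter for a TCP proxy connection.
POSTED = {
    "INPUT":   [Rule("ACCEPT", in_if="lo"), Rule("ACCEPT", in_if="eth0")],
    "OUTPUT":  [Rule("ACCEPT", out_if="lo"), Rule("ACCEPT", out_if="sixxs"), Rule("ACCEPT", out_if="eth0")],
    "FORWARD": [Rule("ACCEPT", in_if="eth0", out_if="sixxs", src_prefix="2001:db8:1:", states=("NEW",)), EST],
}
# The fix from the follow-up post: the same ESTABLISHED,RELATED rule appended to INPUT.
FIXED = dict(POSTED, INPUT=POSTED["INPUT"] + [EST])
# Constructed sample packets (2001:db8::/32 is the documentation prefix, standing in for the real subnet).
PRIVOXY_REQUEST = Pkt(in_if=None, out_if="sixxs", src="2001:db8:1::5")
REPLY_TO_PRIVOXY = Pkt(in_if="sixxs", out_if=None, src="2001:db8:ffff::80", state="ESTABLISHED")
```

With POSTED the reply to Privoxy lands in INPUT, matches no rule and hits the DROP policy; with FIXED it is accepted, while an unsolicited NEW packet from the tunnel to a local process is still dropped.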
Need help with ip6tables rules
Shadow Hawkins on Monday, 05 March 2012 15:45:05
Hi, a nice ip6tables script for the end user is available at http://www.dd-wrt.com/phpBB2/viewtopic.php?p=664399
Hint: it offers maximal protection for surfing, it is not meant for servers.
Need help with ip6tables rules
Jeroen Massar on Monday, 05 March 2012 18:20:05
I can't see how this offers "maximum protection for surfing" or anything else for that matter, given that the person who wrote that thing saw the need to filter out specific ICMP packets; folks who do that tend not to know what they are for, and that definitely looks like the case here.
Note that if you want to protect yourself while "surfing", one should use a host-based firewall, as that one knows which connections should exist and which should not.