proper firewalling rules
Carmen Sandiego on Thursday, 03 July 2008 19:02:18
I've been running a static tunnel to my local firewall for a while now, and just recently got a SixXS subnet added to it for my LAN hosts. My traditional IPv4 network has run NAT behind the firewall with some standard iptables rules thrown in. All seems to be working well, but my concern is that my unfamiliarity with both tunneling and IPv6 could inadvertently leave my hosts open to the IPv6 network. I don't want to rely on host-based firewalling alone to prevent issues; I'm much more comfortable using my existing border firewall as the main access control point to the internet.
I'm currently running the following ip6tables rules on my firewall/tunnel endpoint/subnet router. eth0 is the LAN interface.
*filter
# Drop incoming data by default
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
# Accept any traffic from the LAN
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -j ACCEPT
-A FORWARD -i eth0 -j ACCEPT
# Accept all ICMPv6 (including ping) from WAN to router
-A INPUT -p ipv6-icmp -i sixxs -j ACCEPT
# Accept established connections from WAN
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT
This all looks logically sound to me, and as far as I can tell, my LAN and firewall should be protected against any uninitiated incoming traffic. Can someone else verify this configuration? Am I missing anything?
proper firewalling rules
Jeroen Massar on Thursday, 03 July 2008 19:12:29
Looks fine to me if the above is really what you want.
You could even tighten the ping a little bit (though don't block ICMP Packet Too Big and other such messages) by allowing only the PoP endpoint to ping you.
Also one important thing to check is that packets are always sourced from your subnet and nothing else.
And of course, route that subnet /48 to loopback so that packets coming from the Internet don't bounce back up to it. "-A FORWARD -i sixxs -o sixxs -j DROP" does that too I think, but routing it to loopback nicely results in a destination unreachable.
proper firewalling rules
Shadow Hawkins on Saturday, 05 July 2008 13:08:09
> You could even tighten the ping a little bit
"Tighten"? Why would you? ICMP is not a bad protocol or a dangerous one.
> Also one important thing to check is that packets are always sourced from your subnet and nothing else.
How?
proper firewalling rules
Jeroen Massar on Monday, 14 July 2008 12:43:59
Note 'could', which is not 'must'. Some people want to block everything ;)
> Also one important thing to check is that packets are always sourced from your subnet and nothing else.
> How?
# Outbound: only packets sourced from your own prefix may leave via the upstream
ip6tables -A FORWARD -s 2001:db8::/32 -i ethY -o ethX -j ACCEPT
# Inbound: only packets destined to your own prefix may come in from the upstream
ip6tables -A FORWARD -d 2001:db8::/32 -i ethX -o ethY -j ACCEPT
# Everything else (spoofed sources, foreign destinations) is dropped
ip6tables -A FORWARD -j DROP
where ethX is your upstream (tunnel generally) and ethY is your local box.
And next to that, for incoming packets:
ip -6 ro add 2001:db8::/32 dev lo
That way, if a /64 in that block is not used, it will go to 'lo' and thus generate an ICMP Destination Network Unreachable. Which is much better than having the packet being routed back up the interface (which would be blocked with the above ip6tables rules though ;)
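The following script is an added example, not code from this thread or from SixXS. It combines the original poster's ruleset with the advice from both replies above: ICMPv6 error messages (Packet Too Big in particular) stay open while ping is restricted to the PoP endpoint, the FORWARD chain enforces that packets leaving the tunnel carry a source inside the subnet and packets arriving from the tunnel do not, and the whole subnet is routed to lo so unused /64s answer with destination unreachable instead of looping back up the tunnel. The interface names sixxs and eth0 are taken from the original post; the subnet 2001:db8:1::/48 and the PoP address 2001:db8::1 are documentation-prefix placeholders to be replaced with the real values.

```shell
#!/bin/sh
# Added example: IPv6 border firewall for a SixXS tunnel endpoint that also
# routes a /48 to the LAN. Assumed names (not from the thread): WAN=sixxs,
# LAN=eth0, SUBNET=2001:db8:1::/48, POP=2001:db8::1 (all overridable).
# Run with DRY_RUN=1 to print the commands instead of executing them.

WAN=${WAN:-sixxs}
LAN=${LAN:-eth0}
SUBNET=${SUBNET:-2001:db8:1::/48}
POP=${POP:-2001:db8::1}

# Execute a command, or just echo it when DRY_RUN=1 (lets non-root users review it)
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

apply_rules() {
    run ip6tables -F
    run ip6tables -P INPUT DROP
    run ip6tables -P FORWARD DROP
    run ip6tables -P OUTPUT ACCEPT

    # Loopback and the LAN are fully trusted towards the router itself
    run ip6tables -A INPUT -i lo -j ACCEPT
    run ip6tables -A INPUT -i "$LAN" -j ACCEPT

    # Anti-spoofing on the tunnel, evaluated before any ACCEPT:
    #  - nothing arriving from the WAN may claim a source inside our subnet
    #  - nothing leaving via the WAN may carry a source outside our subnet
    #  - nothing may be bounced straight back out the tunnel
    run ip6tables -A INPUT   -i "$WAN" -s "$SUBNET" -j DROP
    run ip6tables -A FORWARD -i "$WAN" -s "$SUBNET" -j DROP
    run ip6tables -A FORWARD -o "$WAN" ! -s "$SUBNET" -j DROP
    run ip6tables -A FORWARD -i "$WAN" -o "$WAN" -j DROP

    # ICMPv6 error messages must get through (path MTU discovery depends on
    # Packet Too Big), both to the router and to the LAN hosts behind it
    for t in destination-unreachable packet-too-big time-exceeded parameter-problem; do
        run ip6tables -A INPUT   -i "$WAN" -p ipv6-icmp --icmpv6-type "$t" -j ACCEPT
        run ip6tables -A FORWARD -i "$WAN" -p ipv6-icmp --icmpv6-type "$t" -j ACCEPT
    done
    # Echo requests to the router only from the PoP endpoint (tunnel liveness checks)
    run ip6tables -A INPUT -i "$WAN" -s "$POP" -p ipv6-icmp --icmpv6-type echo-request -j ACCEPT

    # Replies to connections initiated from the router or the LAN
    run ip6tables -A INPUT   -m state --state RELATED,ESTABLISHED -j ACCEPT
    run ip6tables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT

    # The LAN may initiate anything, as long as it uses its own prefix
    run ip6tables -A FORWARD -i "$LAN" -o "$WAN" -s "$SUBNET" -j ACCEPT

    # Route the whole /48 to lo: the more specific /64 on the LAN interface still
    # wins, and traffic for unused /64s gets an ICMPv6 destination unreachable
    run ip -6 route add "$SUBNET" dev lo
}

case "${1-}" in
    apply) apply_rules ;;
esac
```

Review the generated rules first with `DRY_RUN=1 sh fw6.sh apply`, then run `sh fw6.sh apply` as root; the anti-spoofing DROP rules are placed before every ACCEPT on purpose, so the order must be preserved if rules are added later.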
proper firewalling rules
Shadow Hawkins on Saturday, 05 July 2008 13:07:04
See the section on firewalling in my blog post on IPv6 on Debian, which also applies to non-Debian systems.