ip6tables: IPv6 Firewall For Linux

Q. IPv4 by default protect internal host using RFC 1918 private IP address. But IPv6 offers direct global address which result into exposing all internal hosts as well. How do I create default IPv6 firewall to drop all incoming (except ping6 request) connection and only allow outgoing requests from Linux workstation?

A. You need to use Ip6tables command to create IPv6 firewall scripts. Ip6tables is used to set up, maintain, and inspect the tables of IPv6 packet filter rules in the Linux kernel.

A note about IPv6 private ips

IPv6 does not include private network features such as NAT. Because of the very large number of IPv6 addresses. However, FC00::/7 prefix used to identify Local IPv6 unicast addresses. All IPv6 users should be able to obtain IPv6 address space for use at their discretion and without artificial barriers between their network and the Internet.

Redhat / CentOS / Fedora Linux Specific Configuration

The /etc/sysconfig/ip6tables can be used to configure and open ports, the default config is as follows:

*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -i eth0 -j ACCEPT
-A RH-Firewall-1-INPUT -i br0 -j ACCEPT
-A RH-Firewall-1-INPUT -p icmpv6 -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d ff02::fb -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 32768:61000 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 32768:61000 ! --syn -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp6-adm-prohibited
COMMIT

To open port tcp and udp port 53 add the following line before final --reject-with icmp6-adm-prohibited line:

# open port 22
-A RH-Firewall-1-INPUT -m tcp -p tcp --dport 22 -j ACCEPT

At the end it should look as follows to which will open IPv6 port numbers, 53, 22, 25, 80, 110, and 443:

 
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -i eth0 -j ACCEPT
-A RH-Firewall-1-INPUT -i br0 -j ACCEPT
-A RH-Firewall-1-INPUT -p icmpv6 -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d ff02::fb -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 32768:61000 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 32768:61000 ! --syn -j ACCEPT
 
# open port 53
-A RH-Firewall-1-INPUT -m tcp -p tcp --dport 53 -j ACCEPT
-A RH-Firewall-1-INPUT -m udp -p udp --dport 53 -j ACCEPT
 
# open port 22
-A RH-Firewall-1-INPUT -m tcp -p tcp --dport 22 -j ACCEPT
 
# open mail server ports smtp, pop3, and imap
-A RH-Firewall-1-INPUT -m tcp -p tcp --dport 25 -j ACCEPT
-A RH-Firewall-1-INPUT -m tcp -p tcp --dport 110 -j ACCEPT
-A RH-Firewall-1-INPUT -m tcp -p tcp --dport 143 -j ACCEPT
 
# open port 80 & 443
-A RH-Firewall-1-INPUT -m tcp -p tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -m tcp -p tcp --dport 443 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp6-adm-prohibited
COMMIT
 

Save and close the file. Now, you can restart firewall as follows:
# service ip6tables restart
# ip6tables -L -v -n

Sample Restricted IPv6 Linux Firewall Script

#!/bin/bash
IPT6="/sbin/ip6tables"
PUBIF="eth1"
echo "Starting IPv6 firewall..."
$IPT6 -F
$IPT6 -X
$IPT6 -t mangle -F
$IPT6 -t mangle -X
 
#unlimited access to loopback
$IPT6 -A INPUT -i lo -j ACCEPT
$IPT6 -A OUTPUT -o lo -j ACCEPT
 
# DROP all incomming traffic
$IPT6 -P INPUT DROP
$IPT6 -P OUTPUT DROP
$IPT6 -P FORWARD DROP
 
# Allow full outgoing connection but no incomming stuff
$IPT6 -A INPUT -i $PUBIF -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT6 -A OUTPUT -o $PUBIF -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
 
# allow incoming ICMP ping pong stuff
$IPT6 -A INPUT -i $PUBIF -p ipv6-icmp -j ACCEPT
$IPT6 -A OUTPUT -o $PUBIF -p ipv6-icmp -j ACCEPT
 
############# add your custom rules below ############
### open IPv6  port 80
#$IPT6 -A INPUT -i $PUBIF -p tcp --destination-port 80 -j ACCEPT
### open IPv6  port 22
#$IPT6 -A INPUT -i $PUBIF -p tcp --destination-port 22 -j ACCEPT
### open IPv6  port 25
#$IPT6 -A INPUT -i $PUBIF -p tcp --destination-port 25 -j ACCEPT
############ End custom rules ################
 
#### no need to edit below ###
# log everything else
$IPT6 -A INPUT -i $PUBIF -j LOG
$IPT6 -A INPUT -i $PUBIF -j DROP

Further readings:

• man page ip6tables
• Private network in the Wikipedia.

Featured Articles:

• 20 Linux System Monitoring Tools Every SysAdmin Should Know
• 20 Linux Server Hardening Security Tips
• My 10 UNIX Command Line Mistakes
• Linux: 20 Iptables Examples For New SysAdmins
• 25 PHP Security Best Practices For Sys Admins
• The Novice Guide To Buying A Linux Laptop
• 10 Greatest Open Source Software Of 2009
• Top 5 Email Client For Linux, Mac OS X, and Windows Users
• Top 20 OpenSSH Server Best Security Practices
• Top 10 Open Source Web-Based Project Management Software
• Top 5 Linux Video Editor Software