Q. IPv4 networks typically shield internal hosts behind RFC 1918 private addresses and NAT, but IPv6 gives every host a globally routable address, which exposes all internal hosts directly. How do I create a default IPv6 firewall that drops all incoming connections (except ping6 requests) and only allows outgoing requests from a Linux workstation?
A. You need to use the ip6tables command to create IPv6 firewall scripts. ip6tables is used to set up, maintain, and inspect the tables of IPv6 packet filter rules in the Linux kernel.
A note about IPv6 private IPs
IPv6 does not include private-network features such as NAT, because the address space is large enough that they are not needed. However, the FC00::/7 prefix is reserved for Unique Local IPv6 unicast addresses (ULA), which are meant for use within a site or organisation and are not routed on the global Internet. All IPv6 users should be able to obtain IPv6 address space for use at their discretion and without artificial barriers between their network and the Internet.
Sample Restricted IPv6 Linux Firewall Script
#!/bin/bash
IPT6="/sbin/ip6tables"
PUBIF="eth1"

echo "Starting IPv6 firewall..."

# flush existing rules and delete user-defined chains
$IPT6 -F
$IPT6 -X
$IPT6 -t mangle -F
$IPT6 -t mangle -X

# unlimited access to loopback
$IPT6 -A INPUT -i lo -j ACCEPT
$IPT6 -A OUTPUT -o lo -j ACCEPT

# DROP all incoming traffic by default
$IPT6 -P INPUT DROP
$IPT6 -P OUTPUT DROP
$IPT6 -P FORWARD DROP

# Allow full outgoing connections but no incoming stuff
$IPT6 -A INPUT -i $PUBIF -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT6 -A OUTPUT -o $PUBIF -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

# allow incoming ICMPv6 (ping pong stuff); all of ICMPv6 is accepted, not only
# echo-request, because Neighbor Discovery and Path MTU discovery depend on it
$IPT6 -A INPUT -i $PUBIF -p ipv6-icmp -j ACCEPT
$IPT6 -A OUTPUT -o $PUBIF -p ipv6-icmp -j ACCEPT

############# add your custom rules below ############
### open IPv6 port 80
#$IPT6 -A INPUT -i $PUBIF -p tcp --destination-port 80 -j ACCEPT
### open IPv6 port 22
#$IPT6 -A INPUT -i $PUBIF -p tcp --destination-port 22 -j ACCEPT
### open IPv6 port 25
#$IPT6 -A INPUT -i $PUBIF -p tcp --destination-port 25 -j ACCEPT
############ End custom rules ################

#### no need to edit below ###
# log everything else, then drop it (note: the LOG rule is not rate-limited)
$IPT6 -A INPUT -i $PUBIF -j LOG
$IPT6 -A INPUT -i $PUBIF -j DROP
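Once the script has been loaded it is worth verifying that the live ruleset still matches the intent (every chain defaults to DROP, and INPUT only accepts loopback, reply traffic and ICMPv6). The following Python audit is an added example, not part of the original post: it parses the output format of `ip6tables -S`, reports any INPUT rule that would accept new inbound connections, and also classifies addresses so the FC00::/7 unique-local range discussed above can be told apart from global addresses. The SAMPLE_RULESET text is constructed to mirror what the script above installs, and the function names are my own.

```python
"""Audit an ip6tables ruleset dump against the 'deny inbound, allow outbound' intent."""
import ipaddress
import shlex

# Constructed sample: what `ip6tables -S` prints after loading the script above.
SAMPLE_RULESET = """\
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth1 -p ipv6-icmp -j ACCEPT
-A INPUT -i eth1 -j LOG
-A INPUT -i eth1 -j DROP
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -o eth1 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -o eth1 -p ipv6-icmp -j ACCEPT
"""

ULA = ipaddress.ip_network("fc00::/7")  # Unique Local IPv6 unicast addresses
ICMPV6_NAMES = ("ipv6-icmp", "icmpv6", "58")  # spellings ip6tables accepts for -p


def parse_ruleset(text):
    """Split `ip6tables -S` output into chain policies and (chain, tokens) rules."""
    policies, rules = {}, []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        tokens = shlex.split(line)
        if tokens[0] == "-P" and len(tokens) >= 3:
            policies[tokens[1]] = tokens[2]
        elif tokens[0] == "-A" and len(tokens) >= 2:
            rules.append((tokens[1], tokens[2:]))
        # -N (user chains) and other lines are not relevant to this audit
    return policies, rules


def _opt(tokens, flag):
    """Return the value that follows `flag` in a rule, or None if absent."""
    if flag in tokens:
        i = tokens.index(flag)
        if i + 1 < len(tokens):
            return tokens[i + 1]
    return None


def _is_policy_compliant_input_accept(tokens):
    """INPUT may accept loopback, reply-only (no NEW) conntrack state, or ICMPv6."""
    if _opt(tokens, "-i") == "lo":
        return True
    states = _opt(tokens, "--state") or _opt(tokens, "--ctstate")
    if states is not None:
        # a NEW state here would let unsolicited connections in
        return set(states.split(",")) <= {"ESTABLISHED", "RELATED"}
    return _opt(tokens, "-p") in ICMPV6_NAMES


def audit(text):
    """Return a list of findings; an empty list means the ruleset matches intent."""
    policies, rules = parse_ruleset(text)
    findings = []
    for chain in ("INPUT", "FORWARD", "OUTPUT"):
        if policies.get(chain) != "DROP":
            findings.append(
                f"policy: {chain} is {policies.get(chain, 'unset')}, expected DROP")
    saw_icmpv6 = False
    for chain, tokens in rules:
        if chain != "INPUT" or _opt(tokens, "-j") != "ACCEPT":
            continue
        if _opt(tokens, "-p") in ICMPV6_NAMES:
            saw_icmpv6 = True
        if not _is_policy_compliant_input_accept(tokens):
            findings.append("INPUT accepts new inbound traffic: " + " ".join(tokens))
    if not saw_icmpv6:
        # without ICMPv6 the host cannot do Neighbor Discovery or PMTU discovery
        findings.append("no inbound ICMPv6 accept rule: Neighbor Discovery will break")
    return findings


def classify_ipv6(addr):
    """Tell loopback, link-local and unique-local (FC00::/7) apart from global."""
    a = ipaddress.IPv6Address(addr)
    if a.is_loopback:
        return "loopback"
    if a.is_link_local:
        return "link-local"
    if a in ULA:
        return "unique-local"
    return "global"  # everything else is treated as reachable from the Internet


if __name__ == "__main__":
    for finding in audit(SAMPLE_RULESET) or ["ruleset matches the deny-inbound intent"]:
        print(finding)
    for sample in ("::1", "fe80::1", "fd12:3456::1", "2001:db8::1"):
        print(sample, "->", classify_ipv6(sample))
```

On a real host, feed it the live dump with `audit(subprocess.check_output(["ip6tables", "-S"], text=True))`; uncommenting one of the "open port" lines in the script shows up as an "INPUT accepts new inbound traffic" finding, which is exactly the exposure the question is about.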
Further reading:
- ip6tables man page
- Private network on Wikipedia.


Thanks for sharing a shell script.
Hi, interesting script. Thanks for sharing it.
However, it’s missing one thing that would make it a lot more useful:
The PUBIF variable is set but never used, so the rules now apply to all interfaces instead of just the public interface. If you could modify the script to use the PUBIF variable, it will still be useful for PCs but also for IPv6 routers.
Hope you’ll consider this. Thanks.
@ Martijn,
I’ve just updated the script. Hope this helps!
Yes, that is definitely useful! Thanks for the quick response Vivek. Implementing it now.