
ip6tables: IPv6 Firewall For Linux

  • Martijn January 5, 2009, 5:14 pm

    Hi, interesting script. Thanks for sharing it.

    However, it’s missing one thing that would make it a lot more useful:
    The PUBIF variable is set but never used, so the rules now apply to all interfaces instead of just the public interface. If you could modify the script to use the PUBIF variable, it will still be useful for PCs but also for IPv6 routers.

    Hope you’ll consider this. Thanks.

  • nixCraft January 5, 2009, 6:40 pm

    @ Martijn,

    I’ve just updated the script. Hope this helps!

  • Martijn January 6, 2009, 11:35 pm

    Yes, that is definitely useful! Thanks for the quick response Vivek. Implementing it now.

  • Alex May 19, 2009, 3:54 pm

    Hi :)
    I’m just wondering if the last INPUT DROP is necessary, as the default policy already is DROP?

    cheers!

  • j July 3, 2009, 6:51 am

    Alex, you are right.

    but if you set default policy to ACCEPT then you can use this:

    # log everything else
    $IPT6 -A INPUT -j LOG
    $IPT6 -A INPUT -j DROP

    PS: taken from http://tnt.aufbix.org/linux/firewall6

  • bibi July 24, 2009, 8:11 am

    this script is NOT secure, read on icmpv6 security problems….

  • Anders November 18, 2009, 6:56 pm

    Alex: The last DROP is not necessary, but it should be put there to be secure. It’s easy to make mistakes, and this will hopefully catch some…

    Because the script doesn’t warn about this: IPv6 ICMP is much more than just PING. If one filters that, IPv6 will not work properly.

    Bibi: Any links with more information? I am interested in all stuff about IPv6.

  • Anders November 18, 2009, 7:01 pm

    Yes, I forgot.

    NAT has nothing to do with security. A firewall is the tool for that. There are ways to pass a NAT without a proper firewall setting.

    There are LOTS of people who don’t understand this, and some will argue about that. Please don’t do that, just read the relevant RFCs. And use a proper firewall setting on all your machines.

  • Albert February 1, 2011, 3:02 pm

    Hello

    Private networks I guess still have their use. It is difficult to convince certain organizations (health, banks, etc.) to use IPv6 in their internal networks, as if they somehow need to “use the internet” for anything, their whole internal network is just a part of the whole “IPv6” internet. They still want their “private” addressing while using IP protocols. They don’t want external “analytics” being performed on what each of their potential IPv6 addresses looks like on the internet.

    What’s the option for doing something like that, that does not imply application level proxies?

  • Zloy February 1, 2011, 7:48 pm

    ># Allow full outgoing connection but no incoming stuff
    >$IPT6 -A INPUT -i $PUBIF -m state --state ESTABLISHED,RELATED -j ACCEPT
    >$IPT6 -A OUTPUT -o $PUBIF -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

    These lines do not work in RHEL/CentOS 5.x because its kernel does not support stateful IPv6 firewalling. See https://bugzilla.redhat.com/show_bug.cgi?id=243739
    But I use a similar configuration in other distros with a newer kernel.

  • Anders February 2, 2011, 5:17 pm

    There are ways to randomize/anonymize your IPv6 host address.
    With that you can’t analyze traffic outside your corporate firewall to see what is inside just by checking IPv6 addresses.

    NAT is just not a good solution to any problem I have seen. The problem is the mindset of people who have been forced to use NAT for the last 15 years.

    NAT is a hack to get around the problem of IPv4 addresses running out. It doesn’t give you any security that you can’t get with IPv6 and firewalls, which you MUST have anyway, even if you use NAT.

  • Fábio June 25, 2011, 5:31 pm

    Using this firewall I’m not able to use autoconfiguration. Am I right? ’Cause it uses ICMPv6 messages that you are blocking here, allowing only “ping” messages.
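Anders (November 18) and Fábio both point at the same gap: a host firewall that admits only echo request/reply breaks Neighbor Discovery, SLAAC and Path MTU Discovery, because those all run over ICMPv6. The script below is an added example and not the nixCraft script from the post or any commenter's code; it follows the type list of RFC 4890 for a host (not a router) and assumes a public interface name of eth0 in PUBIF and an ip6tables binary in IPT6. It prints the rule set by default and only calls ip6tables when APPLY=1 is set, so it can be reviewed before it touches a live box.

```shell
#!/bin/sh
# Added example (not the original nixCraft ip6tables script): an IPv6 host
# firewall that drops by default but still admits the ICMPv6 types a host
# needs (RFC 4890), so that NDP/SLAAC and PMTUD keep working.
# Prints the rules by default; set APPLY=1 to execute them (needs root).
set -eu

PUBIF="${PUBIF:-eth0}"        # assumed public interface name
IPT6="${IPT6:-ip6tables}"     # assumed path to the ip6tables binary

# Emit the rule set for one interface, one rule per line, without the
# ip6tables binary in front, so it can be reviewed or piped elsewhere.
ip6_rules() {
    pubif="$1"
    cat <<EOF
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i $pubif -m state --state INVALID -j DROP
-A INPUT -i $pubif -m state --state ESTABLISHED,RELATED -j ACCEPT
EOF
    # ICMPv6 error messages (RFC 4890 4.3.1). Dropping type 2 (Packet Too
    # Big) silently breaks Path MTU Discovery, which IPv6 relies on because
    # routers never fragment.
    for t in 1 2 3 4; do
        echo "-A INPUT -i $pubif -p icmpv6 --icmpv6-type $t -j ACCEPT"
    done
    # Echo Request, rate limited. Echo Reply to our own pings is already
    # covered by the ESTABLISHED,RELATED rule above.
    echo "-A INPUT -i $pubif -p icmpv6 --icmpv6-type 128 -m limit --limit 5/sec -j ACCEPT"
    # Neighbor Discovery: RS 133, RA 134, NS 135, NA 136, Redirect 137.
    # These are link-local and must arrive with hop limit 255 (a value no
    # forwarded packet can carry), which is the check RFC 4861 mandates.
    for t in 133 134 135 136 137; do
        echo "-A INPUT -i $pubif -p icmpv6 --icmpv6-type $t -m hl --hl-eq 255 -j ACCEPT"
    done
    # Multicast Listener Discovery (130-132) only ever comes from a
    # link-local source; needed so the host keeps receiving multicast,
    # including the all-nodes group that Router Advertisements use.
    for t in 130 131 132; do
        echo "-A INPUT -i $pubif -p icmpv6 --icmpv6-type $t -s fe80::/10 -j ACCEPT"
    done
    # Every other ICMPv6 type is dropped explicitly, then whatever is left
    # is logged and dropped: the explicit final DROP the thread discusses.
    echo "-A INPUT -i $pubif -p icmpv6 -j DROP"
    echo "-A INPUT -i $pubif -j LOG --log-prefix ip6tables-denied:"
    echo "-A INPUT -i $pubif -j DROP"
}

# Execute each emitted rule with the configured ip6tables binary.
apply_rules() {
    ip6_rules "$PUBIF" | while IFS= read -r line; do
        eval "$IPT6 $line"
    done
}

if [ "${APPLY:-0}" = 1 ]; then
    apply_rules
else
    # Dry run: show exactly what would be executed.
    ip6_rules "$PUBIF" | sed "s|^|$IPT6 |"
fi
```

Run it with no arguments first and read the output; `PUBIF=eth1 APPLY=1 sh ip6fw.sh` then installs the rules on the named interface. Keep the `-m hl --hl-eq 255` match on the Neighbor Discovery rules: without it a host anywhere on the Internet can send forged Router Advertisements or Neighbor Advertisements, which is the kind of ICMPv6 problem bibi alludes to.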

  • Jon July 18, 2012, 8:26 pm

    Despite popular belief, NAT does have uses outside of getting around IPv4’s limited address space. For instance, transparent Squid proxies on the network gateway require the nat table to intercept and redirect HTTP traffic. Personally I also use the nat table for intercepting DNS requests on my network to use my caching and ad-blocking DNS server, as it is very hard or impossible to change DNS settings on many devices like Android phones and streaming media players. Neither of these cases will work without NAT and thus can’t be used with IPv6 unless it is implemented.

  • Anders July 19, 2012, 12:13 pm

    Do it the right way then!

    Block all outgoing port 80 in the firewall and set a proxy on all machines in your network. That is the proper way AND it will use your proxy when surfing on other ports. Any other use of the port that doesn’t use the proxy will be stopped, like worms calling home through port 80.

    Your use of NAT is just an ugly hack, like all use of NAT in the first place, on a problem that is already solved properly.

    I have still to see one use case of NAT that isn’t just a hack to “solve” a problem with IPv4 that hasn’t been solved before, or that is a direct result of IPv4 having run out of free addresses. Which it has, in any practical sense, done 10-15 years ago.

    NAT is not the answer, it’s a question. The answer is IPv6.
