IPv6 Firewalling with ip6tables

Now that you’ve gotten IPv6 configured on your home network, forget about relying on NAT to be your “firewall”. All your devices now have a globally routed IP (v6) address, so it’s time to get familiar with a setting up a “real” firewall.

Since my IPv6 router is a linux box that is also other things (server, wireless access point, etc) I can’t set up a nice dedicated firewall like pfsense (currently IPv6 is enabled on the beta versions) without spending more money and quite a bit more work. So I’ll work with what I have – ip6tables

Here’s a simple set of ip6tables rules I’ve come up with. You’ll want to tweak these for your specific site. Mine are called from /etc/rc.local

# IPv6 firewall (ipv6tables)
WAN_IF=he-ipv6
LAN_IF=eth0
WLAN_IF=wlan0
#flush tables
ip6tables -F

#Define Policy
ip6tables -P INPUT DROP
ip6tables -P FORWARD DROP
ip6tables -P OUTPUT ACCEPT

# Input to the router
# Allow all loopback traffic
ip6tables -A INPUT -i lo -s 0/0 -d 0/0 -j ACCEPT

#Allow unrestricted access on internal network
ip6tables -A INPUT -i $LAN_IF -j ACCEPT
ip6tables -A INPUT -i $WLAN_IF -j ACCEPT

#Allow unrestricted outgoing connections
ip6tables -A INPUT -i $WAN_IF -m state --state RELATED,ESTABLISHED -j ACCEPT

# Forwarding through from the internal network
# For now allow unrestricted access out from the internal network
ip6tables -A FORWARD -i $LAN_IF -j ACCEPT
ip6tables -A FORWARD -i $WLAN_IF -j ACCEPT

#Allow unrestricted outgoing connections
ip6tables -A FORWARD -i $WAN_IF -m state --state RELATED,ESTABLISHED -j ACCEPT

# allow SSH in
ip6tables -A FORWARD -s 2000::/3 -i $WAN_IF -p tcp -m tcp --dport 22 -j ACCEPT

# allow remote desktop in
ip6tables -A FORWARD -s 2000::/3 -i $WAN_IF -p tcp -m tcp --dport 3389 -j ACCEPT

# Drop everything else
ip6tables -A FORWARD -i $WAN_IF -j DROP

#allow everything to our router/server.
ip6tables -A INPUT -s 0/0 -d 2001:470:81e5::1/128 -j ACCEPT

# Drop everything else
ip6tables -A INPUT -i $WAN_IF -j DROP

In a few places, I only allow packets from 2000::/3. Currently this encompasses all of the global IPv6 addresses, so I could have easily used 0/0 (equivalent to ::/0 or “anywhere”) but I’m okay with being a little more specific here. In fact, for some of them (like ssh and remote desktop) I should be even more specific, but this is a start.

Ensure you can test your rules before leaving them on. I had some rules ordered incorrectly (I tried adding some rules after the “Drop everything else” rule for the chain) and broke www to ipcalypse.ca for a while. (oops!). To verify www, dns and smtp on my server, I used http://go6.se/check/ to test these rules.

2 Responses to “IPv6 Firewalling with ip6tables”

  1. vallidor says:

    well detailed rules.

    i see it’s posted with an Ubuntu tag. it’s also possible to set up your firewall with ip6tables and spit ’em all into a finished ruleset with ip6tables-save, and apply that with ip6tables-restore. you lose the benefit of commenting on each rule (as in a bash script) but gain the ability to haphazardly create or delete rules “from the hip”. worth mentioning.

    also, why specify 0/0, ::/0, or 2000::/3 in the first place? just omit the -s parameter! just sayin man.

    good article

    • ipv6_twit says:

      I thought of that, but I also wanted to leave an example of how to specify sources for the day when I want to put that in. 🙂

Leave a Reply