{"id":130,"date":"2011-03-30T23:26:14","date_gmt":"2011-03-31T05:26:14","guid":{"rendered":"http:\/\/www.ipcalypse.ca\/?p=130"},"modified":"2011-03-31T10:01:33","modified_gmt":"2011-03-31T16:01:33","slug":"ipv6-firewalling-with-ip6tables","status":"publish","type":"post","link":"https:\/\/www.ipcalypse.ca\/?p=130","title":{"rendered":"IPv6 Firewalling with ip6tables"},"content":{"rendered":"<p>Now that you&#8217;ve gotten IPv6 configured on your home network, forget about relying on NAT to be your &#8220;firewall&#8221;.  All your devices now have a globally routed IP (v6) address, so it&#8217;s time to get familiar with setting up a &#8220;real&#8221; firewall.<\/p>\n<p>Since my IPv6 router is a Linux box that is also other things (server, wireless access point, etc.) I can&#8217;t set up a nice dedicated firewall like <a href=\"http:\/\/www.pfsense.org\/\">pfsense<\/a> (currently IPv6 is enabled on the beta versions) without spending more money and quite a bit more work.  So I&#8217;ll work with what I have &#8211; <a href=\"http:\/\/man.he.net\/man8\/ip6tables\">ip6tables<\/a>.<\/p>\n<p>Here&#8217;s a simple set of ip6tables rules I&#8217;ve come up with. You&#8217;ll want to tweak these for your specific site.  
Mine are called from \/etc\/rc.local<br \/>\n<code><br \/>\n# IPv6 firewall (ip6tables)<br \/>\nWAN_IF=he-ipv6<br \/>\nLAN_IF=eth0<br \/>\nWLAN_IF=wlan0<br \/>\n# Flush the filter table<br \/>\nip6tables -F<\/p>\n<p># Define default policies<br \/>\nip6tables -P INPUT DROP<br \/>\nip6tables -P FORWARD DROP<br \/>\nip6tables -P OUTPUT ACCEPT<\/p>\n<p># Input to the router<br \/>\n# Allow all loopback traffic<br \/>\nip6tables -A INPUT -i lo -s 0\/0 -d 0\/0 -j ACCEPT<\/p>\n<p># Allow unrestricted access on internal network<br \/>\nip6tables -A INPUT -i $LAN_IF -j ACCEPT<br \/>\nip6tables -A INPUT -i $WLAN_IF -j ACCEPT<\/p>\n<p># Allow return traffic for connections the router initiated (OUTPUT policy is ACCEPT)<br \/>\nip6tables -A INPUT -i $WAN_IF -m state --state RELATED,ESTABLISHED -j ACCEPT<\/p>\n<p># Forwarding through from the internal network<br \/>\n# For now allow unrestricted access out from the internal network<br \/>\nip6tables -A FORWARD -i $LAN_IF -j ACCEPT<br \/>\nip6tables -A FORWARD -i $WLAN_IF -j ACCEPT<\/p>\n<p># Allow return traffic for connections the internal network initiated<br \/>\nip6tables -A FORWARD -i $WAN_IF -m state --state RELATED,ESTABLISHED -j ACCEPT<\/p>\n<p># Allow SSH in from global addresses to any internal host<br \/>\nip6tables -A FORWARD -s 2000::\/3 -i $WAN_IF -p tcp -m tcp --dport 22 -j ACCEPT<\/p>\n<p># Allow remote desktop in from global addresses to any internal host<br \/>\nip6tables -A FORWARD -s 2000::\/3 -i $WAN_IF -p tcp -m tcp --dport 3389 -j ACCEPT<\/p>\n<p># Drop everything else forwarded in from the WAN<br \/>\nip6tables -A FORWARD -i $WAN_IF -j DROP<\/p>\n<p># Allow everything to our router\/server&#8217;s own address.<br \/>\nip6tables -A INPUT -s 0\/0 -d 2001:470:81e5::1\/128 -j ACCEPT<\/p>\n<p># Drop everything else arriving from the WAN<br \/>\nip6tables -A INPUT -i $WAN_IF -j DROP<br \/>\n<\/code><\/p>\n<p>In a few places, I only allow packets from 2000::\/3.  Currently this encompasses all of the global IPv6 addresses, so I could have easily used 0\/0 (equivalent to ::\/0 or &#8220;anywhere&#8221;) but I&#8217;m okay with being a little more specific here.  
In fact, for some of them (like SSH and remote desktop) I should be even more specific, but this is a start. Note that with these rules, ICMPv6 arriving on the WAN interface is only passed through to internal hosts when connection tracking classifies it as RELATED or ESTABLISHED (for example a Packet Too Big message for an existing connection, which path MTU discovery depends on); unsolicited ICMPv6 such as echo requests destined for internal hosts is dropped by the FORWARD chain, while ICMPv6 addressed to the router itself is still accepted by the rule for its own address.<\/p>\n<p>Ensure you can test your rules before leaving them on.  I had some rules ordered incorrectly (I tried adding some rules after the &#8220;Drop everything else&#8221; rule for the chain) and broke www to ipcalypse.ca for a while (oops!).  To verify www, DNS and SMTP on my server, I used <a href=\"http:\/\/go6.se\/check\/\">http:\/\/go6.se\/check\/<\/a> to test these rules.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Now that you&#8217;ve gotten IPv6 configured on your home network, forget about relying on NAT to be your &#8220;firewall&#8221;. All your devices now have a globally routed IP (v6) address, so it&#8217;s time to get familiar with setting up a &#8220;real&#8221; firewall. Since my IPv6 router is a Linux box that is also other [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[6,40,7],"tags":[],"class_list":["post-130","post","type-post","status-publish","format-standard","hentry","category-ipcalypse","category-ipv6","category-ubuntu"],"_links":{"self":[{"href":"https:\/\/www.ipcalypse.ca\/index.php?rest_route=\/wp\/v2\/posts\/130","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.ipcalypse.ca\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.ipcalypse.ca\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.ipcalypse.ca\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.ipcalypse.ca\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=130"}],"version-history":[{"count":8,"href":"https:\/\/www.ipcalypse.ca\/index.php?rest_route=\/wp\/v2\/posts\/130\/revisions"}],"predecessor-version":[{"id":139,"href":"https:\/\/www.ipcalypse.ca\/index.php?rest_route=\/wp\/v2\/
posts\/130\/revisions\/139"}],"wp:attachment":[{"href":"https:\/\/www.ipcalypse.ca\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=130"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.ipcalypse.ca\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=130"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.ipcalypse.ca\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=130"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}