Welcome to part four of my multipart series on IPv6. In this post I’ll cover how to use ip6tables to configure a host firewall on linux. The host used runs Ubuntu 11.04, but this should be largely applicable to any linux host.
Just like with the FreeBSD example, the IPv6 rule set is just a duplicate of the IPv4 rule set. Also like the FreeBSD example, a bit more has to be taken with ICMPv6 and with link-local addresses.
To configure ip6tables for your host, run the following commands:
# ip6tables –P INPUT ACCEPT
# ip6tables –P FORWARD ACCEPT
# ip6tables –P OUTPUT ACCEPT
# ip6tables -A INPUT -i lo -j ACCEPT
# ip6tables -A INPUT -s ff00::/8 -j ACCEPT
# ip6tables -A INPUT -m limit –limit 5/min -j LOG –log-prefix “iptables denied: ” –log-level 7
# ip6tables -A INPUT -m conntrack –ctstate RELATED,ESTABLISHED -j ACCEPT
# ip6tables -A INPUT -p icmpv6 -j ACCEPT
# ip6tables -A INPUT -p tcp -m tcp –dport 22 -j ACCEPT
# ip6tables -A INPUT -j REJECT –reject-with icmp6-adm-prohibited
# ip6tables -A OUTPUT -m conntrack –ctstate NEW,RELATED,ESTABLISHED -j ACCEPT
# ip6tables -A OUTPUT -s ff00::/8 -j ACCEPT
# ip6tables -A OUTPUT -p icmpv6 -j ACCEPT
The above rule set blocks all new inbound connections except to port 22 (SSH). You’ll want to add ports for any other services you might run. In addition, this rule set will allow ICMPv6 traffic, all link-local traffic, and all outbound connections.
To make those changes survive a reboot, we’ll need to commit them to disk. First, create and edit the file /etc/network/if-pre-up.d/ip6tables:
# cat /etc/network/if-pre-up.d/ip6tables
/sbin/ip6tables-restore > /etc/ip6tables.up.rules
Now run the following command:
# ip6tables-save < /etc/ip6tables.up.rules [/cc] Note that for the above example I mostly just duplicated my IPv4 rule set. You’ll need to add any ports suitable for the services you run on the host.