Archive for March, 2011

IPv6 Firewalling with ip6tables

Wednesday, March 30th, 2011

Now that you’ve gotten IPv6 configured on your home network, forget about relying on NAT to be your “firewall”. All your devices now have a globally routed IP (v6) address, so it’s time to get familiar with a setting up a “real” firewall.

Since my IPv6 router is a linux box that is also other things (server, wireless access point, etc) I can’t set up a nice dedicated firewall like pfsense (currently IPv6 is enabled on the beta versions) without spending more money and quite a bit more work. So I’ll work with what I have – ip6tables

Here’s a simple set of ip6tables rules I’ve come up with. You’ll want to tweak these for your specific site. Mine are called from /etc/rc.local

# IPv6 firewall (ipv6tables)
WAN_IF=he-ipv6
LAN_IF=eth0
WLAN_IF=wlan0
#flush tables
ip6tables -F

#Define Policy
ip6tables -P INPUT DROP
ip6tables -P FORWARD DROP
ip6tables -P OUTPUT ACCEPT

# Input to the router
# Allow all loopback traffic
ip6tables -A INPUT -i lo -s 0/0 -d 0/0 -j ACCEPT

#Allow unrestricted access on internal network
ip6tables -A INPUT -i $LAN_IF -j ACCEPT
ip6tables -A INPUT -i $WLAN_IF -j ACCEPT

#Allow unrestricted outgoing connections
ip6tables -A INPUT -i $WAN_IF -m state --state RELATED,ESTABLISHED -j ACCEPT

# Forwarding through from the internal network
# For now allow unrestricted access out from the internal network
ip6tables -A FORWARD -i $LAN_IF -j ACCEPT
ip6tables -A FORWARD -i $WLAN_IF -j ACCEPT

#Allow unrestricted outgoing connections
ip6tables -A FORWARD -i $WAN_IF -m state --state RELATED,ESTABLISHED -j ACCEPT

# allow SSH in
ip6tables -A FORWARD -s 2000::/3 -i $WAN_IF -p tcp -m tcp --dport 22 -j ACCEPT

# allow remote desktop in
ip6tables -A FORWARD -s 2000::/3 -i $WAN_IF -p tcp -m tcp --dport 3389 -j ACCEPT

# Drop everything else
ip6tables -A FORWARD -i $WAN_IF -j DROP

#allow everything to our router/server.
ip6tables -A INPUT -s 0/0 -d 2001:470:81e5::1/128 -j ACCEPT

# Drop everything else
ip6tables -A INPUT -i $WAN_IF -j DROP

In a few places, I only allow packets from 2000::/3. Currently this encompasses all of the global IPv6 addresses, so I could have easily used 0/0 (equivalent to ::/0 or “anywhere”) but I’m okay with being a little more specific here. In fact, for some of them (like ssh and remote desktop) I should be even more specific, but this is a start.

Ensure you can test your rules before leaving them on. I had some rules ordered incorrectly (I tried adding some rules after the “Drop everything else” rule for the chain) and broke www to ipcalypse.ca for a while. (oops!). To verify www, dns and smtp on my server, I used http://go6.se/check/ to test these rules.

Enable IPv6 Privacy Extensions on Ubuntu

Saturday, March 19th, 2011

With SLAAC, your MAC address is embedded into your IPv6 address. When you connect to the world, you’re giving them something that can be traced back to you (or at least a piece of hardware you have). RFC3041 was created to help address this privacy issue. It’s since been obsoleted by RFC4941. The Linux kernel does support these RFCs, but most distributions do not turn it on by default. While the below was tested on Ubuntu, it should theoretically work for most flavors of Linux.

First, determine which interface(s) you want to enable the privacy extensions:


$ ifconfig
eth2      Link encap:Ethernet  HWaddr xx:xx:xx:xx:xx:xx  
          inet addr:192.168.0.2  Bcast:192.168.0.255  Mask:255.255.255.0
          inet6 addr: 2001:db8::xxxx:xxff:fexx:xxxx/64 Scope:Global
          inet6 addr: fe80::xxxx:xxff:fexx:xxxx/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:6547155 errors:0 dropped:0 overruns:0 frame:0
          TX packets:3594147 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:9470877266 (9.4 GB)  TX bytes:313893925 (313.8 MB)
          Interrupt:42 Base address:0xe000 

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:859192 errors:0 dropped:0 overruns:0 frame:0
          TX packets:859192 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:418471854 (418.4 MB)  TX bytes:418471854 (418.4 MB)

In my case it’s eth2 (and no, I don’t know what happened to eth0 and eth1 ;).

Add the following lines to /etc/sysctl.conf:

net.ipv6.conf.eth2.use_tempaddr = 2
net.ipv6.conf.all.use_tempaddr = 2
net.ipv6.conf.default.use_tempaddr = 2

*Note that the first line could (and most likely would) be different for your particular set up.

after that, restart your network (or if you like, restart your computer altogether) and you should see a new address


$ ifconfig
eth2      Link encap:Ethernet  HWaddr xx:xx:xx:xx:xx:xx  
          inet addr:192.168.0.2  Bcast:192.168.0.255  Mask:255.255.255.0
          inet6 addr: 2001:db8::xxxx:xxff:fexx:xxxx/64 Scope:Global
          inet6 addr: fe80::xxxx:xxff:fexx:xxxx/64 Scope:Link
          inet6 addr: 2001:db8::9dd7:675f:8d2b:d78a/64 Scope:Global
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:6565518 errors:0 dropped:0 overruns:0 frame:0
          TX packets:3607197 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:9493464492 (9.4 GB)  TX bytes:315035089 (315.0 MB)
          Interrupt:42 Base address:0xe000 

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:861796 errors:0 dropped:0 overruns:0 frame:0
          TX packets:861796 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:419488499 (419.4 MB)  TX bytes:419488499 (419.4 MB)

Outgoing connections will now use the new “random” ipv6 address. You can verify by going to http://test-ipv6.com