Configuring IPv6 (Firewall rules ?)


#1

I have had IPv6 working on my BigV machine, but yesterday I discovered that it wasn’t working anymore. The IPv6 address is configured (it’s defined as static so that’s not too surprising), but there are only routes to the /56, /64 and fe80::/64, but no default route.

My /etc/network/interfaces:

# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

# The loopback interface
auto lo
iface lo inet loopback
iface lo inet6 loopback

# The primary network interface
auto eth0
iface eth0 inet static
    address 213.138.111.85
    netmask 255.255.255.0
    broadcast 213.138.111.255
    gateway 213.138.111.1
iface eth0 inet6 static
    address 2001:41c8:51:655::85
    netmask 64
    gateway fe80::1
    pre-up /sbin/modprobe ipv6 2>/dev/null || true
    pre-up echo 0 > /proc/sys/net/ipv6/conf/eth0/autoconf
    pre-up echo 0 > /proc/sys/net/ipv6/conf/all/accept_ra

(I added the last line yesterday when I found it on https://www.bytemark.co.uk/docs/network/ipv6/).

Most guides say that you should just allow any ICMPv6 traffic, but I believe that shouldn’t be necessary with a static configuration, so I have made the following rules:

IP6TABLES="/sbin/ip6tables"
$IP6TABLES -P INPUT DROP
$IP6TABLES -P OUTPUT DROP
$IP6TABLES -P FORWARD DROP
$IP6TABLES -F INPUT
$IP6TABLES -F OUTPUT
$IP6TABLES -F FORWARD
$IP6TABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IP6TABLES -A INPUT -m state --state INVALID -j DROP
$IP6TABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IP6TABLES -A OUTPUT -m state --state INVALID -j DROP
# IPv6 depends heavily on ICMPv6
$IP6TABLES -A INPUT -s fe80::0/64 -p icmpv6 -j ACCEPT
# - and apparently the replies aren't related?
# $IP6TABLES -A OUTPUT -d fe80::0/64 -p icmpv6 -j ACCEPT
# - that might not be enough?
$IP6TABLES -A OUTPUT -p icmpv6 -j ACCEPT

Shouldn’t that still (as I said it has worked) be enough? What (else) might be wrong?

.Henrik


#2

I’m not going to answer your question(!), but I use http://www.fwbuilder.org/ to create the rules. It’s a nice tool that lets you set up your firewall in many different ways. It can be as simple or complex as you like. Nice and visual.

It handles both my V4 and V6 rulesets.

I use it on my BigV setup. If you want to try it and would like my setup to play with, just let me know.


#3

In Symbiosis we let the following types of ICMP packets through from anywhere:

  • destination-unreachable
  • packet-too-big
  • parameter-problem
  • router-solicitation
  • router-advertisement
  • neighbor-solicitation
  • neighbor-advertisement

You could always add a “-j LOG” target before the default drop to see what it is catching.
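The Symbiosis list and the LOG suggestion above, written out as an added example (not code from the thread or from Symbiosis itself): an ip6tables script that accepts only those seven ICMPv6 types inbound, keeps the outbound ICMPv6 allow from post #1, and logs whatever still reaches the end of INPUT before the DROP policy takes it. It assumes the icmp6 and limit matches and the LOG target are available; DRY_RUN=1 (the default) prints the commands instead of applying them.

```shell
#!/bin/sh
# Added example, not from the thread: the Symbiosis ICMPv6 list from post #3
# as explicit ip6tables rules, plus a LOG rule ahead of the DROP policy.
# Assumes the icmp6 match, the limit match and the LOG target are available.
# DRY_RUN=1 (default) only prints the commands; run with DRY_RUN=0 as root to apply.
IP6TABLES="${IP6TABLES:-/sbin/ip6tables}"
DRY_RUN="${DRY_RUN:-1}"

# ICMPv6 types accepted from anywhere on INPUT (post #3's list).
ICMPV6_TYPES="destination-unreachable packet-too-big parameter-problem \
router-solicitation router-advertisement neighbor-solicitation neighbor-advertisement"

# Print or run one ip6tables invocation depending on DRY_RUN.
ip6t() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "$IP6TABLES $*"
    else
        "$IP6TABLES" "$@"
    fi
}

# One ACCEPT rule per ICMPv6 type in the given chain.
allow_icmpv6_types() {
    chain="$1"
    for t in $ICMPV6_TYPES; do
        ip6t -A "$chain" -p icmpv6 --icmpv6-type "$t" -j ACCEPT
    done
}

apply_rules() {
    for c in INPUT OUTPUT FORWARD; do
        ip6t -P "$c" DROP
        ip6t -F "$c"
    done
    ip6t -A INPUT  -m state --state ESTABLISHED,RELATED -j ACCEPT
    ip6t -A INPUT  -m state --state INVALID -j DROP
    ip6t -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    ip6t -A OUTPUT -m state --state INVALID -j DROP
    # Inbound: only the listed ICMPv6 types. Outbound: all ICMPv6, as in post #1.
    allow_icmpv6_types INPUT
    ip6t -A OUTPUT -p icmpv6 -j ACCEPT
    # Log what still reaches the end of INPUT before the policy drops it;
    # rate-limited so a flood cannot fill the log.
    ip6t -A INPUT -m limit --limit 5/min -j LOG --log-prefix "ip6 DROP IN: "
}

apply_rules
```

With DRY_RUN=1 the printed rules can be diffed against `ip6tables -S` after applying, and the "ip6 DROP IN:" lines in the kernel log show which neighbour-discovery or other traffic the ruleset is still catching.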