As mentioned by others, the fact that the router is IPv4 could change (with a software upgrade, new router, etc.). So a complete firewall needs both IPv4 and IPv6.
One thing that you cannot do is DROP everything going through IPv6. This is because more and more services make use of IPv6 locally.
One way to block IPv6 is to use the following rules:
*filter
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -j DROP
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -j DROP
COMMIT
That way lo traffic still goes through and anything else gets blocked.
If you need to know what gets blocked, you can LOG just before you DROP packets. For example, add those just before the corresponding DROP:
-A INPUT -j LOG --log-prefix "[iptables] reject_ipv6: " --log-uid
-A OUTPUT -j LOG --log-prefix "[iptables] reject_ipv6: " --log-uid
Note: As written, these rules can be applied using ip6tables-restore.
Logging can generate a lot of data in your syslog (where it goes by default on Linux). If you want to redirect the logs, look at man rsyslog.conf. On my end I use the following two lines:
:msg,contains,"[iptables]" /var/log/iptables/iptables.log
& stop
This assumes the log messages start with "[iptables]". The & stop rule means you drop the messages after they were saved in your iptables.log file.
Make sure to set up a logrotate entry to rotate the resulting log file, otherwise it will fill up your drive quickly.
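The LOG rules above answer "what gets blocked" only once you read the resulting log. As an added example (not part of the answer above, and not a tool shipped with iptables or rsyslog), here is a small Python script that parses the kernel LOG lines written with the `--log-prefix "[iptables] reject_ipv6: "` and `--log-uid` options shown above, expands the full-form IPv6 addresses into their compact form, and counts dropped packets per chain, protocol, destination port and local UID. The sample log lines are constructed to match the LOG target's field layout; they are not captured output. Fields like `IN=`/`OUT=` and `UID=` are the real names the LOG target emits; the `chain` and `src` keys are names this script adds.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample lines shaped like what the LOG target writes to syslog
# when the rules use --log-prefix "[iptables] reject_ipv6: " and --log-uid.
# INPUT-chain drops carry IN=<iface> and no UID; OUTPUT-chain drops carry
# OUT=<iface> plus the UID/GID of the local process that sent the packet.
SAMPLE_LOG = """\
Mar  3 10:15:01 host kernel: [iptables] reject_ipv6: IN=eth0 OUT= MAC=33:33:00:00:00:01:00:11:22:33:44:55:86:dd SRC=fe80:0000:0000:0000:0211:22ff:fe33:4455 DST=ff02:0000:0000:0000:0000:0000:0000:0001 LEN=64 TC=0 HOPLIMIT=255 FLOWLBL=0 PROTO=ICMPv6 TYPE=134 CODE=0
Mar  3 10:15:02 host kernel: [iptables] reject_ipv6: IN= OUT=eth0 SRC=2001:0db8:0000:0000:0000:0000:0000:0010 DST=2001:0db8:0000:0000:0000:0000:0000:0053 LEN=72 TC=0 HOPLIMIT=64 FLOWLBL=0 PROTO=UDP SPT=40000 DPT=53 LEN=32 UID=1000 GID=1000
Mar  3 10:15:02 host kernel: [iptables] reject_ipv6: IN= OUT=eth0 SRC=2001:0db8:0000:0000:0000:0000:0000:0010 DST=2001:0db8:0000:0000:0000:0000:0000:0053 LEN=72 TC=0 HOPLIMIT=64 FLOWLBL=0 PROTO=UDP SPT=40001 DPT=53 LEN=32 UID=1000 GID=1000
Mar  3 10:15:05 host kernel: [iptables] reject_ipv6: IN= OUT=eth0 SRC=2001:0db8:0000:0000:0000:0000:0000:0010 DST=2001:0db8:0000:0000:0000:0000:0000:0001 LEN=80 TC=0 HOPLIMIT=64 FLOWLBL=0 PROTO=TCP SPT=51234 DPT=443 WINDOW=64800 RES=0x00 SYN URGP=0 UID=33 GID=33
Mar  3 10:15:06 host sshd[123]: Accepted publickey for alice from 192.0.2.7 port 50000
"""

# Must match the --log-prefix used in the LOG rules.
PREFIX = "[iptables] reject_ipv6: "

# The LOG target writes space-separated KEY=VALUE tokens; bare flags such as
# SYN have no '=' and are simply skipped by this regex.
KV_RE = re.compile(r"(\w+)=(\S*)")


def compact(addr):
    """Turn the kernel's zero-padded IPv6 form into the usual compressed form."""
    try:
        return ipaddress.IPv6Address(addr).compressed
    except ValueError:
        return addr


def parse_line(line):
    """Return the LOG fields of one syslog line as a dict, or None if the line
    was not produced by the reject_ipv6 rules (e.g. an sshd message)."""
    idx = line.find(PREFIX)
    if idx < 0:
        return None
    fields = dict(KV_RE.findall(line[idx + len(PREFIX):]))
    # A non-empty IN= means the packet arrived and hit the INPUT chain;
    # otherwise it was locally generated and hit the OUTPUT chain.
    fields["chain"] = "INPUT" if fields.get("IN") else "OUTPUT"
    fields["src"] = compact(fields.get("SRC", ""))
    fields["dst"] = compact(fields.get("DST", ""))
    return fields


def summarize(log_text):
    """Count drops per (chain, protocol, destination port, uid).

    The UID column is what makes --log-uid useful: it tells you which local
    process (by owner) keeps trying to reach something over IPv6."""
    counts = Counter()
    for line in log_text.splitlines():
        f = parse_line(line)
        if f is None:
            continue
        key = (f["chain"], f.get("PROTO", "?"), f.get("DPT", "-"), f.get("UID", "-"))
        counts[key] += 1
    return counts


if __name__ == "__main__":
    # Usage: feed it /var/log/iptables/iptables.log instead of SAMPLE_LOG.
    for (chain, proto, dport, uid), n in summarize(SAMPLE_LOG).most_common():
        print(f"{n:5d}  {chain:<6} {proto:<6} dport={dport:<5} uid={uid}")
```

Running it on the constructed sample shows two UDP/53 drops and one TCP/443 drop from local processes (UIDs 1000 and 33) plus one inbound ICMPv6 router advertisement, which is exactly the "which local services use IPv6" question the LOG rules are there to answer.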