I am familiar with hardening IPv4 on Ubuntu Server, but when I use the same rules for IPv6 with ip6tables, IPv6 connectivity is lost, resulting in "Destination unreachable: Address unreachable" errors during ping. Could you please advise on how to fix this issue? My logic is the following:

#IPv6
#Reset all rules (F) and chains (X)
ip6tables -F
ip6tables -X

#Force SYN packets check
ip6tables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
#Drop XMAS packets
ip6tables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
#Drop null packets
ip6tables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
#Drop incoming packets with fragments
#ip6tables -A INPUT -f -j DROP #this does not really work like in iptables

#Drop traffic 
ip6tables -t filter -P INPUT DROP
ip6tables -t filter -P FORWARD DROP
ip6tables -t filter -P OUTPUT DROP
#Keep established
ip6tables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
ip6tables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
#Accept loopback
ip6tables -t filter -A INPUT -i lo -j ACCEPT
ip6tables -t filter -A OUTPUT -o lo -j ACCEPT

#ICMP
ip6tables -t filter -A INPUT -p icmp -j ACCEPT
ip6tables -t filter -A OUTPUT -p icmp -j ACCEPT

#ServiceX
ip6tables -t filter -A DESTINATION -p PROTOCOL --dport PORT -j ACCEPT
#ServiceY
ip6tables -t filter -A DESTINATION -p PROTOCOL --dport PORT -j ACCEPT
#ServiceZ
ip6tables -t filter -A DESTINATION -p PROTOCOL --dport PORT -j ACCEPT
...

Example for ssh server, though I never use the default port 22...

#SSH
ip6tables -t filter -A INPUT -p tcp --dport 22 -j ACCEPT
ip6tables -t filter -A OUTPUT -p tcp --dport 22 -j ACCEPT

The script is made executable so it runs across reboots from /etc/init.d/scriptname. The idea is to block everything and allow only what is actually known to be used by the server's services. Any better approach, please? Why does this work in IPv4 but not in IPv6? When I issue ip6tables -t filter -P INPUT ACCEPT it works, but that's not the point. How do I really secure IPv6 on Ubuntu servers? Thanks!

lion
  • IPv6 works differently than IPv4 in many aspects. Maybe you should learn IPv6 first. – Gerald Schneider Jan 22 '22 at 06:37
  • Mm-hmm... And where do I start? xD Like, how is ip6tables that much different from iptables? Many say to use an identical configuration from iptables, but it does not seem to work for me. – lion Jan 22 '22 at 06:39
  • https://serverfault.com/questions/783807/ipv6-allow-incoming-icmp-echo-requests#comment990370_783807 – user951308 Jan 22 '22 at 06:41
  • Thanks, @user951308, for pointing that out, but I already allow ICMP. Updating the question... Maybe something else needs to be specifically enabled instead of the entire INPUT direction? – lion Jan 22 '22 at 06:42
  • OK. It appears it should be ipv6-icmp instead of icmp. Thanks! – lion Jan 22 '22 at 07:17
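The failure in the question comes from a protocol-number mismatch: in ip6tables, `-p icmp` matches IP protocol 1 (ICMPv4), which never appears in an IPv6 packet, while ICMPv6 is protocol 58 (`-p ipv6-icmp`). With no ICMPv6 accepted, Neighbor Discovery cannot resolve the gateway's link-layer address and every destination becomes "Address unreachable". The script below is an added example (not the poster's script, and not a particular distribution's default ruleset) of the same block-everything design with the ICMPv6 types a non-routing host needs, per RFC 4890. It assumes `IP6T` names the ip6tables binary (set `IP6T=echo` to print the rules instead of applying them), `TCP_PORTS` lists the TCP ports the host actually serves, and the host is not forwarding traffic.

```shell
#!/bin/sh
# Added example: host-only IPv6 ruleset that defaults to DROP but keeps
# Neighbor Discovery and Path MTU discovery working. Not from the original
# post. Assumptions: IP6T is the ip6tables binary (IP6T=echo previews),
# TCP_PORTS is the served port list, the host does not route.
IP6T="${IP6T:-ip6tables}"
TCP_PORTS="${TCP_PORTS:-22}"

# Every rule goes through here so the whole script can be dry-run.
rule() { "$IP6T" "$@"; }

reset_and_default_drop() {
  rule -t filter -F
  rule -t filter -X
  rule -t filter -P INPUT DROP
  rule -t filter -P FORWARD DROP
  rule -t filter -P OUTPUT DROP
}

allow_loopback_and_stateful() {
  rule -A INPUT -i lo -j ACCEPT
  rule -A OUTPUT -o lo -j ACCEPT
  rule -A INPUT -m conntrack --ctstate INVALID -j DROP
  rule -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
  rule -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
}

# ICMPv6 (protocol 58) is the IPv6 control plane. "-p icmp" in ip6tables
# is protocol 1 (ICMPv4) and matches nothing; the rules must say ipv6-icmp.
allow_icmpv6() {
  # Error messages: 1 destination unreachable, 2 packet too big (needed
  # for Path MTU discovery), 3 time exceeded, 4 parameter problem.
  for t in 1 2 3 4; do
    rule -A INPUT -p ipv6-icmp --icmpv6-type "$t" -j ACCEPT
    rule -A OUTPUT -p ipv6-icmp --icmpv6-type "$t" -j ACCEPT
  done
  # Inbound Neighbor Discovery: 134 router advertisement, 135 neighbor
  # solicitation, 136 neighbor advertisement. ND is link-local and always
  # sent with hop limit 255, so anything with a lower hop limit was forwarded
  # from off-link and is dropped by the default policy.
  for t in 134 135 136; do
    rule -A INPUT -p ipv6-icmp --icmpv6-type "$t" -m hl --hl-eq 255 -j ACCEPT
  done
  # Outbound: 133 router solicitation plus our own NS/NA replies.
  for t in 133 135 136; do
    rule -A OUTPUT -p ipv6-icmp --icmpv6-type "$t" -j ACCEPT
  done
  # Echo request (128): answer pings, rate-limited; allow our own pings out.
  rule -A INPUT -p ipv6-icmp --icmpv6-type 128 -m limit --limit 10/sec -j ACCEPT
  rule -A OUTPUT -p ipv6-icmp --icmpv6-type 128 -j ACCEPT
}

# Only brand-new SYNs to listed ports; replies are covered by ESTABLISHED.
allow_services() {
  for p in $TCP_PORTS; do
    rule -A INPUT -p tcp --dport "$p" --syn -m conntrack --ctstate NEW -j ACCEPT
  done
}

apply_all() {
  reset_and_default_drop
  allow_loopback_and_stateful
  allow_icmpv6
  allow_services
}

# Usage: sh ip6rules.sh apply   (IP6T=echo sh ip6rules.sh apply to preview)
case "${1:-}" in apply) apply_all ;; esac
```

Two caveats that apply equally to the poster's script: with OUTPUT defaulting to DROP, the host can only answer connections, so if it must originate any (DNS, apt), add an `OUTPUT -m conntrack --ctstate NEW` accept for what it needs; and if the address comes from DHCPv6 rather than SLAAC, inbound UDP 546 from fe80::/10 must also be accepted. On Ubuntu, persisting the result with the iptables-persistent package (`ip6tables-save > /etc/iptables/rules.v6`) is more robust than an /etc/init.d script.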

2 Answers

Based on IPv6 functionality, you need to add some ACCEPT rules for ICMPv6; try these:

# ICMPv6 error messages: 1 destination unreachable, 2 packet too big,
# 3 time exceeded, 4 parameter problem
# ($WAN_IF is a placeholder for the upstream interface name; set it first)
ip6tables -A INPUT -p icmpv6 --icmpv6-type 1 -j ACCEPT
ip6tables -A INPUT -p icmpv6 --icmpv6-type 2 -j ACCEPT
ip6tables -A INPUT -p icmpv6 --icmpv6-type 3 -j ACCEPT
ip6tables -A INPUT -p icmpv6 --icmpv6-type 4 -j ACCEPT
ip6tables -A FORWARD -i $WAN_IF -p icmpv6 --icmpv6-type 1 -j ACCEPT
ip6tables -A FORWARD -i $WAN_IF -p icmpv6 --icmpv6-type 2 -j ACCEPT
ip6tables -A FORWARD -i $WAN_IF -p icmpv6 --icmpv6-type 3 -j ACCEPT
ip6tables -A FORWARD -i $WAN_IF -p icmpv6 --icmpv6-type 4 -j ACCEPT
# Router and neighbor discovery incoming and outgoing:
# 133 router solicitation, 134 router advertisement,
# 135 neighbor solicitation, 136 neighbor advertisement
ip6tables -A INPUT -p icmpv6 --icmpv6-type 133 -j ACCEPT
ip6tables -A INPUT -p icmpv6 --icmpv6-type 134 -j ACCEPT
ip6tables -A INPUT -p icmpv6 --icmpv6-type 135 -j ACCEPT
ip6tables -A INPUT -p icmpv6 --icmpv6-type 136 -j ACCEPT
ip6tables -A OUTPUT -p icmpv6 --icmpv6-type 133 -j ACCEPT
ip6tables -A OUTPUT -p icmpv6 --icmpv6-type 134 -j ACCEPT
ip6tables -A OUTPUT -p icmpv6 --icmpv6-type 135 -j ACCEPT
ip6tables -A OUTPUT -p icmpv6 --icmpv6-type 136 -j ACCEPT
# Ping request (type 128) to firewall from LAN and DMZ
ip6tables -A INPUT ! -i $WAN_IF -p icmpv6 --icmpv6-type 128 -j ACCEPT
# Ping request from firewall, LAN and DMZ
ip6tables -A OUTPUT -p icmpv6 --icmpv6-type 128 -j ACCEPT
ip6tables -A FORWARD ! -i $WAN_IF -p icmpv6 --icmpv6-type 128 -j ACCEPT

I found this article very useful for myself: IPv6-Tables

Omid Estaji
  • ip6tables -t filter -A INPUT -p ipv6-icmp -j ACCEPT and ip6tables -t filter -A OUTPUT -p ipv6-icmp -j ACCEPT solved it for me. Thanks! See my last comment on the question itself. – lion Jan 25 '22 at 07:25
  • @lion great that you were able to solve it, but please accept the answer that helped you. – Gerald Schneider Jan 25 '22 at 07:31
  • It was in a comment above with a link. Appears it should be ipv6-icmp instead of icmp. – lion Jan 25 '22 at 11:29

ip6tables -t filter -A INPUT -p ipv6-icmp -j ACCEPT
ip6tables -t filter -A OUTPUT -p ipv6-icmp -j ACCEPT

instead of

ip6tables -t filter -A INPUT -p icmp -j ACCEPT
ip6tables -t filter -A OUTPUT -p icmp -j ACCEPT

solves it.

lion
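The mistake is easy to reintroduce the next time the IPv4 script is copied, so it is worth being able to check a ruleset for it mechanically. The following is an added example, not part of either answer: a lint that reads `ip6tables-save` output (run it as `ip6tables-save | lint_icmpv6`), flags INPUT rules that accept `-p icmp` (protocol 1, ICMPv4, which never appears in an IPv6 packet) and reports which Neighbor Discovery types (134, 135, 136) no INPUT rule accepts. The two rulesets embedded below are constructed samples: the first mirrors the question's script, the second the accepted fix.

```shell
#!/bin/sh
# Added example (not from the thread): lint an ip6tables-save dump for
# ICMPv6 handling. Both rulesets below are constructed samples.

RULESET_BROKEN='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT'

RULESET_FIXED='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 134 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 135 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 136 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT'

# Reads an ip6tables-save ruleset on stdin, prints one finding per line,
# exits 1 if there is any finding and 0 if the ruleset is clean.
lint_icmpv6() {
  awk '
    # "-p icmp" in ip6tables is protocol 1 (ICMPv4): the rule matches nothing.
    /^-A INPUT / && /-p icmp / && /-j ACCEPT/ { bad++ }
    # ICMPv6 accepts: record the type, or "all" when no type is matched.
    /^-A INPUT / && /-p (ipv6-icmp|icmpv6) / && /-j ACCEPT/ {
      if (match($0, /--icmpv6-type [0-9]+/))
        seen[substr($0, RSTART + 14, RLENGTH - 14)] = 1
      else
        all = 1
    }
    END {
      rc = 0
      if (bad) {
        print "BAD: " bad " INPUT rule(s) accept -p icmp (IPv4 ICMP, protocol 1); use -p ipv6-icmp"
        rc = 1
      }
      n = split("134 135 136", need, " ")
      for (i = 1; i <= n; i++)
        if (!all && !(need[i] in seen)) {
          print "MISSING: no INPUT rule accepts ICMPv6 type " need[i] " (Neighbor Discovery)"
          rc = 1
        }
      exit rc
    }'
}

# Wrappers so each embedded sample can be checked by name.
lint_broken() { printf '%s\n' "$RULESET_BROKEN" | lint_icmpv6; }
lint_fixed()  { printf '%s\n' "$RULESET_FIXED"  | lint_icmpv6; }
```

On the broken sample this prints one BAD line and three MISSING lines (one per ND type); on the fixed sample it prints nothing and exits 0. A blanket `-p ipv6-icmp -j ACCEPT` such as the one in the accepted answer satisfies the ND check too, since it carries no type match.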