
I've reviewed a variety of netfilter, iptables, and ip6tables resources. I've searched Google, including StackExchange websites, for information, and I can't find easy or clear links to information regarding differences between how iptables and ip6tables process packets.

Here are my standard iptables rules:

*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
-A OUTPUT -o eth0 -p tcp -m tcp --sport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -o eth0 -p tcp -m tcp --dport 22 -m state --state ESTABLISHED -j ACCEPT
COMMIT

Similar rules are also in place for both incoming & outgoing HTTP, and DNS resolution, as well as basic ICMP (v4 0, 3, 8, 11, 12).

When I use ip6tables to put the same rules in place, my server responds to HTTP, SSH and ICMP connections with "host is down."

I can set the preliminary rules to:

-P INPUT ACCEPT
-P OUTPUT ACCEPT

And this opens the server back up again. But it doesn't filter packets (arbitrary rules for all packets, less FORWARD).

I've tried appending:

-A INPUT -i eth0 -j DROP

But, again, this starts causing issues.

Double and triple checked with telnet among other packet verification (server logs just simply drop connections if DROP is used, same for REJECT).

Alternatively, I've also seen rule-sets which are simple ACCEPT (all) with dport and sport ranges excepting the required rules.

In a nutshell, I'm used to the typical iptables (ipv4) rules which DROP everything, except the following rules.

Ideally, I'm looking for links or information which provide in-depth, detailed technical information about differences between how iptables and ip6tables process (and drop or accept) packets differently.

It would seem ip6tables will DROP everything arbitrarily if these are the basic proto rules, BUT, where not accepted in the first set of rules, the latter rule I've tried to DROP all interface INPUT continues to cause issues (given the initial set of rules is to ACCEPT, but have nowhere to go).

FWIW: This is Debian Jessie (v8) on a dist-upgrade from Debian Wheezy (v7) on a DigitalOcean droplet. Everything else runs kosher except for the ip6tables rules (server becomes unavailable to ipv6 resources).

Originally posted on StackOverflow, deleted, and copy/pasted here on ServerFault (suggested as more relevant).

Dookie
  • Afterthought, could this have anything to do with needing additional ICMP rules (such as router advertisement)? – Dookie Feb 14 '15 at 05:17
  • 2
    Your firewall has multiple problems, and looks quite similar to [what this guy did](http://serverfault.com/q/410321/126632). I suspect you will find the solution there. – Michael Hampton Feb 14 '15 at 06:02
  • @MichaelHampton -- So, in summary, ACCEPT to start, include "ESTABLISHED,RELATED", and finally drop anything which doesn't match an accepted rule? (Whereas, with iptables, v4, DROP anything which doesn't match a subsequent rule works.) – Dookie Feb 14 '15 at 07:06

2 Answers


Your rules are dropping ICMP. This is wrong for both IPv4 and IPv6, and it will notably break PMTU discovery; however, most IPv4 stacks implement workarounds for this (very common) kind of misconfiguration. For IPv6, however, many things will be broken, notably access from Teredo hosts.

A simple solution is to add rules to allow ICMP:

iptables -A INPUT -p icmp -j ACCEPT
iptables -A OUTPUT -p icmp -j ACCEPT
iptables -A FORWARD -p icmp -j ACCEPT

ip6tables -A INPUT -p icmpv6 -j ACCEPT
ip6tables -A OUTPUT -p icmpv6 -j ACCEPT
ip6tables -A FORWARD -p icmpv6 -j ACCEPT

A potentially more secure solution is to allow just the types of ICMP messages that are necessary for proper functionality, by following the recommendations of RFC 4890.

jch
  • Already done. See the answer I provided (solution) based on @MichaelHampton's comment on the original question. (Yes, I've become familiar with the fact that ipv6 relies heavily on various types of ICMP.) Thanks, though. – Dookie Feb 16 '15 at 02:22
  • The solution you provided still breaks IPv4 PMTU discovery. You should be allowing at least some kinds of IPv4 ICMP. – jch Feb 16 '15 at 02:27
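jch's answer points at RFC 4890 for a narrower ICMPv6 policy but does not show one. The script below is an added example, not code from either answer or from the question: it builds an ip6tables-restore file that accepts only the ICMPv6 types RFC 4890 section 4.4 lists for a host (error messages, echo, MLD, and Neighbor Discovery, with Redirect included although that section treats it as optional), instead of a blanket `-p ipv6-icmp -j ACCEPT`, and pins the Neighbor Discovery types to hop limit 255 since those messages never cross a router. The interface name eth0 and TCP ports 22, 80 and 443 are taken from the question; OUTPUT is left at ACCEPT as in the final ruleset; `-m conntrack --ctstate` is the current spelling of the page's `-m state --state`; and ip6tables-restore is assumed to be on the PATH.

```shell
#!/bin/sh
# Added example (not from the answers above): build an ip6tables-restore
# file that admits only the ICMPv6 types RFC 4890 section 4.4 says a host
# should accept, instead of a blanket "-p ipv6-icmp -j ACCEPT".
# Assumptions: interface eth0 and TCP ports 22/80/443 from the question;
# OUTPUT stays ACCEPT as in the final ruleset; ip6tables-restore is on PATH.

IFACE="${IFACE:-eth0}"

# Error, echo and MLD messages every host needs (RFC 4890 4.4.1):
# 1 destination unreachable, 2 packet too big, 3 time exceeded,
# 4 parameter problem, 128/129 echo request/reply,
# 130-132 MLD listener query/report/done, 143 MLDv2 listener report.
icmpv6_required_types() {
    echo "1 2 3 4 128 129 130 131 132 143"
}

# Neighbor Discovery: 133 router solicitation, 134 router advertisement,
# 135 neighbour solicitation, 136 neighbour advertisement, 137 redirect.
# These are link-local and sent with hop limit 255 (RFC 4861), so any other
# hop limit means a forged or misrouted packet; the hl match enforces that.
icmpv6_nd_types() {
    echo "133 134 135 136 137"
}

generate_ruleset() {
    printf '%s\n' '*filter' ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' ':OUTPUT ACCEPT [0:0]'
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    # Reply traffic for anything this host initiated, regardless of protocol.
    printf '%s\n' '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    for t in $(icmpv6_required_types); do
        printf '%s\n' "-A INPUT -p ipv6-icmp --icmpv6-type $t -j ACCEPT"
    done
    for t in $(icmpv6_nd_types); do
        printf '%s\n' "-A INPUT -p ipv6-icmp --icmpv6-type $t -m hl --hl-eq 255 -j ACCEPT"
    done
    for p in 22 80 443; do
        printf '%s\n' "-A INPUT -i $IFACE -p tcp --dport $p -m conntrack --ctstate NEW -j ACCEPT"
    done
    # Default deny with a polite reject, as in the final ruleset.
    printf '%s\n' '-A INPUT -j REJECT --reject-with icmp6-port-unreachable'
    printf '%s\n' 'COMMIT'
}

# Number of per-type ICMPv6 accept rules emitted (10 required + 5 ND = 15).
count_icmpv6_rules() {
    generate_ruleset | grep -c -- '--icmpv6-type'
}

# Dry run prints the file; APPLY=1 loads it atomically (needs root).
if [ "${APPLY:-0}" = 1 ]; then
    generate_ruleset | ip6tables-restore
else
    generate_ruleset
fi
```

Run it once without APPLY and read the output before loading it; because the policy is DROP, the ESTABLISHED,RELATED rule is what keeps an existing SSH session alive while the new ruleset takes effect.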

The answer is as Michael Hampton stated in the comments... Almost the exact same issue as:

Debian ip6tables rules setup for IPv6

My final ip6tables rules are as follows:

*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 80 -m state --state NEW -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 443 -m state --state NEW -j ACCEPT
-A INPUT -p ipv6-icmp -j ACCEPT
-A INPUT -j REJECT --reject-with icmp6-port-unreachable
-A FORWARD -j REJECT --reject-with icmp6-port-unreachable
COMMIT

What this all says:

  • ACCEPT everything.
  • ACCEPT ESTABLISHED & RELATED connections (following the next 3 port rules).
  • ACCEPT connections on destination ports 22 (ssh), 80 (http), 443 (https)
  • ACCEPT any ipv6 ICMP type (different from v4)
  • REJECT any other inputs
  • REJECT any forwards

And I'm able to SSH in over ipv6, and wget -6 http...

In summary, forming ip6tables rules is just a little different than iptables rules. Next step: test to see if the same will work for iptables (v4) and keep things as similar as possible. (Thanks Michael.)

Dookie
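The comments and the final ruleset above amount to a three-item checklist: an INPUT rule that accepts ICMPv6, a generic ESTABLISHED,RELATED rule ahead of the per-port rules, and a default deny that closes the chain. The script below is an added example, not part of either answer: it reads an ip6tables-save style dump from stdin and reports which of those three items is missing, using pattern matching on the rule text only (no ip6tables binary or root needed). The two embedded rulesets are constructed samples modelled on the question's rules and on the final ruleset.

```shell
#!/bin/sh
# Added example, not part of either answer: check an ip6tables-save style
# dump (read from stdin) for the three things this thread turned on.
# Pure text matching; no ip6tables binary or root required.

check_ruleset() {
    rules=$(cat)   # the whole dump as one string, so each check can rescan it

    # 1. Some INPUT rule must accept ICMPv6 (ip6tables-save writes the
    #    protocol as ipv6-icmp; icmpv6 is tolerated for hand-written files).
    #    Without it Neighbor Discovery is dropped and peers see "host is down".
    if ! printf '%s\n' "$rules" | grep -Eq '^-A INPUT .*-p (ipv6-icmp|icmpv6) .*-j ACCEPT'; then
        echo "FINDING: no INPUT rule accepts ICMPv6; Neighbor Discovery will be dropped"
    fi

    # 2. A protocol-independent ESTABLISHED,RELATED rule should admit reply
    #    traffic before any per-port rule, instead of per-port --sport matches.
    if ! printf '%s\n' "$rules" | grep -Eq '^-A INPUT (-i [a-z0-9.]+ )?-m (state --state|conntrack --ctstate) (ESTABLISHED,RELATED|RELATED,ESTABLISHED) -j ACCEPT'; then
        echo "FINDING: no generic ESTABLISHED,RELATED accept rule in INPUT"
    fi

    # 3. Default deny: either the INPUT policy is DROP or the chain ends in a
    #    catch-all DROP/REJECT (the final ruleset uses the latter).
    if ! printf '%s\n' "$rules" | grep -Eq '^:INPUT DROP' &&
       ! printf '%s\n' "$rules" | grep -Eq '^-A INPUT -j (DROP|REJECT)'; then
        echo "FINDING: INPUT policy is ACCEPT and no catch-all DROP/REJECT closes the chain"
    fi
}

# Number of findings for the ruleset on stdin (0 = all three items present).
count_findings() {
    check_ruleset | grep -c '^FINDING' || true
}

# Constructed sample modelled on the question's rules: policy DROP, per-port
# state matching, no ICMPv6 at all.
question_rules() {
cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
COMMIT
EOF
}

# Constructed sample modelled on the final ruleset in the answer above.
answer_rules() {
cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT
-A INPUT -p ipv6-icmp -j ACCEPT
-A INPUT -j REJECT --reject-with icmp6-port-unreachable
-A FORWARD -j REJECT --reject-with icmp6-port-unreachable
COMMIT
EOF
}

echo "== question-style rules"; question_rules | check_ruleset
echo "== answer-style rules";   answer_rules | check_ruleset
# To check the live firewall instead: ip6tables-save | check_ruleset
```

The question-style sample produces two findings (no ICMPv6, no generic state rule) and the answer-style sample none; pipe the output of `ip6tables-save` into `check_ruleset` to run the same checks against a live host.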