On CentOS 6, ip6tables is literally giving a nightmare on this machine.

Having

ip6tables -P INPUT ACCEPT
ip6tables -P OUTPUT ACCEPT
ip6tables -P FORWARD ACCEPT

with

ip6tables -A INPUT -p tcp -m multiport ! --dports 21,22,80,443 -j DROP
ip6tables -A INPUT -p udp -m multiport ! --dports 21,22,80,443 -j DROP
ip6tables -A INPUT ! -p ipv6-icmp -j DROP
ip6tables -A OUTPUT -p tcp -m multiport ! --dports 21,22,80,443 -j DROP
ip6tables -A OUTPUT -p udp -m multiport ! --dports 21,22,80,443 -j DROP
ip6tables -A OUTPUT ! -p ipv6-icmp -j DROP

or having the top and bottom inverted, still doesn't help.

The ip6tables rules either block all ports, or allow all in/out. I have flushed the ip6tables to ensure no rules are there before putting these rules.

All that is required is to allow all traffic and to deny multiple ports for in/out for both tcp/udp

The ports above are example purpose only.

Thanks.

EDIT: reached a better stage, yet not working with inverses

ip6tables -F
ip6tables -X
ip6tables -P INPUT ACCEPT
ip6tables -P FORWARD ACCEPT
ip6tables -P OUTPUT ACCEPT
ip6tables -I FORWARD -j DROP --protocol tcp -m multiport --dports 22,80,443
  • As per my statement above, The ports above are example purpose only. – el5yeli Aug 01 '15 at 12:12
  • Why are you doing it like this? Why not make the `multiport` rules ACCEPT? Also, in your EDIT, you suddenly do the inverse? (dropping 22,80,443) What is it you're trying to accomplish? – jornane Aug 01 '15 at 16:26

1 Answer

You've done this:

# Drops all incoming TCP that's not directed to these ports,
# Preventing also answers for locally initiated connections!
ip6tables -A INPUT -p tcp -m multiport ! --dports 21,22,80,443 -j DROP
# Drops all incoming UDP that's not directed to these ports,
# Preventing also answers for locally initiated connections!
ip6tables -A INPUT -p udp -m multiport ! --dports 21,22,80,443 -j DROP
# Drop everything that's not icmp6, including UDP and TCP traffic
# that was allowed to pass earlier, making them obsolete.
ip6tables -A INPUT ! -p ipv6-icmp -j DROP

(repeat for OUTPUT)

Normally, you ACCEPT everything you want to allow, and then you drop.

ip6tables -P INPUT DROP
ip6tables -A INPUT -p tcp -m multiport --dports 21,22,80,443 -j ACCEPT
ip6tables -A INPUT -p udp -m multiport --dports 21,22,80,443 -j ACCEPT
ip6tables -A INPUT -p ipv6-icmp -j ACCEPT

I would not filter outgoing traffic, unless you have a good reason for this.

  • additionally, accept everything which belongs to an established connection and it should work as expected: `-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT` – corny Aug 12 '16 at 15:23
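The pattern from the answer and the comment above (default policy DROP, explicit ACCEPT rules for the wanted ports, ICMPv6 and established connections, no filtering of OUTPUT), written up as an added example that is not part of the original answer. It generates an `ip6tables-restore` ruleset instead of calling `ip6tables` one rule at a time, so the whole set is applied atomically; the loopback rule, the port list and the `gen_ip6tables_rules`/`check_ports` function names are my assumptions for illustration.

```shell
#!/bin/sh
# Added example, not the original answer's code. Builds an ip6tables-restore
# ruleset following the "ACCEPT what you want, DROP the rest" approach.
# Apply as root with:  gen_ip6tables_rules 21,22,80,443 | ip6tables-restore

# The multiport match accepts at most 15 ports per rule, and a range a:b
# counts as two. Return 1 if the comma-separated list would be rejected.
check_ports() {
    n=0
    old_ifs=$IFS
    IFS=,
    for p in $1; do
        case "$p" in
            ''|*[!0-9:]*) IFS=$old_ifs; return 1 ;;   # empty or non-numeric
            *:*)          n=$((n + 2)) ;;             # range
            *)            n=$((n + 1)) ;;
        esac
    done
    IFS=$old_ifs
    [ "$n" -le 15 ]
}

# Emit the ruleset for the given port list (assumed example: 21,22,80,443).
# INPUT defaults to DROP; FORWARD and OUTPUT stay ACCEPT, as the answer
# recommends not filtering outgoing traffic without a good reason.
gen_ip6tables_rules() {
    ports="$1"
    check_ports "$ports" || return 1
    printf '%s\n' \
        '*filter' \
        ':INPUT DROP [0:0]' \
        ':FORWARD ACCEPT [0:0]' \
        ':OUTPUT ACCEPT [0:0]' \
        '-A INPUT -i lo -j ACCEPT' \
        '-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT' \
        '-A INPUT -p ipv6-icmp -j ACCEPT' \
        "-A INPUT -p tcp -m multiport --dports $ports -j ACCEPT" \
        "-A INPUT -p udp -m multiport --dports $ports -j ACCEPT" \
        'COMMIT'
}
```

The conntrack rule sits first because it matches the bulk of packets (replies to connections the host opened), and the ICMPv6 rule must stay unconditional: in IPv6, neighbour discovery rides on ICMPv6, so dropping it breaks basic connectivity, which is why the original inverted rules looked like they blocked everything.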