
I just changed to a server with IPv6 and therefore I changed my firewall script. Changing my iptables script to ip6tables does not seem to work, though. This is the IPv6 part, which neither allows outgoing traffic nor incoming traffic on IPv6 (but should allow all outgoing, and only allow SSH, HTTPS); IPv4 works like a charm:

# IPv6
# Setting default policies:
ip6tables -P INPUT DROP
ip6tables -P FORWARD DROP
ip6tables -P OUTPUT ACCEPT

# Exceptions to default policy
ip6tables -I INPUT -i lo -j ACCEPT
ip6tables -A INPUT -p tcp --dport 22 -j ACCEPT       # SSH
ip6tables -A INPUT -p tcp --dport 443 -j ACCEPT      # HTTPS
ip6tables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

Thanks!

Solution:

iptables -A INPUT -p icmp -j ACCEPT
iptables -A OUTPUT -p icmp -j ACCEPT
iptables -A FORWARD -p icmp -j ACCEPT

ip6tables -A INPUT -p icmpv6 -j ACCEPT
ip6tables -A OUTPUT -p icmpv6 -j ACCEPT
ip6tables -A FORWARD -p icmpv6 -j ACCEPT

According to another answer here and http://www.ietf.org/rfc/rfc4890.txt

bigCrash

1 Answer


You have no rule to allow outgoing, although your rules for ports 22 and 443 appear to be bi-directional. You should be filtering ICMP on the external interface, and allowing DNS traffic on port 53 (both UDP and TCP).

I would recommend you use an IPv6-capable firewall builder. There are ports that you likely want to block outgoing traffic on even if you want an open policy on outgoing traffic. A good firewall builder will have some default rules that get you started with a reasonable firewall.

BillThor
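The questioner's ruleset, rebuilt as an added example that is neither the questioner's nor the answerer's code. It puts the rules in ip6tables-restore format so they can be reviewed before being loaded atomically, adds the ICMPv6 types that RFC 4890 (the document cited in the question's solution) says a host must not drop, and includes a small lint function that fails on the exact gap in the original: an INPUT policy of DROP with no rule accepting neighbour discovery, which leaves the host unable to learn its router's link-layer address and so without IPv6 connectivity in either direction. Assumptions: the machine is a host, not a router; SSH and HTTPS are the only services offered; the conntrack match is available (it replaces the deprecated state match); and the `check_ndp_allowed` and `original_ruleset` names are invented for this example.

```shell
#!/bin/sh
# Added example, not from the original post. Builds an IPv6 host firewall in
# ip6tables-restore format and lints it for the neighbour-discovery gap.

# The questioner's original rules, with the typographic dashes fixed.
# There is no ICMPv6 rule, so neighbour solicitation/advertisement is dropped
# by the INPUT policy and the host cannot even reach its default router.
original_ruleset() {
  cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
COMMIT
EOF
}

# Corrected ruleset: same policies, plus the ICMPv6 types RFC 4890 says a host
# must not drop. Neighbour/router discovery is limited to hop limit 255, which
# RFC 4861 requires of genuine NDP packets; router advertisements must also
# come from a link-local source.
ipv6_ruleset() {
  cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Error signalling (RFC 4890 section 4.3.1), needed for path MTU discovery.
-A INPUT -p icmpv6 --icmpv6-type destination-unreachable -j ACCEPT
-A INPUT -p icmpv6 --icmpv6-type packet-too-big -j ACCEPT
-A INPUT -p icmpv6 --icmpv6-type time-exceeded -j ACCEPT
-A INPUT -p icmpv6 --icmpv6-type parameter-problem -j ACCEPT
# Echo (section 4.3.2); remove this pair if the host should not answer ping.
-A INPUT -p icmpv6 --icmpv6-type echo-request -j ACCEPT
-A INPUT -p icmpv6 --icmpv6-type echo-reply -j ACCEPT
# Neighbour and router discovery (section 4.3.3).
-A INPUT -p icmpv6 --icmpv6-type router-advertisement -s fe80::/10 -m hl --hl-eq 255 -j ACCEPT
-A INPUT -p icmpv6 --icmpv6-type neighbour-solicitation -m hl --hl-eq 255 -j ACCEPT
-A INPUT -p icmpv6 --icmpv6-type neighbour-advertisement -m hl --hl-eq 255 -j ACCEPT
# Services offered to the outside.
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
COMMIT
EOF
}

# Lint a ruleset read from stdin. Succeeds if INPUT is not DROP by default, or
# if it is DROP and both neighbour-discovery types are explicitly accepted.
# Fails (exit 1) on a DROP policy that starves NDP, as the original did.
check_ndp_allowed() {
  awk '
    /^:INPUT DROP/ { drop = 1 }
    /^-A INPUT .*-p icmpv6 .*--icmpv6-type neighbou?r-solicitation .*-j ACCEPT/  { ns = 1 }
    /^-A INPUT .*-p icmpv6 .*--icmpv6-type neighbou?r-advertisement .*-j ACCEPT/ { na = 1 }
    END { ok = (!drop) || (ns && na); exit ok ? 0 : 1 }
  '
}

# Usage: sh ipv6-fw.sh         print the ruleset for review
#        sh ipv6-fw.sh check   lint it
#        sh ipv6-fw.sh apply   load it atomically (needs root)
case "${1:-print}" in
  print) ipv6_ruleset ;;
  check) ipv6_ruleset | check_ndp_allowed && echo "neighbour discovery is allowed" ;;
  apply) ipv6_ruleset | ip6tables-restore ;;
esac
```

Loading through ip6tables-restore replaces the whole table in one step, so a half-applied script cannot leave the box in the state the question describes; `original_ruleset` is kept only so the lint can be shown rejecting it. The answer's point about DNS is covered by the OUTPUT ACCEPT policy together with the conntrack rule, since replies to the host's own queries arrive as ESTABLISHED.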