As a proponent of IPv6 and with my local ISP being completely inept in the IPv6 transition, I decided to set up a 6in4 tunnel in order to provide IPv6 connectivity to my LAN. You can find many guides to configuring the tunnel and setting it to forward the connection using radvd, so I won’t go over that here. But most don’t mention how to configure the firewall. I was using Ubuntu’s default firewall package, ufw, but couldn’t get it to work. Eventually I came to the conclusion that I needed to use ip6tables directly in order to do it. Eventually, I settled on this setup:

ip6tables -P INPUT DROP
ip6tables -A INPUT -p icmpv6 -j ACCEPT
ip6tables -A INPUT -s local:ipv6:prefix::/64 -j ACCEPT
ip6tables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
ip6tables -A INPUT -i eth0 -p tcp --dport 80 -j ACCEPT
ip6tables -t filter -A INPUT -i lo -j ACCEPT

ip6tables -I FORWARD -i he-ipv6 -p tcp --syn -j DROP
ip6tables -I FORWARD -i he-ipv6 -p udp -j DROP

For clarification:

  • eth0 is my LAN Ethernet port (this is an internal server that is already behind a router, and it has only one port)
  • he-ipv6 is the tunnel interface (some examples call it something different, so be careful of that)
  • local:ipv6:prefix:: is the local or routed prefix, i.e. the one that you don’t use on the he-ipv6 interface. For example, if you are given 2001:DB8:1:422::/64 and 2001:DB8:2:422::/64 and you use 2001:DB8:1:422::2 with the he-ipv6 interface, then the local IPv6 prefix is 2001:DB8:2:422::/64

The first statement sets the default policy to drop all incoming connections. The second line allows ICMPv6 (aka pings). The third line allows all traffic from my LAN clients. The fourth line allows established connections through (this is vital for the forwarding to work). The fifth line opens port 80 on the local system (as an example, if you’re running a web server). The sixth line just allows access from the lo interface (I found I needed this for some web server things).

The next two lines were the hardest ones to find. These are what need to be set up to prevent outside access to your LAN systems. If you just run the first 6 lines, your tunnel system will be protected just fine, but an outside system will be able to access all ports on your internal LAN! Why nobody seems bothered about this is beyond me. So make sure you add those last two lines to your ip6tables configuration.
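To check a running tunnel box for the gap described above, the following added example (not part of the original post) reads `ip6tables -S` output on stdin and reports whether the two FORWARD drops are present for the tunnel interface. The function names and sample listings are constructed for illustration. It assumes `--syn` is listed as `--tcp-flags FIN,SYN,RST,ACK SYN`, and it does not evaluate rule ordering or ACCEPT rules.

```shell
#!/usr/bin/env bash
# Added example: audit `ip6tables -S` output (stdin) for the FORWARD gap
# described above. $1 = tunnel interface name (he-ipv6 in the post).
audit_forward() (
    tun="$1" policy="unknown" syn="missing" udp="missing"
    while IFS= read -r line; do
        case "$line" in
            "-P FORWARD "*) policy="${line#-P FORWARD }" ;;
            # Rules narrowed by address or port leave the rest reachable.
            *" -s "*|*" -d "*|*"--dport"*|*"--sport"*) ;;
            "-A FORWARD "*"-i $tun "*"-j DROP")
                case "$line" in
                    *" -p tcp "*"--tcp-flags FIN,SYN,RST,ACK SYN "*) syn="dropped" ;;
                    *" -p tcp -j DROP") syn="dropped" ;;   # all TCP dropped
                    *" -p udp "*) udp="dropped" ;;
                    *" -p "*) ;;                           # other protocol
                    *) syn="dropped"; udp="dropped" ;;     # every protocol
                esac ;;
        esac
    done
    echo "policy=$policy tcp-syn=$syn udp=$udp"
    # Fail when forwarding defaults to ACCEPT and either drop is absent.
    [ "$policy" != "ACCEPT" ] || { [ "$syn" = dropped ] && [ "$udp" = dropped ]; }
)

# Constructed sample: rule listing after only the INPUT rules (abridged).
sample_input_only() {
    cat <<'EOF'
-P INPUT DROP
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A INPUT -p ipv6-icmp -j ACCEPT
-A INPUT -s 2001:db8:2:422::/64 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
EOF
}

# Constructed sample: the same listing plus the two FORWARD drops.
sample_protected() {
    sample_input_only
    cat <<'EOF'
-A FORWARD -i he-ipv6 -p udp -j DROP
-A FORWARD -i he-ipv6 -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j DROP
EOF
}

sample_input_only | audit_forward he-ipv6 || echo "LAN hosts reachable from tunnel"
sample_protected | audit_forward he-ipv6 && echo "FORWARD drops present"
```

On a live system, run `ip6tables -S | audit_forward he-ipv6` as root and treat a non-zero exit status as the exposed state.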


19 July 2011