![]() We will cover the loopback address, link-local addresses, and unique local addresses. These addresses or groups of addresses serve very specific function. There are several special addresses in IPv6. Now you need to extend the firewall policy for the allowed traffic, and you should begin with the communication necessary for managing the firewall itself (i.e., incoming traffic).Derrick Rountree, in Windows 2012 Server Network Security, 2013 IPv6 Special Addresses Thus far, the firewall has been set up to block everything. The corresponding rule for tunneled traffic on the IPv4 firewall is: # Block IPv6 in IPv4 Thus, you can intercept this traffic on the IPv4 firewall that is, using iptables, not ip6tables. ![]() However, the protocol field in the IPv4 header contains a value of 41 to indicate IPv6 tunnel traffic. ![]() You still have one important point to consider: IPv6 packets tunneled in IPv4 in part are not directly visible from the outside because they are prefixed with an IPv4 header. The following rules are the result: # Block tunnel prefixes In this case, you can block the known tunnel prefixes for 6to4 and Teredo: 2002::/:0::/32. Internal systems do not require a communication tunnel with native IPv6 connectivity. You can check the rules with ip6tables -v -L ( Figure 4).įigure 4: Allowing local traffic but blocking everything else. You will want to save your firewall script in the meantime, then execute it and check the results. Strictly speaking, you would typically want to filter the outgoing packets in the OUTPUT chain, but this is a secondary precaution, as long as the firewall itself has not been compromised. Unique Local Addresses could theoretically occur on the internal network you would thus restrict the filter for them to packets that arrive through the WAN interface. In this case, all packets with a sender address of ::1/128 that did not arrive via the loopback interface are blocked. The condition that follows must not be satisfied for the rule to apply. The loopback rule was negated with an exclamation mark. Ip6tables -A FORWARD -i $WAN_IF -s FC00::/7 -j DROP Ip6tables -A INPUT -i $WAN_IF -s FC00::/7 -j DROP Ip6tables -A INPUT ! -i lo -s ::1/128 -j DROP As a result, you can define the following anti-spoofing rules: # Anti-spoofing These include in particular the loopback address 1:: and the Unique Local Addresses FC00::/7. The two approaches are not mutually exclusive but complementary.Īt this point, you can define some address ranges that should be discarded if they arrive on the external interface as the sender address. Another possibility is the explicit rejection of incoming traffic from certain address ranges on the Internet interface. An approach that is supported by iptables and ip6tables is to restrict the rules to incoming and outgoing interfaces so an internal sender address cannot arrive on any interface other than the LAN interface. ![]() To prevent an attacker from using an internal address for access to specific systems, you need to introduce some anti-spoofing measures. Ip6tables -A OUTPUT -m state -state ESTABLISHED,RELATED -j ACCEPTįor all other forms of communication, sections with matching rules now follow. Ip6tables -A FORWARD -m state -state ESTABLISHED,RELATED -j ACCEPT Ip6tables -A INPUT -m state -state ESTABLISHED,RELATED -j ACCEPT But, because loopback should always be allowed, you add a loopback rule:įigure 3: Nailed down: In the current state, the firewall does not allow any traffic to localhost.Īnother important step is to enable stateful inspection by allowing everything that belongs to an existing communication: # Enable stateful inspection ![]() Accordingly, you would set the policy like this for all three chains: # Delete the RulesetĪt this point, no communication to, from, or through the system is possible, not even loopback traffic ( Figure 3). The following applies as a general rule for firewalls: Everything that is not expressly permitted is forbidden. You also need to define a policy that applies if no other rule applies. Next, completely reset the firewall rules to delete any previously existing rules. To make changes to an interface or a subnet prefix, you just need to adjust the variables. Also, networks or prefixes can be defined in this way. For flexibility, it has proved useful to create variables for the interfaces first and then reference them in the lines of the ruleset. This step can occur at system startup, for example, from the /etc/rc.local directory, or a separate init script can be called. Ip6tables is usually configured with a firewall script. ![]()
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |