27

Say I have a firewall setup on my linux server with iptables so that I only accept port 22 and port 80 traffic and I block access to all other ports.

Do these rules only work if the client machine is using an IPv4 address? So if an IPv6 address is used, the client can access ports I don't want them to? (i.e. ports other than port 22 and port 80)

Braiam
user230779
  • You have not marked any of the answers as useful. You should do that. ;-) – Anders Sep 22 '14 at 14:27
  • You should probably not use iptables as that is way too low level for most users. Use a front end, like ufw, to set up firewall rules. A simple rule of thumb is that if you need to ask, you should probably not use iptables directly. – Anders Jan 26 '22 at 18:28

3 Answers

24

iptables works for IPv4, but not IPv6. ip6tables is the equivalent IPv6 firewall, and is installed with iptables.

Ultimately, though, iptables is for IPv4 connections, ip6tables is for IPv6 connections. If you want your iptables rules to also apply to IPv6, you have to add them to ip6tables as well.


If you try to replicate your iptables ruleset in ip6tables, not all the rules that iptables can do will port over neatly to ip6tables, but most of them will.

Refer to the manpage for ip6tables if you want to make sure the commands that you use in your iptables will neatly port over.


If you'd like, we can help you create equivalent ip6tables rulesets to match your iptables rules, if you provide your firewall rules list (removing any information that could identify the system, of course). Otherwise, we can only answer your general question.

Thomas Ward
  • Isn't this kind of ridiculous then? To clarify, so right now all my ports on the server are wide open to anyone who connects with an IPv6 address? – user230779 Jan 01 '14 at 21:22
  • @user230779 I agree it is "ridiculous" but this is why ufw and other firewall managers exist, they add the rules themselves to both, accordingly. The issue at hand here, though, isn't "Can anyone with IPv6 see my site?" the bigger issue is whether your system has IPv6 addresses. Most connections have IPv4 and IPv6 from client computers like mine. But if the remote server has no IPv6 that is public facing, then the IPv4 is connected. As I understand it, though, if you have IPv6 you should add the rules to ip6tables as well. – Thomas Ward Jan 01 '14 at 21:33
  • @user230779 I could create a script that'd execute the same command for iptables AND ip6tables, and the general rules like -p tcp --dport will still work, but more complex rules might not... (like -j REJECT --reject-with [something]) – Thomas Ward Jan 01 '14 at 21:36
  • Thomas, can you link me to a safe ip6tables example for an Apache webserver? – user230779 Jan 01 '14 at 23:51
  • @user230779 I don't have a link to one, I can create an example set for you though if you really want... the question is what rules do you already have in iptables that you want included on ip6tables so they match? – Thomas Ward Jan 02 '14 at 00:14
  • @user230779 you can reuse the same IPv4 rules, just changing the IPs obviously and iptables for ip6tables ;) – Braiam Jan 04 '14 at 19:43
  • @Braiam for the dport rules, yes, but without their actual ruleset in hand for us to view, some of the rules might not be interchangeable with ip6tables. – Thomas Ward Jan 04 '14 at 22:57
  • Well, I didn't find anything in the manual that said that some flags didn't work with one or the other (except -4 and -6 for obvious reasons) – Braiam Jan 04 '14 at 23:27
  • @Braiam never said anything about the flags. Some of the commands won't work (-j REJECT --reject-with icmp-host-prohibited for example, because the reject packet is a different name in IPv6) – Thomas Ward Jan 05 '14 at 03:24
  • Ohhh, now we are talking... – Braiam Jan 05 '14 at 03:26
  • I would really suggest that people that code iptables with the low level commands upgrade to a frontend, like ufw, as they are made to work with both IPv4 and IPv6. Notice that if you add an address to a rule, that address makes the rule only apply to that address family. And no, there are features in IPv6 that don't exist in IPv4. – Anders Jan 26 '22 at 18:43
4

As others already have told you, there are different firewall tables for IPv4 and IPv6. You could set up rules for IPv6 like for IPv4, but there is a great risk you'll mess it up if you don't know IPv6. Like, you can't drop ICMP for IPv6, as there are essential handshake parts there. Like telling the sender that the frames are too large, etc. Without those things, IPv6 could stop working for some users.

So I would strongly recommend the use of ufw or the package shorewall6 together with shorewall.

The iptables frontend ufw supports both IPv4 and IPv6 and works great on servers with one or two interfaces and now also supports simple routing (working as a router or gateway). It also supports applications and comments, so please use them to make it simpler to go back and look at what you have done.

But if you route traffic, you probably need something better, like shorewall, before manually adding some rules for forwarding with iptables and ip6tables.

Don't forget that you can have more than one IPv6 address on your interfaces. Some are only link local, some are globally static and dynamic. So you should set up rules accordingly and have the servers only listen on the right addresses.

And again, using iptables directly is like coding in assembler. It is fun, but if you don't know all relevant RFCs, you should not do that; use some front end.

Anders
    "Like, you can't drop ICMP for IPv6" Blanket dropping of icmp is not a good idea anyway, whoever does this probably shouldn't be configuring IP networks – Luc Mar 04 '21 at 10:19
  • Yes, but still there are lots of tutorials that suggest that on IPv4. And the network will still work for IPv4, but not on IPv6. And yes, people that filter out all ICMP and that shut down IPv6 on clients should not be configuring IP networks, agree on that one. – Anders Apr 14 '21 at 12:48
1

In 2021 you can create a file with rules that is used for both IPv4 and IPv6, and use the prefixes -4 and -6 for rules that work differently with the two protocols:

## Custom rules
## Based on https://gist.github.com/jirutka/3742890
*filter
#
# Base policy
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
#
# Don't attempt to firewall internal traffic on the loopback device.
-A INPUT -i lo -j ACCEPT
-A INPUT -s localhost -j ACCEPT
#
# Continue connections that are already established or related to an established
# connection.
-4 -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-6 -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
#
# and so on ...

Optionally, you can store that as a file, such as /etc/iptables/rules.combined, and create symbolic links for rules.v4 and rules.v6:

cd /etc/iptables
sudo ln -s rules.combined rules.v4
sudo ln -s rules.combined rules.v6
BurninLeo
  • Still, if you are going to use a serious firewall, one should probably go for a frontend, like ufw or similar, as iptables is really low-level hacking, which makes it very easy to ruin stuff. – Anders Jan 26 '22 at 18:38
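The three answers above make three points that fit together: the same rule text has to reach both iptables and ip6tables (Thomas Ward), ICMPv6 must not be blanket-dropped because neighbour discovery and Packet Too Big live there (Anders), and one restore-format file with -4/-6 line prefixes can feed both tools (BurninLeo). The script below is an added example, not code from any of the answers or from the netfilter project. It generates such a combined file for the question's port 22 / port 80 server, keeps the family-specific parts (ICMP handling and the differently named REJECT types) on prefixed lines, and includes a preview function that mimics how each restore tool ignores the other family's lines. The port list, the ICMP type selection and the rate limit are constructed choices; the path /etc/iptables/rules.combined is the one the answer uses. `apply_rules` is not run here because it needs root and the netfilter tools.

```shell
#!/bin/sh
# Added example (not from the original answers): build ONE restore-format ruleset
# that both iptables-restore and ip6tables-restore can load, using the -4/-6 line
# prefixes. Each tool silently ignores lines prefixed with the other family.
# The port list and the ICMP choices are constructed for illustration.

ALLOWED_TCP_PORTS="22 80"   # the two services from the question

gen_rules() {
  printf '%s\n' '*filter'
  printf '%s\n' ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' ':OUTPUT ACCEPT [0:0]'

  # Loopback and already-tracked connections; identical for both families.
  printf '%s\n' '-A INPUT -i lo -j ACCEPT'
  printf '%s\n' '-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT'

  # IPv4: ping is optional for the protocol, so only a rate-limited echo-request.
  printf '%s\n' '-4 -A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/s -j ACCEPT'

  # IPv6: ICMPv6 carries neighbour discovery and path-MTU discovery (Packet Too Big).
  # Dropping these is the "IPv6 stops working" failure mode the answers warn about.
  for t in destination-unreachable packet-too-big time-exceeded parameter-problem \
           echo-request router-advertisement neighbor-solicitation neighbor-advertisement
  do
    printf '%s\n' "-6 -A INPUT -p ipv6-icmp --icmpv6-type $t -j ACCEPT"
  done

  # The exposed services: same rule text for both families.
  for p in $ALLOWED_TCP_PORTS
  do
    printf '%s\n' "-A INPUT -p tcp --dport $p -m conntrack --ctstate NEW -j ACCEPT"
  done

  # REJECT types are named differently per family, so these lines must be split.
  printf '%s\n' '-4 -A INPUT -j REJECT --reject-with icmp-port-unreachable'
  printf '%s\n' '-6 -A INPUT -j REJECT --reject-with icmp6-port-unreachable'
  printf '%s\n' 'COMMIT'
}

# Preview what a given family's restore tool will actually load: drop the other
# family's lines and strip our own prefix. Mirrors the -4/-6 ignore behaviour.
rules_for_family() {
  case "$1" in
    4) other=6 ;;
    6) other=4 ;;
    *) echo "usage: rules_for_family 4|6" >&2; return 1 ;;
  esac
  gen_rules | sed -e "/^-$other /d" -e "s/^-$1 //"
}

# Not run here: needs root and the netfilter tools. Write the file once and load
# it into both tools (or symlink rules.v4/rules.v6 to it, as the answer shows).
apply_rules() {
  gen_rules > /etc/iptables/rules.combined
  iptables-restore  < /etc/iptables/rules.combined
  ip6tables-restore < /etc/iptables/rules.combined
}

# Show the IPv6 view, i.e. what ip6tables-restore would load:
rules_for_family 6
```

Two design choices worth noting: `-m conntrack` replaces the older `-m state` used in the answer's file because it exists for both families, so the ESTABLISHED rule needs no prefix; and `rules_for_family` is there for review before loading, since the whole point of the combined file is that a typo in one family's REJECT or ICMP line is invisible to the other tool.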