R7AF (Netherlands) asked:

IPv6 and UFW

I have several domains, one server, and domain host and server provider both support IPv6. So I looked up the IPv6 address of my server, and added those AAAA records to the DNS of the domains.

I heard that IPv6 requires specific rules in iptables. I use UFW as frontend to iptables. I looked in /etc/ufw/ufw.conf, added the line "IPV6=yes" and reloaded UFW.

Now I'm wondering, do I need to do anything else? Is this correct? Do I need special rules added for IPv6?
Tags: Linux Security, Linux Networking, DNS, Networking, Network Architecture


8/22/2022 - Mon
David Beveridge

There is a new command for IPv6 firewalling.

For IPv6, you use ip6tables.
Build up a similar script for ip6 as you do for ip4.

Here is an example of an INPUT chain. You might also want OUTPUT, FORWARD or other chains, whatever your environment needs. Be aware that there is no NAT or masquerading in IPv6.
So if this machine is a gateway then you have to have good FORWARD chain rules.

e.g.

#!/bin/sh
echo Inp Rules
LAN=fe80::/64
# Start from an empty INPUT chain; policy stays ACCEPT while rules are loaded
# so a half-built chain does not lock us out, and is set to DROP at the end.
ip6tables -F INPUT
ip6tables -P INPUT ACCEPT
# IPv4-mapped loopback/private sources should never arrive on the wire.
ip6tables -A INPUT -s ::ffff:127.0.0.1 -j DROP
ip6tables -A INPUT -s ::ffff:10.0.0.0/104 -j DROP
ip6tables -A INPUT -s ::ffff:192.168.0.0/112 -j DROP
ip6tables -A INPUT -m state --state ESTABLISHED -j ACCEPT
# Services offered to everyone (service names resolve via /etc/services).
ip6tables -A INPUT -p TCP --dport www -j ACCEPT
ip6tables -A INPUT -p TCP --dport domain -j ACCEPT
ip6tables -A INPUT -p TCP --dport smtp -j ACCEPT
ip6tables -A INPUT -p TCP --dport smtps -j ACCEPT
ip6tables -A INPUT -p TCP --dport submission -j ACCEPT
ip6tables -A INPUT -p TCP --dport https -j ACCEPT
ip6tables -A INPUT -p TCP --dport pop3 -j ACCEPT
ip6tables -A INPUT -p TCP --dport pop3s -j ACCEPT
ip6tables -A INPUT -p TCP --dport imap -j ACCEPT
ip6tables -A INPUT -p TCP --dport imaps -j ACCEPT
# Anything TCP from the link-local LAN and from loopback.
ip6tables -A INPUT -p TCP -s $LAN -j ACCEPT
ip6tables -A INPUT -s ::1 -j ACCEPT
ip6tables -A INPUT -d ::1 -j ACCEPT
# Log, then reset, every other TCP connection attempt. The prefix must be a
# single quoted argument; a trailing backslash would swallow the next line.
ip6tables -A INPUT -p TCP -j LOG --log-prefix "firewall rejected packet "
ip6tables -A INPUT -p TCP -j REJECT --reject-with tcp-reset
ip6tables -A INPUT -p UDP -j ACCEPT
# ICMPv6 carries neighbour discovery and PMTU; do not block it wholesale.
ip6tables -A INPUT -p ICMPv6 -j ACCEPT
ip6tables -A INPUT -j REJECT
ip6tables -P INPUT DROP

ASKER CERTIFIED SOLUTION
David Beveridge

David Beveridge

Keep in mind though that IPv6 differs from IPv4 in that there is no NAT.

Your internal hosts will have public IP addresses in IPv6.
R7AF

ASKER
This is only one server, at the moment, and I don't see that changing soon. If I look at the output of "ip6tables -L -v", I don't see anything back from the rules I've set in UFW, so I think those rules are handled in iptables and picked up by ip6tables?

ip6tables gives the following output:
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
 7224  627K ACCEPT     all      lo     any     anywhere             anywhere            
 4327 2351K ufw6-before-logging-input  all      any    any     anywhere             anywhere            
 4327 2351K ufw6-before-input  all      any    any     anywhere             anywhere            
    0     0 ufw6-after-input  all      any    any     anywhere             anywhere            
    0     0 ufw6-after-logging-input  all      any    any     anywhere             anywhere            
    0     0 ufw6-reject-input  all      any    any     anywhere             anywhere            
    0     0 ufw6-track-input  all      any    any     anywhere             anywhere            

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ufw6-before-logging-forward  all      any    any     anywhere             anywhere            
    0     0 ufw6-before-forward  all      any    any     anywhere             anywhere            
    0     0 ufw6-after-forward  all      any    any     anywhere             anywhere            
    0     0 ufw6-after-logging-forward  all      any    any     anywhere             anywhere            
    0     0 ufw6-reject-forward  all      any    any     anywhere             anywhere            

Chain OUTPUT (policy ACCEPT 4 packets, 272 bytes)
 pkts bytes target     prot opt in     out     source               destination         
 7224  627K ACCEPT     all      any    lo      anywhere             anywhere            
  404 33896 ufw6-before-logging-output  all      any    any     anywhere             anywhere            
  404 33896 ufw6-before-output  all      any    any     anywhere             anywhere            
    9   672 ufw6-after-output  all      any    any     anywhere             anywhere            
    9   672 ufw6-after-logging-output  all      any    any     anywhere             anywhere            
    9   672 ufw6-reject-output  all      any    any     anywhere             anywhere            
    9   672 ufw6-track-output  all      any    any     anywhere             anywhere            

Chain ufw6-after-forward (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw6-after-input (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ufw6-skip-to-policy-input  udp      any    any     anywhere             anywhere            udp dpt:netbios-ns 
    0     0 ufw6-skip-to-policy-input  udp      any    any     anywhere             anywhere            udp dpt:netbios-dgm 
    0     0 ufw6-skip-to-policy-input  tcp      any    any     anywhere             anywhere            tcp dpt:netbios-ssn 
    0     0 ufw6-skip-to-policy-input  tcp      any    any     anywhere             anywhere            tcp dpt:microsoft-ds 
    0     0 ufw6-skip-to-policy-input  udp      any    any     anywhere             anywhere            udp dpt:bootps 
    0     0 ufw6-skip-to-policy-input  udp      any    any     anywhere             anywhere            udp dpt:bootpc 

Chain ufw6-after-logging-forward (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 LOG        all      any    any     anywhere             anywhere            limit: avg 3/min burst 10 LOG level warning prefix `[UFW BLOCK] ' 

Chain ufw6-after-logging-input (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 LOG        all      any    any     anywhere             anywhere            limit: avg 3/min burst 10 LOG level warning prefix `[UFW BLOCK] ' 

Chain ufw6-after-logging-output (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw6-after-output (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw6-before-forward (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ufw6-user-forward  all      any    any     anywhere             anywhere            

Chain ufw6-before-input (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     all      lo     any     anywhere             anywhere            
    2   144 ACCEPT     ipv6-icmp    any    any     anywhere             anywhere            ipv6-icmp neighbour-solicitation HL match HL == 255 
    1    64 ACCEPT     ipv6-icmp    any    any     anywhere             anywhere            ipv6-icmp neighbour-advertisement HL match HL == 255 
    0     0 ACCEPT     ipv6-icmp    any    any     anywhere             anywhere            ipv6-icmp router-solicitation HL match HL == 255 
 2936  305K ACCEPT     ipv6-icmp    any    any     anywhere             anywhere            ipv6-icmp router-advertisement HL match HL == 255 
 1388 2046K ACCEPT     all      any    any     anywhere             anywhere            state RELATED,ESTABLISHED 
    0     0 ufw6-logging-deny  all      any    any     anywhere             anywhere            state INVALID 
    0     0 DROP       all      any    any     anywhere             anywhere            state INVALID 
    0     0 ACCEPT     ipv6-icmp    any    any     anywhere             anywhere            ipv6-icmp destination-unreachable 
    0     0 ACCEPT     ipv6-icmp    any    any     anywhere             anywhere            ipv6-icmp packet-too-big 
    0     0 ACCEPT     ipv6-icmp    any    any     anywhere             anywhere            ipv6-icmp time-exceeded 
    0     0 ACCEPT     ipv6-icmp    any    any     anywhere             anywhere            ipv6-icmp parameter-problem 
    0     0 ACCEPT     ipv6-icmp    any    any     anywhere             anywhere            ipv6-icmp echo-request 
    0     0 ACCEPT     udp      any    any     anywhere             anywhere            udp spt:bootps dpt:bootpc 
    0     0 ACCEPT     ipv6-icmp    any    any     ip6-mcastprefix/8    anywhere            
    0     0 ACCEPT     ipv6-icmp    any    any     anywhere             ip6-mcastprefix/8   
    0     0 ACCEPT     ipv6-icmp    any    any     ip6-mcastprefix/8    anywhere            
    0     0 ACCEPT     ipv6-icmp    any    any     anywhere             ip6-mcastprefix/8   
    0     0 ufw6-user-input  all      any    any     anywhere             anywhere            

Chain ufw6-before-logging-forward (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw6-before-logging-input (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw6-before-logging-output (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw6-before-output (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     all      any    lo      anywhere             anywhere            
  395 33224 ACCEPT     all      any    any     anywhere             anywhere            state RELATED,ESTABLISHED 
    9   672 ufw6-user-output  all      any    any     anywhere             anywhere            

Chain ufw6-logging-allow (0 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 LOG        all      any    any     anywhere             anywhere            limit: avg 3/min burst 10 LOG level warning prefix `[UFW ALLOW] ' 

Chain ufw6-logging-deny (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 RETURN     all      any    any     anywhere             anywhere            state INVALID limit: avg 3/min burst 10 
    0     0 LOG        all      any    any     anywhere             anywhere            limit: avg 3/min burst 10 LOG level warning prefix `[UFW BLOCK] ' 

Chain ufw6-reject-forward (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw6-reject-input (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw6-reject-output (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw6-skip-to-policy-forward (0 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DROP       all      any    any     anywhere             anywhere            

Chain ufw6-skip-to-policy-input (6 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DROP       all      any    any     anywhere             anywhere            

Chain ufw6-skip-to-policy-output (0 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     all      any    any     anywhere             anywhere            

Chain ufw6-track-input (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw6-track-output (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    5   400 ACCEPT     tcp      any    any     anywhere             anywhere            state NEW 
    0     0 ACCEPT     udp      any    any     anywhere             anywhere            state NEW 

Chain ufw6-user-forward (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw6-user-input (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw6-user-limit (0 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw6-user-limit-accept (0 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw6-user-logging-forward (0 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw6-user-logging-input (0 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw6-user-logging-output (0 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw6-user-output (1 references)
 pkts bytes target     prot opt in     out     source               destination         

David Beveridge

Without knowing what rules you put into ufw it's hard to say.
Looks like it's set to accept NetBIOS over TCP (Samba).

For what it's doing it is way complicated.
R7AF

ASKER
These are the rules set in UFW:

To                         Action      From
--                         ------      ----
Anywhere                   DENY        12.34.56.78
22                         ALLOW       Anywhere
80                         ALLOW       Anywhere
443                        ALLOW       Anywhere
8180                       ALLOW       Anywhere
5432                       ALLOW       23.45.67.89


David Beveridge

That does not look like a match.
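As an added example, not posted by anyone in this thread: a small shell check for the mismatch discussed above. `ufw status` marks IPv6 rules with a "(v6)" suffix in the To and From columns, and rules added while IPV6=no are written for IPv4 only, so the function below lists every rule allowed from "Anywhere" that has no "(v6)" twin. The sample table is constructed from the asker's rules plus one hypothetical matched pair; it assumes the plain `ufw status` layout (not `status verbose`).

```shell
#!/bin/sh
# Added example (not from the thread): report ufw rules that exist for IPv4 only.

# Constructed sample: the asker's `ufw status` table plus one hypothetical
# rule that does have its IPv6 twin, to show what a matched pair looks like.
SAMPLE_STATUS='To                         Action      From
--                         ------      ----
Anywhere                   DENY        12.34.56.78
22                         ALLOW       Anywhere
80                         ALLOW       Anywhere
443                        ALLOW       Anywhere
8180                       ALLOW       Anywhere
5432                       ALLOW       23.45.67.89
22 (v6)                    ALLOW       Anywhere (v6)'

# missing_v6_rules STATUS_TEXT
# Prints, one per line and numerically sorted, the "To" value of every rule
# whose From column is "Anywhere" and for which no "(v6)" counterpart exists.
missing_v6_rules() {
    printf '%s\n' "$1" | awk '
        /^To / || /^-- / || NF == 0 { next }   # header, separator, blank lines
        $2 == "(v6)" { v6[$1] = 1; next }      # e.g. "22 (v6)  ALLOW  Anywhere (v6)"
        $NF == "Anywhere" && $1 != "Anywhere" { v4[$1] = 1 }
        END { for (p in v4) if (!(p in v6)) print p }
    ' | sort -n
}

# On a live system (needs root) check the real table instead of the sample:
#   missing_v6_rules "$(ufw status)"
missing_v6_rules "$SAMPLE_STATUS"   # prints 80, 443 and 8180, one per line
```

Rules scoped to a single IPv4 source (the DENY and the 5432 rule) are skipped on purpose, since they cannot have an IPv6 equivalent without a new address.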