IPv6 and UFW

R7AF
I have several domains, one server, and domain host and server provider both support IPv6. So I looked up the IPv6 address of my server, and added those AAAA records to the DNS of the domains.

I heard that IPv6 requires specific rules in iptables. I use UFW as frontend to iptables. I looked in /etc/ufw/ufw.conf, added the line "IPV6=yes" and reloaded UFW.

Now I'm wondering, do I need to do anything else? Is this correct? Do I need special rules added for IPv6?
David Beveridge, Linux Systems Admin

Commented:
There is a new command for IPv6 firewalling.

For IPv6, you use ip6tables.
Build up a similar script for ip6 as you do for ip4.

Here is an example of an INPUT chain. You might also want OUTPUT, FORWARD, chains or whatever for your environment.  Be aware that there is no NAT or Masquerading in IPv6.
So if this machine is a gateway then you have to have good FORWARD chain rules.

e.g.
#!/bin/sh
echo Inp Rules
LAN=fe80::/64
# Flush INPUT and keep the policy at ACCEPT while the chain is rebuilt,
# so an existing remote session is not cut off part way through.
ip6tables -F INPUT
ip6tables -P INPUT ACCEPT
# Drop IPv4-mapped sources (::ffff:a.b.c.d) that claim to be loopback or private space.
ip6tables -A INPUT -s ::ffff:127.0.0.1 -j DROP
ip6tables -A INPUT -s ::ffff:10.0.0.0/104 -j DROP
ip6tables -A INPUT -s ::ffff:192.168.0.0/112 -j DROP
# Traffic belonging to connections that are already established.
ip6tables -A INPUT -m state --state ESTABLISHED -j ACCEPT
# Public services on this host (port names as in /etc/services).
ip6tables -A INPUT -p TCP --dport www -j ACCEPT
ip6tables -A INPUT -p TCP --dport domain -j ACCEPT
ip6tables -A INPUT -p TCP --dport smtp -j ACCEPT
ip6tables -A INPUT -p TCP --dport smtps -j ACCEPT
ip6tables -A INPUT -p TCP --dport submission -j ACCEPT
ip6tables -A INPUT -p TCP --dport https -j ACCEPT
ip6tables -A INPUT -p TCP --dport pop3 -j ACCEPT
ip6tables -A INPUT -p TCP --dport pop3s -j ACCEPT
ip6tables -A INPUT -p TCP --dport imap -j ACCEPT
ip6tables -A INPUT -p TCP --dport imaps -j ACCEPT
# Anything over TCP from the local link, plus loopback.
ip6tables -A INPUT -p TCP -s $LAN -j ACCEPT
ip6tables -A INPUT -s ::1 -j ACCEPT
ip6tables -A INPUT -d ::1 -j ACCEPT
# Log and reject remaining TCP (the prefix is quoted: a trailing backslash would
# otherwise continue the line into the next command).
ip6tables -A INPUT -p TCP -j LOG --log-prefix "firewall rejected packet "
ip6tables -A INPUT -p TCP -j REJECT --reject-with tcp-reset
# UDP and ICMPv6 are allowed; ICMPv6 is required for neighbour discovery.
ip6tables -A INPUT -p UDP -j ACCEPT
ip6tables -A INPUT -p ICMPv6 -j ACCEPT
ip6tables -A INPUT -j REJECT
# Only now switch the default policy to DROP.
ip6tables -P INPUT DROP

Linux Systems Admin
Commented:
Strictly speaking, UFW should be creating rules for both IPv4 and IPv6.

Once in place you can try these commands to see what rules it has created.

iptables -L -v
ip6tables -L -v
David Beveridge, Linux Systems Admin

Commented:
Keep in mind though that IPv6 differs from IPv4 in that there is no NAT.

Your internal hosts will have public IP addresses in IPv6.
Author

Commented:
This is only one server, at the moment, and I don't see that changing soon. If I look at the output of "ip6tables -L -v", I don't see anything back from the rules I've set in UFW, so I think those rules are handled in iptables and picked up by ip6tables?

ip6tables gives the following output:
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
 7224  627K ACCEPT     all      lo     any     anywhere             anywhere            
 4327 2351K ufw6-before-logging-input  all      any    any     anywhere             anywhere            
 4327 2351K ufw6-before-input  all      any    any     anywhere             anywhere            
    0     0 ufw6-after-input  all      any    any     anywhere             anywhere            
    0     0 ufw6-after-logging-input  all      any    any     anywhere             anywhere            
    0     0 ufw6-reject-input  all      any    any     anywhere             anywhere            
    0     0 ufw6-track-input  all      any    any     anywhere             anywhere            

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ufw6-before-logging-forward  all      any    any     anywhere             anywhere            
    0     0 ufw6-before-forward  all      any    any     anywhere             anywhere            
    0     0 ufw6-after-forward  all      any    any     anywhere             anywhere            
    0     0 ufw6-after-logging-forward  all      any    any     anywhere             anywhere            
    0     0 ufw6-reject-forward  all      any    any     anywhere             anywhere            

Chain OUTPUT (policy ACCEPT 4 packets, 272 bytes)
 pkts bytes target     prot opt in     out     source               destination         
 7224  627K ACCEPT     all      any    lo      anywhere             anywhere            
  404 33896 ufw6-before-logging-output  all      any    any     anywhere             anywhere            
  404 33896 ufw6-before-output  all      any    any     anywhere             anywhere            
    9   672 ufw6-after-output  all      any    any     anywhere             anywhere            
    9   672 ufw6-after-logging-output  all      any    any     anywhere             anywhere            
    9   672 ufw6-reject-output  all      any    any     anywhere             anywhere            
    9   672 ufw6-track-output  all      any    any     anywhere             anywhere            

Chain ufw6-after-forward (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw6-after-input (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ufw6-skip-to-policy-input  udp      any    any     anywhere             anywhere            udp dpt:netbios-ns 
    0     0 ufw6-skip-to-policy-input  udp      any    any     anywhere             anywhere            udp dpt:netbios-dgm 
    0     0 ufw6-skip-to-policy-input  tcp      any    any     anywhere             anywhere            tcp dpt:netbios-ssn 
    0     0 ufw6-skip-to-policy-input  tcp      any    any     anywhere             anywhere            tcp dpt:microsoft-ds 
    0     0 ufw6-skip-to-policy-input  udp      any    any     anywhere             anywhere            udp dpt:bootps 
    0     0 ufw6-skip-to-policy-input  udp      any    any     anywhere             anywhere            udp dpt:bootpc 

Chain ufw6-after-logging-forward (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 LOG        all      any    any     anywhere             anywhere            limit: avg 3/min burst 10 LOG level warning prefix `[UFW BLOCK] ' 

Chain ufw6-after-logging-input (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 LOG        all      any    any     anywhere             anywhere            limit: avg 3/min burst 10 LOG level warning prefix `[UFW BLOCK] ' 

Chain ufw6-after-logging-output (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw6-after-output (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw6-before-forward (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ufw6-user-forward  all      any    any     anywhere             anywhere            

Chain ufw6-before-input (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     all      lo     any     anywhere             anywhere            
    2   144 ACCEPT     ipv6-icmp    any    any     anywhere             anywhere            ipv6-icmp neighbour-solicitation HL match HL == 255 
    1    64 ACCEPT     ipv6-icmp    any    any     anywhere             anywhere            ipv6-icmp neighbour-advertisement HL match HL == 255 
    0     0 ACCEPT     ipv6-icmp    any    any     anywhere             anywhere            ipv6-icmp router-solicitation HL match HL == 255 
 2936  305K ACCEPT     ipv6-icmp    any    any     anywhere             anywhere            ipv6-icmp router-advertisement HL match HL == 255 
 1388 2046K ACCEPT     all      any    any     anywhere             anywhere            state RELATED,ESTABLISHED 
    0     0 ufw6-logging-deny  all      any    any     anywhere             anywhere            state INVALID 
    0     0 DROP       all      any    any     anywhere             anywhere            state INVALID 
    0     0 ACCEPT     ipv6-icmp    any    any     anywhere             anywhere            ipv6-icmp destination-unreachable 
    0     0 ACCEPT     ipv6-icmp    any    any     anywhere             anywhere            ipv6-icmp packet-too-big 
    0     0 ACCEPT     ipv6-icmp    any    any     anywhere             anywhere            ipv6-icmp time-exceeded 
    0     0 ACCEPT     ipv6-icmp    any    any     anywhere             anywhere            ipv6-icmp parameter-problem 
    0     0 ACCEPT     ipv6-icmp    any    any     anywhere             anywhere            ipv6-icmp echo-request 
    0     0 ACCEPT     udp      any    any     anywhere             anywhere            udp spt:bootps dpt:bootpc 
    0     0 ACCEPT     ipv6-icmp    any    any     ip6-mcastprefix/8    anywhere            
    0     0 ACCEPT     ipv6-icmp    any    any     anywhere             ip6-mcastprefix/8   
    0     0 ACCEPT     ipv6-icmp    any    any     ip6-mcastprefix/8    anywhere            
    0     0 ACCEPT     ipv6-icmp    any    any     anywhere             ip6-mcastprefix/8   
    0     0 ufw6-user-input  all      any    any     anywhere             anywhere            

Chain ufw6-before-logging-forward (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw6-before-logging-input (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw6-before-logging-output (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw6-before-output (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     all      any    lo      anywhere             anywhere            
  395 33224 ACCEPT     all      any    any     anywhere             anywhere            state RELATED,ESTABLISHED 
    9   672 ufw6-user-output  all      any    any     anywhere             anywhere            

Chain ufw6-logging-allow (0 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 LOG        all      any    any     anywhere             anywhere            limit: avg 3/min burst 10 LOG level warning prefix `[UFW ALLOW] ' 

Chain ufw6-logging-deny (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 RETURN     all      any    any     anywhere             anywhere            state INVALID limit: avg 3/min burst 10 
    0     0 LOG        all      any    any     anywhere             anywhere            limit: avg 3/min burst 10 LOG level warning prefix `[UFW BLOCK] ' 

Chain ufw6-reject-forward (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw6-reject-input (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw6-reject-output (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw6-skip-to-policy-forward (0 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DROP       all      any    any     anywhere             anywhere            

Chain ufw6-skip-to-policy-input (6 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DROP       all      any    any     anywhere             anywhere            

Chain ufw6-skip-to-policy-output (0 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     all      any    any     anywhere             anywhere            

Chain ufw6-track-input (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw6-track-output (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    5   400 ACCEPT     tcp      any    any     anywhere             anywhere            state NEW 
    0     0 ACCEPT     udp      any    any     anywhere             anywhere            state NEW 

Chain ufw6-user-forward (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw6-user-input (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw6-user-limit (0 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw6-user-limit-accept (0 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw6-user-logging-forward (0 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw6-user-logging-input (0 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw6-user-logging-output (0 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw6-user-output (1 references)
 pkts bytes target     prot opt in     out     source               destination         

David Beveridge, Linux Systems Admin

Commented:
Without knowing what rules you put into ufw it's hard to say.
Looks like it's set to accept NetBIOS over TCP. (samba)

For what it's doing it is way complicated.
Author

Commented:
These are the rules set in UFW:

To                         Action      From
--                         ------      ----
Anywhere                   DENY        12.34.56.78
22                         ALLOW       Anywhere
80                         ALLOW       Anywhere
443                        ALLOW       Anywhere
8180                       ALLOW       Anywhere
5432                       ALLOW       23.45.67.89

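As an added example (not written by anyone in this thread): a small POSIX shell check that parses `ip6tables -L <chain> -v -n` output and reports which ports allowed in `ufw status` have no matching `dpt:` rule in the ufw6-user-input chain. The sample listing is constructed to mirror the author's output above, where ufw6-user-input is empty while UFW lists ALLOW rules for 22, 80, 443 and 8180 (the 5432 rule is limited to an IPv4 source, so no IPv6 counterpart is expected for it).

```shell
#!/bin/sh
# Added example: verify that UFW's IPv6 user chain actually carries the ports
# allowed in `ufw status`. Reads `ip6tables -L <chain> -v -n` output on stdin.

# Constructed sample in `-n` form: the empty ufw6-user-input chain from the
# listing above, and what it would look like with three ALLOW rules present.
SAMPLE_EMPTY='Chain ufw6-user-input (1 references)
 pkts bytes target     prot opt in     out     source               destination
'
SAMPLE_FILLED='Chain ufw6-user-input (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     tcp      *      *       ::/0                 ::/0                 tcp dpt:22
    0     0 ACCEPT     tcp      *      *       ::/0                 ::/0                 tcp dpt:80
    0     0 ACCEPT     tcp      *      *       ::/0                 ::/0                 tcp dpt:443
'

# chain_rules CHAIN: print only the rule lines of CHAIN (no "Chain"/header lines).
chain_rules() {
  awk -v chain="$1" '
    /^Chain / { inchain = ($2 == chain); next }
    inchain && $1 == "pkts" { next }
    inchain && NF { print }
  '
}

# count_chain_rules CHAIN: number of rules present in CHAIN.
count_chain_rules() { chain_rules "$1" | wc -l | tr -d ' '; }

# missing_v6_ports CHAIN PORT...: print each PORT that has no "dpt:PORT" rule in CHAIN.
# The port must be followed by whitespace or end of line, so 8 does not match 80.
missing_v6_ports() {
  chain=$1; shift
  rules=$(chain_rules "$chain")
  for port in "$@"; do
    if ! printf '%s\n' "$rules" | grep -qE "dpt:${port}([[:space:]]|\$)"; then
      echo "$port"
    fi
  done
}

# Demo on the constructed sample. On a live host replace the printf with:
#   ip6tables -L ufw6-user-input -v -n | missing_v6_ports ufw6-user-input 22 80 443 8180
printf '%s' "$SAMPLE_EMPTY" | missing_v6_ports ufw6-user-input 22 80 443 8180 |
  sed 's/^/no IPv6 ACCEPT rule for port /'
```

An empty ufw6-user-input chain with ports reported missing means the UFW rules exist only in iptables, not in ip6tables, which is exactly the mismatch discussed above.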
David Beveridge, Linux Systems Admin

Commented:
That does not look like a match.
