Firewall software in Linux
The ip6tables command. Like iptables, ip6tables is firewall software for Linux; the difference is that ip6tables operates on the IPv6 protocol rather than IPv4.
ip6tables (options)
-t<table>: Specify the table to be manipulated;
-A: Add entries to the rule chain;
-D: Delete entries from the rule chain;
-I: Insert an entry into the rule chain;
-R: Replace entries in the rule chain;
-L: Display existing entries in the rule chain;
-F: Clear existing entries in the rule chain;
-Z: Clear the packet counter and byte counter in the rule chain;
-N: Create a new user-defined rule chain;
-P: Defines the default target in the rule chain;
-h: Display help information;
-p: Specifies the packet protocol type to be matched;
-s: Specify the source IP address of the data packet to be matched;
-j<target>: Specify the target to jump to;
-i<network interface>: Specifies the network interface through which data packets enter the machine;
-o<network interface>: Specifies the network interface used by data packets to leave the machine.
-c<counter>: Initialize the packet and byte counters of a rule when inserting (-I), appending (-A) or replacing (-R) it.
Enter the following command in the command line window to view the current IPv6 firewall configuration:
ip6tables -nL --line-numbers
/etc/sysconfig/ip6tables file
Use an editor to edit the /etc/sysconfig/ip6tables file:
vi /etc/sysconfig/ip6tables
You may see the following default ip6tables rules:
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmpv6 -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d ff02::fb -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 32768:61000 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 32768:61000 ! --syn -j ACCEPT
-A RH-Firewall-1-INPUT -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp6-adm-prohibited
COMMIT
These rules are similar to the IPv4 iptables rules, but not identical.
To open port 80 (HTTP server port), add the following rule before the COMMIT line:
-A RH-Firewall-1-INPUT -m tcp -p tcp --dport 80 -j ACCEPT
-p tcp means the rule applies only to the TCP protocol; --dport specifies the destination port number.
To open port 53 (DNS server port), add the following rule before the COMMIT line:
-A RH-Firewall-1-INPUT -m tcp -p tcp --dport 53 -j ACCEPT
-A RH-Firewall-1-INPUT -m udp -p udp --dport 53 -j ACCEPT
This opens port 53 for both the TCP and UDP protocols.
To open port 443, add the following rule before the COMMIT line:
-A RH-Firewall-1-INPUT -m tcp -p tcp --dport 443 -j ACCEPT
To open port 25 (SMTP mail server port), add the following rule before the COMMIT line:
-A RH-Firewall-1-INPUT -m tcp -p tcp --dport 25 -j ACCEPT
Packets that match none of the specific rules are usually unwanted, and there is probably something wrong with them. We may also want to log them before dropping them. To do this, change the last lines:
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp6-adm-prohibited
COMMIT
Change to:
-A RH-Firewall-1-INPUT -j LOG
-A RH-Firewall-1-INPUT -j DROP
COMMIT
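As an added example (not from the original page), the Python below checks a rules file in this iptables-save format for the mistakes that iptables-restore rejects or that silently do not do what was intended (a lowercase policy or target, a -m tcp or -m udp match paired with a different -p, a jump to an undeclared chain, a missing COMMIT) and inserts port-opening rules before COMMIT with the match module kept consistent with -p. The SAMPLE_RULES string inside it is constructed from the default file above and deliberately keeps two of those defects so the checker has something to find.

```python
"""Check an ip6tables rules file in iptables-save format for mistakes
that iptables-restore rejects or that silently do not do what was meant,
and insert port-opening rules before COMMIT.  Added example, not from the
page; SAMPLE_RULES is constructed from the default file above and keeps
two of its defects (a lowercase policy and '-m udp -p tcp') on purpose."""
import shlex

BUILTIN_TARGETS = {"ACCEPT", "DROP", "REJECT", "LOG", "RETURN", "QUEUE"}
BUILTIN_CHAINS = {"INPUT", "OUTPUT", "FORWARD", "PREROUTING", "POSTROUTING"}

SAMPLE_RULES = """\
*filter
:INPUT accept [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmpv6 -j ACCEPT
-A RH-Firewall-1-INPUT -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -m udp -p tcp --dport 53 -j ACCEPT
-A RH-Firewall-1-INPUT -j reject --reject-with icmp6-adm-prohibited
COMMIT
"""


def lint_ruleset(text):
    """Return a list of (line_number, message); empty means no defect found."""
    problems = []
    chains = set(BUILTIN_CHAINS)
    # Collect every ':NAME policy [pkts:bytes]' declaration first so that a
    # jump to a user chain declared later in the file is not flagged.
    for line in text.splitlines():
        if line.startswith(":"):
            chains.add(line[1:].split()[0])
    saw_commit = False
    for no, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line[0] in "#*":
            continue
        if line.strip() == "COMMIT":
            saw_commit = True
            continue
        if line.startswith(":"):
            name, policy = line[1:].split()[:2]
            if name in BUILTIN_CHAINS and policy not in ("ACCEPT", "DROP"):
                problems.append((no, f"{name}: policy {policy!r} is not ACCEPT or DROP (case matters)"))
            continue
        args = shlex.split(line)
        opts = {}
        for i, tok in enumerate(args[:-1]):
            if tok in ("-A", "-I", "-p", "-m", "-j"):
                opts.setdefault(tok, []).append(args[i + 1])
        proto = opts.get("-p", ["(none)"])[0]
        for match in opts.get("-m", []):
            # The tcp/udp match modules only apply to their own protocol; the
            # kernel refuses the rule when -p says something else.
            if match in ("tcp", "udp") and proto != match:
                problems.append((no, f"-m {match} paired with -p {proto}: match is only valid for protocol {match}"))
        for target in opts.get("-j", []):
            if target not in BUILTIN_TARGETS and target not in chains:
                hint = " (target names are case-sensitive)" if target.upper() in BUILTIN_TARGETS else ""
                problems.append((no, f"unknown target {target!r}{hint}"))
        for chain in opts.get("-A", []) + opts.get("-I", []):
            if chain not in chains:
                problems.append((no, f"rule added to undeclared chain {chain!r}"))
    if not saw_commit:
        problems.append((0, "no COMMIT line: iptables-restore will not apply the table"))
    return problems


def open_port(text, port, protos=("tcp",), chain="RH-Firewall-1-INPUT"):
    """Insert one ACCEPT rule per protocol for PORT just before COMMIT,
    keeping -m and -p the same so the rule loads."""
    lines = text.splitlines()
    idx = lines.index("COMMIT")
    new = [f"-A {chain} -m {p} -p {p} --dport {port} -j ACCEPT" for p in protos]
    return "\n".join(lines[:idx] + new + lines[idx:]) + "\n"


if __name__ == "__main__":
    for no, msg in lint_ruleset(SAMPLE_RULES):
        print(f"line {no}: {msg}")
    print(open_port(SAMPLE_RULES, 53, ("tcp", "udp")))
```

Run it against the real file with `python3 lint.py < /etc/sysconfig/ip6tables` after replacing SAMPLE_RULES with `sys.stdin.read()`; a clean result is worth having before `service ip6tables restart`, because iptables-restore aborts the whole table on the first bad line and leaves the previous ruleset in place.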
Save and close the file. Then restart the ip6tables firewall:
# service ip6tables restart
Then list the ip6tables rules again; you should see output like the one shown below:
# ip6tables -vnL --line-numbers
Output example:
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target               prot opt in  out source destination
1    42237 3243K RH-Firewall-1-INPUT  all      *   *   ::/0   ::/0

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target               prot opt in  out source destination
1        0     0 RH-Firewall-1-INPUT  all      *   *   ::/0   ::/0

Chain OUTPUT (policy ACCEPT 12557 packets, 2042K bytes)
num   pkts bytes target               prot opt in  out source destination

Chain RH-Firewall-1-INPUT (2 references)
num   pkts bytes target               prot opt in  out source destination
1        6   656 ACCEPT               all      lo  *   ::/0   ::/0
2    37519 2730K ACCEPT               icmpv6   *   *   ::/0   ::/0
3        0     0 ACCEPT               esp      *   *   ::/0   ::/0
4        0     0 ACCEPT               ah       *   *   ::/0   ::/0
5      413 48385 ACCEPT               udp      *   *   ::/0   ff02::fb/128  udp dpt:5353
6        0     0 ACCEPT               udp      *   *   ::/0   ::/0          udp dpt:631
7        0     0 ACCEPT               tcp      *   *   ::/0   ::/0          tcp dpt:631
8      173 79521 ACCEPT               udp      *   *   ::/0   ::/0          udp dpts:32768:61000
9        0     0 ACCEPT               tcp      *   *   ::/0   ::/0          tcp dpts:32768:61000 flags:!0x16/0x02
10       0     0 ACCEPT               tcp      *   *   ::/0   ::/0          tcp dpt:22
11       0     0 ACCEPT               tcp      *   *   ::/0   ::/0          tcp dpt:80
12       0     0 ACCEPT               tcp      *   *   ::/0   ::/0          tcp dpt:53
13    4108  380K ACCEPT               udp      *   *   ::/0   ::/0          udp dpt:53
14      18  4196 REJECT               all      *   *   ::/0
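An added example, not part of the original page: a Python parser for the `ip6tables -vnL --line-numbers` listing above. It reads the per-chain counters, reports rules that have never matched since the counters were last zeroed with -Z (a quick way to spot ports opened but never used), and checks whether a chain ends in an unconditional DROP or REJECT. The listing embedded in it is a constructed sample in the same layout as the output above; note that ip6tables leaves the "opt" column empty, which is why the fields split as they do.

```python
"""Parse `ip6tables -vnL --line-numbers` output, find rules that have
never matched, and check for a catch-all at the end of a chain.
Added example; SAMPLE_LISTING is a constructed sample in the layout
ip6tables prints (the 'opt' column is empty on IPv6, so a row splits
into 9 fixed fields plus free-form match text)."""
import re

SAMPLE_LISTING = """\
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target               prot opt in  out source destination
1    42237 3243K RH-Firewall-1-INPUT  all      *   *   ::/0   ::/0

Chain RH-Firewall-1-INPUT (2 references)
num   pkts bytes target               prot opt in  out source destination
1        6   656 ACCEPT               all      lo  *   ::/0   ::/0
2    37519 2730K ACCEPT               icmpv6   *   *   ::/0   ::/0
3        0     0 ACCEPT               esp      *   *   ::/0   ::/0
4      413 48385 ACCEPT               udp      *   *   ::/0   ff02::fb/128  udp dpt:5353
5        0     0 ACCEPT               tcp      *   *   ::/0   ::/0          tcp dpt:22
6        0     0 ACCEPT               tcp      *   *   ::/0   ::/0          tcp dpt:80
7     4108  380K ACCEPT               udp      *   *   ::/0   ::/0          udp dpt:53
8       18  4196 REJECT               all      *   *   ::/0   ::/0          reject-with icmp6-adm-prohibited
"""

# iptables -v abbreviates counters with decimal (not binary) multipliers.
SUFFIX = {"K": 10**3, "M": 10**6, "G": 10**9, "T": 10**12}


def to_int(s):
    """'3243K' -> 3243000, '656' -> 656."""
    if s[-1] in SUFFIX:
        return int(s[:-1]) * SUFFIX[s[-1]]
    return int(s)


def parse_listing(text):
    """Return {chain_name: {'policy': str|None, 'rules': [dict, ...]}}."""
    chains, current = {}, None
    for line in text.splitlines():
        m = re.match(r"Chain (\S+) \((.*)\)", line)
        if m:
            pm = re.match(r"policy (\S+)", m.group(2))  # absent on user chains
            current = {"policy": pm.group(1) if pm else None, "rules": []}
            chains[m.group(1)] = current
            continue
        if not line.strip() or line.startswith("num") or current is None:
            continue
        f = line.split()
        current["rules"].append({
            "num": int(f[0]), "pkts": to_int(f[1]), "bytes": to_int(f[2]),
            "target": f[3], "prot": f[4], "in": f[5], "out": f[6],
            "source": f[7], "destination": f[8], "extra": " ".join(f[9:]),
        })
    return chains


def unused_rules(chains):
    """(chain, num, target, extra) for rules with a zero packet counter."""
    return [(name, r["num"], r["target"], r["extra"])
            for name, c in chains.items() for r in c["rules"] if r["pkts"] == 0]


def ends_with_catch_all(chains, name):
    """True if the chain's last rule drops or rejects everything that reaches it."""
    rules = chains[name]["rules"]
    if not rules:
        return False
    last = rules[-1]
    return (last["target"] in ("DROP", "REJECT") and last["prot"] == "all"
            and last["in"] == "*" and last["out"] == "*"
            and last["source"] == "::/0" and last["destination"] == "::/0")


if __name__ == "__main__":
    chains = parse_listing(SAMPLE_LISTING)
    for chain, num, target, extra in unused_rules(chains):
        print(f"{chain} rule {num} ({target} {extra}) has never matched")
    print("RH-Firewall-1-INPUT ends in catch-all:",
          ends_with_catch_all(chains, "RH-Firewall-1-INPUT"))
```

Pipe live output in with `ip6tables -vnL --line-numbers | python3 listing.py` (replacing SAMPLE_LISTING with `sys.stdin.read()`). A zero counter on a rule is only meaningful relative to when counters were last cleared, so compare against uptime or a known -Z before deciding a rule is dead.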
IPv6 Private IP
With IPv4, hosts on an internal LAN are usually protected by default because they sit on private addresses behind NAT. IPv6 has such a large address space that private networks built on NAT are no longer needed; every internal host can have a public address and connect directly to the Internet, which also exposes it directly to every threat on the Internet. So how do you configure an IPv6 firewall that drops all incoming packets by default, except ping6 requests? Unique local IPv6 unicast addresses can be identified by the FC00::/7 prefix.
Allow specific ICMPv6 traffic
When using IPv6, you need to allow more types of ICMP traffic than with IPv4 so that routing and IP address autoconfiguration work properly. If your rules are too strict, the host may not be assigned a correct IPv6 address (unless, of course, its address is configured statically rather than obtained automatically or via DHCP).
The following are some common ICMPv6 configuration examples:
:ICMPv6 - [0:0]
# Approve certain ICMPv6 types and all outgoing ICMPv6
# http://forum.linode.com/viewtopic.php?p=39840#39840
-A INPUT -p icmpv6 -j ICMPv6
-A ICMPv6 -p icmpv6 --icmpv6-type echo-request -j ACCEPT
-A ICMPv6 -p icmpv6 --icmpv6-type destination-unreachable -j ACCEPT
-A ICMPv6 -p icmpv6 --icmpv6-type packet-too-big -j ACCEPT
-A ICMPv6 -p icmpv6 --icmpv6-type time-exceeded -j ACCEPT
-A ICMPv6 -p icmpv6 --icmpv6-type parameter-problem -j ACCEPT
-A ICMPv6 -p icmpv6 --icmpv6-type router-solicitation -j ACCEPT
-A ICMPv6 -p icmpv6 --icmpv6-type router-advertisement -j ACCEPT
-A ICMPv6 -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
-A ICMPv6 -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
-A ICMPv6 -p icmpv6 --icmpv6-type redirect -j ACCEPT
-A ICMPv6 -p icmpv6 --icmpv6-type 141 -j ACCEPT
-A ICMPv6 -p icmpv6 --icmpv6-type 142 -j ACCEPT
-A ICMPv6 -p icmpv6 --icmpv6-type 148 -j ACCEPT
-A ICMPv6 -p icmpv6 --icmpv6-type 149 -j ACCEPT
-A ICMPv6 -p icmpv6 --icmpv6-type 130 -s fe80::/10 -j ACCEPT
-A ICMPv6 -p icmpv6 --icmpv6-type 131 -s fe80::/10 -j ACCEPT
-A ICMPv6 -p icmpv6 --icmpv6-type 132 -s fe80::/10 -j ACCEPT
-A ICMPv6 -p icmpv6 --icmpv6-type 143 -s fe80::/10 -j ACCEPT
-A ICMPv6 -p icmpv6 --icmpv6-type 151 -s fe80::/10 -j ACCEPT
-A ICMPv6 -p icmpv6 --icmpv6-type 152 -s fe80::/10 -j ACCEPT
-A ICMPv6 -p icmpv6 --icmpv6-type 153 -s fe80::/10 -j ACCEPT
-A ICMPv6 -j RETURN
-A OUTPUT -p icmpv6 -j ACCEPT
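The question posed in the "IPv6 Private IP" section (drop everything incoming by default while still answering ping6) and the ICMPv6 chain above can be combined into one generated ruleset. The Python below is an added example, not the page's configuration: build_ruleset() emits an iptables-restore file with INPUT and FORWARD policy DROP, an ICMPv6 chain that accepts the error, echo-request, neighbour-discovery and link-local multicast-listener types, and TCP service ports reachable only from the fc00::/7 unique-local range; missing_nd_types() checks any ruleset text for the four neighbour-discovery types without which a host cannot learn its router or address. The port list, the trusted prefix, the conntrack, limit and hl matches, and the log prefix are my assumptions, not something the page specifies.

```python
"""Generate an ip6tables ruleset (iptables-restore format) that drops
incoming traffic by default but keeps the ICMPv6 types IPv6 needs for
neighbour discovery and address autoconfiguration, and check any
ruleset for that coverage.  Added example, not the page's own config;
the service ports, trusted prefix and extra matches are assumptions."""
import re

# Neighbour-discovery types (RFC 4861) a host cannot function without.
# Keys are the names ip6tables accepts for --icmpv6-type; values are numbers.
ND_TYPES = {
    "router-solicitation": 133,
    "router-advertisement": 134,
    "neighbor-solicitation": 135,
    "neighbor-advertisement": 136,
}
# Error messages every host should accept (path MTU discovery needs packet-too-big).
ERROR_TYPES = ("destination-unreachable", "packet-too-big",
               "time-exceeded", "parameter-problem")
# Multicast Listener Discovery messages, always sent from link-local sources.
MLD_TYPES = (130, 131, 132, 143)


def build_ruleset(tcp_ports=(22,), trusted_prefix="fc00::/7", allow_ping=True):
    """Return the ruleset text.  tcp_ports are opened only to trusted_prefix
    (the unique-local range by default); anything not explicitly allowed is
    logged (rate-limited) and then falls through to the INPUT policy DROP."""
    lines = [
        "*filter",
        ":INPUT DROP [0:0]",
        ":FORWARD DROP [0:0]",
        ":OUTPUT ACCEPT [0:0]",
        ":ICMPv6 - [0:0]",
        "-A INPUT -i lo -j ACCEPT",
        "-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
        "-A INPUT -m conntrack --ctstate INVALID -j DROP",
        "-A INPUT -p icmpv6 -j ICMPv6",
    ]
    for port in tcp_ports:
        lines.append(f"-A INPUT -p tcp -m tcp --dport {port} -s {trusted_prefix} -j ACCEPT")
    lines.append('-A INPUT -m limit --limit 5/min -j LOG --log-prefix "ip6 drop: "')
    for name in ERROR_TYPES:
        lines.append(f"-A ICMPv6 -p icmpv6 --icmpv6-type {name} -j ACCEPT")
    if allow_ping:
        lines.append("-A ICMPv6 -p icmpv6 --icmpv6-type echo-request -j ACCEPT")
    # ND packets are link-scoped and must arrive with hop limit 255; anything
    # claiming to be ND with a lower hop limit has been routed and is suspect.
    for name in ND_TYPES:
        lines.append(f"-A ICMPv6 -p icmpv6 --icmpv6-type {name} -m hl --hl-eq 255 -j ACCEPT")
    for num in MLD_TYPES:
        lines.append(f"-A ICMPv6 -p icmpv6 --icmpv6-type {num} -s fe80::/10 -j ACCEPT")
    # Unlisted ICMPv6 types return to INPUT and end in the DROP policy.
    lines.append("-A ICMPv6 -j RETURN")
    lines.append("COMMIT")
    return "\n".join(lines) + "\n"


def accepted_icmpv6_types(ruleset):
    """Set of ICMPv6 types (names or numbers) that some rule ACCEPTs."""
    accepted = set()
    for line in ruleset.splitlines():
        m = re.search(r"--icmpv6-type (\S+)\s.*-j ACCEPT", line)
        if m:
            t = m.group(1)
            accepted.add(int(t) if t.isdigit() else t)
    return accepted


def missing_nd_types(ruleset):
    """Neighbour-discovery types the ruleset does not accept.  A non-empty
    result means the host may fail to learn its router or its address."""
    acc = accepted_icmpv6_types(ruleset)
    return sorted(n for n, num in ND_TYPES.items() if n not in acc and num not in acc)


if __name__ == "__main__":
    rs = build_ruleset()
    print(rs)
    print("missing ND types:", missing_nd_types(rs) or "none")
```

Write the output to a file and load it with `ip6tables-restore < file` (or put it in /etc/sysconfig/ip6tables on a system that uses that layout). Running missing_nd_types() over an existing /etc/sysconfig/ip6tables is the quick way to confirm that tightening the ICMPv6 chain did not break autoconfiguration.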