iptables, The most common and widely used Linux firewall for IPv4 traffic. Like iptables, Linux has another firewall utility called ip6tables which is used for IPv6 traffic. These two tables need to configure separately for IPv4 and IPv6 packet. In this tutorial we will see how to configure ip6tables in Ubuntu 16.04 system. A basic iptables and ipv6 knowledge is required for this tutorial.
IPv6 in the system
before configuring ip6tables make sure your system is ipv6 supported. To check it, type the following command. The ipv6 address and interface name may differ from your address.
cat /proc/net/if_inet6 00000000000000000000000000000001 01 80 10 80 lo fe800000000000000a0027fffeec4f60 02 40 20 80 enp0s8
If you see the output like this, then your server support ipv6. By default ipv6 is enabled in today’s most of the devices.
In a newly installed Ubuntu server the firewall chains are empty by default. To see the chains type the below command:
imtiaz@lab:~$ sudo ip6tables -L -n [sudo] password for imtiaz:
You will see an output like below. Notice that all the chains (INPUT, FORWARD, OUTPUT) are empty and the default policy for the chains are set to ACCEPT.
Chain INPUT (policy ACCEPT) target prot opt source destination Chain FORWARD (policy ACCEPT) target prot opt source destination Chain OUTPUT (policy ACCEPT) target prot opt source destination
To see only the chains and the default policy set for that chain, type the below command.
imtiaz@lab:~$ sudo ip6tables -S -P INPUT ACCEPT -P FORWARD ACCEPT -P OUTPUT ACCEPT imtiaz@lab:~$
As you can see the default policy is set to ACCEPT for all the chains.
First ipv6 rule
Let’s make our first rule. Type the below command to add the below rule to our INPUT chain.
sudo ip6tables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
For this rule, we are not going to disconnect from the server. To see the rule type sudo ip6tables -L -n and notice the difference.
Let’s add some more ipv6 rules in our firewall.
sudo ip6tables -A INPUT -p tcp --dport ssh -s HOST_IPV6_IP -j ACCEPT sudo ip6tables -A INPUT -p tcp --dport 80 -j ACCEPT sudo ip6tables -A INPUT -p tcp --dport 21 -j ACCEPT sudo ip6tables -A INPUT -p tcp --dport 25 -j ACCEPT
The first rule will allow ssh from a specific ipv6 address. 2nd, 3rd and 4th rule will allow http(80), ftp(21) and smtp(25) traffic. Now lets see the ipv6 firewall rules again.
Check ipv6 rules
To see the ipv6 rules with line number, type the below command:
sudo ip6tables -L -n --line-numbers
This will give you the rules with rule number. Rule numbers can be useful to insert or delete a rule.
In some case you need to delete one or more than one rule from your iptables chains. There are two ways you can delete the rules from the chain. By rule specification and by rule number.
Type the below command to delete rules by rule specify. Let’s delete the ftp (21) rule.
sudo ip6tables -D INPUT -p tcp --dport 21 -j ACCEPT
Just like append (A) command, replace the A with D for rule deletion.
The same rule can be deleted by rule line number. (if you haven’t deleted the ftp rule)
sudo ip6tables -L --line-numbers
You will see the rules with rule numbers. To delete the rules from a chain type the below command.
sudo iptables -D INPUT RULES_LINE_NUMBER
Be careful while deleting rules by rule number. Cause After deleting one rule the order of the chain number changed.
Like iptables rules, ip6tables rules are also working sequentially, and if a match found, then the rest of the rules will be skipped. If you want to rearrange your rules or want to add a new rule in a specific position, then first list the rules with –line-numbers option then type the below command.
sudo ip6tables -I INPUT 2 -p icmpv6 -j ACCEPT
This will place the rule in the 2nd position of the INPUT chain.
If you need to change the default policy of a chain, then type the below command. Let’s change our INPUT chain policy from ACCEPT to DROP.
sudo ip6tables -P INPUT DROP
You can create your own chain in ip6tables. Type the below command to create a new chain name NEW_TAB or any other name you like just don’t use space.
sudo ip6tables -N NEW_TAB
if you type sudo ip6tables -L -n, then you will see the newly created chain with others chain. To delete the chain simply type the below command.
sudo ip6tables -X NEW_TAB
Save your work
ip6tables rules are working instantly, but when you restart your server then all rules will be gone. That’s why you need to save the rules so that they become active after a reboot. There are several ways to do this, but the easiest way is to use the iptables-persistent package. Type the below command to install the iptables-persistent package.
sudo apt-get install iptables-persistent
Press “yes” for both ipv4 and ipv6 rules when prompted. After installation, you will find two files in /etc/iptables location name ipv4 and ipv6. You can open the file and you can make your change here. You can do start|restart|reload|force-reload|save|flush from here. For example, if you want to save the current loaded iptables rules type the below command.
sudo /etc/init.d/iptables-persistent save
This will save both ipv4 and ipv6 rules.
Thanks for reading the post. If you enjoyed the post, please share it with your network and let me know your thoughts in the comments.
About the Author: Imtiaz is working in a financial organization in Bangladesh and having experience in system, network and security administration. Feel free to contact with him on LinkedIn or Twitter.