Linux firewall for ipv6 traffic

iptables, The most common and widely used Linux firewall for IPv4 traffic. Like iptables, Linux has another firewall utility called ip6tables which is used for IPv6 traffic. These two tables need to configure separately for IPv4 and IPv6 packet. In this tutorial we will see how to configure ip6tables in Ubuntu 16.04 system. A basic iptables and ipv6 knowledge is required for this tutorial.

IPv6 in the system

before configuring ip6tables make sure your system is ipv6 supported. To check it, type the following command. The ipv6 address and interface name may differ from your address.

cat /proc/net/if_inet6 

00000000000000000000000000000001 01 80 10 80       lo
fe800000000000000a0027fffeec4f60 02 40 20 80     enp0s8

If you see the output like this, then your server support ipv6. By default ipv6 is enabled in today’s most of the devices.

Firewall status

In a newly installed Ubuntu server the firewall chains are empty by default. To see the chains type the below command:

imtiaz@lab:~$ sudo ip6tables -L -n
[sudo] password for imtiaz:

You will see an output  like below. Notice that  all the chains (INPUT, FORWARD, OUTPUT) are empty and the default policy for the chains are set to ACCEPT.

Chain INPUT (policy ACCEPT)
target prot opt source             destination

Chain FORWARD (policy ACCEPT)
target prot opt source             destination

Chain OUTPUT (policy ACCEPT)
target prot opt source             destination

Chains

To see only the chains and the default policy set for that chain, type the below command.

imtiaz@lab:~$ sudo ip6tables -S
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
imtiaz@lab:~$

As you can see the default policy is set to ACCEPT for all the chains.

First ipv6 rule

Let’s make our first rule. Type the below command to add the below rule to our INPUT chain.

sudo ip6tables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

For this rule, we are not going to disconnect from the server. To see the rule type sudo ip6tables -L -n and notice the difference.

Append Rules

Let’s add some more ipv6 rules in our firewall.

sudo ip6tables -A INPUT -p tcp --dport ssh -s HOST_IPV6_IP -j ACCEPT
sudo ip6tables -A INPUT -p tcp --dport 80 -j ACCEPT
sudo ip6tables -A INPUT -p tcp --dport 21 -j ACCEPT
sudo ip6tables -A INPUT -p tcp --dport 25 -j ACCEPT

The first rule will allow ssh from a specific ipv6 address. 2nd, 3rd and 4th rule will allow http(80), ftp(21) and smtp(25) traffic.  Now lets see the ipv6 firewall rules again.

Check ipv6 rules

To see the ipv6 rules with line number, type the below command:

sudo ip6tables -L -n --line-numbers

This will give you the rules with rule number. Rule numbers can be useful to insert or delete a rule.

Delete rules

In some case you need to delete one or more than one rule from your iptables chains. There are two ways you can delete the rules from the chain. By rule specification and by rule number.

Type the below command to delete rules by rule specify. Let’s delete the ftp (21) rule.

sudo ip6tables -D INPUT -p tcp --dport 21 -j ACCEPT

Just like append (A) command, replace the A with D for rule deletion.

The same rule can be deleted by rule line number. (if you haven’t deleted the ftp rule)

sudo ip6tables -L --line-numbers

You will see the rules with rule numbers. To delete the rules from a chain type the below command.

sudo iptables -D INPUT RULES_LINE_NUMBER

Be careful while deleting rules by rule number. Cause After deleting one rule the order of the chain number changed.

Insert Rule

Like iptables rules, ip6tables rules are also working sequentially, and if a match found, then the rest of the rules will be skipped. If you want to rearrange your rules or want to add a new rule in a specific position, then first list the rules with –line-numbers option then type the below command.

sudo ip6tables -I INPUT 2 -p icmpv6 -j ACCEPT

This will place the rule in the 2nd position of the INPUT chain.

Change policy

If you need to change the default policy of a chain, then type the below command. Let’s change our INPUT chain policy from ACCEPT to DROP.

sudo ip6tables -P INPUT DROP

New chain

You can create your own chain in ip6tables. Type the below command to create a new chain name NEW_TAB or any other name you like just don’t use space.

sudo ip6tables -N NEW_TAB

if you type sudo ip6tables -L -n, then you will see the newly created chain with others chain.  To delete the chain simply type the below command.

sudo ip6tables -X NEW_TAB

Save your work

ip6tables rules are working instantly, but when you restart your server then all rules will be gone. That’s why you need to save the rules so that they become active after a reboot. There are several ways to do this, but the easiest way is to use the iptables-persistent package. Type the below command to install the iptables-persistent package.

sudo apt-get install iptables-persistent

Press “yes” for both ipv4 and ipv6 rules when prompted. After installation, you will find two files in /etc/iptables location name ipv4 and ipv6. You can open the file and you can make your change here. You can do start|restart|reload|force-reload|save|flush from here. For example, if you want to save the current loaded iptables rules type the below command.

sudo /etc/init.d/iptables-persistent save

This will save both ipv4 and ipv6 rules.

Thanks for reading the post. If you enjoyed the post, please share it with your network and let me know your thoughts in the comments. 

About the Author: Imtiaz is working in a financial organization in Bangladesh and having experience in system, network and security administration. Feel free to contact with him on LinkedIn or Twitter

Leave a Reply

Your email address will not be published. Required fields are marked *