Is your firewall IPv6 aware?

Posted by Steve on Thu 8 Jan 2009 at 23:14

If, like many people, you've started to experiment with enabling, configuring, and using, IPv6 it might not have crossed your mind to update your firewall. This could lead to surprises if you're unlucky. Read on for a simple overview.

The standard userspace firewall tool upon Debian GNU/Linux is iptables . This tool lets you add, list, and update your firewall rules and is documented both upon this site and in many online guides.

If you were to execute the following rules you'd disallow incoming connections to your server on port 22 except from a single trusted IP ( 1.2.3.4 ):

# allow me to connect from my static IP iptables -A INPUT -p tcp --dport 22 --src 1.2.3.4 -j ACCEPT # drop the rest of the world iptables -A INPUT -p tcp --dport 22 -j DROP

You might think that this is sufficient to stop connections hitting your machine, but if it is accessible over IPv6 you'll soon discover this isn't the case:

telnet -6 www.example.org 22 Trying 2002:5f10:fff::1... Connected to www.example.org Escape character is '^]'. SSH-2.0-OpenSSH_4.3p2 Debian-9etch3

Here we see that we've been allowed access to port 22, even though we shouldn't have been. Why? Because iptables only cares about IPv4.

To configure rules for IPv6 you need to use the ip6tables tool as well:

ip6tables -A INPUT -p tcp --dport 22 -j DROP

Now you'll be safe, and incoming IPv6 connections to port 22 will be rejected. ip6tables works in exactly the same way as iptables does, so you don't need to learn anything new.

If you've already got a simple firewall script that you've put together yourself it might not be too much work to update it - if you're using an existing firewall package such as shorewall then you might not even need to do that, but you should certainly test it and find out!