help me make my IPv6 firewall bulletproof

Post new topic   Reply to topic    DD-WRT Forum Forum Index -> Advanced Networking
totaluser
DD-WRT User


Joined: 31 May 2010
Posts: 128

PostPosted: Fri Jun 10, 2011 20:59    Post subject: help me make my IPv6 firewall bulletproof
Hello everybody,
I recompiled kernel modules for my DD-WRT router and, among a few other applications, I recompiled iptables 1.4.10 as well.

what I want to achieve
-> I want to be able to use IPv6 on LAN for general browsing and such usage (permit communication from LAN to WAN and return connections only)
-> I don't want to open any holes in my FW yet (I don't need port forwarding)
-> I don't want my LAN to be accessible from the Internet
-> I want to be able to ping IPv6 addresses from my LAN to the Internet
-> I want to be able to ping IPv6 addresses from my router to the Internet
-> I don't want anybody on the Internet to be able to ping my WAN IPv6 address or anything behind my router

generally, since there is no NAT with IPv6, I want to create a NAT-like firewall solution -- unless the specific port is opened, nothing behind my router is accessible


after hours of googling and trial&error approach I put together this
(VLAN2 is my WAN facing interface
BR0 is my LAN facing interface)

Code:
/tmp/iptables/sbin/ip6tables -L
/tmp/iptables/sbin/ip6tables -F
/tmp/iptables/sbin/ip6tables -P INPUT DROP
/tmp/iptables/sbin/ip6tables -P OUTPUT DROP
/tmp/iptables/sbin/ip6tables -P FORWARD DROP

/tmp/iptables/sbin/ip6tables -I INPUT -p icmpv6 -j ACCEPT
/tmp/iptables/sbin/ip6tables -I INPUT -i vlan2 -p tcp --syn -j DROP
/tmp/iptables/sbin/ip6tables -A INPUT -i lo -j ACCEPT
/tmp/iptables/sbin/ip6tables -A INPUT -i vlan2 -d 2000::/3 -m state --state RELATED,ESTABLISHED -j ACCEPT
/tmp/iptables/sbin/ip6tables -A INPUT -i br0 -j ACCEPT

/tmp/iptables/sbin/ip6tables -A FORWARD -m state --state NEW -i br0 -o vlan2 -j ACCEPT
/tmp/iptables/sbin/ip6tables -A FORWARD -i br0 -s 2000::/3 -j ACCEPT
/tmp/iptables/sbin/ip6tables -A FORWARD -i vlan2 -d 2000::/3 -m state --state RELATED,ESTABLISHED -j ACCEPT
/tmp/iptables/sbin/ip6tables -I FORWARD -p icmpv6 -j ACCEPT
/tmp/iptables/sbin/ip6tables -I FORWARD -i vlan2 -p tcp --syn -j DROP

/tmp/iptables/sbin/ip6tables -I OUTPUT -p icmpv6 -j ACCEPT
/tmp/iptables/sbin/ip6tables -A OUTPUT -o lo -j ACCEPT
/tmp/iptables/sbin/ip6tables -A OUTPUT -o vlan2 -s 2000::/3 -j ACCEPT


it allows me to browse IPv6 internet (e.g. ipv6.google.com) and ping IPv6 sites

I am afraid that enabling ICMPv6 globally is like opening a door to my network
another question is whether I should be more specific and use my /64 LAN subnet instead of 2000::/3


Security guys, thank you very much in advance
slobodan
DD-WRT Guru


Joined: 03 Nov 2011
Posts: 1545
Location: Zwolle

PostPosted: Sun Jan 22, 2012 20:08    Post subject:
Your script is great, but I'm afraid you're IPv6 pingable from outside. You can verify this with http://www6.ipv6.chappell-family.com/cgi-bin6/ipscan-js.cgi (IPv6 firewall tester).

I would suggest replacing the icmpv6 FORWARD line with:
Code:
ip6tables -I FORWARD -p icmpv6 -j DROP

But in this case you lose the ability to ping6 and traceroute6.

Of course, if all your devices attached to the router drop ping6 by default, then there is no need to worry too much about that.

If you want to disable ping6 to the router, change three lines to:
Code:
ip6tables -I INPUT -p icmpv6 -j DROP
ip6tables -I FORWARD -p icmpv6 -j DROP
ip6tables -I OUTPUT -p icmpv6 -j DROP

For me the latter is not an option, since aiccu wants the router to remain pingable via IPv6.

_________________
2 times RT-AC56U running 33772 with entware-ng, Yamon 3 (SFE disabled).

Asus RT-N16 running Merlin LTS fork RT-N16_3.0.0.4_374.43_2-25E8j9527.trx with entware-ng.

2 times Asus RT-N16 running dd-wrt.v24-33772_NEWD-2_K3.x_big.bin with entware-ng

E4200 V1 running dd-wrt.v24-33772_NEWD-2_K3.x_mega-e3000.bin

3 times Linksys WRT610N V2 converted to E3000 and 1 original E3000 running dd-wrt.v24-33772_NEWD-2_K3.x_mega-e3000.bin (bridged with LAN cable)


totaluser
DD-WRT User


Joined: 31 May 2010
Posts: 128

PostPosted: Sun Jan 22, 2012 20:25    Post subject:
I checked it on that site with my phone and my desktop and on both I am getting everything green.
STLTH , ECHO NO REPLY

also my hosts on LAN are not pingable from the Internet

though I am currently using this FW script


ip6tables -F
ip6tables -P INPUT DROP
ip6tables -P OUTPUT DROP
ip6tables -P FORWARD DROP

ip6tables -I INPUT -i vlan2 -p tcp --syn -j DROP
ip6tables -I INPUT -i lo -j ACCEPT
ip6tables -I INPUT -i vlan2 -d MY_IPv6_HERE -m state --state RELATED,ESTABLISHED -j ACCEPT
ip6tables -I INPUT -i vlan2 -d MY_IPv6_HERE -m state --state ESTABLISHED -j ACCEPT
ip6tables -I INPUT -i br0 -j ACCEPT
ip6tables -I INPUT -i br1 -j ACCEPT
ip6tables -A INPUT -p icmpv6 --icmpv6-type 1 -j ACCEPT
ip6tables -A INPUT -p icmpv6 --icmpv6-type 3 -j ACCEPT
ip6tables -A INPUT -p icmpv6 --icmpv6-type 129 -j ACCEPT
ip6tables -A INPUT -p icmpv6 --icmpv6-type 130 -j ACCEPT
ip6tables -A INPUT -p icmpv6 --icmpv6-type 131 -j ACCEPT
ip6tables -A INPUT -p icmpv6 --icmpv6-type 132 -j ACCEPT
ip6tables -A INPUT -p icmpv6 --icmpv6-type 134 -j ACCEPT
ip6tables -A INPUT -p icmpv6 --icmpv6-type 135 -j ACCEPT
ip6tables -A INPUT -p icmpv6 --icmpv6-type 136 -j ACCEPT
ip6tables -A INPUT -p icmpv6 --icmpv6-type 143 -j ACCEPT
ip6tables -A INPUT -p icmpv6 -j LOG --log-prefix " [ INPUT ICMPv6 ] : "
ip6tables -A INPUT -j LOG --log-prefix " [ INPUT IPv6 ] : "

ip6tables -I FORWARD -m state --state NEW -i br0 -o vlan2 -j ACCEPT
ip6tables -I FORWARD -m state --state NEW -i br1 -o vlan2 -j ACCEPT
ip6tables -I FORWARD -i br0 -s MY_IPv6_HERE -j ACCEPT
ip6tables -I FORWARD -i br1 -s MY_IPv6_HERE -j ACCEPT
ip6tables -I FORWARD -i vlan2 -d 2000::/3 -m state --state RELATED,ESTABLISHED -j ACCEPT
ip6tables -A FORWARD -i vlan2 -p tcp --syn -j DROP
ip6tables -I FORWARD -i br0 -o br1 -j ACCEPT
ip6tables -I FORWARD -i br1 -o br0 -j ACCEPT
ip6tables -A FORWARD -p icmpv6 -j LOG

ip6tables -I OUTPUT -o lo -j ACCEPT
ip6tables -I OUTPUT -s MY_IPv6_HERE -m state --state NEW,ESTABLISHED -j ACCEPT
ip6tables -I OUTPUT -o vlan2 -s MY_IPv6_HERE -m state --state NEW,ESTABLISHED -j ACCEPT
ip6tables -A OUTPUT -p icmpv6 --icmpv6-type 1 -j ACCEPT
ip6tables -A OUTPUT -p icmpv6 --icmpv6-type 3 -j ACCEPT
ip6tables -A OUTPUT -p icmpv6 --icmpv6-type 128 -o br0 -j ACCEPT
ip6tables -A OUTPUT -p icmpv6 --icmpv6-type 129 -o br0 -j ACCEPT
ip6tables -A OUTPUT -p icmpv6 --icmpv6-type 128 -o br1 -j ACCEPT
ip6tables -A OUTPUT -p icmpv6 --icmpv6-type 129 -o br1 -j ACCEPT
ip6tables -A OUTPUT -p icmpv6 --icmpv6-type 134 -j ACCEPT
ip6tables -A OUTPUT -p icmpv6 --icmpv6-type 135 -j ACCEPT
ip6tables -A OUTPUT -p icmpv6 --icmpv6-type 136 -j ACCEPT
ip6tables -A OUTPUT -p icmpv6 --icmpv6-type 143 -j ACCEPT
ip6tables -A OUTPUT -p icmpv6 -j LOG --log-prefix " [ OUTPUT ICMPv6 ] : "
slobodan
DD-WRT Guru


Joined: 03 Nov 2011
Posts: 1545
Location: Zwolle

PostPosted: Sun Jan 22, 2012 21:59    Post subject:
That's even better.

I added the following line in order to allow the router to send IPv6 ECHO:
Code:
ip6tables -A INPUT -p icmpv6 --icmpv6-type 128 -j ACCEPT


However, with respect to logging the icmpv6, I got the following error:

ip6tables: No chain/target/match by that name



totaluser
DD-WRT User


Joined: 31 May 2010
Posts: 128

PostPosted: Sun Jan 22, 2012 22:14    Post subject:
it depends on which modules you are using with ip6tables

I compiled them myself and created a custom image
-rwxrw-rw- 1 root root 13053 Jun 9 2011 ip6_queue.ko
-rwxrw-rw- 1 root root 17550 Jun 9 2011 ip6_tables.ko
-rwxrw-rw- 1 root root 12454 Jun 9 2011 ip6t_LOG.ko
-rwxrw-rw- 1 root root 3444 Jun 9 2011 ip6t_ah.ko
-rwxrw-rw- 1 root root 3180 Jun 9 2011 ip6t_eui64.ko
-rwxrw-rw- 1 root root 3178 Jun 9 2011 ip6t_mh.ko
-rwxrw-rw- 1 root root 5224 Jun 9 2011 ip6table_filter.ko
-rwxrw-rw- 1 root root 5451 Jun 9 2011 ip6table_mangle.ko
-rwxrw-rw- 1 root root 4008 Jun 9 2011 ip6table_raw.ko

if you don't have the module for LOGging, you obviously cannot log

ip6tables will work without it, but without logging capability
slobodan
DD-WRT Guru


Joined: 03 Nov 2011
Posts: 1545
Location: Zwolle

PostPosted: Sun Jan 22, 2012 23:50    Post subject:
Ok, now it works with the following script:
Code:
ip6tables -F
ip6tables -X
ip6tables -Z

ip6tables -P INPUT DROP
ip6tables -P OUTPUT DROP
ip6tables -P FORWARD DROP

ip6tables -A INPUT -m rt --rt-type 0 -j DROP
ip6tables -A FORWARD -m rt --rt-type 0 -j DROP
ip6tables -A OUTPUT -m rt --rt-type 0 -j DROP

ip6tables -I INPUT -i sixxs -p tcp --syn -j DROP
ip6tables -I INPUT -i lo -j ACCEPT
ip6tables -I INPUT -i sixxs -d MY_IPv6_HERE -m state --state RELATED,ESTABLISHED -j ACCEPT
ip6tables -I INPUT -i sixxs -d MY_IPv6_HERE -m state --state ESTABLISHED -j ACCEPT
ip6tables -I INPUT -i sixxs -d MY_IPv6_NET_PREFIX::/64 -m state --state RELATED,ESTABLISHED -j ACCEPT
ip6tables -I INPUT -i sixxs -d MY_IPv6_NET_PREFIX::/64 -m state --state ESTABLISHED -j ACCEPT
ip6tables -I INPUT -i br0 -j ACCEPT
# ip6tables -I INPUT -i br1 -j ACCEPT
ip6tables -A INPUT -p icmpv6 --icmpv6-type 1 -j ACCEPT
ip6tables -A INPUT -p icmpv6 --icmpv6-type 3 -j ACCEPT
ip6tables -A INPUT -p icmpv6 --icmpv6-type 128 -j ACCEPT
ip6tables -A INPUT -p icmpv6 --icmpv6-type 129 -j ACCEPT
ip6tables -A INPUT -p icmpv6 --icmpv6-type 130 -j ACCEPT
ip6tables -A INPUT -p icmpv6 --icmpv6-type 131 -j ACCEPT
ip6tables -A INPUT -p icmpv6 --icmpv6-type 132 -j ACCEPT
ip6tables -A INPUT -p icmpv6 --icmpv6-type 134 -j ACCEPT
ip6tables -A INPUT -p icmpv6 --icmpv6-type 135 -j ACCEPT
ip6tables -A INPUT -p icmpv6 --icmpv6-type 136 -j ACCEPT
ip6tables -A INPUT -p icmpv6 --icmpv6-type 143 -j ACCEPT
ip6tables -A INPUT -p icmpv6 -j LOG --log-prefix " [ INPUT ICMPv6 ] : "
ip6tables -A INPUT -j LOG --log-prefix " [ INPUT IPv6 ] : "

ip6tables -I FORWARD -m state --state NEW -i br0 -o sixxs -j ACCEPT
# ip6tables -I FORWARD -m state --state NEW -i br1 -o sixxs -j ACCEPT
ip6tables -I FORWARD -i br0 -s MY_IPv6_HERE -j ACCEPT
ip6tables -I FORWARD -i br0 -s MY_IPv6_NET_PREFIX::/64 -j ACCEPT
# ip6tables -I FORWARD -i br1 -s MY_IPv6_HERE -j ACCEPT
ip6tables -I FORWARD -i sixxs -d MY_IPv6_HERE -m state --state RELATED,ESTABLISHED -j ACCEPT
ip6tables -I FORWARD -i sixxs -d MY_IPv6_NET_PREFIX::/64 -m state --state RELATED,ESTABLISHED -j ACCEPT
ip6tables -A FORWARD -i sixxs -p tcp --syn -j DROP
# ip6tables -I FORWARD -i br0 -o br1 -j ACCEPT
# ip6tables -I FORWARD -i br1 -o br0 -j ACCEPT
ip6tables -A FORWARD -p icmpv6 -j LOG

ip6tables -I OUTPUT -o lo -j ACCEPT
ip6tables -I OUTPUT -s MY_IPv6_HERE -m state --state NEW,ESTABLISHED -j ACCEPT
ip6tables -I OUTPUT -o sixxs -s MY_IPv6_HERE -m state --state NEW,ESTABLISHED -j ACCEPT
ip6tables -I OUTPUT -s MY_IPv6_NET_PREFIX::/64 -m state --state NEW,ESTABLISHED -j ACCEPT
ip6tables -I OUTPUT -o sixxs -s MY_IPv6_NET_PREFIX::/64 -m state --state NEW,ESTABLISHED -j ACCEPT
# ip6tables -A OUTPUT -p icmpv6 -j ACCEPT
ip6tables -A OUTPUT -p icmpv6 --icmpv6-type 1 -j ACCEPT
ip6tables -A OUTPUT -p icmpv6 --icmpv6-type 3 -j ACCEPT
ip6tables -A OUTPUT -p icmpv6 --icmpv6-type 128 -o sixxs -j ACCEPT
ip6tables -A OUTPUT -p icmpv6 --icmpv6-type 129 -o sixxs -j ACCEPT
ip6tables -A OUTPUT -p icmpv6 --icmpv6-type 128 -o br0 -j ACCEPT
ip6tables -A OUTPUT -p icmpv6 --icmpv6-type 129 -o br0 -j ACCEPT
# ip6tables -A OUTPUT -p icmpv6 --icmpv6-type 128 -o br1 -j ACCEPT
# ip6tables -A OUTPUT -p icmpv6 --icmpv6-type 129 -o br1 -j ACCEPT
ip6tables -A OUTPUT -p icmpv6 --icmpv6-type 134 -j ACCEPT
ip6tables -A OUTPUT -p icmpv6 --icmpv6-type 135 -j ACCEPT
ip6tables -A OUTPUT -p icmpv6 --icmpv6-type 136 -j ACCEPT
ip6tables -A OUTPUT -p icmpv6 --icmpv6-type 143 -j ACCEPT
ip6tables -A OUTPUT -p icmpv6 -j LOG --log-prefix " [ OUTPUT ICMPv6 ] : "



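The two open questions in this thread (does accepting icmpv6 wholesale leave the router or the LAN pingable from the WAN, and does the later per-type script close that) can be checked offline by replaying the posted rules against a few constructed packets. The following is an added example, not code from the thread or from DD-WRT: a small ip6tables chain evaluator in Python that supports only the options the posted scripts use. It embeds the first script's INPUT and FORWARD chains with the binary path shortened to ip6tables, the per-type script's INPUT chain (its ten type-ACCEPT lines generated in a loop), and that same chain plus the type-128 line from the last two replies; the MY_IPv6_HERE and MY_IPv6_NET_PREFIX placeholders are replaced with constructed 2001:db8:: documentation addresses.

```python
"""Offline evaluator for the ip6tables rules posted in this thread (added example, not
code from the thread or from DD-WRT). Supports only the options the posted scripts use:
-I inserts at the chain head, -A appends, LOG is non-terminating, policy decides last."""
import ipaddress
import shlex

# Constructed router/LAN addresses standing in for the placeholders in the posted scripts.
ROUTER_WAN, LAN_HOST = "2001:db8:0:1::1", "2001:db8:0:1::42"
PLACEHOLDERS = {"MY_IPv6_HERE": ROUTER_WAN, "MY_IPv6_NET_PREFIX::/64": "2001:db8:0:1::/64"}

# First post's script, INPUT and FORWARD chains only (binary path shortened).
SCRIPT1 = """
ip6tables -P INPUT DROP
ip6tables -P FORWARD DROP
ip6tables -I INPUT -p icmpv6 -j ACCEPT
ip6tables -I INPUT -i vlan2 -p tcp --syn -j DROP
ip6tables -A INPUT -i lo -j ACCEPT
ip6tables -A INPUT -i vlan2 -d 2000::/3 -m state --state RELATED,ESTABLISHED -j ACCEPT
ip6tables -A INPUT -i br0 -j ACCEPT
ip6tables -A FORWARD -m state --state NEW -i br0 -o vlan2 -j ACCEPT
ip6tables -A FORWARD -i br0 -s 2000::/3 -j ACCEPT
ip6tables -A FORWARD -i vlan2 -d 2000::/3 -m state --state RELATED,ESTABLISHED -j ACCEPT
ip6tables -I FORWARD -p icmpv6 -j ACCEPT
ip6tables -I FORWARD -i vlan2 -p tcp --syn -j DROP
"""
# Second (per-type ICMPv6) script, INPUT chain only; the ten per-type ACCEPTs are generated.
SCRIPT2_INPUT = """
ip6tables -P INPUT DROP
ip6tables -I INPUT -i vlan2 -p tcp --syn -j DROP
ip6tables -I INPUT -i lo -j ACCEPT
ip6tables -I INPUT -i vlan2 -d MY_IPv6_HERE -m state --state RELATED,ESTABLISHED -j ACCEPT
ip6tables -I INPUT -i vlan2 -d MY_IPv6_HERE -m state --state ESTABLISHED -j ACCEPT
ip6tables -I INPUT -i br0 -j ACCEPT
ip6tables -I INPUT -i br1 -j ACCEPT
""" + "".join(f"ip6tables -A INPUT -p icmpv6 --icmpv6-type {t} -j ACCEPT\n"
              for t in (1, 3, 129, 130, 131, 132, 134, 135, 136, 143)) + """
ip6tables -A INPUT -p icmpv6 -j LOG --log-prefix " [ INPUT ICMPv6 ] : "
ip6tables -A INPUT -j LOG --log-prefix " [ INPUT IPv6 ] : "
"""
# Same chain plus the type-128 line added in the last two replies.
SCRIPT3_INPUT = SCRIPT2_INPUT + "ip6tables -A INPUT -p icmpv6 --icmpv6-type 128 -j ACCEPT\n"


def parse(script):
    """Return {chain: [policy, rules]} with rules in the order netfilter would hold them."""
    for placeholder, value in PLACEHOLDERS.items():
        script = script.replace(placeholder, value)
    chains = {}
    for line in script.splitlines():
        toks = shlex.split(line, comments=True)[1:]   # drop the binary name; [] for blank/comment
        if toks[:1] == ["-P"]:
            chains.setdefault(toks[1], ["ACCEPT", []])[0] = toks[2]
        elif toks[:1] in (["-I"], ["-A"]):            # -F/-X/-Z/-L need no modelling
            mode, chain, rule, i = toks[0], toks[1], {}, 2
            while i < len(toks):
                flag = toks[i] == "--syn"             # the only value-less option here
                rule[toks[i]] = True if flag else toks[i + 1]
                i += 1 if flag else 2
            entry = chains.setdefault(chain, ["ACCEPT", []])
            if mode == "-I":
                entry[1].insert(0, rule)
            else:
                entry[1].append(rule)
    return chains


def addr_in(spec, addr):                              # a bare address counts as /128
    return ipaddress.IPv6Address(addr) in ipaddress.IPv6Network(spec, strict=False)


def matches(rule, pkt):                               # -m, -j, --log-prefix are not matches
    checks = {
        "-i": lambda v: pkt.get("in_if") == v,
        "-o": lambda v: pkt.get("out_if") == v,
        "-p": lambda v: pkt["proto"] == v,
        "-s": lambda v: addr_in(v, pkt["src"]),
        "-d": lambda v: addr_in(v, pkt["dst"]),
        "--state": lambda v: pkt["state"] in v.split(","),
        "--icmpv6-type": lambda v: pkt.get("icmp_type") == int(v),
        "--syn": lambda v: pkt.get("syn", False),
    }
    return all(checks[opt](val) for opt, val in rule.items() if opt in checks)


def verdict(chains, chain, pkt):
    policy, rules = chains[chain]
    for rule in rules:
        if matches(rule, pkt) and rule["-j"] != "LOG":   # LOG never ends the walk
            return rule["-j"]
    return policy


def echo_request(in_if, dst, out_if=None):            # constructed ping from the Internet
    return {"in_if": in_if, "out_if": out_if, "proto": "icmpv6", "icmp_type": 128,
            "src": "2001:db8:ffff::9", "dst": dst, "state": "NEW"}


def audit():
    s1, s2, s3 = parse(SCRIPT1), parse(SCRIPT2_INPUT), parse(SCRIPT3_INPUT)
    return {
        "script1 router pingable": verdict(s1, "INPUT", echo_request("vlan2", ROUTER_WAN)),
        "script1 LAN host pingable": verdict(s1, "FORWARD", echo_request("vlan2", LAN_HOST, "br0")),
        "script2 router pingable": verdict(s2, "INPUT", echo_request("vlan2", ROUTER_WAN)),
        "script3 router pingable": verdict(s3, "INPUT", echo_request("vlan2", ROUTER_WAN)),
    }
```

Calling audit() gives ACCEPT for an echo request from vlan2 to both the router and a LAN host under the first script (the global icmpv6 ACCEPT sits at the head of INPUT and FORWARD, so the later RELATED,ESTABLISHED rules never get a say), DROP under the per-type script (type 128 is absent, the LOG rules only log, and the chain policy decides), and ACCEPT again once the type-128 line is appended, which is the trade-off the aiccu remark describes. The evaluator ignores -m module names and --log-prefix values and models connection tracking only as the --state string carried on the packet.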