Wednesday, November 9, 2011

IPv6 aware, Linux iptables cloud hand-firewall for Debian lenny, howto

Recently, I set up a Linux software firewall by hand for a virtual machine instance running Debian lenny.

Reasonable, now or in the future, is concern about IPv6 traffic. 'Is your firewall aware?' speaks of some danger: 'You might think that [using iptables to] disallow incoming connections to your server on port 22[,] except from a single trusted IP[,] is sufficient to stop connections hitting your machine, but if it is accessible over IPv6 you'll soon discover this isn't the case.'

Many VM providers have not so far (completely) enabled IPv6. However, for anyone who has written their own firewall script, it is a good idea to be prepared beforehand for the event.

The latest VM's, running on recent kernels, can use regular, IPv6-capable firewalls, though they are somewhat hard to find. For instance, the Debian package, 'shorewall6' implements an IPv6 firewall, which 'requires kernel 2.6.24 or later'. Per their FAQ, 'Linux kernels before 2.6.20 didn't support connection tracking for IPv6'.

My particular VM provider allows me only kernel 2.6.18. So, for my old kernel, I developed a fairly simple firewall script, with goals to:

* Restrict sole use of my VM to a list of authorized, remote IP's
* Block tunneling of IPv6 through IPv4, inbound and outbound
* Ease establishing the same rules for IPv6 as for IPv4
* Learn more about iptables firewalls, and
* Learn something about IPv6

This modular firewall script allows full and easy control over IP addresses, protocols and ports. It was derived, with additions, from James Turnbull's 'Bastion Host Iptables Script' (see References).

In order to simplify, it leaves out denial of service (DOS) protection, because that seems unlikely in casual VM use. And, it assumes your VM's IP address is IPv4.

It is impossible accidentally to be locked out, because VM providers naturally offer direct console access, independent of services running on the VM.

The script is available free of charge from my GitHub account.

Bastion Host Iptables Script: Appendix A (or chapter 2) of James Turnbull's book, _Hardening Linux_. For download, see


6in4 - Wikipedia
6to4 - Wikipedia
Adding proper IPv6 to my home network - Martin F. Krafft
After installation - Securing Debian manual - Debian
Anything in anything - Wikipedia
Basic iptables - howtos - 5dollarwhitebox
Basic iptables - Debian/RedHat (see comments) - HowToForge
Collection of basic Linux firewall iptables rules - LinuxConfig
Debian firewall - Debian
Druidic firewall - I)ruid
Easy firewall generator for iptables - Scott Morizot
Entries in /proc/sys/net/ipv6/ - Linux IPv6 howto - TLDP
Firewalling with netfilter/iptables - Shane Tzen
Firewalls - Debian
Firewalls resources - Center for Education and Research in Information Assurance and Security (CERIAS)
Firewalls tag - DebianAdministration
Getting IPv6 connectivity under Linux - Juliusz Chroboczek
Guidelines for firewall vendors regarding MIPv6 traffic - Internet Engineering Task Force
Internet firewalls: frequently asked questions- Paul D. Robertson, et al
The Internet is a dirty, dirty mistress - Dustin D. Trammell
Invisible IPv6 traffic poses serious network threat - Carolyn Duffy Marsan - Network World
Ip6tables: IPv6 firewall for Linux - Vivek Gite
Iptables - Wikipedia
Iptables(8) - Linux man page - Linux
Iptables firewall - Thomas Pircher - TTY1
Iptables firewall script & configuration files for Linux 2.4.x-2.6.x - Bob Sully
Iptables/firewall setup for clusters - Richard Benson - Dixcart
Iptables howto - Community documentation - Ubuntu
Iptables rules - TheGeekStuff
Iptables tag - DebianAdministration
Iptables tutorial - Oskar Andreasson - Frozentux
IPv6 - Wikipedia
IPv6 & Linux howto - Peter Bieringer
IPv6: Configuration for Debian - lenehan
IPv6 firewalling -
IPv6 firewalls - GetIPv6
IPv6-ready kernel - Linux IPv6 howto - TLDP
IPv6 security considerations and recommendations - Microsoft
IPv6 with Debian - Martin F. Krafft
Is your firewall IPv6 aware? - Debian administration - Steve Kemp
ISATAP - Wikipedia
Learn how to use IPp6tables - TLDP
Links2World howto - Links2World Firewall
Linux 2.4 packet filtering howto - Rusty Russell
Linux iptables avoid IP spoofing & bad addresses attacks - LinuxTitli
Linux iptables block common attacks howto - LinuxTitli
Linux iptables: how to specify a range of IP addresses or ports - Vivek Gite
Linux: IPv6 - Peter Bieringer
Linux IPv6 howto - TLDP
List of IP protocol numbers - Wikipedia
Local area network - Wikipedia
Miredo(8) - Linux man page - Linux
Restoring iptables automatically on boot - Jawnsy - DebianAdministration
Running IPv6 in practice - Gribozavr - DebianAdministration
Securing network access - Securing Debian manual - Debian
Set up Ubuntu server in the cloud howto - dambrosio
The settings statement - Links2world Firewall
Shorewall firewall installation, configuration & understanding - Stephen P. Edwards
System run levels and init.d scripts - Debian
Teredo may render your firewall useless - René Pfeiffer
The Teredo protocol: tunneling past network security & other security implications (PDF) - James Hoagland - Symantec
Teredo tunneling - Wikipedia
Top 5 best Linux firewalls - Ramesh Natarajan - TheGeekStuff
Using iptables to secure your virtual machine - Cloud hosting applications - eApps
Why you want IPv6 - LinuxReviews

Copyright (c) 2011 Mark D. Blackwell.Copyright (c) 2011 Mark D. Blackwell.

No comments:

Post a Comment

Thanks for commenting on my post!