OpenWrt Forum Archive

Topic: IPv6 firewall configuration best practices

The content of this topic has been archived on 24 Apr 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

Hey there,

I have been running an IPv6 tunnel from SixXS for quite some time now, mainly for experimenting with the new protocol. While I was setting everything up, I searched the OpenWrt forums and numerous other forums for some nice IPv6 firewall configurations I could build my own settings on.

So I'd like to use this thread to give and seek best practices on IPv6 firewall configurations and to discuss possible flaws in posted configurations, to make them solid.

The following code block contains my current configuration. It's still a simple shell script but it shouldn't be too hard to port it into a nice UCI configuration file.

#!/bin/ash


#
# Some important definitions used by this script.
# Only edit these in case something has changed and if you know
# what you are doing.
#
# IPT6:   path to the ip6tables binary
# IF:     name of the LAN interface (or bridge) where all the machines that need
#         IPv6 connectivity are connected
# SIXXS:  the name of the interface identifying the sixxs-tunnel
# PREFIX: The IPv6-Prefix of your network
IPT6="/usr/sbin/ip6tables"
IF="br-lan"
SIXXS="sixxs"
PREFIX="2001:1234:5678::/48"


#
# Host IP address definitions
#
# Here you can define all the ip addresses of hosts that need
# some kind of special configuration, like port forwarding.
# The default configuration is to allow all outgoing traffic
# and to disallow all incoming traffic including ICMP as such.
host_micron="2001:1234:5678:fefe:1234:5678:9abc:def0"


#
# All your custom rules should be placed inside the custom_rules() function
# below. This ensures that they are executed after all the default rules
# have been properly set.
#
custom_rules() {

        # Allow SSH access via port 22
        $IPT6 -A INPUT -i $SIXXS -p tcp --dport 22 -j ACCEPT

        # Allow Access to port 80 and 22 on micron
        #$IPT6 -A FORWARD -i $SIXXS -o $IF -p tcp --dport 80 -d $host_micron -j ACCEPT
        #$IPT6 -A FORWARD -i $SIXXS -o $IF -p tcp --dport 22 -d $host_micron -j ACCEPT

}


#######################################################################
### DO NOT EDIT BELOW THIS LINE UNLESS YOU KNOW WHAT YOU ARE DOING! ###
#######################################################################

# Clean old firewall rules
$IPT6 -F
$IPT6 -X

# Clean old iptables v6 tables
for chain in mangle filter; do
  $IPT6 -t $chain -F
  $IPT6 -t $chain -X
done

# Set IPv6 default chains (drop everything)
$IPT6 -P INPUT DROP
$IPT6 -P OUTPUT DROP
$IPT6 -P FORWARD DROP

# Allow already established transactions to pass without further checking
#$IPT6 -A INPUT -i $IF -m state --state RELATED,ESTABLISHED -j ACCEPT
#$IPT6 -A OUTPUT -o $IF -m state --state RELATED,ESTABLISHED -j ACCEPT
#$IPT6 -A FORWARD -i $IF -m state --state RELATED,ESTABLISHED -j ACCEPT
#$IPT6 -A FORWARD -o $IF -m state --state RELATED,ESTABLISHED -j ACCEPT

# Allow everything on the local link
$IPT6 -A INPUT -i lo -j ACCEPT
$IPT6 -A OUTPUT -o lo -j ACCEPT

# Allow the localnet to access the router
$IPT6 -A INPUT -i $IF -j ACCEPT
$IPT6 -A OUTPUT -o $IF -j ACCEPT

# Allow anything out on the internet
$IPT6 -A OUTPUT -o $SIXXS -j ACCEPT

# Filter all packets that have RH0 headers
#$IPT6 -A INPUT -m rt --rt-type 0 -j DROP
#$IPT6 -A OUTPUT -m rt --rt-type 0 -j DROP
#$IPT6 -A FORWARD -m rt --rt-type 0 -j DROP

# Allow ICMP from everywhere to router and hosts
# This still needs tweaking to disallow certain icmpv6 types (like ping)
# to reach hosts inside the subnet
$IPT6 -A INPUT -p icmpv6 -j ACCEPT
$IPT6 -A OUTPUT -p icmpv6 -j ACCEPT
$IPT6 -A FORWARD -p icmpv6 -j ACCEPT


# Allow forwarding (outgoing)
$IPT6 -A FORWARD -m state --state NEW -i $IF -o $SIXXS -s $PREFIX -j ACCEPT
$IPT6 -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

# Run custom rules defined above
custom_rules
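One way to do the ICMPv6 tweaking the script's own comment says is still missing, added here as an example and not taken from the original post: it accepts only the ICMPv6 types IPv6 cannot work without, keeps pings to the router but not to LAN hosts, and adds the ESTABLISHED,RELATED rule the script has commented out for INPUT. It assumes the variable names IPT6, IF and SIXXS from the script above and is meant to replace its three "Allow ICMP from everywhere" rules.

```shell
#!/bin/sh
# Added example (not part of the original post). Variable names are
# assumed to match the script above.
IPT6="${IPT6:-/usr/sbin/ip6tables}"
IF="${IF:-br-lan}"
SIXXS="${SIXXS:-sixxs}"

# ICMPv6 error messages that must pass in both directions (RFC 4890):
# destination unreachable (1), packet too big (2, path MTU discovery over
# the tunnel breaks without it), time exceeded (3), parameter problem (4).
error_types() { echo "1 2 3 4"; }
# Neighbor Discovery (133-136) is link-local only and is never forwarded.
nd_types() { echo "133 134 135 136"; }

icmpv6_rules() {
    # The script above has this rule commented out for INPUT, so replies to
    # IPv6 connections the router itself opens over the tunnel would fall
    # through to the DROP policy. Conntrack also tracks ICMPv6 echo, so echo
    # replies to the router's own pings are covered here.
    $IPT6 -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    for t in $(error_types); do
        $IPT6 -A INPUT   -p icmpv6 --icmpv6-type "$t" -j ACCEPT
        $IPT6 -A FORWARD -p icmpv6 --icmpv6-type "$t" -j ACCEPT
    done
    for t in $(nd_types); do
        $IPT6 -A INPUT -p icmpv6 --icmpv6-type "$t" -j ACCEPT
    done

    # Echo request (128): the router stays pingable from the tunnel, rate
    # limited. No FORWARD rule is added for type 128, so pings from the
    # internet to hosts inside the prefix hit the FORWARD DROP policy.
    $IPT6 -A INPUT -i "$SIXXS" -p icmpv6 --icmpv6-type 128 \
        -m limit --limit 10/second -j ACCEPT

    # Whatever the router sends out is fine (same as the original OUTPUT rule).
    $IPT6 -A OUTPUT -p icmpv6 -j ACCEPT
}

# Apply only when asked explicitly, so the file can be sourced without
# touching the live rule set (e.g. to preview with IPT6=echo).
if [ "${1:-}" = "apply" ]; then
    icmpv6_rules
fi
```

Run it with IPT6=echo to print the rules instead of loading them; ICMPv6 from the LAN to the router is still covered by the script's earlier "-i $IF" rule.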

The ip6tables config depends quite a lot on the OpenWrt version you are running:

The current Backfire and Attitude Adjustment trunk versions have a dual-stack firewall, where your "default rules" are pretty much built in and configurable from the LuCI interface, if necessary. So you have unnecessary rules in the config if you target the current Backfire or Attitude Adjustment trunk.

Your default rules were needed for "firewall v1" used in Backfire until February 2011 (before r25353) and for running ancient releases like Whiterussian.

The "custom rules" are still needed even with the current versions for opening selected ports for forwarding.

Some pointers to earlier discussion on IPv6 firewall rules:
http://wiki.openwrt.org/doc/howto/ipv6# … .ip6tables
https://forum.openwrt.org/viewtopic.php?id=27541
https://forum.openwrt.org/viewtopic.php … 21#p127621

hnyman wrote:

The "custom rules" are still needed even with the current versions for opening selected ports for forwarding.

What's wrong with that?

config rule
  option src wan6
  option dest lan
  option proto tcp
  option port 1234
  option target ACCEPT
  option family ipv6

Thank you hnyman for your info and links. I'll have a look at them.

I'm currently running Kamikaze 8.09.2 so I need to define default rules as there does not exist any standard configuration for ip6tables.
