IP6TABLES FIREWALL RECOMMENDED CONFIGURATION ON UBUNTU

IP6TABLES FIREWALL RECOMMENDED CONFIGURATION ON UBUNTU LINUX

BY FREE LINUX2 MIN READADD COMMENT

Ip6tables is a firewall utility that uses policy chains to allow or block traffic.  It can configure IPv6 tables, chains or rules provided by the Linux kernel firewall.

Some key things to consider:

1. Installation: (When installing iptables package, it will include the ip6tables)

apt install iptables<br>apt install iptables-persistent

2. Verify if iptables is enabled:

ip6tables -L -n -v

3. Flush iptables rules

ip6tables -F

4. When working remotely, it is recommended to allow incoming SSH or port 22 connections

ip6tables -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT

5. Take note that there’s a chance of conflict if running both iptables,ufw and nftables, so it is recommended to remove it.

apt purge nftables

apt purge ufw

ufw disable

6. Loopback interface is allowed to accept traffic. Other interfaces should be configured to deny traffic to the loopback network:

IPv6: ::1/128

Apply the rules:

ip6tables -A INPUT -i lo -j ACCEPT
ip6tables -A OUTPUT -o lo -j ACCEPT
ip6tables -A INPUT -s ::1 -j DROP

7. Outbound connections are allowed for all interfaces. Configure also to allow established connections.

ip6tables -A INPUT -p ipv6-icmp -j ACCEPT
ip6tables -A OUTPUT -p tcp -m state --state NEW,ESTABLISHED -j ACCEPT
ip6tables -A OUTPUT -p udp -m state --state NEW,ESTABLISHED -j ACCEPT
ip6tables -A OUTPUT -p icmpv6 -m state --state NEW,ESTABLISHED -j ACCEPT
ip6tables -A INPUT -p tcp -m state --state ESTABLISHED -j ACCEPT
ip6tables -A INPUT -p udp -m state --state ESTABLISHED -j ACCEPT
ip6tables -A INPUT -p icmp -m state --state ESTABLISHED -j ACCEPT

8. Allow only open ports that are needed

There are few ways to verify open or listening ports, e.g. using “ss” command

Sample Output:

root@freelinux:~# ss -4tuln
Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port
udp UNCONN 0 0 *:5355 *:*
udp UNCONN 0 0 127.0.0.53%lo:53 *:*
udp UNCONN 0 0 10.0.2.15%enp0s3:68 *:*
tcp LISTEN 0 80 127.0.0.1:3306 *:*
tcp LISTEN 0 128 *:5355 *:*
tcp LISTEN 0 128 *:22 *:*

Execute this command to see the firewall rules

ip6tables -L INPUT -v -n

Syntax to allow open ports:

ip6tables -A INPUT -p <protocol> –dport <port> -m state –state NEW -j ACCEPT

9. Default deny should be configured

The concept is to allow ports or hosts then last rule is to default deny to drop all the traffic.

ip6tables -P INPUT DROP
ip6tables -P OUTPUT DROP
ip6tables -P FORWARD DROP
-A INPUT -p ipv6-icmp -j ACCEPT
-A INPUT -p tcp -m tcp --dport 3306 -j DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state ESTABLISHED -j ACCEPT
-A INPUT -p udp -m state --state ESTABLISHED -j ACCEPT
-A INPUT -p icmp -m state --state ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 26802 -m state --state NEW -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -m state --state NEW -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -m state --state NEW -j ACCEPT
-A INPUT -p ipv6-icmp -m state --state ESTABLISHED -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -p tcp -m state --state NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -p udp -m state --state NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -p icmp -m state --state NEW,ESTABLISHED -j ACCEPT
COMMIT
0 0 投票数
Article Rating
订阅评论
提醒
guest

0 评论
最旧
最新 最多投票
内联反馈
查看所有评论
0
希望看到您的想法,请您发表评论x