IP6TABLES FIREWALL RECOMMENDED CONFIGURATION ON UBUNTU LINUX
BY FREE LINUX
ip6tables is the IPv6 counterpart of iptables: a utility that manages the tables, chains and rules of the Linux kernel firewall for IPv6 traffic. Each chain is a list of rules followed by a chain policy, and together they decide which packets are allowed or blocked.
Some key things to consider:
1. Installation (the iptables package also provides ip6tables; iptables-persistent restores the saved rules at boot):
apt install iptables
apt install iptables-persistent
2. Verify which ip6tables rules are currently in place (numeric output, with packet counters):
ip6tables -L -n -v
3. Flush the existing ip6tables rules. Note that -F removes rules only and leaves the chain policies as they are; if a chain policy is already DROP, flushing on a remote host cuts off your own session, so check the policies in step 2 first.
ip6tables -F
4. When working remotely, allow incoming SSH (TCP port 22) before adding anything restrictive:
ip6tables -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT
5. Take note that iptables, ufw and nftables can conflict when they are run side by side, so it is recommended to remove the ones you are not using (disable ufw before purging it, since the command is gone afterwards):
apt purge nftables
ufw disable
apt purge ufw
6. The loopback interface is allowed to accept traffic. Packets addressed to the loopback network but arriving on any other interface should be dropped:
IPv6: ::1/128
Apply the rules:
ip6tables -A INPUT -i lo -j ACCEPT
ip6tables -A OUTPUT -o lo -j ACCEPT
ip6tables -A INPUT -s ::1 -j DROP
7. Outbound connections are allowed on all interfaces, and replies to established connections are allowed inbound. ICMPv6 must be accepted in both directions: IPv6 depends on it for neighbour discovery, and neighbour discovery messages are not connection-tracked, so they are accepted without a --state match. (In ip6tables the protocol name is ipv6-icmp or icmpv6; plain icmp refers to the IPv4 protocol number and never matches IPv6 traffic.)
ip6tables -A INPUT -p ipv6-icmp -j ACCEPT
ip6tables -A OUTPUT -p ipv6-icmp -j ACCEPT
ip6tables -A OUTPUT -p tcp -m state --state NEW,ESTABLISHED -j ACCEPT
ip6tables -A OUTPUT -p udp -m state --state NEW,ESTABLISHED -j ACCEPT
ip6tables -A INPUT -p tcp -m state --state ESTABLISHED -j ACCEPT
ip6tables -A INPUT -p udp -m state --state ESTABLISHED -j ACCEPT
ip6tables -A INPUT -p ipv6-icmp -m state --state ESTABLISHED -j ACCEPT
8. Allow only the open ports that are actually needed
There are a few ways to list open or listening ports, e.g. the “ss” command. Note that the “-4” switch in the sample below shows IPv4 sockets only; use “ss -6tuln” to see the IPv6 sockets that ip6tables governs.
Sample Output:
root@freelinux:~# ss -4tuln
Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port
udp UNCONN 0 0 *:5355 *:*
udp UNCONN 0 0 127.0.0.53%lo:53 *:*
udp UNCONN 0 0 10.0.2.15%enp0s3:68 *:*
tcp LISTEN 0 80 127.0.0.1:3306 *:*
tcp LISTEN 0 128 *:5355 *:*
tcp LISTEN 0 128 *:22 *:*
Execute this command to see the rules of the INPUT chain:
ip6tables -L INPUT -v -n
Syntax to allow a needed port:
ip6tables -A INPUT -p <protocol> --dport <port> -m state --state NEW -j ACCEPT
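The check behind step 8, as an added example that is not part of the original post: a small audit script that reads “ss -tuln” style output, keeps only the sockets bound to a non-loopback address (the ones a firewall rule matters for), and reports any that are missing from an allow list of ports. The embedded ss output is constructed for the demo, not captured from a real host, and the function names exposed_ports, unlisted_ports and rule_for are the example's own.

```shell
#!/bin/sh
# Audit listening sockets against an allow list of ports (added example).

# Constructed sample of `ss -6tuln` output; not captured from a real host.
SAMPLE_SS='Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port
udp   UNCONN 0      0      [::1]:323        [::]:*
udp   UNCONN 0      0      *:5355           *:*
tcp   LISTEN 0      128    [::]:22          [::]:*
tcp   LISTEN 0      80     [::1]:3306       [::]:*
tcp   LISTEN 0      511    *:80             *:*'

# exposed_ports: read ss output on stdin and print "proto port" for every
# socket bound to something other than a loopback address.
exposed_ports() {
    awk 'NR > 1 {
        n = split($5, a, ":"); port = a[n]
        host = substr($5, 1, length($5) - length(port) - 1)
        # loopback-only binds ([::1], 127.x, or scoped to lo) need no firewall rule
        if (host == "[::1]" || host ~ /^127\./ || host ~ /%lo$/) next
        print $1, port
    }' | sort -u
}

# unlisted_ports ALLOW: ports exposed on the host but absent from the
# space-separated allow list in $1; ss output is read from stdin.
unlisted_ports() {
    allow=" $1 "
    exposed_ports | while read -r proto port; do
        case "$allow" in
            *" $port "*) ;;                 # allowed, nothing to report
            *) echo "$proto $port" ;;       # exposed but not on the allow list
        esac
    done
}

# rule_for PROTO PORT: the step-8 rule you would add if the port is needed.
rule_for() {
    echo "ip6tables -A INPUT -p $1 --dport $2 -m state --state NEW -j ACCEPT"
}

# Live use (as root):  ss -6tuln | unlisted_ports "22 80 443"
# Demo on the constructed sample; reports "udp 5355":
printf '%s\n' "$SAMPLE_SS" | unlisted_ports "22 80 443"
```

Anything the script reports is either a service that should be closed or bound to ::1 instead, or a port that belongs on the allow list; a port that is neither should not appear in the firewall rules.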
9. Default deny should be configured
The idea is to add the ACCEPT rules for the needed ports and hosts first, and then, as the last step, set the chain policies to DROP so that everything not explicitly allowed is dropped. On a remote host, setting the policies before the SSH rule of step 4 is in place cuts off your own session.
ip6tables -P INPUT DROP
ip6tables -P OUTPUT DROP
ip6tables -P FORWARD DROP
The resulting rule listing (ip6tables-save format):
-A INPUT -p ipv6-icmp -j ACCEPT
-A INPUT -p tcp -m tcp --dport 3306 -j DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state ESTABLISHED -j ACCEPT
-A INPUT -p udp -m state --state ESTABLISHED -j ACCEPT
-A INPUT -p ipv6-icmp -m state --state ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 26802 -m state --state NEW -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -m state --state NEW -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -m state --state NEW -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -p ipv6-icmp -j ACCEPT
-A OUTPUT -p tcp -m state --state NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -p udp -m state --state NEW,ESTABLISHED -j ACCEPT
COMMIT
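Steps 6 to 9 put together, as an added example and not the original post's own script: the function below emits the whole recommended ruleset in ip6tables-restore format, so that the ACCEPT rules and the DROP policies are loaded in one atomic transaction instead of one command at a time, which removes the lock-out window between adding rules and setting policies. The function names gen_ruleset and count_port_rules are the example's own; ports are taken as TCP unless written as udp/PORT; /etc/iptables/rules.v6 is the file iptables-persistent loads IPv6 rules from at boot.

```shell
#!/bin/sh
# Build the recommended ip6tables ruleset as an ip6tables-restore file
# (added example; function names are this example's own).

# gen_ruleset SPEC...: print the ruleset allowing the given ports.
# A SPEC is either a TCP port number (e.g. 22) or proto/port (e.g. udp/5355).
gen_ruleset() {
    echo '*filter'
    # default deny on every chain; the policies take effect at COMMIT,
    # together with the ACCEPT rules below
    echo ':INPUT DROP [0:0]'
    echo ':FORWARD DROP [0:0]'
    echo ':OUTPUT DROP [0:0]'
    # step 6: loopback accepted on lo, ::1 arriving anywhere else dropped
    echo '-A INPUT -i lo -j ACCEPT'
    echo '-A INPUT -s ::1/128 -j DROP'
    # step 7: ICMPv6 carries neighbour discovery, which conntrack does not
    # track, so it is accepted in both directions without a --state match
    echo '-A INPUT -p ipv6-icmp -j ACCEPT'
    echo '-A OUTPUT -p ipv6-icmp -j ACCEPT'
    # step 7: replies to connections this host opened
    echo '-A INPUT -p tcp -m state --state ESTABLISHED -j ACCEPT'
    echo '-A INPUT -p udp -m state --state ESTABLISHED -j ACCEPT'
    # step 8: one rule per port that is actually needed
    for spec in "$@"; do
        case "$spec" in
            */*) proto=${spec%%/*}; port=${spec#*/} ;;
            *)   proto=tcp;         port=$spec ;;
        esac
        echo "-A INPUT -p $proto --dport $port -m state --state NEW -j ACCEPT"
    done
    # step 7: outbound loopback and anything this host initiates
    echo '-A OUTPUT -o lo -j ACCEPT'
    echo '-A OUTPUT -p tcp -m state --state NEW,ESTABLISHED -j ACCEPT'
    echo '-A OUTPUT -p udp -m state --state NEW,ESTABLISHED -j ACCEPT'
    echo 'COMMIT'
}

# count_port_rules: number of per-port ACCEPT rules in a ruleset read on stdin.
count_port_rules() {
    grep -c -- '--dport'
}

# Live use, as root:
#   gen_ruleset 22 80 443 udp/5355 > /etc/iptables/rules.v6
#   ip6tables-restore --test < /etc/iptables/rules.v6   # parse only, no commit
#   ip6tables-restore < /etc/iptables/rules.v6          # apply atomically
# Demo: print the ruleset for SSH, HTTP and HTTPS
gen_ruleset 22 80 443
```

Run the --test pass first: ip6tables-restore rejects the whole file on a syntax error, so a typo never leaves the host with half a ruleset and a DROP policy. Because the file is also what iptables-persistent reads at boot, the rules survive a reboot without a separate save step.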