Welcome to Hurricane Electric's IPv6 Tunnel Broker Forums.

Blocking All Incoming Packets from WAN->LAN

Started by wswartzendruber, January 21, 2011, 09:25:13 AM


wswartzendruber

I have a Linksys WRT54G running OpenWrt. I'm allowing all ICMPv6 to and from the WAN interface, but am blocking all packets from WAN to LAN that aren't part of an established connection or somehow related (like an echo reply to an echo request).

I'm told on irc.freenode.net #ipv6 that I'm not supposed to touch ICMPv6 at all, and that it needs to be unrestricted. On the other hand, RFC 4890 tells me that ICMPv6 should be filtered somewhat.

Here are my ip6tables:

#!/bin/sh /etc/rc.common
# Copyright (C) 2008 OpenWrt.org

START=46

# Variables
IPTABLES='/usr/sbin/ip6tables'
IF_LO='lo'
IF_LAN='br-lan'
IF_WAN='henet0'
IP_LAN='2001:470:1f05:1698::1'
IP_WAN='2001:470:1f04:1698::2'
NETMASK_LAN='2001:470:1f05:1698::/64'

start()
{
# Setup some anal defaults
$IPTABLES -P FORWARD DROP
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP

# Global input rules
$IPTABLES -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
$IPTABLES -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
$IPTABLES -A INPUT -m state --state INVALID -j DROP
$IPTABLES -A INPUT -p tcp -m state --state NEW -m tcp ! --syn -j DROP

# Global output rules
$IPTABLES -A OUTPUT -p tcp --tcp-flags ALL NONE -j DROP
$IPTABLES -A OUTPUT -p tcp --tcp-flags ALL ALL -j DROP
$IPTABLES -A OUTPUT -m state --state INVALID -j DROP
$IPTABLES -A OUTPUT -p tcp -m state --state NEW -m tcp ! --syn -j DROP

# Global forwarding rules
$IPTABLES -A FORWARD -p tcp --tcp-flags ALL NONE -j DROP
$IPTABLES -A FORWARD -p tcp --tcp-flags ALL ALL -j DROP
$IPTABLES -A FORWARD -m state --state INVALID -j DROP
$IPTABLES -A FORWARD -p tcp -m state --state NEW -m tcp ! --syn -j DROP

# Input/output rules for loopback
$IPTABLES -A INPUT -i $IF_LO -s ::1 -d ::1 -j ACCEPT
$IPTABLES -A OUTPUT -o $IF_LO -s ::1 -d ::1 -j ACCEPT

# Inbound LAN interface
$IPTABLES -A INPUT -i $IF_LAN -p icmpv6 -j ACCEPT
$IPTABLES -A INPUT -i $IF_LAN -s $NETMASK_LAN -d $IP_LAN -j ACCEPT

# Inbound WAN interface
$IPTABLES -A INPUT -i $IF_WAN -s ::0/128 -j DROP
$IPTABLES -A INPUT -i $IF_WAN -s ::1/128 -j DROP
$IPTABLES -A INPUT -i $IF_WAN -s ::ffff:0:0/96 -j DROP
$IPTABLES -A INPUT -i $IF_WAN -s ::0/96 -j DROP
$IPTABLES -A INPUT -i $IF_WAN -s fe80::/10 -j DROP
$IPTABLES -A INPUT -i $IF_WAN -s fc00::/7 -j DROP
$IPTABLES -A INPUT -i $IF_WAN -s 2001:db8::/32 -j DROP
$IPTABLES -A INPUT -i $IF_WAN -s 2001:10::/28 -j DROP
$IPTABLES -A INPUT -i $IF_WAN ! -d $IP_WAN -j DROP
$IPTABLES -A INPUT -i $IF_WAN -p icmpv6 -j ACCEPT
$IPTABLES -A INPUT -i $IF_WAN -m state --state ESTABLISHED,RELATED -j ACCEPT

# Outbound LAN interface
$IPTABLES -A OUTPUT -o $IF_LAN -p icmpv6 -j ACCEPT
$IPTABLES -A OUTPUT -o $IF_LAN -s $IP_LAN -d $NETMASK_LAN -j ACCEPT

# Outbound WAN interface
$IPTABLES -A OUTPUT -o $IF_WAN ! -s $IP_WAN -j DROP
$IPTABLES -A OUTPUT -o $IF_WAN -d ::0/128 -j DROP
$IPTABLES -A OUTPUT -o $IF_WAN -d ::1/128 -j DROP
$IPTABLES -A OUTPUT -o $IF_WAN -d ::ffff:0:0/96 -j DROP
$IPTABLES -A OUTPUT -o $IF_WAN -d ::0/96 -j DROP
$IPTABLES -A OUTPUT -o $IF_WAN -d fe80::/10 -j DROP
$IPTABLES -A OUTPUT -o $IF_WAN -d fc00::/7 -j DROP
$IPTABLES -A OUTPUT -o $IF_WAN -d 2001:db8::/32 -j DROP
$IPTABLES -A OUTPUT -o $IF_WAN -d 2001:10::/28 -j DROP
$IPTABLES -A OUTPUT -o $IF_WAN -j ACCEPT

# Forwarding rules for inbound global
$IPTABLES -A FORWARD -i $IF_WAN -o $IF_LAN -s ::0/128 -j DROP
$IPTABLES -A FORWARD -i $IF_WAN -o $IF_LAN -s ::1/128 -j DROP
$IPTABLES -A FORWARD -i $IF_WAN -o $IF_LAN -s ::ffff:0:0/96 -j DROP
$IPTABLES -A FORWARD -i $IF_WAN -o $IF_LAN -s ::0/96 -j DROP
$IPTABLES -A FORWARD -i $IF_WAN -o $IF_LAN -s fe80::/10 -j DROP
$IPTABLES -A FORWARD -i $IF_WAN -o $IF_LAN -s fc00::/7 -j DROP
$IPTABLES -A FORWARD -i $IF_WAN -o $IF_LAN -s 2001:db8::/32 -j DROP
$IPTABLES -A FORWARD -i $IF_WAN -o $IF_LAN -s 2001:10::/28 -j DROP
$IPTABLES -A FORWARD -i $IF_WAN -o $IF_LAN ! -d $NETMASK_LAN -j DROP
$IPTABLES -A FORWARD -i $IF_WAN -o $IF_LAN -m state --state ESTABLISHED,RELATED -j ACCEPT

# Forwarding rules for outbound global
$IPTABLES -A FORWARD -i $IF_LAN -o $IF_WAN -d ::0/128 -j DROP
$IPTABLES -A FORWARD -i $IF_LAN -o $IF_WAN -d ::1/128 -j DROP
$IPTABLES -A FORWARD -i $IF_LAN -o $IF_WAN -d ::ffff:0:0/96 -j DROP
$IPTABLES -A FORWARD -i $IF_LAN -o $IF_WAN -d ::0/96 -j DROP
$IPTABLES -A FORWARD -i $IF_LAN -o $IF_WAN -d fe80::/10 -j DROP
$IPTABLES -A FORWARD -i $IF_LAN -o $IF_WAN -d fc00::/7 -j DROP
$IPTABLES -A FORWARD -i $IF_LAN -o $IF_WAN -d 2001:db8::/32 -j DROP
$IPTABLES -A FORWARD -i $IF_LAN -o $IF_WAN -d 2001:10::/28 -j DROP
$IPTABLES -A FORWARD -i $IF_LAN -o $IF_WAN ! -s $NETMASK_LAN -j DROP
$IPTABLES -A FORWARD -i $IF_LAN -o $IF_WAN -j ACCEPT
}

stop()
{
# Reset all tables.
$IPTABLES -F
$IPTABLES -t raw -F
$IPTABLES -t raw -X
$IPTABLES -X

# Allow all traffic.
$IPTABLES -P INPUT ACCEPT
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -P FORWARD ACCEPT
}


I would appreciate any commentary I can get.

jimb

Unless I missed something, it looks like all ICMPv6 is filtered for the FORWARD chain, so no internal hosts will be able to do ICMPv6 with outside hosts unless the state tracking allows it.

wswartzendruber

Outbound ICMPv6 is allowed.  Connection tracking seems to be allowing ECHO REPLY back in when ECHO REQUEST is sent.

jrocha

I generally recommend not blocking ICMPv6 at all (as much of it is required for proper IPv6 transit), but do recommend putting limits on it. For example, with iptables:


ip6tables -A INPUT -p ipv6-icmp -m limit --limit 50/minute -j ACCEPT

antillie

I agree. ICMPv6 is critical to the proper operation of an IPv6 network and IPv6 inter-network communication and transit. Filtering it out will only cause problems, especially MTU-related problems, as much of the current IPv6 internet is going through tunnels over IPv4 and ICMPv6 is needed for path MTU discovery.

Blocking ICMP is IPv4 thinking. IPv6 is a different ball game altogether.

Besides, when your local subnet contains 2^64 addresses a ping sweep just isn't practical. ;)
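As an added example that is not part of the thread and not the original poster's script: an ip6tables rule set that does what wswartzendruber asked about, filtering ICMPv6 along the lines of RFC 4890 (section 4.3 for transit traffic, 4.4 for traffic to the router itself) instead of accepting or dropping the whole protocol. It keeps the Packet Too Big messages antillie mentions, and applies a rate limit like the one jrocha suggests, but only to echo requests rather than to every ICMPv6 type. The interface names henet0 and br-lan follow the posted script; the chain name ICMPV6_WAN, the ip6tables path, the rate values and the apply/DRY_RUN switches are assumptions made for this example.

```shell
#!/bin/sh
# Added example for this thread (not the original poster's script and not
# Hurricane Electric's): an ip6tables ICMPv6 policy for a router's WAN side
# that follows the RFC 4890 recommendations instead of accepting or dropping
# the whole protocol. Assumptions: WAN is henet0 and LAN is br-lan (the names
# used in the thread), ip6tables lives in /usr/sbin, and the limit and hl
# matches are available. DRY_RUN=1 prints the commands instead of running
# them, so the rule set can be reviewed without root.

IP6T=${IP6T:-/usr/sbin/ip6tables}
IF_WAN=${IF_WAN:-henet0}
IF_LAN=${IF_LAN:-br-lan}

# Run one ip6tables command, or print it when DRY_RUN is set.
run() {
    if [ -n "${DRY_RUN:-}" ]; then
        printf '%s\n' "$IP6T $*"
    else
        "$IP6T" "$@"
    fi
}

# Fill a dedicated chain that gives every ICMPv6 type from the WAN a verdict.
# Types are given numerically; the names ip6tables accepts are in comments.
icmpv6_wan_chain() {
    run -N ICMPV6_WAN          # fails harmlessly if the chain already exists
    run -F ICMPV6_WAN

    # Error messages (RFC 4890 4.3.1, types 1-4: destination-unreachable,
    # packet-too-big, time-exceeded, parameter-problem) must not be dropped.
    # Type 2 is what path MTU discovery over an IPv4 tunnel relies on.
    for t in 1 2 3 4; do
        run -A ICMPV6_WAN -p icmpv6 --icmpv6-type "$t" -j ACCEPT
    done

    # Echo Request (128) is allowed but rate-limited; Echo Reply (129) passes.
    # The limit is per rule, so a ping flood cannot starve the other types.
    run -A ICMPV6_WAN -p icmpv6 --icmpv6-type 128 \
        -m limit --limit 10/second --limit-burst 20 -j ACCEPT
    run -A ICMPV6_WAN -p icmpv6 --icmpv6-type 129 -j ACCEPT

    # Neighbor Discovery (types 133-136: RS, RA, NS, NA) is link-local only.
    # RFC 4861 requires hop limit 255, so a packet that was ever routed cannot
    # match; anything else claiming to be ND falls through to the DROP below.
    for t in 133 134 135 136; do
        run -A ICMPV6_WAN -p icmpv6 --icmpv6-type "$t" -m hl --hl-eq 255 -j ACCEPT
    done

    # MLD (types 130-132, 143) is likewise link-local and sent with hop limit 1.
    for t in 130 131 132 143; do
        run -A ICMPV6_WAN -p icmpv6 --icmpv6-type "$t" -m hl --hl-eq 1 -j ACCEPT
    done

    # Everything else from the WAN (Redirect, Node Information queries,
    # experimental and unassigned types) is dropped.
    run -A ICMPV6_WAN -p icmpv6 -j DROP
}

# Send WAN-origin ICMPv6 through the chain from INPUT (to the router) and
# FORWARD (to LAN hosts). -A keeps any bogon-source DROP rules ahead of it;
# this stands in for a blanket "-i $IF_WAN -p icmpv6 -j ACCEPT" rule.
icmpv6_policy() {
    icmpv6_wan_chain
    run -A INPUT -i "$IF_WAN" -p icmpv6 -j ICMPV6_WAN
    run -A FORWARD -i "$IF_WAN" -o "$IF_LAN" -p icmpv6 -j ICMPV6_WAN
}

# Apply only when invoked as "sh icmpv6.sh apply"; otherwise nothing runs.
if [ "${1:-}" = "apply" ]; then
    icmpv6_policy
fi
```

Run it as `sh icmpv6.sh apply` on the router, or with `DRY_RUN=1 sh -c '. ./icmpv6.sh; icmpv6_policy'` to see the nineteen commands it would issue. The reason the limit sits on type 128 alone rather than on all of ICMPv6, as in the one-liner above, is that a `-m limit` bucket is shared by everything its rule matches: once an echo flood has drained it, Packet Too Big and Neighbor Discovery stop matching that rule as well and fall to the chain's policy.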