Ubuntu – Do I also need to set up another iptables rules for ipv6 if I just used iptables

iptables

Say I have a firewall setup on my linux server with iptables so that I only accept port 22 and port 80 traffic and I block access to all other ports.

Do these rules only work if the client machine is using a IPv4 address? So if an ipv6 address is used, the client can access ports I don't want them to? (ie ports other than port 22 and port 80)

Best Answer

iptables works for IPv4, but not IPv6. ip6tables is the equivalent IPv6 firewall, and is installed with iptables.

Ultimately, though, iptables is for IPv4 connections, ip6tables is for IPv6 connections. If you want your iptables rules to also apply to IPv6, you have to add them to ip6tables as well.

If you try and replicate your iptables ruleset in ip6tables, not all the rules that iptables can do will port over neatly to ip6tables, but most of them will.

Refer to the manpage for ip6tables if you want to make sure the commands that you use in your iptables will neatly port over.

If you'd like, we can help you create equivalent ip6tables rulesets to match your iptables rules, if you provide your firewall rules list (removing any information that could identify the system of coruse). Otherwise, we can only answer your general question.

Related Solutions

Ubuntu – Which INPUT rules do I need to add to iptables so apt (apt-get, aptitude) can work (update, upgrade, search, install)

When you send a HTTP request to the other server, you're using TCP. First, a SYN packet go outside to the other server from a random high port, then you'll receive a ACK response. Finally you send SYN/ACK to the server and the server responds with the requested document (in multiple packets). Your rules do not allow the ACK packet to be received and therefore the connection cannot be established. Add a rule like:

-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

You don't get iptables logs for free. Your rules should look like:

# if no rule matched, the input should be dropped
-P INPUT DROP

-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
# etc

# the limit prevents your logs from being flooded if there are a lot packets being captured
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied" --log-level debug

Note that I've omitted iptables before the commands, I recommend using iptables-restore (or iptables-apply for testing) to avoid locking yourself out if a rule fails to apply. The file to be passed to the command looks like:

*FILTER
# your rules here, for example:
-P INPUT DROP
-P INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
COMMIT

A newline after the COMMIT line is mandatory.

By default, the entries go to /var/log/kern.log. Not good if you want to differentiate between kernel and iptables messages, so create a filter for rsyslog in /etc/rsyslog.d/iptables.conf containing:

:msg,contains,"iptables denied" /var/log/iptables.log
& ~

This will filter iptables errors and send those to /var/log/iptables.log.

Best Answer

Related Solutions

Ubuntu – Which INPUT rules do I need to add to iptables so apt (apt-get, aptitude) can work (update, upgrade, search, install)

Related Question