12 Jul
2010
12 Jul
'10
8:04 a.m.
I have a VPS with Bitfolk used as a web server/mail server. I'm running
Debian Lenny and I have iptables set up allowing ssh, www, imap, pop,
ntp etc only.
My question is what to do about firewalling ipv6 addresses. Andy's
Customer Documentation notes "those customers firewalling IPv4 will also
want to firewall (or disable) IPv6"
I see ip6tables is already installed with an empty rule set. Should I
be blocking all ipv6 traffic or setting up the same rules as for ipv4?
Also what about local traffic?
My iptables rules:
ACCEPT all -- lo any anywhere anywhere
ACCEPT all -- any any anywhere
anywhere ctstate RELATED,ESTABLISHED
ACCEPT tcp -- any any anywhere
anywhere tcp dpt:ssh
ACCEPT tcp -- any any anywhere
anywhere tcp dpt:www
ACCEPT tcp -- any any anywhere
anywhere tcp dpt:https
ACCEPT tcp -- any any anywhere
anywhere tcp dpt:imaps
ACCEPT tcp -- any any anywhere
anywhere tcp dpt:pop3s
ACCEPT tcp -- any any anywhere
anywhere tcp dpt:smtp
ACCEPT tcp -- any any anywhere
anywhere tcp dpt:ntp
ACCEPT tcp -- any any anywhere
anywhere tcp dpt:imap2
ACCEPT tcp -- any any anywhere
anywhere tcp dpt:ssmtp
ACCEPT tcp -- any any anywhere
anywhere tcp dpt:pop3
DROP all -- any any anywhere anywhere
Thanks in advance. Martin
12 Jul
12 Jul
10:34 a.m.
Hi Martin,
On Mon, Jul 12, 2010 at 09:04:14AM +0100, Martin Halford wrote:
I have a VPS with Bitfolk used as a web server/mail
server. I'm running
Debian Lenny and I have iptables set up allowing ssh, www, imap, pop, ntp
etc only.
My question is what to do about firewalling ipv6 addresses. Andy's
Customer Documentation notes "those customers firewalling IPv4 will also
want to firewall (or disable) IPv6"
I see ip6tables is already installed with an empty rule set. Should I be
blocking all ipv6 traffic or setting up the same rules as for ipv4? Also
what about local traffic?
If you don't need anything to listen on IPv6 then you may as well
firewall it all off or disable IPv6.
If you do have things listening on IPv6 then you probably want
firewall it as you would IPv4.
There aren't currently any BitFolk things that talk to your VPS on
IPv6 so you should be safe firewalling it all off. Traffic from
inside your machine on IPv6 should go via the "lo" interface as for
IPv4 so just treat it the same.
Cheers,
Andy
--
http://bitfolk.com/ -- No-nonsense VPS hosting
12:30 p.m.
On 12/07/10 11:34, Andy Smith wrote:
If you don't need anything to listen on IPv6 then
you may as well
firewall it all off or disable IPv6.
Thanks Andy,
I decided on firewalling and it doesn't seem to have had any adverse
effects!
ip6tables -vL
Chain INPUT (policy ACCEPT 88 packets, 8659 bytes)
pkts bytes target prot opt in out source
destination
6 576 DROP all any any anywhere
anywhere
Regards, Martin
12:50 p.m.
On 2010 July 12 Monday, Martin Halford wrote:
I decided on firewalling and it doesn't seem to
have had any adverse
effects!
ip6tables -vL
Chain INPUT (policy ACCEPT 88 packets, 8659 bytes)
pkts bytes target prot opt in out source
destination
6 576 DROP all any any anywhere
anywhere
There's nothing wrong with what you've done -- and in the absence of other
rules is functionally the same as what I am about to say, but a better
practice is to set the policy of each chain to "DROP" (at least for INPUT and
FORWARD chains) and then explicitly set what you will ACCEPT (this is true for
ip4 and ip6).
# flush any existing rules
ip6tables -F -X
# set policy
ip6tables -P INPUT DROP
ip6tables -P FORWARD DROP
ip6tables -L
Chain INPUT (policy DROP)
target prot opt source destination
Chain FORWARD (policy DROP)
target prot opt source destination
Since the DROP isn't implemented with a rule, you don't have to worry about
inserting your ACCEPT rules before it, you can simply append and the policy
will take care of the DROP. For example:
ip6tables -A INPUT -p tcp --dport 22 -j ACCEPT
This saves you the trouble of working out what number you should be passing to
a '-I' command.
Andy
--
Dr Andy Parkins
andyparkins(a)gmail.com
2:09 p.m.
On 12/07/10 13:50, Andy Parkins wrote:
There's nothing wrong with what you've done --
and in the absence of other
rules is functionally the same as what I am about to say, but a better
practice is to set the policy of each chain to "DROP" (at least for INPUT and
FORWARD chains) and then explicitly set what you will ACCEPT (this is true for
ip4 and ip6).
# flush any existing rules
ip6tables -F -X
# set policy
ip6tables -P INPUT DROP
ip6tables -P FORWARD DROP
ip6tables -L
Chain INPUT (policy DROP)
target prot opt source destination
Chain FORWARD (policy DROP)
target prot opt source destination
Since the DROP isn't implemented with a rule, you don't have to worry about
inserting your ACCEPT rules before it, you can simply append and the policy
will take care of the DROP. For example:
ip6tables -A INPUT -p tcp --dport 22 -j ACCEPT
This saves you the trouble of working out what number you should be passing to
a '-I' command.
Andy,
Thank you - I'll change both my iptables and ip6tables rules as you
recommend above. This was how I had it set up on my previous VPS, but I
went to a different guide this time.
Martin
5277
days inactive
5277
days old
4 comments
3 participants
participants (3)
-
Andy Parkins -
Andy Smith -
Martin Halford