Score:0

Network Security: Hardening IPv6 on Ubuntu Server?

tr flag

I am familiar with hardening IPv4 on Ubuntu Server, but when I use the same rules for IPv6 with ip6tables, IPv6 connectivity is lost, resulting in "Destination unreachable: Address unreachable" errors during ping. Could you please advise on how to fix this issue? My logic is the following:

#IPv6
#Reset all rules (F) and chains (X)
ip6tables -F
ip6tables -X

#Force SYN packets check
ip6tables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
#Drop XMAS packets
ip6tables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
#Drop null packets
ip6tables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
#Drop incoming packets with fragments
#ip6tables -A INPUT -f -j DROP #this does not really work like in iptables

#Drop traffic 
ip6tables -t filter -P INPUT DROP
ip6tables -t filter -P FORWARD DROP
ip6tables -t filter -P OUTPUT DROP
#Keep established
ip6tables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
ip6tables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
#Accept loopback
ip6tables -t filter -A INPUT -i lo -j ACCEPT
ip6tables -t filter -A OUTPUT -o lo -j ACCEPT

#ICMP
ip6tables -t filter -A INPUT -p icmp -j ACCEPT
ip6tables -t filter -A OUTPUT -p icmp -j ACCEPT

#ServiceX
ip6tables -t filter -A DESTINATION -p PROTOCOL --dport PORT -j ACCEPT
#ServiceY
ip6tables -t filter -A DESTINATION -p PROTOCOL --dport PORT -j ACCEPT
#ServiceZ
ip6tables -t filter -A DESTINATION -p PROTOCOL --dport PORT -j ACCEPT
...

Example for ssh server, though I never use the default port 22...

#SSH
ip6tables -t filter -A INPUT -p tcp --dport 22 -j ACCEPT
ip6tables -t filter -A OUTPUT -p tcp --dport 22 -j ACCEPT

The script is made executable, so it runs across reboots from /etc/init.d/scriptname. The idea is to block everything and allow only what is actually known to be used by the server's services. Any better approach, please? Why does this work in IPv4 but not in IPv6? When I issue ip6tables -t filter -P INPUT ACCEPT it works, but that's not the point. How do I really secure IPv6 on Ubuntu servers? Thanks!

in flag
IPv6 works differently from IPv4 in many aspects. Maybe you should learn IPv6 first.
tr flag
Mm-hmm... And where do I start? xD Like, how is ip6tables that much different from iptables? Many say to use an identical configuration to iptables, but it does not seem to work for me.
my flag
https://serverfault.com/questions/783807/ipv6-allow-incoming-icmp-echo-requests#comment990370_783807
tr flag
Thanks, @user951308, for pointing that out, but I already allow ICMP. Updating the question... Maybe something else needs to be specifically enabled instead of the entire INPUT direction?
tr flag
OK. It appears it should be ipv6-icmp instead of icmp. Thanks!
Score:0
tr flag
ip6tables -t filter -A INPUT -p ipv6-icmp -j ACCEPT
ip6tables -t filter -A OUTPUT -p ipv6-icmp -j ACCEPT

instead of

ip6tables -t filter -A INPUT -p icmp -j ACCEPT
ip6tables -t filter -A OUTPUT -p icmp -j ACCEPT

solves it.

Score:0
cn flag

Based on how IPv6 works, you need to add some ACCEPT rules for ICMPv6; try these:

# $WAN_IF is the Internet-facing interface of the firewall (e.g. WAN_IF=eth0); set it before running these
# ICMPv6 error messages: 1 destination unreachable, 2 packet too big, 3 time exceeded, 4 parameter problem
ip6tables -A INPUT -p icmpv6 --icmpv6-type 1 -j ACCEPT
ip6tables -A INPUT -p icmpv6 --icmpv6-type 2 -j ACCEPT
ip6tables -A INPUT -p icmpv6 --icmpv6-type 3 -j ACCEPT
ip6tables -A INPUT -p icmpv6 --icmpv6-type 4 -j ACCEPT
ip6tables -A FORWARD -i $WAN_IF -p icmpv6 --icmpv6-type 1 -j ACCEPT
ip6tables -A FORWARD -i $WAN_IF -p icmpv6 --icmpv6-type 2 -j ACCEPT
ip6tables -A FORWARD -i $WAN_IF -p icmpv6 --icmpv6-type 3 -j ACCEPT
ip6tables -A FORWARD -i $WAN_IF -p icmpv6 --icmpv6-type 4 -j ACCEPT
# Router and neighbor discovery incoming and outgoing
ip6tables -A INPUT -p icmpv6 --icmpv6-type 133 -j ACCEPT
ip6tables -A INPUT -p icmpv6 --icmpv6-type 134 -j ACCEPT
ip6tables -A INPUT -p icmpv6 --icmpv6-type 135 -j ACCEPT
ip6tables -A INPUT -p icmpv6 --icmpv6-type 136 -j ACCEPT
ip6tables -A OUTPUT -p icmpv6 --icmpv6-type 133 -j ACCEPT
ip6tables -A OUTPUT -p icmpv6 --icmpv6-type 134 -j ACCEPT
ip6tables -A OUTPUT -p icmpv6 --icmpv6-type 135 -j ACCEPT
ip6tables -A OUTPUT -p icmpv6 --icmpv6-type 136 -j ACCEPT
# Ping request to firewall from LAN and DMZ
ip6tables -A INPUT ! -i $WAN_IF -p icmpv6 --icmpv6-type 128 -j ACCEPT
# Ping request from firewall, LAN and DMZ
ip6tables -A OUTPUT -p icmpv6 --icmpv6-type 128 -j ACCEPT
ip6tables -A FORWARD ! -i $WAN_IF -p icmpv6 --icmpv6-type 128 -j ACCEPT

I found this article very useful for myself: IPv6-Tables

tr flag
ip6tables -t filter -A INPUT -p ipv6-icmp -j ACCEPT and ip6tables -t filter -A OUTPUT -p ipv6-icmp -j ACCEPT solved it for me. Thanks! See my last comment on the question itself.
in flag
@lion great that you were able to solve it, but please accept the answer that helped you.
tr flag
It was in a comment above with a link. It appears it should be ipv6-icmp instead of icmp.
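An added example (not the questioner's script and not the answer's rule list): a default-DROP ip6tables ruleset for a single Ubuntu host that keeps the question's block-everything approach but lets through the ICMPv6 types the answer lists, using the ipv6-icmp protocol name from the accepted fix. SSH_PORT, DRY_RUN and APPLY are this example's own assumed knobs; with DRY_RUN=1 it prints the rules instead of applying them, so it can be reviewed without root.

```shell
#!/bin/sh
# Added example, not the questioner's script nor the answer's list: a
# default-DROP ip6tables ruleset for one host that keeps the ICMPv6 that
# IPv6 needs to work at all. SSH_PORT, DRY_RUN and APPLY are assumed knobs.
set -eu
SSH_PORT="${SSH_PORT:-22}"
DRY_RUN="${DRY_RUN:-0}"

# Every rule goes through run(); with DRY_RUN=1 it is printed, not applied.
run() { if [ "$DRY_RUN" = 1 ]; then echo "ip6tables $*"; else ip6tables "$@"; fi; }

apply_ipv6_rules() {
  run -F
  run -X
  run -P INPUT DROP
  run -P FORWARD DROP   # a host does not route, so FORWARD needs nothing else
  run -P OUTPUT DROP
  run -A INPUT -i lo -j ACCEPT
  run -A OUTPUT -o lo -j ACCEPT
  # Stateful rules: every reply, including ICMPv6 echo replies, rides on these.
  run -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
  run -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
  # Neighbor/router discovery (133-136): without it the host cannot even learn
  # its gateway's link-layer address. NDP is sent with hop limit 255, so a
  # packet that was routed here (hop limit below 255) is not NDP and stays dropped.
  for t in 133 134 135 136; do
    run -A INPUT -p ipv6-icmp --icmpv6-type "$t" -m hl --hl-eq 255 -j ACCEPT
    run -A OUTPUT -p ipv6-icmp --icmpv6-type "$t" -m hl --hl-eq 255 -j ACCEPT
  done
  # MLD (130 query in; 131/132/143 reports out): switches with MLD snooping only
  # deliver the solicited-node multicast that neighbor solicitation relies on
  # to hosts that report membership.
  run -A INPUT -p ipv6-icmp --icmpv6-type 130 -j ACCEPT
  for t in 131 132 143; do run -A OUTPUT -p ipv6-icmp --icmpv6-type "$t" -j ACCEPT; done
  # Errors (1-4): IPv6 routers never fragment, so dropping "packet too big" (2)
  # silently breaks path MTU discovery for every TCP session.
  for t in 1 2 3 4; do
    run -A INPUT -p ipv6-icmp --icmpv6-type "$t" -j ACCEPT
    run -A OUTPUT -p ipv6-icmp --icmpv6-type "$t" -j ACCEPT
  done
  # Echo requests: answer pings, but rate-limited.
  run -A INPUT -p ipv6-icmp --icmpv6-type 128 -m limit --limit 10/s -j ACCEPT
  run -A OUTPUT -p ipv6-icmp --icmpv6-type 128 -j ACCEPT
  # SSH: only the opening SYN needs a rule; the reply is ESTABLISHED in OUTPUT.
  run -A INPUT -p tcp --dport "$SSH_PORT" --syn -m conntrack --ctstate NEW -j ACCEPT
}

# Apply only when asked, so the file can be sourced or dry-run safely.
if [ "${APPLY:-0}" = 1 ]; then apply_ipv6_rules; fi
```

Run `DRY_RUN=1 APPLY=1 sh ip6-harden.sh` to review the generated rules, then `APPLY=1 sh ip6-harden.sh` as root to load them; `ip6tables-save` afterwards captures the result for persistence.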