IPv6 Iptables Rules
The increasing emergence of internet devices across the globe compelled an improvement of the number space, thus the development of the IPv6. In contrast to its predecessor IPV4, which has a certain number of sets of unique address spaces, IPV6 has virtually an uncountable number of sets of unique address spaces. This change is needed due to the ways in which firewalls are configured when having multiple addresses per device. This article aims to examine the best practices of IPv6 iptables implementations and analyze the strengths and weaknesses of the IPv6 firewall rules that need to be applied.
What are Iptables?
Iptables is a program designed for system administration that is used to configure the tables originally provided in the Linux kernel firewall or the chains and regulations they contain. Actually it is the default one and tends to be used more often for filtering IPv4 traffic while its IPv6 counterpart is called ip6tables. Some options have to be defined individually in both versions.
Installing iptables
Step 1: Enter the below command to install iptables.
sudo apt-get install iptables
Step 2: To make sure that your system supports IPv6, Enter the following command:
cat /proc/net/if_inet6
It is used to display the IPv6 interface statistics for all network interfaces on a Linux system.
If you see something like this, your system supports IPv6.
Step 3: The firewall chains are empty on a newly installed system, as the firewall script clears every chain on startup. To view the chains and rules, use the following command.
(-L to display rules in chains, -n to output IP ports and addresses in numeric format).
Structure of IPv6 firewall rules
sudo ip6tables -A [chain] [rule options] -j [target]
The -A option which has “append” as its shortened form is used to insert a new rule in the desired chain.
- [rule options]: This is where you need to describe, what happening in the row, that should trigger the rule.
- -j [target]: The -j option specifies the target for the rule, such as “ACCEPT” or “DROP.”
Let us understand through an example:
sudo ip6tables -A INPUT -s 2001:db8::/32 -p tcp --dport 22 -j ACCEPT
This rule will allow incoming TCP traffic on port 22 from any address in the 2001:db8::/32 subnet.
Now we can check that if the rule has been added to the list or not. Just enter the below command.
You can see in the above image that the rule has been added.
Step-By-Step Guide To add the Rules
Step 1: This rule permit any traffic arrived at the firewall from a network connection that is related or connected to an existing one. This is a common rule to allow incoming traffic for the particular connections currently actively connected such as SSH,HTTP etc while denying the new incoming connections.
sudo ip6tables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
Step 2: This rule enable TCP connection on the SSH port (22) from the IPv6 address, so that firewall can accept . That is, only connections initiated by this particular host will be permitted to this SSH port while all other connections will be denied.
sudo ip6tables -A INPUT -p tcp --dport ssh -s HOST_IPV6_192.168.0.1 -j ACCEPT
Step 3: The first rule permits incoming TCP traffic from any external source to port number 80 (the default port for the HTTP service), and be accepted by the firewall; second rule lets incoming TCP traffic from any external source to port number 21 (the default port for the FTP service) and be accepted by the firewall; and third rule does the same to port number 25 (the default port for the SMTP service). Such rules are added to the INPUT chain (for incoming traffic) and checks whether or not the traffic is of TCP, and if it is of TCP, and has been directed to any of the aforementioned port numbers then the traffic should be accepted (-j ACCEPT).
sudo ip6tables -A INPUT -p tcp --dport 80 -j ACCEPT
sudo ip6tables -A INPUT -p tcp --dport 21 -j ACCEPT
sudo ip6tables -A INPUT -p tcp --dport 25 -j ACCEPT
Step 4: Now let us view the rules we have added above.
sudo ip6tables -L -n --line-numbers
1. Inserting Rules
IP6tables rules are matched in sequence, and once a match is found, no other rules are evaluated. If you need to move your rules around or insert a new rule at a particular place, you can list the rules with the –line-numbers option first, then try this:
sudo ip6tables -I INPUT 2 -p icmpv6 -j ACCEPT
As we can see below, a new rule has been inserted at number 2.
2. Deleting Rules
sudo ip6tables -D INPUT -p tcp --dport 21 -j ACCEPT
This command is used to remove a rule that allowed FTP access to the server, and was added just a moment before, so the server administrator can now remove the rule to also secure the server.
3. Making a New Chain
sudo ip6tables -N Zishan
This command will make a new chain named zishan.
You can see below the chain is created.
Removing a Chain
sudo ip6tables -X zishan
This command will remove the chain named zishan.
Examples of IPv6 Iptables Rules
1. Allow incoming SSH traffic from a specific IPv6 address:
sudo ip6tables -A INPUT -s 2001:0db8:85a3:0000:0000:8a2e:0370:7334 -p tcp --dport 22 -j ACCEPT
This is a rule that allows a particular user or system to connect via SSH to the servers through a specific IPv6 address. This rule is being appended to the end of the chain (specified by -A) meaning that this rule will be evaluated last, and it will overwrite any other previously defined rules.
2. Block all incoming traffic from a specific IPv6 address:
sudo ip6tables -A INPUT -s 2001:0db8:85a3:0000:0000:8a2e:0370:7334 -j DROP
This particular rule is likely being used to block a specific user (or system) from reaching this system from an IPv6 address. It’s being appended to the chain, which means it will be evaluated at the end of the list and subsequently override any rules that have been previously defined.
You can see below thae newly added rules at the end.
3. Allow all incoming traffic from a specific IPv6 network range
sudo ip6tables -A INPUT -s 2001:0db8:85a3::/48 -j ACCEPT
4. Block all incoming traffic on a specific port:
sudo ip6tables -A INPUT -p tcp --dport 80 -j DROP
Below images shows the added rule for blocking all incoming tcp traffic on port 80.
Conclusion
Alright, to wrap things up, this article gives you a complete rundown of IPv6 firewall rules using ip6tables. We’ve covered all the basics, including how to install ip6tables, check out the rules, and add new ones. We’ve also tackled the structure of IPv6 firewall rules, including chains, rules, and targets. On top of that, we’ve included examples on how to create rules for allowing or blocking specific traffic. For instance, you’ll find instructions on allowing incoming SSH traffic from a specific IPv6 address or blocking all incoming traffic from a particular IPv6 address.
IPv6 iptables Rules – FAQs
What’s the difference between IPv4 and IPv6?
IPv4 and IPv6 are two versions of the Internet Protocol (IP) that define how devices are addressed on a network. The key difference lies in their addressing capability:
- IPv4: Uses 32-bit addresses, limiting the total number of unique addresses to about 4.3 billion. This limitation has become a challenge due to the vast growth of internet-connected devices.
- IPv6: Employs 128-bit addresses, providing a virtually infinite amount of unique addresses – enough for every device on the planet, for the foreseeable future.
Can I use both IPv4 and IPv6?
Yes, many devices and networks can support both IPv4 and IPv6 simultaneously, also known as dual-stack. This allows for a smooth transition from IPv4 to IPv6 as the internet infrastructure upgrades.
When will IPv4 be completely replaced by IPv6?
There’s no exact timeline for a complete switch to IPv4. However, IPv6 adoption is steadily growing to address the limitations of IPv4. As more devices and internet service providers (ISPs) migrate to IPv6, it will become increasingly important for users to be familiar with it.