IPv6 firewall
From Telecomix Crypto Munitions Bureau
IPv6 firewalling in Linux is probably most often done with ip6tables. You can copy the parts of the following script that you like into your own firewall script. If you do not know how to set up firewalls in Linux, TCMB recommends that you read iptables first.
- -i tun+ means that all TUN interfaces are affected by the rule. If you also use tun interfaces for other tasks, such as OpenVPN, you may need to limit this to just the tun interfaces that onioncat uses.
# sysctl -w net.ipv6.conf.all.forwarding=1 (if you like to allow forwarding ipv6 over onioncat to darknets)

# set default policy to drop all packets that are not explicitly wanted
ip6tables -P INPUT DROP
ip6tables -P FORWARD DROP
ip6tables -P OUTPUT ACCEPT

# flush and clean all rules in default chains
ip6tables -F
ip6tables -Z

# accept everything that is sent to ipv6 loopback (allows talking with yourself)
ip6tables -A INPUT -i lo -j ACCEPT

# enables forwarding packets between the I2P and TOR onioncat networks
# (you also need to uncomment the sysctl at the top)
#ip6tables -A FORWARD -i tun+ -d fd87:d87e:eb43::/48 -j ACCEPT
#ip6tables -A FORWARD -i tun+ -d fd60:db4d:ddb5::/48 -j ACCEPT

# allow icmp traffic to reach you (ping and more)
ip6tables -A INPUT -i tun0 --protocol ipv6-icmp -j ACCEPT
ip6tables -A INPUT -i tun1 --protocol ipv6-icmp -j ACCEPT

# only allow well formed TCP handshakes
ip6tables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP

# Allow people to access SSH via the onioncat interfaces
ip6tables -A INPUT -i tun+ --protocol tcp --destination-port 22 -m state --state NEW -j ACCEPT

# Allow people to send I2P traffic via the OnionCat interfaces, on top of I2P and TOR.
ip6tables -A INPUT -i tun+ --protocol udp --destination-port 8887 -j ACCEPT
ip6tables -A INPUT -i tun+ --protocol tcp --destination-port 8887 -m state --state NEW -j ACCEPT

# Allow packets that belong to sessions that have already been created to access the computer's programs
ip6tables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
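The following Python script is an added example; it is not part of the TCMB page or of the ip6tables project. It parses the INPUT-chain lines of the script above and simulates netfilter's first-match evaluation (default policy, the tun+ prefix wildcard, the negated --syn match and the state match), so you can check offline and without root what the rule set accepts on which interface. It only understands the options used on this page, and the packets it evaluates are constructed test inputs.

```python
"""Minimal first-match evaluator for the ip6tables INPUT rules on this page.

Added example (not the page's own code). Only the options the page uses are
understood: -P, -A INPUT, -i, -p/--protocol, --destination-port, --syn,
'! --syn', -m state --state and -j. FORWARD and OUTPUT are out of scope.
"""
import shlex

# Constructed copy of the INPUT-chain lines from the firewall script above.
RULESET = """
ip6tables -P INPUT DROP
ip6tables -A INPUT -i lo -j ACCEPT
ip6tables -A INPUT -i tun0 --protocol ipv6-icmp -j ACCEPT
ip6tables -A INPUT -i tun1 --protocol ipv6-icmp -j ACCEPT
ip6tables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
ip6tables -A INPUT -i tun+ --protocol tcp --destination-port 22 -m state --state NEW -j ACCEPT
ip6tables -A INPUT -i tun+ --protocol udp --destination-port 8887 -j ACCEPT
ip6tables -A INPUT -i tun+ --protocol tcp --destination-port 8887 -m state --state NEW -j ACCEPT
ip6tables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
"""


def parse_ruleset(text):
    """Return (policy, rules); each rule is a dict of match criteria plus 'target'."""
    policy = "ACCEPT"
    rules = []
    for line in text.strip().splitlines():
        argv = shlex.split(line)
        if not argv or argv[0] != "ip6tables":
            continue
        if argv[1] == "-P" and argv[2] == "INPUT":
            policy = argv[3]          # chain default policy
            continue
        if argv[1] != "-A" or argv[2] != "INPUT":
            continue                  # other chains are outside this example
        rule = {"negate_syn": False}
        i = 3
        while i < len(argv):
            tok = argv[i]
            if tok == "!":            # only '! --syn' appears on the page
                if argv[i + 1] != "--syn":
                    raise ValueError("unsupported negation: " + argv[i + 1])
                rule["syn"], rule["negate_syn"] = True, True
                i += 2
            elif tok in ("-i", "--in-interface"):
                rule["iface"] = argv[i + 1]; i += 2
            elif tok in ("-p", "--protocol"):
                rule["proto"] = argv[i + 1]; i += 2
            elif tok in ("--dport", "--destination-port"):
                rule["dport"] = int(argv[i + 1]); i += 2
            elif tok == "--syn":
                rule["syn"] = True; i += 1
            elif tok == "-m":
                i += 2                # match-module name; its options follow
            elif tok == "--state":
                rule["states"] = set(argv[i + 1].split(",")); i += 2
            elif tok == "-j":
                rule["target"] = argv[i + 1]; i += 2
            else:
                raise ValueError("unsupported option on the page: " + tok)
        rules.append(rule)
    return policy, rules


def rule_matches(rule, pkt):
    """pkt: dict with iface, proto, state and optionally dport and syn (bool)."""
    if "iface" in rule:
        pattern = rule["iface"]
        # In ip6tables a trailing '+' is a prefix wildcard ('tun+' matches tun0, tun12, ...).
        if pattern.endswith("+"):
            if not pkt["iface"].startswith(pattern[:-1]):
                return False
        elif pkt["iface"] != pattern:
            return False
    if "proto" in rule and rule["proto"] != pkt["proto"]:
        return False
    if "dport" in rule and rule["dport"] != pkt.get("dport"):
        return False
    if rule.get("syn"):
        # --syn matches TCP packets with SYN set and ACK, RST, FIN clear;
        # '! --syn' matches everything else.
        is_syn = pkt["proto"] == "tcp" and pkt.get("syn", False)
        if is_syn == rule["negate_syn"]:
            return False
    if "states" in rule and pkt["state"] not in rule["states"]:
        return False
    return True


def verdict(pkt, ruleset_text=RULESET):
    """First matching rule decides; otherwise the chain's default policy applies."""
    policy, rules = parse_ruleset(ruleset_text)
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule["target"]
    return policy


if __name__ == "__main__":
    # A new SSH connection over OnionCat is accepted; the same packet on eth0 is dropped.
    print(verdict({"iface": "tun0", "proto": "tcp", "dport": 22, "syn": True, "state": "NEW"}))
    print(verdict({"iface": "eth0", "proto": "tcp", "dport": 22, "syn": True, "state": "NEW"}))
```

Running the evaluator over a few packets makes two properties of the rule set visible that are easy to miss when reading it: ICMPv6 is only accepted on tun0 and tun1, not on any other tun interface that onioncat might create, and a NEW TCP packet without SYN is dropped before the port rules are reached. The simulator deliberately ignores OUTPUT and FORWARD, so it says nothing about what the forwarding rules would do once the sysctl is enabled.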
netcat6
You can use netcat6 as a very simple IPv6 port scanner. The script below tries the first 1024 ports of an IPv6 address. (Do not forget to chmod u+x it.)
#!/bin/bash
# Try to connect to each of the first 1024 ports of the IPv6 address given as $1.
# nc6 gives up on a port after 2 seconds without traffic (--idle-timeout=2).
# The C-style for loop needs bash, not plain sh.
for ((i=1; i<=1024; i++)); do
    nc6 --idle-timeout=2 "$1" "$i"
done
- Example: ./scan fd87:d87e:eb43:fb6c:b535:1c3b:3567:485a
- Assumes the script's name is scan
- Debian/Ubuntu install: apt-get install netcat6
TODO
- Are Linux firewalls secured by default against strange packets? I do not think so. TCMB needs to explore how to set up rules for extension headers and differentiate between ICMP packets.
- More research needs to be done on firewall fingerprinting.