IPv6 firewall - Telecomix Crypto Munitions Bureau

IPv6 firewall

From Telecomix Crypto Munitions Bureau


IPv6 firewalling in Linux is most often done with ip6tables. You can copy the parts of the following script that you like into your own firewall script. If you do not know how to set up firewalls in Linux, TCMB recommends that you first read iptables. Note that the script only opens the OnionCat tunnel interfaces: with the INPUT policy set to DROP, a host that also has native IPv6 on another interface must additionally accept ICMPv6 (at least Neighbor Discovery) on that interface, or it loses its IPv6 connectivity there.

  • -i tun+ means that the rule matches every TUN interface. If you also use tun interfaces for other tasks, such as OpenVPN, you might need to limit the rules to the tun interfaces that OnionCat uses (for example tun0 and tun1); otherwise SSH and I2P are also opened towards those other tunnels.
# set the default policies: drop every packet that is not explicitly wanted; outgoing traffic is not filtered
ip6tables -P INPUT DROP
ip6tables -P FORWARD DROP
ip6tables -P OUTPUT ACCEPT

# flush all rules in the built-in chains and zero their packet/byte counters (the policies set above are kept)
ip6tables -F
ip6tables -Z

# accept everything that is sent to ipv6 loopback (allows talking with yourself)
ip6tables -A INPUT -i lo -j ACCEPT

# enables forwarding packets between the Tor (OnionCat, fd87:d87e:eb43::/48) and
# I2P (GarliCat, fd60:db4d:ddb5::/48) networks; you also need to run the sysctl at the bottom of this script
#ip6tables -A FORWARD -i tun+ -d fd87:d87e:eb43::/48 -j ACCEPT
#ip6tables -A FORWARD -i tun+ -d fd60:db4d:ddb5::/48 -j ACCEPT

# allow ICMPv6 to reach you over the two OnionCat tunnels (ping, destination unreachable, packet too big and more)
ip6tables -A INPUT -i tun0 --protocol ipv6-icmp -j ACCEPT
ip6tables -A INPUT -i tun1 --protocol ipv6-icmp -j ACCEPT

# only allow well-formed TCP handshakes: a new connection that does not start with SYN is dropped
ip6tables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP

# Allow people to access SSH via the onioncat interfaces
ip6tables -A INPUT -i tun+ --protocol tcp --destination-port 22 -m state --state NEW -j ACCEPT

# Allow people to send I2P traffic (I2P's port 8887, UDP and TCP) over the OnionCat interfaces, i.e. I2P tunnelled on top of I2P and Tor.
ip6tables -A INPUT -i tun+ --protocol udp --destination-port 8887 -j ACCEPT
ip6tables -A INPUT -i tun+ --protocol tcp --destination-port 8887 -m state --state NEW -j ACCEPT

# Allow packets that belong to already established sessions (and related ones, such as ICMPv6 errors for them) to reach the computer's programs.
# This rule could also be placed first; it then short-circuits the checks above for most packets without changing what is allowed.
ip6tables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# sysctl -w net.ipv6.conf.all.forwarding=1    (run this if you want to forward IPv6 between the darknets over OnionCat; otherwise leave forwarding off)

netcat6

You can use netcat6 as a very simple IPv6 port scanner. The script below tries the first 1024 TCP ports of an IPv6 address one by one. (Do not forget to chmod u+x it.)

#!/bin/bash
# usage: ./scan <ipv6-address>   tries TCP ports 1-1024 in turn
# -z: zero-I/O mode (just connect), -v: report the connection,
# --timeout: connect timeout so filtered ports do not stall the loop
for ((i=1;i<=1024;i++)); do
    nc6 -v -z --timeout=2 --idle-timeout=2 "$1" $i
done
  • example: ./scan fd87:d87e:eb43:fb6c:b535:1c3b:3567:485a
    • Assumes the script's name is scan
  • debian/ubuntu install: apt-get install netcat6

TODO

  • Are Linux firewalls secured by default against strange packets? I do not think so. TCMB needs to explore how to set up rules for IPv6 extension headers and how to differentiate between ICMPv6 packet types.
  • More research needs to be done on firewall fingerprinting.
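A first cut at both TODO items, added here as an example and not part of TCMB's script: a complete ruleset in ip6tables-restore format that accepts ICMPv6 only by type (error messages, echo, Neighbor Discovery with the hop limit of 255 that RFC 4861 requires, MLD from link-local sources) and drops the deprecated type 0 routing header (RFC 5095) on every interface. The tun+ rules from the script above are carried over. The chain name ICMPV6, the echo-request rate limit and the use of tun+ for OnionCat are this example's assumptions.

```shell
#!/bin/sh
# Added example, not TCMB's script: a complete ip6tables-restore ruleset that
# (1) accepts ICMPv6 only by type and (2) drops the deprecated type 0 routing
# header. Assumed by this example: OnionCat/GarliCat live on tun+ as in the
# page's script, the chain name ICMPV6, and the echo-request rate limit.
set -u

# Print the ruleset; nothing is loaded until apply_ruleset is called.
ipv6_ruleset() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:ICMPV6 - [0:0]
# cheap path first: loopback, and packets of sessions we already track
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# extension headers: routing header type 0 is deprecated (RFC 5095)
# because it allowed traffic amplification; refuse it everywhere
-A INPUT -m rt --rt-type 0 -j DROP
-A FORWARD -m rt --rt-type 0 -j DROP
# every ICMPv6 packet gets an explicit per-type decision in its own chain
-A INPUT -p ipv6-icmp -j ICMPV6
# error messages a host must accept (PMTU discovery, reachability):
# 1 destination unreachable, 2 packet too big, 3 time exceeded, 4 parameter problem
-A ICMPV6 -p ipv6-icmp --icmpv6-type 1 -j ACCEPT
-A ICMPV6 -p ipv6-icmp --icmpv6-type 2 -j ACCEPT
-A ICMPV6 -p ipv6-icmp --icmpv6-type 3 -j ACCEPT
-A ICMPV6 -p ipv6-icmp --icmpv6-type 4 -j ACCEPT
# echo: replies unconditionally, requests rate-limited
-A ICMPV6 -p ipv6-icmp --icmpv6-type 129 -j ACCEPT
-A ICMPV6 -p ipv6-icmp --icmpv6-type 128 -m limit --limit 10/second --limit-burst 20 -j ACCEPT
# Neighbor Discovery (133 RS, 134 RA, 135 NS, 136 NA): RFC 4861 requires hop
# limit 255, so a lower value means the packet crossed a router and is bogus
-A ICMPV6 -p ipv6-icmp --icmpv6-type 133 -m hl --hl-eq 255 -j ACCEPT
-A ICMPV6 -p ipv6-icmp --icmpv6-type 134 -m hl --hl-eq 255 -j ACCEPT
-A ICMPV6 -p ipv6-icmp --icmpv6-type 135 -m hl --hl-eq 255 -j ACCEPT
-A ICMPV6 -p ipv6-icmp --icmpv6-type 136 -m hl --hl-eq 255 -j ACCEPT
# MLD (130 query, 131/143 report, 132 done) keeps multicast group membership
# alive, which Neighbor Discovery depends on; it is always sent from link-local
-A ICMPV6 -p ipv6-icmp -s fe80::/10 --icmpv6-type 130 -j ACCEPT
-A ICMPV6 -p ipv6-icmp -s fe80::/10 --icmpv6-type 131 -j ACCEPT
-A ICMPV6 -p ipv6-icmp -s fe80::/10 --icmpv6-type 132 -j ACCEPT
-A ICMPV6 -p ipv6-icmp -s fe80::/10 --icmpv6-type 143 -j ACCEPT
# everything else, including redirects (137), is dropped
-A ICMPV6 -j DROP
# TCP sanity and the services reachable over the OnionCat tunnels
-A INPUT -p tcp ! --syn -m conntrack --ctstate NEW -j DROP
-A INPUT -i tun+ -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -i tun+ -p udp --dport 8887 -j ACCEPT
-A INPUT -i tun+ -p tcp --dport 8887 -m conntrack --ctstate NEW -j ACCEPT
COMMIT
EOF
}

# Parse-only check; fails on a syntax error without touching the live rules.
check_ruleset() {
    ipv6_ruleset | ip6tables-restore --test
}

# Atomic load: either the whole ruleset is installed or nothing changes.
apply_ruleset() {
    ipv6_ruleset | ip6tables-restore
}

case "${1:-}" in
    check) check_ruleset ;;
    apply) apply_ruleset ;;
    *)     ipv6_ruleset ;;
esac
```

Run it without arguments to see the ruleset, with `check` to let ip6tables-restore parse it, and with `apply` (as root) to load it atomically, which avoids the window where a partially applied rule-by-rule script leaves the host open. On the point-to-point tun interfaces the Neighbor Discovery rules rarely match; they matter on a native IPv6 interface, where the page's plain INPUT DROP would otherwise cut the host off.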