Home / server / Questions / 497725
Accepted
Corey
Asked: 2013-04-10 10:14:48 +0800 CST

Configuring ufw or iptables to allow only outbound traffic to the Internet from an internal IPv6 network

  • 772

How do I configure ufw or iptables to allow only outbound traffic from an IPv6 network to the Internet?

I have an office network with a traditional NAT setup for IPv4. I would like to add a PC running Ubuntu to act as an IPv6 router utilizing a tunnel from Hurricane Electric.

I have everything setup and functioning properly. My internal computers are receiving global addresses from the Ubuntu box and are able to ping ipv6.google.com and browse ipv6test.google.com without any problems.

What I am not sure about, is how to configure a firewall to block incoming unsolicited traffic from the Internet to my internal network but allow outbound traffic to the Internet (and related return traffic).

Actual examples of ufw commands or iptables rules would be greatly appreciated.

root@ipv6router:/home/corey# ifconfig
eth0      Link encap:Ethernet  HWaddr 00:08:a1:10:62:c0  
          inet addr:146.x.y.12  Bcast:146.x.y.15  Mask:255.255.255.240
          inet6 addr: fe80::208:a1ff:fe10:62c0/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:190487 errors:1 dropped:0 overruns:1 frame:1
          TX packets:40982 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:80088076 (80.0 MB)  TX bytes:6825762 (6.8 MB)

eth1      Link encap:Ethernet  HWaddr 00:1b:21:5b:f0:5b  
          inet addr:192.168.76.3  Bcast:192.168.76.255  Mask:255.255.255.0
          inet6 addr: fe80::21b:21ff:fe5b:f05b/64 Scope:Link
          inet6 addr: 2001:x:1f07:z::1/64 Scope:Global
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:90200 errors:0 dropped:0 overruns:0 frame:0
          TX packets:59894 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:12839775 (12.8 MB)  TX bytes:70668474 (70.6 MB)

he-ipv6   Link encap:IPv6-in-IPv4  
          inet6 addr: fe80::9273:130c/128 Scope:Link
          inet6 addr: 2001:x:1f06:z::2/64 Scope:Global
          UP POINTOPOINT RUNNING NOARP  MTU:1480  Metric:1
          RX packets:56991 errors:0 dropped:0 overruns:0 frame:0
          TX packets:34362 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:69388394 (69.3 MB)  TX bytes:4537403 (4.5 MB)

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:13137 errors:0 dropped:0 overruns:0 frame:0
          TX packets:13137 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:998616 (998.6 KB)  TX bytes:998616 (998.6 KB)

root@ipv6router:/home/corey# route -A inet6
Kernel IPv6 routing table
Destination                    Next Hop                   Flag Met  Ref Use If
2001:x:1f06:z::1/128           ::                         U    1024 0     1 he-ipv6
2001:x:1f06:z::/64             ::                         Un   256  0     0 he-ipv6
2001:x:1f07:z::/64             ::                         U    256  0     0 eth1
fe80::/64                      ::                         U    256  0     0 eth1
fe80::/64                      ::                         Un   256  0     0 he-ipv6
fe80::/64                      ::                         U    256  0     0 eth0
::/0                           2001:x:1f06:z::1           UG   1024 0     0 he-ipv6
::/0                           ::                         !n   -1   1 92337 lo
::1/128                        ::                         Un   0    1   412 lo
2001:x:1f06:z::/128            ::                         Un   0    1     0 lo
2001:x:1f06:z::2/128           ::                         Un   0    1   736 lo
2001:x:1f07:z::/128            ::                         Un   0    1     0 lo
2001:x:1f07:z::1/128           ::                         Un   0    1     0 lo
fe80::/128                     ::                         Un   0    1     0 lo
fe80::/128                     ::                         Un   0    1     0 lo
fe80::9273:130c/128            ::                         Un   0    1     0 lo
fe80::208:a1ff:fe10:62c0/128   ::                         Un   0    1     0 lo
fe80::21b:21ff:fe5b:f05b/128   ::                         Un   0    1  4611 lo
ff00::/8                       ::                         U    256  0     0 eth1
ff00::/8                       ::                         U    256  0     0 he-ipv6
ff00::/8                       ::                         U    256  0     0 eth0
::/0                           ::                         !n   -1   1 92337 lo
linux

1 Answers

  1. Best Answer

    Use the forward chain to add forwarding firewall rules.

    ip6tables -A FORWARD -i he-ipv6 -m state --state ESTABLISHED,RELATED -j ACCEPT # Accept already established connections (return traffic, for instance)
ip6tables -A FORWARD -i he-ipv6 -j DROP # Drop the rest
ip6tables -A FORWARD -o he-ipv6 -j ACCEPT # Accept outbound connections to the ipv6 tunnel
ip6tables -P FORWARD DROP # Set default policy on forward chain

    With this setup you'll need to add a few more rules to let the other interfaces route how you want, but it's gonna end up very similar to the above.

    • 1