Network Security: Hardening IPv6 on Ubuntu Server?

Question

I am familiar with hardening IPv4 on Ubuntu server, but when I use the same rules for IPv6 with ip6tables, the IPv6 connectivity is lost resulting in Destination unreachable: Address unreachable errors during ping. Could you please advise on how to fix this issue? My logic is the following:

#IPv6
#Reset all rules (F) and chains (X)
ip6tables -F
ip6tables -X
#Force SYN packets check
ip6tables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
#Drop XMAS packets
ip6tables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
#Drop null packets
ip6tables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
#Drop incoming packets with fragments
#ip6tables -A INPUT -f -j DROP #this does not really work like in iptables
#Drop traffic 
ip6tables -t filter -P INPUT DROP
ip6tables -t filter -P FORWARD DROP
ip6tables -t filter -P OUTPUT DROP
#Keep established
ip6tables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
ip6tables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
#Accept loopback
ip6tables -t filter -A INPUT -i lo -j ACCEPT
ip6tables -t filter -A OUTPUT -o lo -j ACCEPT
#ICMP
ip6tables -t filter -A INPUT -p icmp -j ACCEPT
ip6tables -t filter -A OUTPUT -p icmp -j ACCEPT
#ServiceX
ip6tables -t filter -A DESTINATION -p PROTOCOL --dport PORT -j ACCEPT
#ServiceY
ip6tables -t filter -A DESTINATION -p PROTOCOL --dport PORT -j ACCEPT
#ServiceZ
ip6tables -t filter -A DESTINATION -p PROTOCOL --dport PORT -j ACCEPT
...

Example for ssh server, though I never use the default port 22...

#SSH
ip6tables -t filter -A INPUT -p tcp --dport 22 -j ACCEPT
ip6tables -t filter -A OUTPUT -p tcp --dport 22 -j ACCEPT

The script is made executable, so it runs across reboots in /etc/init.d/scriptname. The idea is to block everything and allow only what is actually known to be used by the server services. Any better approach, please? Why this works in IPv4, but not in IPv6? When I issue ip6tables -t filter -P INPUT ACCEPT it works, but that's not the point. How do I really secure IPv6 on Ubuntu servers? Thanks!

score 0 · Answer 1 · answered Jan 22 '22 at 18:06

Based on IPv6 functionality, you need add some ACCEPT rules for ICMPv6, try these:

ip6tables -A INPUT -p icmpv6 --icmpv6-type 1 -j ACCEPT
ip6tables -A INPUT -p icmpv6 --icmpv6-type 2 -j ACCEPT
ip6tables -A INPUT -p icmpv6 --icmpv6-type 3 -j ACCEPT
ip6tables -A INPUT -p icmpv6 --icmpv6-type 4 -j ACCEPT
ip6tables -A FORWARD -i $WAN_IF -p icmpv6 --icmpv6-type 1 -j ACCEPT
ip6tables -A FORWARD -i $WAN_IF -p icmpv6 --icmpv6-type 2 -j ACCEPT
ip6tables -A FORWARD -i $WAN_IF -p icmpv6 --icmpv6-type 3 -j ACCEPT
ip6tables -A FORWARD -i $WAN_IF -p icmpv6 --icmpv6-type 4 -j ACCEPT
# Router and neighbor discovery incoming and outgoing
ip6tables -A INPUT -p icmpv6 --icmpv6-type 133 -j ACCEPT
ip6tables -A INPUT -p icmpv6 --icmpv6-type 134 -j ACCEPT
ip6tables -A INPUT -p icmpv6 --icmpv6-type 135 -j ACCEPT
ip6tables -A INPUT -p icmpv6 --icmpv6-type 136 -j ACCEPT
ip6tables -A OUTPUT -p icmpv6 --icmpv6-type 133 -j ACCEPT
ip6tables -A OUTPUT -p icmpv6 --icmpv6-type 134 -j ACCEPT
ip6tables -A OUTPUT -p icmpv6 --icmpv6-type 135 -j ACCEPT
ip6tables -A OUTPUT -p icmpv6 --icmpv6-type 136 -j ACCEPT
# Ping request to firewall from LAN and DMZ
ip6tables -A INPUT ! -i $WAN_IF -p icmpv6 --icmpv6-type 128 -j ACCEPT
# Ping request from firewall, LAN and DMZ
ip6tables -A OUTPUT -p icmpv6 --icmpv6-type 128 -j ACCEPT
ip6tables -A FORWARD ! -i $WAN_IF -p icmpv6 --icmpv6-type 128 -j ACCEPT

I found this article very useful for myself: IPv6-Tables

score 0 · Answer 2 · answered Jan 25 '22 at 07:27

0

ip6tables -t filter -A INPUT -p ipv6-icmp -j ACCEPT
ip6tables -t filter -A OUTPUT -p ipv6-icmp -j ACCEPT

instead of

ip6tables -t filter -A INPUT -p icmp -j ACCEPT
ip6tables -t filter -A OUTPUT -p icmp -j ACCEPT

solves it.

answered Jan 25 '22 at 07:27

lion

23

Network Security: Hardening IPv6 on Ubuntu Server?

2 Answers2