Lead Image © gepard1979, 123RF.com

IPv6 Tables

Creating Firewall Rules with ip6tables

Article from ADMIN 20/2014
By
We design a basic set of ip6tables rules for an IPv6 firewall.

IPv6 does away with NAT, which functions much like a firewall for internal networks with IPv4, even though it was not designed for that purpose. With IPv6, a dedicated firewall now needs to provide protection against attacks from the Internet and other networks. Linux has the ip6tables tool for this purpose. In this article, I develop a basic set of rules.

The underlying scenario for this article involves a DSL router running Linux (Figure 1). On the one hand, the router is required to protect internal systems from attacks from the Internet; on the other hand, it has to provide access to an internal server connected to a DMZ interface. The aim is both to manage the end-to-end IPv6 network traffic and to control access to the router itself.

Figure 1: The test scenario for the IPv6 firewall.

The router must be accessible for administrative purposes, at least using SSH and HTTPS, and it needs to act as a DNS server for the internal systems.

Since Linux kernel version 2.6.20, ip6tables has supported stateful inspection, wherein the firewall automatically assigns response packets to a communication channel and allows communication where appropriate. This function, which is now common on almost all firewall platforms, reduces both the scope and the complexity of the rules significantly.
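
As an added example (not the article's own rule set), the script below prints an `ip6tables-restore` file for the scenario described above, with stateful matching carrying the reply traffic. The interface names (eth0 LAN, eth1 DMZ, ppp0 WAN), the DMZ server address and its HTTPS port, and the choice to accept SSH, HTTPS, and DNS from the LAN side only are assumptions.

```shell
#!/bin/sh
# Added example: print an ip6tables-restore ruleset for the router scenario.
# Assumptions: interface names, DMZ server address/port, admin access from LAN only.
gen_rules() {
    lan=${1:-eth0}; dmz=${2:-eth1}; wan=${3:-ppp0}
    srv=${4:-2001:db8:0:2::10}   # constructed address from the documentation prefix
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Traffic addressed to the router itself
-A INPUT -i lo -j ACCEPT
# Neighbor Discovery (types 133-136) carries no connection state;
# hop limit 255 means the packet was not forwarded by any router
-A INPUT -p ipv6-icmp --icmpv6-type 133 -m hl --hl-eq 255 -j ACCEPT
-A INPUT -p ipv6-icmp --icmpv6-type 134 -m hl --hl-eq 255 -j ACCEPT
-A INPUT -p ipv6-icmp --icmpv6-type 135 -m hl --hl-eq 255 -j ACCEPT
-A INPUT -p ipv6-icmp --icmpv6-type 136 -m hl --hl-eq 255 -j ACCEPT
# Stateful inspection: replies and related ICMPv6 errors need no rule of their own
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# Administration (SSH, HTTPS) and DNS: new connections from the LAN only
-A INPUT -i $lan -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -i $lan -p tcp --dport 443 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -i $lan -p udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -i $lan -p tcp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
# Routed (end-to-end) traffic
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m conntrack --ctstate INVALID -j DROP
-A FORWARD -i $lan -o $wan -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -o $dmz -d $srv -p tcp --dport 443 -m conntrack --ctstate NEW -j ACCEPT
COMMIT
EOF
}

gen_rules "$@"
```

Piping the output into `ip6tables-restore --test` parses the rule set without committing it; dropping `--test` loads it.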

...