IPv6 Tables
Creating Firewall Rules with ip6tables
Conclusions and Outlook
In this article, I created a basic set of rules for an IPv6 firewall on which you can base a variety of additional rules specific to an environment.
Many rules apply to both worlds: IPv4 and IPv6. Although the basic configuration steps and the syntax in ip6tables for IPv6 remain similar to iptables for IPv4, you still need to consider some special cases in IPv6 that require individual handling – in particular, tunnel traffic and the ICMPv6 problem.
Even in a small environment, the ip6tables rules can become quite extensive. Thus, the question always arises as to whether the rules should be applied globally or to interfaces and subnets, or prefixes, or even individual hosts.
The more precisely you need the rules to filter your traffic, the more complex things become. One basic problem should be noted that is not specific to IPv6: A complex set of rules tends to give rise to administration errors. Sometimes less is more.
An aspect I have not addressed is the use of your own chains. It is usually desirable for the firewall to log what comes in and goes out and what was blocked. To do this, you create your own chains, which first log the packet and then follow up with an action – normally DROP or ACCEPT. The filter rules in the built-in chains then reference these chains as their targets, just as with iptables for IPv4.
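The log-then-verdict chains described above, as an added example that is not code from the article: the chain names LOG_ACCEPT and LOG_DROP, the log prefixes, the rate limit and the SSH rule are assumptions. Setting DRY_RUN prints the ip6tables commands instead of running them.

```shell
#!/bin/sh
# Constructed example: chain names, log prefixes, the rate limit and the
# SSH rule are assumptions, not values from the article.

# Run ip6tables, or only print the command when DRY_RUN is set.
ip6t() {
    if [ -n "${DRY_RUN:-}" ]; then
        printf 'ip6tables %s\n' "$*"
    else
        ip6tables "$@"
    fi
}

# make_log_chain NAME VERDICT
# Build a chain that logs the packet (rate limited, so a flood cannot fill
# the log) and then applies VERDICT to every packet that reaches it.
make_log_chain() {
    chain=$1
    verdict=$2
    case $verdict in
        ACCEPT|DROP) ;;
        *) echo "make_log_chain: verdict must be ACCEPT or DROP" >&2
           return 1 ;;
    esac
    # Create the chain; if it already exists, flush it so reruns are idempotent.
    ip6t -N "$chain" 2>/dev/null || ip6t -F "$chain" || return 1
    # LOG is non-terminating: the packet continues to the next rule.
    ip6t -A "$chain" -m limit --limit 10/min --limit-burst 20 \
         -j LOG --log-prefix "ip6-$verdict: " --log-level info
    # Packets over the log rate limit skip the LOG rule but still get the verdict.
    ip6t -A "$chain" -j "$verdict"
}

# Reference the custom chains from INPUT instead of a bare ACCEPT or DROP.
apply_logging_rules() {
    make_log_chain LOG_ACCEPT ACCEPT || return 1
    make_log_chain LOG_DROP DROP || return 1
    # Constructed rule: log and accept new inbound SSH connections.
    ip6t -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j LOG_ACCEPT
    # Final rule: whatever was not accepted earlier is logged, then dropped.
    ip6t -A INPUT -j LOG_DROP
}
```

Review the output of `DRY_RUN=1 apply_logging_rules` first; in a real rule set the final LOG_DROP rule belongs after the ICMPv6 and established-connection rules.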