Do I need seperate iptables rule for ipv6 address?

linux firewall iptables ipv6
14,818

Solution 1

iptables only filters IPv4 traffic. Rules setup in iptables will not touch ipv6 traffic and thus you should use ip6tables. At the very least you should set the tables rules to default drop. That way only traffic you have explicitly allowed will be available.

Solution 2

You want to look at ip6tables. HERE is a good short script that would demo some basics

Share:
14,818

Related videos on Youtube

Long Cheng
Author by

Long Cheng

Nothing to see here.

Updated on September 17, 2022

Comments

  • Long Cheng
    Long Cheng over 1 year

    On my debian 5.0 server, I setup some iptables rules like below:

    ACCEPT     tcp  --  eee.fff.ggg.hhh      aaa.bbb.ccc.ddd     tcp dpt:80
DROP       tcp  --  0.0.0.0/0            aaa.bbb.ccc.ddd     tcp dpt:80

    aaa.bbb.ccc.ddd is my server's ip address, and eee.fff.ggg.hhh is the other server which is the only one allowed to access the port. I noticed that there is inet6 addr setup on my server, and also netstat shows that apache2 is listening on tcp6 address:

    tcp6       0      0 :::80                   :::*                    LISTEN

    Do I need seperate iptables rule for ipv6 address? If so, how can I do so? I know nothing about ipv6. Thanks! do I must do so? If I don't use ip6tables, will someone bypass the iptable rule and connect to my :80 port through ipv6 address?

  • Long Cheng
    Long Cheng over 14 years
    hmm..my question is, do I must do so? If I don't use ip6tables, will someone bypass the iptable rule and connect to my :80 port through ipv6 address?
  • Marcin
    Marcin over 14 years
    Do you have IPv6 enabled by default? A lot of distros these days come with it enabled. If yes, then you definitely want to filter out IPv6 explicitly, as IPv6 has a lot of built in connectivity, even if you don't configure it.
  • 0xC0000022L
    0xC0000022L over 11 years
    It would have been nicer to give a reason for the default drop, like Marcin did in a comment to his answer. Still +1.
  • Denys Vitali
    Denys Vitali about 7 years
    @0xC0000022L Do you lock your house when you go out?
  • 0xC0000022L
    0xC0000022L about 7 years
    Uhm @DenysVitali perhaps a little misunderstanding in that asking for a rationale isn't the same as disregarding or disapproving an advice?!

Recents

Why Is PNG file with Drop Shadow in Flutter Web App Grainy?
How to troubleshoot crashes detected by Google Play Store for Flutter app
Cupertino DateTime picker interfering with scroll behaviour
Why does awk -F work for most letters, but not for the letter "t"?
Flutter change focus color and icon color but not works
How to print and connect to printer using flutter desktop via usb?
Critical issues have been reported with the following SDK versions: com.google.android.gms:play-services-safetynet:17.0.0
Flutter Dart - get localized country name from country code
navigatorState is null when using pushNamed Navigation onGenerateRoutes of GetMaterialPage
Android Sdk manager not found- Flutter doctor error
Flutter Laravel Push Notification without using any third party like(firebase,onesignal..etc)
How to change the color of ElevatedButton when entering text in TextField

Related

Managing parallel rules for ipv4 and ipv6 iptables?
How to allow an IP (ipv6) address using ufw?
What prevents a machine from responding to pings?
TCP connect: No route to host
Forwarding all incoming traffic on eth0 to go to eth1
How to use iptables to allow traffic only through ONE SPECIFIC VPN
blocking port 80 via iptables
How to use FQDN in firewall rules for GNU/Linux?
Redirect http using iptables for an ip range
iptables blocking from internet side on eth1?