Do I need separate iptables rule for ipv6 address?
Solution 1
iptables only filters IPv4 traffic. Rules set up in iptables will not touch IPv6 traffic, and thus you should use ip6tables. At the very least you should set the tables' rules to default drop. That way only traffic you have explicitly allowed will be available.
Solution 2
You want to look at ip6tables. HERE is a good short script that would demo some basics.
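An added example, not part of the original answers: a shell function that emits an IPv6 ruleset in ip6tables-restore format, with the default-drop policy the first answer recommends and a single-peer allow rule mirroring the IPv4 rules in the question. The function name gen_v6_rules and the peer address 2001:db8::10 are assumptions.

```shell
#!/bin/sh
# Added example: emit an IPv6 filter table in ip6tables-restore format.
# Assumptions (not from the page): the allowed peer's IPv6 address and
# the hypothetical function name gen_v6_rules.

# gen_v6_rules <allowed_src_ipv6> <tcp_port>
gen_v6_rules() {
    src=$1 port=$2
    # Accept only an IPv6 literal (hex digits and colons, optional /prefix).
    case $src in
        *[!0-9A-Fa-f:/]*|'') echo "bad IPv6 source: $src" >&2; return 1 ;;
        *:*) ;;
        *) echo "bad IPv6 source: $src" >&2; return 1 ;;
    esac
    # Accept only a decimal port in the range 1-65535.
    case $port in
        ''|*[!0-9]*) echo "bad port: $port" >&2; return 1 ;;
    esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || { echo "bad port: $port" >&2; return 1; }

    echo '*filter'
    # Default drop: anything not matched below is discarded.
    echo ':INPUT DROP [0:0]'
    echo ':FORWARD DROP [0:0]'
    echo ':OUTPUT ACCEPT [0:0]'
    echo '-A INPUT -i lo -j ACCEPT'
    echo '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    # IPv6 depends on ICMPv6: errors (1-4), echo (128-129) and
    # router/neighbour discovery (133-136). Dropping these breaks IPv6.
    for t in 1 2 3 4 128 129 133 134 135 136; do
        echo "-A INPUT -p ipv6-icmp --icmpv6-type $t -j ACCEPT"
    done
    # IPv6 counterpart of the single-peer allow rule for the web port.
    echo "-A INPUT -s $src -p tcp --dport $port -j ACCEPT"
    echo 'COMMIT'
}

# Constructed sample: 2001:db8::/32 is the documentation prefix.
# Review the output, then load it as root:
#   gen_v6_rules 2001:db8::10 80 | ip6tables-restore
if [ "${1:-}" = "--print" ]; then
    gen_v6_rules "${2:-2001:db8::10}" "${3:-80}"
fi
```

Loading the output with ip6tables-restore replaces the current IPv6 filter table, so add an allow rule for any management port you reach over IPv6 (for example SSH) before piping it in.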
Comments
-
Long Cheng over 1 year
On my debian 5.0 server, I setup some iptables rules like below:
ACCEPT tcp -- eee.fff.ggg.hhh aaa.bbb.ccc.ddd tcp dpt:80
DROP tcp -- 0.0.0.0/0 aaa.bbb.ccc.ddd tcp dpt:80
aaa.bbb.ccc.ddd is my server's ip address, and eee.fff.ggg.hhh is the other server which is the only one allowed to access the port. I noticed that there is inet6 addr setup on my server, and also netstat shows that apache2 is listening on tcp6 address:
tcp6 0 0 :::80 :::* LISTEN
Do I need separate iptables rule for ipv6 address? If so, how can I do so? I know nothing about ipv6. Thanks!
-
Long Cheng over 14 years
Hmm... my question is, must I do so? If I don't use ip6tables, will someone bypass the iptables rule and connect to my :80 port through ipv6 address?
-
Marcin over 14 years
Do you have IPv6 enabled by default? A lot of distros these days come with it enabled. If yes, then you definitely want to filter out IPv6 explicitly, as IPv6 has a lot of built-in connectivity, even if you don't configure it.
-
0xC0000022L over 11 years
It would have been nicer to give a reason for the default drop, like Marcin did in a comment to his answer. Still +1.
-
Denys Vitali about 7 years
@0xC0000022L Do you lock your house when you go out?
-
0xC0000022L about 7 years
Uhm @DenysVitali perhaps a little misunderstanding in that asking for a rationale isn't the same as disregarding or disapproving advice?!