LinuxQuestions.org
Old 09-20-2010, 04:50 PM   #1
cnmoore
Member
 
Registered: Sep 2010
Location: Sunnyvale, CA
Distribution: CentOS 5.5
Posts: 89

Rep: Reputation: 0
iptables and ip6tables - questions


I just discovered there is an ip6tables.

I had added this in iptables:
Code:
iptables -N AUTOBAN
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -j AUTOBAN
iptables -A AUTOBAN -m recent --set --name SSH
iptables -A AUTOBAN -m recent --update --seconds 120 --hitcount 4 --name SSH -j DROP
so I figured I should add it to ip6tables. But I get an error:
Code:
[root@www ~]# ip6tables -A AUTOBAN -m recent --set --name SSH
ip6tables v1.3.5: Couldn't load match `recent':/lib64/iptables/libip6t_recent.so: cannot open shared object file: No such file or directory
How do I fix that??

Also - does it make sense to have both iptables and ip6tables running? If not, which should I stop?
 
Old 09-20-2010, 05:37 PM   #2
Tinkster
Moderator
 
Registered: Apr 2002
Location: in a fallen world
Distribution: slackware by choice, others too :} ... android.
Posts: 23,066
Blog Entries: 11

Rep: Reputation: 910
My personal take on this (unless you're a big corporate user) would
be to disable IPv6 altogether, and turn ip6tables off if the modules
compiled for it don't match the ones for iptables on your distro.


Cheers,
Tink
 
Old 09-20-2010, 05:47 PM   #3
cnmoore
Member
 
Registered: Sep 2010
Location: Sunnyvale, CA
Distribution: CentOS 5.5
Posts: 89

Original Poster
Rep: Reputation: 0
I've done a good deal of searching. I have gathered from my reading that IPv6 is a more up to date protocol than IPv4. Anyway, turning it off would be more than I dare to do. Host made clear to me when I got root password that we'd be charged if I broke anything and they had to fix it.

I still have a question - is there harm in running both ip6tables and iptables? And why doesn't ip6tables like 'match'?
 
Old 09-20-2010, 06:57 PM   #4
estabroo
Senior Member
 
Registered: Jun 2008
Distribution: debian, ubuntu, sidux
Posts: 1,117
Blog Entries: 2

Rep: Reputation: 113
Shouldn't be any harm, and the error you're getting is because recent in your iptables version doesn't support IPv6; I don't know if in later versions it does.
 
Old 09-20-2010, 07:18 PM   #5
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 376
Quote:
Originally Posted by Tinkster View Post
My personal take on this (unless you're a big corporate user) would
be to disable IPv6 altogether, and turn ip6tables off if the modules
compiled for it don't match the ones for iptables on your distro.
+1 from me. If you aren't using it then there's no reason to have it.
 
Old 09-20-2010, 07:41 PM   #6
Tinkster
Moderator
 
Registered: Apr 2002
Location: in a fallen world
Distribution: slackware by choice, others too :} ... android.
Posts: 23,066
Blog Entries: 11

Rep: Reputation: 910
Quote:
Originally Posted by estabroo View Post
Shouldn't be any harm, and the error you're getting is because recent in your iptables version doesn't support IPv6; I don't know if in later versions it does.
That would mean that in his install iptables and ip6tables
are seriously out of whack?

To the OP: what distro are you running?

Also, to determine whether or not you're using IPv6, just
check with a
netstat -an
whether there are active connections with IPv6 or not.

If there aren't any (or if they'd fall back to IPv4)
it's pretty safe to turn it off for now.


Cheers,
Tink
 
Old 09-20-2010, 08:32 PM   #7
cnmoore
Member
 
Registered: Sep 2010
Location: Sunnyvale, CA
Distribution: CentOS 5.5
Posts: 89

Original Poster
Rep: Reputation: 0
Running CentOS 5.5 64-bit. Very fast, no performance issues at all. It is just a security concern to add those lines to ip6tables, to cut down the length of dictionary attacks on SSH.

I can't tell from netstat whether IPv6 is running.
Quite a long list, here is some of it:
Code:
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address               Foreign Address             State
tcp        0      0 0.0.0.0:993                 0.0.0.0:*                   LISTEN
tcp        0      0 0.0.0.0:995                 0.0.0.0:*                   LISTEN
tcp        0      0 127.0.0.1:199               0.0.0.0:*                   LISTEN
tcp        0      0 0.0.0.0:3306                0.0.0.0:*                   LISTEN
tcp        0      0 0.0.0.0:587                 0.0.0.0:*                   LISTEN
tcp        0      0 0.0.0.0:110                 0.0.0.0:*                   LISTEN
tcp        0      0 0.0.0.0:2222                0.0.0.0:*                   LISTEN
tcp        0      0 0.0.0.0:143                 0.0.0.0:*                   LISTEN
tcp        0      0 127.0.0.1:783               0.0.0.0:*                   LISTEN
tcp        0      0 0.0.0.0:2223                0.0.0.0:*                   LISTEN
tcp        0      0 75.127.110.25:80            72.27.204.73:10036          SYN_RECV
tcp        0      0 10.2.1.3:53                 0.0.0.0:*                   LISTEN
tcp        0      0 75.127.110.25:53            0.0.0.0:*                   LISTEN
tcp        0      0 127.0.0.1:53                0.0.0.0:*                   LISTEN
tcp        0      0 127.0.0.1:953               0.0.0.0:*                   LISTEN
tcp        0      0 0.0.0.0:25                  0.0.0.0:*                   LISTEN
tcp        0      0 75.127.110.25:47484         75.127.110.25:22            ESTABLISHED
tcp        0      0 75.127.110.25:2222          69.73.19.51:44519           TIME_WAIT
tcp        0      0 :::80                       :::*                        LISTEN
tcp        0      0 :::21                       :::*                        LISTEN
tcp        0      0 :::22                       :::*                        LISTEN
tcp        0      0 :::443                      :::*                        LISTEN
tcp        0      0 ::ffff:75.127.110.25:80     ::ffff:212.113.35.162:47357 TIME_WAIT
tcp        0      0 ::ffff:75.127.110.25:80     ::ffff:76.126.219.194:54121 TIME_WAIT
 
Old 09-20-2010, 09:37 PM   #8
cnmoore
Member
 
Registered: Sep 2010
Location: Sunnyvale, CA
Distribution: CentOS 5.5
Posts: 89

Original Poster
Rep: Reputation: 0
The packages are
Code:
iptables.x86_64                            1.3.5-5.3.el5_4.1           installed
iptables-ipv6.x86_64                       1.3.5-5.3.el5_4.1           installed
Quote:
Shouldn't be any harm, and the error you're getting is because recent in your iptables version doesn't support IPv6; I don't know if in later versions it does.
Not sure what you meant? Yum doesn't find any package named 'recent'.

Do I actually need the '-m recent' in these lines?
Code:
ip6tables -A AUTOBAN -m recent --set --name SSH
iptables -A AUTOBAN -m recent --update --seconds 120 --hitcount 4 --name SSH -j DROP
Is there an equivalent expression I could use?
 
Old 09-20-2010, 11:39 PM   #9
Tinkster
Moderator
 
Registered: Apr 2002
Location: in a fallen world
Distribution: slackware by choice, others too :} ... android.
Posts: 23,066
Blog Entries: 11

Rep: Reputation: 910
Let's put it that way: the rules won't match, which I (w/o further investigation)
would consider problematic.

As for IPv6: no established connections; you can spot IPv6 by the two leading
colons in an IP address, e.g.: "::ffff:75.127.110.25:80" ...

If you run
netstat -anp
you can see which program is listening on that port, and if it's listening
on both IPv4 and 6 addresses I'd say it's safe to turn IPv6 off.



Cheers,
Tink
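A small classifier for the `netstat -an` output posted in #7, applying Tinkster's rule from #9 (leading colons mark an IPv6 socket; a `::ffff:` prefix is an IPv4 peer seen through a dual-stack socket). This is an added example, not code from the thread; the sample is constructed from the posted lines plus one made-up native IPv6 connection on the 2001:db8:: documentation prefix, so that all three cases are exercised.

```python
# Constructed sample: rows taken from the netstat -an output in post #7,
# plus one invented native IPv6 connection (2001:db8:: is a documentation prefix).
SAMPLE = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address               Foreign Address             State
tcp        0      0 0.0.0.0:2222                0.0.0.0:*                   LISTEN
tcp        0      0 75.127.110.25:47484         75.127.110.25:22            ESTABLISHED
tcp        0      0 :::22                       :::*                        LISTEN
tcp        0      0 ::ffff:75.127.110.25:80     ::ffff:212.113.35.162:47357 TIME_WAIT
tcp        0      0 2001:db8::10:22             2001:db8::99:51000          ESTABLISHED
"""


def classify(addr):
    """Return 'ipv4', 'ipv4-mapped' or 'ipv6' for a netstat host:port field."""
    host = addr.rsplit(':', 1)[0]          # the port follows the last colon
    if host.startswith('::ffff:'):
        return 'ipv4-mapped'               # IPv4 peer accepted by a dual-stack socket
    return 'ipv6' if ':' in host else 'ipv4'


def parse_netstat(text):
    """Return (proto, local, foreign, state) tuples; header lines are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[0] not in ('tcp', 'tcp6', 'udp', 'udp6'):
            continue
        state = parts[5] if len(parts) > 5 else ''   # udp rows carry no state
        rows.append((parts[0], parts[3], parts[4], state))
    return rows


def summarize(text):
    """Count sockets by the firewall table whose rules can see their traffic."""
    summary = {'ipv4_listeners': 0, 'dual_stack_listeners': 0,
               'ipv4_peers': 0, 'ipv6_peers': 0}
    for proto, local, foreign, state in parse_netstat(text):
        if state == 'LISTEN' or foreign.endswith(':*'):
            if classify(local) == 'ipv6':
                # :::port accepts IPv4 and IPv6 unless net.ipv6.bindv6only=1
                summary['dual_stack_listeners'] += 1
            else:
                summary['ipv4_listeners'] += 1
        elif classify(foreign) == 'ipv6':
            summary['ipv6_peers'] += 1     # only ip6tables rules apply here
        else:
            summary['ipv4_peers'] += 1     # plain or ::ffff:-mapped IPv4: iptables
    return summary


if __name__ == '__main__':
    for key, val in summarize(SAMPLE).items():
        print(f'{key}: {val}')
```

Rows counted as ipv6_peers, and any IPv6 client reaching a dual-stack listener such as :::22, are filtered by ip6tables only; iptables never sees them, which is why an SSH rate limit needs a counterpart in both tables.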
 