LinuxQuestions.org
Visit Jeremy's Blog.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices


Reply
  Search this Thread
Old 09-03-2014, 05:45 AM   #1
canadiandude007
LQ Newbie
 
Registered: Feb 2006
Location: UK
Distribution: Ubuntu
Posts: 2

Rep: Reputation: 0
ufw / iptables for IPv6 connections - Linux Mint 17 (linux 3.13.0-24)


Hello,

I am using Linux Mint 17 and the uname reports:
3.13.0-24-generic #47-Ubuntu SMP

I am using ufw to configure iptables and have the following listed for my firewall:
Code:
Chain INPUT (policy DROP)
target     prot opt source               destination         
fail2ban-ssh  tcp  --  anywhere             anywhere             multiport dports ssh
ufw-before-logging-input  all  --  anywhere             anywhere            
ufw-before-input  all  --  anywhere             anywhere            
ufw-after-input  all  --  anywhere             anywhere            
ufw-after-logging-input  all  --  anywhere             anywhere            
ufw-reject-input  all  --  anywhere             anywhere            
ufw-track-input  all  --  anywhere             anywhere            

Chain FORWARD (policy DROP)
target     prot opt source               destination         
ufw-before-logging-forward  all  --  anywhere             anywhere            
ufw-before-forward  all  --  anywhere             anywhere            
ufw-after-forward  all  --  anywhere             anywhere            
ufw-after-logging-forward  all  --  anywhere             anywhere            
ufw-reject-forward  all  --  anywhere             anywhere            
ufw-track-forward  all  --  anywhere             anywhere            

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
ufw-before-logging-output  all  --  anywhere             anywhere            
ufw-before-output  all  --  anywhere             anywhere            
ufw-after-output  all  --  anywhere             anywhere            
ufw-after-logging-output  all  --  anywhere             anywhere            
ufw-reject-output  all  --  anywhere             anywhere            
ufw-track-output  all  --  anywhere             anywhere            

Chain fail2ban-ssh (1 references)
target     prot opt source               destination         
RETURN     all  --  anywhere             anywhere            

Chain ufw-after-forward (1 references)
target     prot opt source               destination         

Chain ufw-after-input (1 references)
target     prot opt source               destination         
ufw-skip-to-policy-input  udp  --  anywhere             anywhere             udp dpt:netbios-ns
ufw-skip-to-policy-input  udp  --  anywhere             anywhere             udp dpt:netbios-dgm
ufw-skip-to-policy-input  tcp  --  anywhere             anywhere             tcp dpt:netbios-ssn
ufw-skip-to-policy-input  tcp  --  anywhere             anywhere             tcp dpt:microsoft-ds
ufw-skip-to-policy-input  udp  --  anywhere             anywhere             udp dpt:bootps
ufw-skip-to-policy-input  udp  --  anywhere             anywhere             udp dpt:bootpc
ufw-skip-to-policy-input  all  --  anywhere             anywhere             ADDRTYPE match dst-type BROADCAST

Chain ufw-after-logging-forward (1 references)
target     prot opt source               destination         
LOG        all  --  anywhere             anywhere             limit: avg 3/min burst 10 LOG level warning prefix "[UFW BLOCK] "

Chain ufw-after-logging-input (1 references)
target     prot opt source               destination         
LOG        all  --  anywhere             anywhere             limit: avg 3/min burst 10 LOG level warning prefix "[UFW BLOCK] "

Chain ufw-after-logging-output (1 references)
target     prot opt source               destination         
LOG        all  --  anywhere             anywhere             limit: avg 3/min burst 10 LOG level warning prefix "[UFW ALLOW] "

Chain ufw-after-output (1 references)
target     prot opt source               destination         

Chain ufw-before-forward (1 references)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere             icmp destination-unreachable
ACCEPT     icmp --  anywhere             anywhere             icmp source-quench
ACCEPT     icmp --  anywhere             anywhere             icmp time-exceeded
ACCEPT     icmp --  anywhere             anywhere             icmp parameter-problem
ACCEPT     icmp --  anywhere             anywhere             icmp echo-request
ufw-user-forward  all  --  anywhere             anywhere            

Chain ufw-before-input (1 references)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
ufw-logging-deny  all  --  anywhere             anywhere             ctstate INVALID
DROP       all  --  anywhere             anywhere             ctstate INVALID
ACCEPT     icmp --  anywhere             anywhere             icmp destination-unreachable
ACCEPT     icmp --  anywhere             anywhere             icmp source-quench
ACCEPT     icmp --  anywhere             anywhere             icmp time-exceeded
ACCEPT     icmp --  anywhere             anywhere             icmp parameter-problem
ACCEPT     icmp --  anywhere             anywhere             icmp echo-request
ACCEPT     udp  --  anywhere             anywhere             udp spt:bootps dpt:bootpc
ufw-not-local  all  --  anywhere             anywhere            
ACCEPT     udp  --  anywhere             224.0.0.251          udp dpt:mdns
ACCEPT     udp  --  anywhere             239.255.255.250      udp dpt:1900
ufw-user-input  all  --  anywhere             anywhere            

Chain ufw-before-logging-forward (1 references)
target     prot opt source               destination         
LOG        all  --  anywhere             anywhere             ctstate NEW limit: avg 3/min burst 10 LOG level warning prefix "[UFW AUDIT] "

Chain ufw-before-logging-input (1 references)
target     prot opt source               destination         
LOG        all  --  anywhere             anywhere             ctstate NEW limit: avg 3/min burst 10 LOG level warning prefix "[UFW AUDIT] "

Chain ufw-before-logging-output (1 references)
target     prot opt source               destination         
LOG        all  --  anywhere             anywhere             ctstate NEW limit: avg 3/min burst 10 LOG level warning prefix "[UFW AUDIT] "

Chain ufw-before-output (1 references)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
ufw-user-output  all  --  anywhere             anywhere            

Chain ufw-logging-allow (0 references)
target     prot opt source               destination         
LOG        all  --  anywhere             anywhere             limit: avg 3/min burst 10 LOG level warning prefix "[UFW ALLOW] "

Chain ufw-logging-deny (2 references)
target     prot opt source               destination         
LOG        all  --  anywhere             anywhere             ctstate INVALID limit: avg 3/min burst 10 LOG level warning prefix "[UFW AUDIT INVALID] "
LOG        all  --  anywhere             anywhere             limit: avg 3/min burst 10 LOG level warning prefix "[UFW BLOCK] "

Chain ufw-not-local (1 references)
target     prot opt source               destination         
RETURN     all  --  anywhere             anywhere             ADDRTYPE match dst-type LOCAL
RETURN     all  --  anywhere             anywhere             ADDRTYPE match dst-type MULTICAST
RETURN     all  --  anywhere             anywhere             ADDRTYPE match dst-type BROADCAST
ufw-logging-deny  all  --  anywhere             anywhere             limit: avg 3/min burst 10
DROP       all  --  anywhere             anywhere            

Chain ufw-reject-forward (1 references)
target     prot opt source               destination         

Chain ufw-reject-input (1 references)
target     prot opt source               destination         

Chain ufw-reject-output (1 references)
target     prot opt source               destination         

Chain ufw-skip-to-policy-forward (0 references)
target     prot opt source               destination         
DROP       all  --  anywhere             anywhere            

Chain ufw-skip-to-policy-input (7 references)
target     prot opt source               destination         
DROP       all  --  anywhere             anywhere            

Chain ufw-skip-to-policy-output (0 references)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere            

Chain ufw-track-forward (1 references)
target     prot opt source               destination         

Chain ufw-track-input (1 references)
target     prot opt source               destination         

Chain ufw-track-output (1 references)
target     prot opt source               destination         
ACCEPT     tcp  --  anywhere             anywhere             ctstate NEW
ACCEPT     udp  --  anywhere             anywhere             ctstate NEW

Chain ufw-user-forward (1 references)
target     prot opt source               destination         

Chain ufw-user-input (1 references)
target     prot opt source               destination         
DROP       udp  --  anywhere             anywhere             udp dpt:mdns
DROP       tcp  --  anywhere             anywhere             tcp dpt:5900
DROP       tcp  --  anywhere             anywhere             tcp dpt:ssh
DROP       udp  --  anywhere             anywhere             udp dpt:ssh
DROP       tcp  --  anywhere             anywhere             tcp dpt:smtp
DROP       tcp  --  anywhere             anywhere             multiport dports loc-srv,netbios-ssn,microsoft-ds
DROP       udp  --  anywhere             anywhere             multiport dports netbios-ns,netbios-dgm
DROP       tcp  --  anywhere             anywhere             tcp dpt:pop3
DROP       udp  --  anywhere             anywhere             udp dpt:pop3
DROP       tcp  --  anywhere             anywhere             tcp dpt:nfs
DROP       udp  --  anywhere             anywhere             udp dpt:nfs
DROP       tcp  --  anywhere             anywhere             tcp dpt:imap2
DROP       udp  --  anywhere             anywhere             udp dpt:imap2
DROP       tcp  --  anywhere             anywhere             tcp dpt:ftp

Chain ufw-user-limit (0 references)
target     prot opt source               destination         
LOG        all  --  anywhere             anywhere             limit: avg 3/min burst 5 LOG level warning prefix "[UFW LIMIT BLOCK] "
REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable

Chain ufw-user-limit-accept (0 references)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere            

Chain ufw-user-logging-forward (0 references)
target     prot opt source               destination         

Chain ufw-user-logging-input (0 references)
target     prot opt source               destination         

Chain ufw-user-logging-output (0 references)
target     prot opt source               destination         

Chain ufw-user-output (1 references)
target     prot opt source               destination         
DROP       tcp  --  anywhere             anywhere             multiport dports tcpmux:chargen
DROP       udp  --  anywhere             anywhere             multiport dports 1:chargen
DROP       tcp  --  anywhere             anywhere             multiport dports ssh:52
DROP       udp  --  anywhere             anywhere             multiport dports ssh:52
DROP       tcp  --  anywhere             anywhere             multiport dports 54:finger
DROP       tcp  --  anywhere             anywhere             multiport dports 81:122
DROP       udp  --  anywhere             anywhere             multiport dports 81:122
DROP       tcp  --  anywhere             anywhere             multiport dports 124:442
DROP       udp  --  anywhere             anywhere             multiport dports 124:442
DROP       tcp  --  anywhere             anywhere             multiport dports snpp:65535
DROP       udp  --  anywhere             anywhere             multiport dports snpp:65535
Which I believe locks down most ports and traffic to just what I would normally use (internet browsers, for example). However I am unclear as to how ipv6 connections can (or should) be blocked or allowed. Not that I anticipate that much ipv6 traffic but it would be useful to know how to do that.

Thanks to all who reply.
Bill
 
Old 09-03-2014, 08:10 PM   #2
solarisguy
Member
 
Registered: Aug 2010
Location: Seattle
Distribution: CentOS, RHEL, Oracle Enterprise Linux, Solaris, BSD
Posts: 64

Rep: Reputation: 21
For IPv6 firewalls, you'll generally want to allow any traffic originating in the trusted network. On the interface(s) facing untrusted networks, you'll want to permit RELATED and ESTABLISHED connections, and deny all others, for forward rules.

For DHCP, you'll need UDP 546,547 and ICMPv6 is always a good idea for path MTU discovery.
 
  


Reply

Tags
iptables, iptables firewall block, linux mint


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
Linux Mint, ssh, iptables nerdofdarkness Linux - Security 1 06-29-2014 11:46 PM
LXer: How to replace Ufw with Firewalld in Linux Mint 15 LXer Syndicated Linux News 0 06-28-2013 02:50 AM
Disable Linux Applications defaulting to IPv6 when making outgoing connections. markings Linux - General 3 02-26-2012 03:42 PM
LXer: ufw - Iptables under Ubuntu LXer Syndicated Linux News 0 06-18-2011 05:00 AM

LinuxQuestions.org > Forums > Linux Forums > Linux - Security

All times are GMT -5. The time now is 02:34 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration