IPv6 does away with NAT, which functions much like a firewall for internal networks with IPv4, even though it was not designed for that purpose. With IPv6, a dedicated firewall now needs to provide protection against attacks from the Internet and other networks. Linux has the ip6tables tool for this purpose. In this article, I develop a basic set of rules.

The underlying scenario for this article involves a DSL router with Linux (Figure 1), which is required on the one hand to protect internal systems from attacks from the Internet and, on the other hand, to provide access to an internal server connecting to a DMZ interface. The aim is to manage both the end-to-end IPv6 network traffic and to control access to the router itself.

Figure 1: The test scenario for the IPv6 firewall.

The router must be accessible for administrative purposes, at least using SSH and HTTPS, and it needs to act as a DNS server for the internal systems.

Since Linux kernel version 2.6.20, ip6tables has supported stateful inspection, wherein the firewall automatically assigns response packets to a communication channel and allows communication where appropriate. This function, which is now common on almost all firewall platforms, reduces both the scope and the complexity of the rules significantly.

ip6tables in Netfilter

On Linux systems, the Netfilter framework has established itself as a kernel-based firewall software. The iptables program is used to create IPv4 firewall and NAT rules for packet header manipulation.

However, iptables does not support IPv6; thus, the ip6_tables kernel module, which is configured using the ip6tables program, was added to the Netfilter framework. The ip6tables program behaves in much the same way as iptables, so hardened IPv4 veterans do not have to relearn the ropes completely.

On the other hand, the various new protocol components and communication types in IPv6 pose challenges for firewall administrators. In this article, I only address the IPv6 protocol, although, in reality, both protocols almost always need to be considered in the firewall configuration.

IPv6 Routing

An IPv6 network firewall mainly controls the traffic that passes through the system. Therefore, IPv6 routing must be activated up front. This is done with the command:

sysctl -w net.ipv6.conf.all.forwarding=1

This command can also be entered in the configuration file /etc/sysctl.conf (Figure 2). As a result, /proc/sys/net/ipv6/conf/all contains a 1, and this value enables IPv6 routing. If you want to disable it, enter a   instead.

Figure 2: Configuring IPv6 routing in the Linux kernel configuration.

What Is Important?

IPv6 comes with a completely separate protocol stack. In most cases, IPv6 is used in parallel with IPv4 in dual-stack operation. Here, the question arises whether the existing firewall should be supplemented with IPv6 rules or whether a new dedicated IPv6 firewall should be built to which all IPv6 traffic is routed. The advantage of a separate IPv6 firewall is independence from the IPv4 infrastructure. Thus, you could build your own, optimized IPv6 network infrastructure and eliminate the issues of a legacy IPv4 infrastructure. However, except in very few environments, this course of action is complex and not easy to realize.

The configuration of a mature IPv6 network firewall requires in-depth expertise of IPv6. Although simple rules can be generated with just a few lines, they also offer only limited security or functionality. Because the firewall is the only protection in IPv6 for access from the Internet, and administrators cannot rely on the protection mechanism of NAT as they did with IPv4, the firewall is of fundamental importance.

Another task is to configure anti-spoofing rules. Attackers can possibly work around firewall rules by spoofing permitted addresses, so you must ensure that only valid addresses communicate on the respective interfaces.

Furthermore, IPv6 uses a number of communication types that also need to be considered: above all, the various tunneling mechanisms such as 6to4, ISATAP, or Teredo. In these cases, IPv6 is tunneled in IPv4 packets and transmitted over the IPv4 network. This practice is often undesirable, leading to unnecessary risks and must therefore be eliminated.