IPv6 Tables

Creating Firewall Rules with ip6tables

Conclusions and Outlook

In this article, I created a basic set of rules for an IPv6 firewall on which you can base a variety of additional rules specific to an environment.

Many rules apply to both worlds: IPv4 and IPv6. Although the basic configuration steps and the syntax in ip6tables for IPv6 remain similar to iptables for IPv4, you still need to consider some special cases in IPv6 that require individual handling – in particular, tunnel traffic and the ICMPv6 problem.

Even in a small environment, the ip6tables rules can become quite extensive. Thus, the question always arises as to whether the rules should be applied globally or to interfaces and subnets, or prefixes, or even individual hosts.

The more precisely you need the rules to filter your traffic, the more complex things become. One basic problem that is not specific to IPv6 should be noted: A complex set of rules tends to give rise to administration errors. Sometimes less is more.

An aspect I have not addressed is the use of your own chains. It is usually desirable for the firewall to log what comes in, what goes out, and what was blocked. To do this, you create your own chains, which first log the packet and then follow up with an action, normally DROP or ACCEPT. The appropriate chains then reference these filter rules, just as with iptables for IPv4.
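The log-then-act chains described above, as an added example that is not part of the original article: the script builds an `ip6tables-restore` ruleset in which user-defined chains log a packet and then apply the verdict. The chain names `LOG_ACCEPT` and `LOG_DROP`, the log prefixes, the rate limit, the blanket ICMPv6 accept, and the SSH rule are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example: ruleset with two user-defined logging chains.
# Chain names, prefixes, limits and the SSH rule are assumptions.

# emit_log_chain NAME VERDICT PREFIX
# Prints the rules of one chain: rate-limited LOG first, then the verdict.
emit_log_chain() {
    chain=$1 verdict=$2 prefix=$3
    # The limit match keeps a flood from filling the kernel log; packets
    # over the limit skip the LOG rule but still reach the verdict rule.
    printf '%s\n' "-A $chain -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix \"$prefix \" --log-level 4"
    printf '%s\n' "-A $chain -j $verdict"
}

# build_ruleset
# Prints a complete filter table in ip6tables-restore format.
build_ruleset() {
    # Accepting all ICMPv6 is a simplification; the article treats ICMPv6
    # filtering as a special case that needs individual handling.
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:LOG_ACCEPT - [0:0]
:LOG_DROP - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p ipv6-icmp -j ACCEPT
-A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j LOG_ACCEPT
-A INPUT -j LOG_DROP
-A FORWARD -j LOG_DROP
EOF
    emit_log_chain LOG_ACCEPT ACCEPT 'ip6-accept:'
    emit_log_chain LOG_DROP DROP 'ip6-drop:'
    echo COMMIT
}

# Print the ruleset when called with --print. Syntax check as root,
# without committing:  sh thisfile --print | ip6tables-restore --test
case "${1:-}" in
    --print) build_ruleset ;;
esac
```

Because the built-in chains jump to `LOG_DROP` and `LOG_ACCEPT` instead of `DROP` and `ACCEPT`, every new accept or block decision leaves a prefixed kernel log entry that can be filtered by its prefix.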

The Author

Eric Amberg has worked many years in the field of IT infrastructure as a trainer and consultant and has many years of project experience. His main focus is on networking topics. In his seminars, he places great emphasis on practical training. More information is available at http://www.atracon.de.
