Posted: Mon May 28, 2012 17:31 Post subject: How do I secure my computers on the IPV6 network
I have set up tunnelbroker etc. I have IPv6 running fine. But now I just want to secure my whole network. I don't really want to have a hard-out firewall on every computer in the house, so is there something I could use to prevent IPv6 from the outside talking to my computers?
You'll have to manually configure a firewall, using ip6tables.
As a starting point, check the IPv6 guide on my website (http://www.lostrealm.ca/tower/node/81). While targeted at the Asus RT-N66U, I was originally using those rules on an E2000 running DD-WRT. Replace v6in4 with whatever interface DD-WRT uses for the tunnel (I can't remember what it was).
I'm running an E2000. Okay, so if I set the iptables up, how do I remove them if I want to later?
iptables entries have to be manually re-entered every time you reboot. Put your rules in the firewall script that can be edited on DD-WRT's web interface. That way they will get re-applied every reboot. Just removing those entries from the firewall script and rebooting will bring you back to the default values.
Note that you will need some basic iptables knowledge to be able to implement it. If you have never played with iptables before you might want to look for an already pre-configured set of rules specifically made for DD-WRT instead, as my example isn't directly usable anymore under DD-WRT.
Posted: Fri Jun 08, 2012 10:03 Post subject: IP Tables firewall
Are there any good tutorials for building a DD-WRT firewall with iptables? I don't want to override any other previous settings.
All I want to do is block computers from accessing my computers' ports. I want to close all computer ports on IPv6 addresses on the network by default, but then have rules to specify which ports should be open to a specific PC.
Could someone link me to some stuff that might teach me? Thanks.
Okay, so I have followed through. I'm using a Linksys E2000.
So I have to install the IPv6 modules etc. My process is below:
1) GUI: Services/Services
enable SSHd
2) GUI: Administration/Management
-enable ipv6
-enable jffs and first time users need to enable clean to format it for mounting
3) SSH to the router, then created the directory to place the modules in:
Code:
mkdir -p /jffs/lib/modules/2.6.24.111/
4) Download & extract LazyTom's precompiled 2.6.24.111 ip6tables kernel modules for brcm47xx routers and get those .ko files into the /jffs/lib/modules/2.6.24.111/ directory. How it's done is up to individual taste; I chose to download to my desktop, then extract, and then do an SCP from the desktop:
Code:
Copied the module files "ip6_tables.ko, ip6table_filter, nf_conntrack_ipv6.ko" to /jffs/lib/modules/2.6.24.111 directory via SCP.
Are only these modules required, or do I need to add some additional ones?
6) Back on the router, I downloaded and installed the iptables program from the 8.02 OpenWrt brcm47xx compiled packages:
root@Linksys:~# ipkg -force-depends install http://downloads.openwrt.org/kamikaze/8.09.2/brcm47xx/packages/kmod-ip6tables_2.6.25.20-brcm47xx-1_mipsel.ipk
Downloading http://downloads.openwrt.org/kamikaze/8.09.2/brcm47xx/packages/kmod-ip6tables_2.6.25.20-brcm47xx-1_mipsel.ipk ...
Connecting to downloads.openwrt.org (78.24.191.177:80)
Done.
ERROR: File not found: /jffs/usr/lib/ipkg/lists/whiterussian
You probably want to run `ipkg update'
ERROR: File not found: /jffs/usr/lib/ipkg/lists/non-free
You probably want to run `ipkg update'
ERROR: File not found: /jffs/usr/lib/ipkg/lists/backports
You probably want to run `ipkg update'
Unpacking kmod-ip6tables...Done.
Configuring kmod-ip6tables.../jffs/usr/lib/ipkg/info/kmod-ip6tables.postinst: .: line 3: can't open /etc/functions.sh
root@Linksys:~# ipkg -force-depends install http://downloads.openwrt.org/kamikaze/8.09.2/brcm47xx/packages/ip6tables_1.4.0-1_mipsel.ipk
Downloading http://downloads.openwrt.org/kamikaze/8.09.2/brcm47xx/packages/ip6tables_1.4.0-1_mipsel.ipk ...
Connecting to downloads.openwrt.org (78.24.191.177:80)
Done.
ERROR: File not found: /jffs/usr/lib/ipkg/lists/whiterussian
You probably want to run `ipkg update'
ERROR: File not found: /jffs/usr/lib/ipkg/lists/non-free
You probably want to run `ipkg update'
ERROR: File not found: /jffs/usr/lib/ipkg/lists/backports
You probably want to run `ipkg update'
Unpacking ip6tables...ipkg_install_file: ERROR unpacking data.tar.gz from /jffs/tmp/ipkg/ip6tables_1.4.0-1_mipsel.ipk
root@Linksys:~#
7) Added the following above the tunnelbroker start-up script:
# set default policy
ip6tables -P INPUT ACCEPT
ip6tables -P OUTPUT ACCEPT
ip6tables -P FORWARD DROP
# Prevent being a rh0 (routing header type 0) host (DROP before we could accept these buggy ones)
ip6tables -I INPUT -m rt --rt-type 0 -j DROP
ip6tables -I OUTPUT -m rt --rt-type 0 -j DROP
ip6tables -I FORWARD -m rt --rt-type 0 -j DROP
# Allow traffic on loopback interface
ip6tables -A INPUT -i lo -j ACCEPT
ip6tables -A OUTPUT -o lo -j ACCEPT
# Allow traffic from local host to the IPv6-tunnel
ip6tables -A OUTPUT -o tun6rd -s 2001::/16 -j ACCEPT
ip6tables -A INPUT -i tun6rd -d 2001::/16 -m state --state RELATED,ESTABLISHED -j ACCEPT
# Allow traffic from local network to local host
ip6tables -A OUTPUT -o br0 -j ACCEPT
ip6tables -A INPUT -i br0 -j ACCEPT
# Allow traffic from local network to tunnel (IPv6 world)
ip6tables -A FORWARD -i br0 -s 2001::/16 -j ACCEPT
ip6tables -A FORWARD -i tun6rd -d 2001::/16 -m state --state RELATED,ESTABLISHED -j ACCEPT
# Allow some special ICMPv6 packet types; do this in an extra chain because we need it everywhere
ip6tables -N AllowICMPs
# Destination unreachable
ip6tables -A AllowICMPs -p icmpv6 --icmpv6-type 1 -j ACCEPT
# Packet too big
ip6tables -A AllowICMPs -p icmpv6 --icmpv6-type 2 -j ACCEPT
# Time exceeded
ip6tables -A AllowICMPs -p icmpv6 --icmpv6-type 3 -j ACCEPT
# Parameter problem
ip6tables -A AllowICMPs -p icmpv6 --icmpv6-type 4 -j ACCEPT
# Echo Request (protect against flood)
ip6tables -A AllowICMPs -p icmpv6 --icmpv6-type 128 -m limit --limit 5/sec --limit-burst 10 -j ACCEPT
# Echo Reply
ip6tables -A AllowICMPs -p icmpv6 --icmpv6-type 129 -j ACCEPT
# Link in tables INPUT and FORWARD (in Output we allow everything anyway)
ip6tables -A INPUT -p icmpv6 -j AllowICMPs
ip6tables -A FORWARD -p icmpv6 -j AllowICMPs
9) Rebooted the router and then ran these testing procedures.
Tried the following test:
Those were unable to see that I have IPv6, so the security is pretty high; however, to make sure that I actually have IPv6 working, I tried a proper test. See below the log of pinging the Facebook and Google sites over IPv6.
Code:
Pinging facebook.com [2a03:2880:10:1f02:face:b00c:0:25] with 32 bytes of data:
Reply from 2a03:2880:10:1f02:face:b00c:0:25: time=229ms
Reply from 2a03:2880:10:1f02:face:b00c:0:25: time=228ms
Reply from 2a03:2880:10:1f02:face:b00c:0:25: time=227ms
Reply from 2a03:2880:10:1f02:face:b00c:0:25: time=228ms
Ping statistics for 2a03:2880:10:1f02:face:b00c:0:25:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 227ms, Maximum = 229ms, Average = 228ms
Pinging google.com [2404:6800:4006:804::1003] with 32 bytes of data:
Reply from 2404:6800:4006:804::1003: time=421ms
Reply from 2404:6800:4006:804::1003: time=419ms
Reply from 2404:6800:4006:804::1003: time=420ms
Reply from 2404:6800:4006:804::1003: time=421ms
Ping statistics for 2404:6800:4006:804::1003:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 419ms, Maximum = 421ms, Average = 420ms
I also tested that the ip6tables script is working by changing the script to the following...
# Allow traffic on loopback interface
ip6tables -A INPUT -i lo -j ACCEPT
ip6tables -A OUTPUT -o lo -j ACCEPT
# Allow traffic from local host to the IPv6-tunnel
ip6tables -A OUTPUT -o tun6rd -s 2001::/16 -j ACCEPT
ip6tables -A INPUT -i tun6rd -d 2001::/16 -m state --state RELATED,ESTABLISHED -j ACCEPT
# Allow traffic from local network to local host
ip6tables -A OUTPUT -o br0 -j ACCEPT
ip6tables -A INPUT -i br0 -j ACCEPT
# Allow traffic from local network to tunnel (IPv6 world)
ip6tables -A FORWARD -i br0 -s 2001::/16 -j ACCEPT
ip6tables -A FORWARD -i tun6rd -d 2001::/16 -m state --state RELATED,ESTABLISHED -j ACCEPT
# Allow some special ICMPv6 packet types; do this in an extra chain because we need it everywhere
ip6tables -N AllowICMPs
# Destination unreachable
ip6tables -A AllowICMPs -p icmpv6 --icmpv6-type 1 -j ACCEPT
# Packet too big
ip6tables -A AllowICMPs -p icmpv6 --icmpv6-type 2 -j ACCEPT
# Time exceeded
ip6tables -A AllowICMPs -p icmpv6 --icmpv6-type 3 -j ACCEPT
# Parameter problem
ip6tables -A AllowICMPs -p icmpv6 --icmpv6-type 4 -j ACCEPT
# Echo Request (protect against flood)
ip6tables -A AllowICMPs -p icmpv6 --icmpv6-type 128 -m limit --limit 5/sec --limit-burst 10 -j ACCEPT
# Echo Reply
ip6tables -A AllowICMPs -p icmpv6 --icmpv6-type 129 -j ACCEPT
# Link in tables INPUT and FORWARD (in Output we allow everything anyway)
ip6tables -A INPUT -p icmpv6 -j AllowICMPs
ip6tables -A FORWARD -p icmpv6 -j AllowICMPs
This allowed me to test and verify that the IPv6 address is working over the internet and that ip6tables is working correctly.
I tested with the IPv6 test sites again, and now they work, since I changed the ip6tables script to allow the test sites to communicate with my PC.
Could someone please let me know if this is all working correctly, and tell me why I'm getting those errors when installing those packages over the command line? And were my testing methods correct?
Thank you.
I hope I have helped others in the process by logging and documenting the things I did.
What's next... Well, now it's opening specific ports for servers and having all other incoming communication blocked.
Could someone please write me an ip6tables script that will work with the online IPv6 test but also block my computers from random incoming connections?
Posted: Mon Jul 02, 2012 21:06 Post subject: My final script seems perfect
Here is my final ip6tables script (note this is for the Hurricane Electric Tunnelbroker):
Code:
# Allows you to access port forwards to internal computers with ipv4 WAN IP
iptables -t nat -I POSTROUTING -o br0 -s 192.168.1.0/24 -d 192.168.1.0/24 -j MASQUERADE
# Default rule DROP for all chains
ip6tables -P INPUT DROP
ip6tables -P OUTPUT DROP
ip6tables -P FORWARD DROP
# Prevent being a rh0 (routing header type 0) host (DROP before we could accept these buggy ones)
ip6tables -I INPUT -m rt --rt-type 0 -j DROP
ip6tables -I OUTPUT -m rt --rt-type 0 -j DROP
ip6tables -I FORWARD -m rt --rt-type 0 -j DROP
# Allow traffic on loopback interface
ip6tables -A INPUT -i lo -j ACCEPT
ip6tables -A OUTPUT -o lo -j ACCEPT
# Allow traffic from local host to the IPv6-tunnel
ip6tables -A OUTPUT -o he-ipv6 -s 2001::/16 -j ACCEPT
ip6tables -A INPUT -i he-ipv6 -d 2001::/16 -m state --state RELATED,ESTABLISHED -j ACCEPT
ip6tables -A OUTPUT -o tun6to4 -s 2001::/16 -j ACCEPT
ip6tables -A INPUT -i tun6to4 -d 2001::/16 -m state --state RELATED,ESTABLISHED -j ACCEPT
# Allow traffic from local network to local host
ip6tables -A OUTPUT -o br0 -j ACCEPT
ip6tables -A INPUT -i br0 -j ACCEPT
# Allow traffic from local network to tunnel (IPv6 world)
ip6tables -A FORWARD -i br0 -s 2001::/16 -j ACCEPT
ip6tables -A FORWARD -i he-ipv6 -d 2001::/16 -m state --state RELATED,ESTABLISHED -j ACCEPT
ip6tables -A FORWARD -i tun6to4 -d 2001::/16 -m state --state RELATED,ESTABLISHED -j ACCEPT
# Allow some special ICMPv6 packet types; do this in an extra chain because we need it everywhere
ip6tables -N AllowICMPs
# Destination unreachable
ip6tables -A AllowICMPs -p icmpv6 --icmpv6-type 1 -j ACCEPT
# Packet too big
ip6tables -A AllowICMPs -p icmpv6 --icmpv6-type 2 -j ACCEPT
# Time exceeded
ip6tables -A AllowICMPs -p icmpv6 --icmpv6-type 3 -j ACCEPT
# Parameter problem
ip6tables -A AllowICMPs -p icmpv6 --icmpv6-type 4 -j ACCEPT
# Echo Request (protect against flood)
ip6tables -A AllowICMPs -p icmpv6 --icmpv6-type 128 -m limit --limit 5/sec --limit-burst 10 -j ACCEPT
# Echo Reply
ip6tables -A AllowICMPs -p icmpv6 --icmpv6-type 129 -j ACCEPT
# Link in tables INPUT and FORWARD (in Output we allow everything anyway)
ip6tables -A INPUT -p icmpv6 -j AllowICMPs
ip6tables -A FORWARD -p icmpv6 -j AllowICMPs
#Allow Specific Port on all ipv6 devices in network
#ip6tables -A INPUT -p tcp --dport 21 -j ACCEPT
#ip6tables -A FORWARD -p tcp --dport 21 -j ACCEPT
#Allow Specific Port on specific ipv6 address in network
ip6tables -A FORWARD -p tcp -d 1111:222:3333:555:6666:7777:8888:9999 --dport 21 -j ACCEPT
This script will provide protection and block all traffic from having direct access to your devices. However, devices from outside the network will be able to ping, as this script has ICMPv6 enabled.
1111:222:3333:555:6666:7777:8888:9999 - (this being the IPv6 address of the computer)
--dport 21 - (21 being the number of the port to open)
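As an added example (not the thread's own script), here is the same default-DROP design written so it can be pasted into DD-WRT's firewall script and run repeatedly: DD-WRT re-runs that script on every WAN-up event, and the thread's version appends with -A each time, so rules pile up in duplicate. The rule set is flushed first, the per-host TCP openings come from a small list with a syntax check on each address, and setting IP6T=echo prints the commands instead of applying them. The interface name he-ipv6, the 2001::/16 prefix and the 2001:db8: host addresses are assumptions (the last two are documentation placeholders, not real hosts).

```shell
#!/bin/sh
# Re-runnable ip6tables script for an HE tunnel on DD-WRT (added example).
IP6T="${IP6T:-ip6tables}"       # set IP6T=echo for a dry run
TUN="${TUN:-he-ipv6}"           # tunnel interface name (assumed, as in the thread)
LAN="${LAN:-br0}"
PREFIX="${PREFIX:-2001::/16}"   # global prefix used on the LAN side (assumed)

# Hosts and TCP ports reachable from the IPv6 internet, one "address port" per line.
# Constructed placeholder addresses; replace with real LAN hosts.
ALLOWED_TCP="2001:db8:1::10 21
2001:db8:1::20 443"

# Loose syntax check so a mistyped address does not silently become an unmatched rule.
valid_ipv6() {
  case "$1" in
    ""|*[!0-9a-fA-F:]*) return 1 ;;   # empty or non-hex character
    *::*::*) return 1 ;;              # only one "::" is allowed
  esac
  return 0
}

icmp_chain() {
  $IP6T -N AllowICMPs
  for t in 1 2 3 4 129; do   # unreachable, packet too big, time exceeded, param problem, echo reply
    $IP6T -A AllowICMPs -p icmpv6 --icmpv6-type $t -j ACCEPT
  done
  $IP6T -A AllowICMPs -p icmpv6 --icmpv6-type 128 -m limit --limit 5/sec --limit-burst 10 -j ACCEPT
}

apply_rules() {
  for c in INPUT OUTPUT FORWARD; do $IP6T -P $c DROP; done
  $IP6T -F; $IP6T -X                          # flush built-in and user chains before re-adding
  for c in INPUT OUTPUT FORWARD; do $IP6T -A $c -m rt --rt-type 0 -j DROP; done
  $IP6T -A INPUT -i lo -j ACCEPT
  $IP6T -A OUTPUT -o lo -j ACCEPT
  $IP6T -A OUTPUT -o "$TUN" -s "$PREFIX" -j ACCEPT
  $IP6T -A INPUT -i "$TUN" -d "$PREFIX" -m state --state RELATED,ESTABLISHED -j ACCEPT
  $IP6T -A OUTPUT -o "$LAN" -j ACCEPT
  $IP6T -A INPUT -i "$LAN" -j ACCEPT
  $IP6T -A FORWARD -i "$LAN" -s "$PREFIX" -j ACCEPT
  $IP6T -A FORWARD -i "$TUN" -d "$PREFIX" -m state --state RELATED,ESTABLISHED -j ACCEPT
  icmp_chain
  $IP6T -A INPUT -p icmpv6 -j AllowICMPs
  $IP6T -A FORWARD -p icmpv6 -j AllowICMPs
  # Per-host openings: only new connections arriving from the tunnel need a rule,
  # LAN-originated traffic is already accepted above.
  echo "$ALLOWED_TCP" | while read -r host port; do
    valid_ipv6 "$host" || { echo "skipping bad address: $host" >&2; continue; }
    $IP6T -A FORWARD -i "$TUN" -p tcp -d "$host" --dport "$port" -j ACCEPT
  done
}
```

Run `apply_rules` at the end of the firewall script; `-m state` still needs nf_conntrack_ipv6 loaded, as the thread notes.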
Posted: Sat Jul 28, 2012 20:44 Post subject: Where to find a dd-wrt with kernel 2.6?
I've been studying this for several days. The latest usable dd-wrt I can find is dd-wrt.v24-15230_VINT_std-nokaid_nohotspot_nostor. It has kernel 2.4.35, yet you seem to be using kernel 2.6 modules. Where can I find more recent versions? I've got an old WRT54GS with 8 megs of flash; I want to use the std-nokaid_nohotspot_nostor because it leaves me some room in /jffs. My whole reason for any of this is to set up an IPv6 network through Hurricane Electric. So you see, I need the IPv6 modules and a kernel that matches them.
Posted: Sun Jul 29, 2012 17:05 Post subject: Re: Where to find a dd-wrt with kernel 2.6?
mtcstle wrote:
I've been studying this for several days. The latest usable dd-wrt I can find is dd-wrt.v24-15230_VINT_std-nokaid_nohotspot_nostor. It has kernel 2.4.35, yet you seem to be using kernel 2.6 modules. Where can I find more recent versions? I've got an old WRT54GS with 8 megs of flash; I want to use the std-nokaid_nohotspot_nostor because it leaves me some room in /jffs. My whole reason for any of this is to set up an IPv6 network through Hurricane Electric. So you see, I need the IPv6 modules and a kernel that matches them.
All advice gratefully accepted.
mtcstle
You need to check the "Peacock" thread (see my signature) that is listed in this section of the forum in the "Announcements".
Posted: Mon Jul 30, 2012 2:15 Post subject: Choice of versions for WRT54GS, VINT, generic, or K26
Thanks for your reply. It seems that newer K26 firmware might brick this old router, but older ones might not. What is newer and what is older is not clear. To be safe, I'll probably stay with the 2.4-based v24-sp2 (08/12/10) std-nokaid (SVN revision 14929) bin I've got. But did I not read that K24 firmwares had limited iptables filtering capability? It took two days to find the K24 modules.