
Linux: Limit IPv6 connectivity to specific programs - DarkPlayer
http://fds-team.de/cms/articles/2013-06/linux-limit-ipv6-connectivity-to-specific-programs.html
======
Tomdarkness
> "The main problem is to secure an IPv6 network which is much more
> complicated than using a typical IPv4 network consisting of a router and
> several devices behind it."

Does anyone know why this is the case? I'm not a network security expert but
to me I don't see how IPv4/v6 makes a difference in terms of security. I'd
assume that each computer on the network could most likely be assigned a
public IPv6 address rather than using NAT, in which case how is configuring
your perimeter firewall to drop incoming connections by default any different
from not having any port forwarding set up by default? Even your average
domestic router has some sort of basic firewall built in.

~~~
IgorPartola
There is nothing special about firewalling off IPv6. NAT is not a security
feature. The problem is that most consumer "routers" that people use nowadays
are really: a router, a switch, a wireless access point, a firewall, and who
knows what else. Here are some sample rules for firewalling off IPv4 (typed
from memory, so use with caution):

    iptables -A INPUT -i lo -j ACCEPT
    iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    iptables -A INPUT -s 192.168.1.0/24 -j ACCEPT
    iptables -A INPUT -p icmp -j ACCEPT
    iptables -A INPUT -j DROP

    iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    iptables -A FORWARD -s 192.168.1.0/24 -j ACCEPT
    iptables -A FORWARD -p icmp -j ACCEPT
    iptables -A FORWARD -j DROP

Here are the IPv6 rules:

    ip6tables -A INPUT -i lo -j ACCEPT
    ip6tables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    ip6tables -A INPUT -s 2001:xx:xx:xx::/64 -j ACCEPT
    ip6tables -A INPUT -p ipv6-icmp -j ACCEPT
    ip6tables -A INPUT -j DROP

    ip6tables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    ip6tables -A FORWARD -s 2001:xx:xx:xx::/64 -j ACCEPT
    ip6tables -A FORWARD -p ipv6-icmp -j ACCEPT
    ip6tables -A FORWARD -j DROP

Does that look like it would be hard to do? Your router should come with these
rules already. If it does not, ditch it and buy one that is supported by
OpenWRT, where IPv6 support is not a second class citizen.

Edit: Naturally, IPv4 rules would have to be more complicated since you'll
want to have your NAT setup in there. In this way, configuring IPv6 is
actually easier :). Also, a real router would have rules set up for throttling
certain types of traffic (e.g.: you don't want more than, say, 1000 ICMP
messages per second). However, all those steps are identical for IPv6.
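
An added consistency check, not code from the comment author or the linked article: it parses an iptables and an ip6tables rule list, normalises the family-specific parts (LAN prefix, icmp vs ipv6-icmp), and reports where the two chains diverge, where a chain does not end in DROP, or where the IPv6 chain fails to accept ICMPv6 (which would break neighbour discovery). The rule sets below are constructed, modelled on the ones above, with documentation prefixes.

```python
import re

# Constructed sample, modelled on the rule sets in the comment above (the LAN
# prefixes are documentation addresses, not real ones).
IPV4_RULES = """
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -s 192.168.1.0/24 -j ACCEPT
iptables -A INPUT -p icmp -j ACCEPT
iptables -A INPUT -j DROP
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -s 192.168.1.0/24 -j ACCEPT
iptables -A FORWARD -p icmp -j ACCEPT
iptables -A FORWARD -j DROP
"""
IPV6_RULES = (IPV4_RULES.replace("iptables", "ip6tables")
              .replace("192.168.1.0/24", "2001:db8:1::/64").replace("-p icmp", "-p ipv6-icmp"))
RULE_RE = re.compile(r"^ip6?tables\s+-A\s+(\S+)\s*(.*?)\s*-j\s+(\S+)$")

def parse_rules(text):
    # Returns [(chain, match_expression, target)] in append order.
    rules = []
    for line in filter(None, (l.strip() for l in text.splitlines())):
        m = RULE_RE.match(line)
        if m is None:
            raise ValueError("unrecognised rule: " + line)
        rules.append(m.groups())
    return rules

def normalise(match):
    # Map family-specific tokens to a neutral form so v4 and v6 rules compare equal.
    match = re.sub(r"-p\s+(icmp|ipv6-icmp|icmpv6)\b", "-p ICMP", match)
    return re.sub(r"-s\s+\S+", "-s LAN", match)

def audit(v4_text, v6_text):
    # Returns a list of findings; an empty list means the rule sets are consistent.
    v4, v6 = parse_rules(v4_text), parse_rules(v6_text)
    findings = []
    for chain in ("INPUT", "FORWARD"):
        c4 = [(normalise(m), t) for c, m, t in v4 if c == chain]
        c6 = [(normalise(m), t) for c, m, t in v6 if c == chain]
        if c4 != c6:
            findings.append(f"{chain}: IPv4 and IPv6 rules differ in content or order")
        for family, rules in (("IPv4", c4), ("IPv6", c6)):
            if not rules or rules[-1][1] != "DROP":
                findings.append(f"{chain}/{family}: chain does not end in a DROP")
        # ICMPv6 carries neighbour discovery (IPv6's ARP) and path-MTU signalling, so
        # the v6 chain must ACCEPT it; dropping it wholesale breaks IPv6 outright.
        if ("-p ICMP", "ACCEPT") not in c6:
            findings.append(f"{chain}/IPv6: ICMPv6 is not accepted")
    return findings
```

Run `audit` on the output of `iptables-save`-style listings to catch the common mistake of copying the IPv4 policy to IPv6 and treating the ICMPv6 accept as optional.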

~~~
noja
> NAT is not a security feature.

Why?

~~~
GauntletWizard
Because it was never intended as such and does not necessarily need to add
any. The fact that many NAT implementations do add some security (by dropping
inbound connections by default) is a side effect. I've seen NAT
implementations that get it precisely wrong (consumer routers that set up .2
as the default DMZ), but that's still entirely valid.

~~~
noja
Whether or not NAT was designed with security in mind doesn't matter.

Using NAT increases security simply by having deny by default.

~~~
vy8vWJlco
But that is not a feature of NAT, that is a feature of a firewall (for
example, it is possible to route incoming packets via the WAN as well as
masquerade outgoing ones from the LAN - most people wouldn't even know their
pants are down). It is a coincidence that home routers sometimes provide both
leading people to conflate their firewall with their NAT system - but if a
firewall is what is wanted (and is arguably the only valuable component), NAT
is not the thing to ask for. Conflating NAT with firewalls also promotes the
idea that NAT has a place in any network with abundant addresses. IMHO, it
does not.

~~~
nitrogen
NAT will always have a place, because not everyone wants to expose a uniquely
routable address for every device they own (probably based on a device's MAC
address) to the world.

~~~
vy8vWJlco
Can you give an example that isn't based on security (since the NAT isn't
providing that)? I can only think of short-term (undesirable) transition or
load-balancing mechanisms - all of which have better long-term solutions
(anycast, multicast, and dynamic service discovery, etc)...

~~~
nitrogen
What's with the widespread fixation against attributing any positive security
attributes to Network Address Translation? It's like the old warning about NAT
not being enough to protect a private network got cargo culted into a
universal anti-NAT maxim.

What would you call it when a router at the edge of a private network presents
a single IP to the world no matter how many devices are behind it, for privacy
reasons?

~~~
vy8vWJlco
_"What's with the widespread fixation against attributing any positive
security attributes to Network Address Translation"_

It probably has something to do with NAT being a huge obstacle later, when
needs change. For example, while it might make sense at one point to have
multiple hosts appear as one, it is at the expense of direct addressability,
and the workaround - having a unique address+port combination - makes less
sense than having a unique directly-routable address.

_"What would you call it when a router at the edge of a private network
presents a single IP to the world no matter how many devices are behind it,
for privacy reasons?"_

The wrong tool for the job. :)

The privacy is gained not by translation but by blocking direct connections
(which is a feature of a firewall - not of NAT). While there is some value in
NAT's ability to falsify the origin of data - ie, to take credit for non-local
flows - but if those applications ever grow they will be fighting to escape
the single address of NAT and are thus only suitable in the short term.
Ideally, NAT would go unused because every element is uniquely addressable and
fully independent... Most people would not consider someone else who
continually takes credit for their or someone else's work to be a feature, and
so it is with NAT.

~~~
nitrogen
I'm thinking more in terms of consumer networks. I really don't want my ISP to
know exactly which devices I'm using or how many, nor do I want to have every
web site be able to track them by globally routable IPv6 address everywhere I
go. Simply blocking incoming connections doesn't solve that.

Taking credit for someone else's work is not a useful analogy for NAT, nor are
the corresponding moral implications relevant.

~~~
vy8vWJlco
_"nor do I want to have every web site be able to track them by globally
routable IPv6 address everywhere I go."_

So, you would rather use one address for everything, making it easy as pie to
track you? You can pretty much pick IPv6 addresses at random (under your
router prefix), and you have (many many many) more addresses than the whole
IPv4 address space to choose from (it's a 128 bit address space and providers
typically give a /48, /56, or /64 prefix at worst... that's 128-64=64 bits...
that's 2^63.9999... more addresses than IPv4). In short, you don't really
"map" the IPv6 space the same way you do the IPv4 space.

Taking credit for someone else's work very much is a useful analogy: if I can
only speak through a third party, and I need that third party's permission to
speak, let alone be spoken to, I quickly resent him or her. This is quite the
case with current NAT solutions, with system administrators restricting
"their" networks, making communication difficult for everyone else (by holding
the only globally-routable address or "allocating" only a few; everyone else
_is_ second-class).

------
akira2501
This seems to take the long way around. I wonder why they didn't consider just
using the firewall to control network traffic; unless you really need your
applications to be completely unaware of IPv6, but so far, I've not
experienced that problem.

Also, requiring root privileges for launch is a bit of a burden in some use-
case scenarios.

~~~
Already__Taken
Not exactly a common use case or Linux related, but my Red Alert 2 game, patched
for TCP/IP instead of the IPX support it shipped with, will only let you into LAN
game lobbies on IPv6; you can't see any games to join. On IPv4 it works like
a charm.

My point is just that I'm sure some very very weird stuff can happen with
software.

------
lgbr
Security aside, this is even useful for new deployments of IPv6. It seems a
lot of people have IPv6 networks that are less favorable for some traffic than
their IPv4 networks. Some are running their IPv6 through tunnels. As soon as
you enable IPv6 on your desktop, suddenly Firefox or Chromium will prefer IPv6
for any website with an AAAA record, which adds a ton of latency and reduces
bandwidth.

But theoretically, I could enable IPv6 for sshd (where I stand to benefit the
most) and leave it off for wget and browsers with this.

~~~
dfc
At home my HE tunnel is snappier than the plain ipv4 from rr. The weird thing
is it is not just a case of user perception (mine). One of the upstream s1 ntp
boxes I sync with has ipv4 and ipv6 and is relatively close. I set one of my
s1s to sync with both the ipv4 and ipv6 addresses of the machine and the ipv4
clock displayed a lower delay and less jitter while the offsets were
seasonably close.

~~~
dfc
argh, for posterity's sake the last line should read:

"the _ipv6 peer entry_ displayed a lower delay and less jitter while the
offsets were reasonably close."

------
lifeisstillgood
On this subject, sort of: if I want to dump the commercial routers and replace
them with either a Linux install on a commercial router or an x86 box that is not too
chunky / loud, where do I go for readmes, instructions and community?

I can find some old Linux-on-Linksys sites but not a lot recently.

~~~
marios
If you go with the commercial router route, check out OpenWRT / DD-WRT / Tomato.
There are several forks, so depending on what features you want, and what
hardware you have, you may opt for a different version. If you go with an
existing x86/amd64 box, just install your favorite distro and start reading up on
iptables configuration and management. While iptables is quite powerful in
terms of features, I find its syntax painful. There are several projects
aiming to simplify this by generating rules from another, simpler DSL, but it
adds complexity. This is why I prefer PF, but that requires you to install
OpenBSD instead of Linux. If you know your way around UNIX, and are ready to
read up on the FAQ and man pages, this shouldn't be a problem :).

------
nskelsey
This was interesting but got me thinking about a problem I encountered at
work. Is it possible to create two bridges out of one namespace so that two
separate programs can receive the same network traffic?

