CentOS 5.5, fully patched.
I have a HE tunnel (tunnelbroker.net) IPv6 tunnel. This works pretty well and is simple to set up. Everything works fine.
Until I try to set up an ip6tables firewall.
eg if I try to view https://dnssec.surfnet.nl/?p=464 then the page never displays and the firewall shows kernel: IN=sit1 OUT=eth0 SRC=2001:0610:0001:40cd:0145:0100:0186:0033 DST=my.machine LEN=80 TC=0 HOPLIMIT=56 FLOWLBL=0 PROTO=TCP SPT=443 DPT=40367 WINDOW=5712 RES=0x00 ACK SYN URGP=0
I also see some DNS issues kernel: IN=sit1 OUT=eth0 SRC=2001:0620:0000:0009:0000:0000:0000:1103 DST=my.machine LEN=542 TC=0 HOPLIMIT=54 FLOWLBL=0 FRAG:1232 ID:0086942f PROTO=UDP (the source address here is ns1.zurich.surf.net).
I'm wondering if this is due to fragmentation, but I'm only guessing. The dnssec page referred to above indicates there may be a fragment re-assembly issue causing ip6tables problems.
Now I'm a newbie to IPv6 so I might be making a mistake. This is my firewall script.
#!/bin/bash
IPT6="/sbin/ip6tables"
PUBIF="sit1"
LOCAL="eth0"

echo "Starting IPv6 firewall..."
$IPT6 -F
$IPT6 -X
$IPT6 -t mangle -F
$IPT6 -t mangle -X

# unlimited access to loopback
$IPT6 -A INPUT -i lo -j ACCEPT
$IPT6 -A OUTPUT -o lo -j ACCEPT

# Defaults
$IPT6 -P INPUT DROP
$IPT6 -P OUTPUT ACCEPT
$IPT6 -P FORWARD DROP

# append the same rule to both the INPUT and the FORWARD chain
both() {
    $IPT6 -A INPUT "$@"
    $IPT6 -A FORWARD "$@"
}

# Allow full outgoing connection but no incoming stuff
both -i $LOCAL -j ACCEPT
both -i $PUBIF -m state --state ESTABLISHED,RELATED -j ACCEPT

# allow incoming ICMP ping pong stuff
both -p ipv6-icmp -j ACCEPT

# IP6 DNS
both -i $PUBIF -p tcp --destination-port 53 -j ACCEPT
both -i $PUBIF -p udp --destination-port 53 -j ACCEPT
both -i $PUBIF -p tcp --source-port 53 -j ACCEPT
both -i $PUBIF -p udp --source-port 53 -j ACCEPT

# IP6 from known good machine that I want to access internal network
both -i $PUBIF -p tcp --source remote.machine -j ACCEPT
both -i $PUBIF -p udp --source remote.machine -j ACCEPT

# log and drop everything else
both -i $PUBIF -j LOG
both -i $PUBIF -j DROP
It might be that I need to compile a generic kernel; apparently > 2.6.20 fixes a number of ip6tables issues; CentOS 5 is based on 2.6.18.
Maybe CentOS 6 (*nudge nudge*) will work :-)
I'm not sure I want to leave my home network on IPv6 without a firewall; not sure I trust all the machines I have on local network to be safe from remote probes!
I wonder if anyone has any suggestions...
Thanks!
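An added example, not from the post or from anyone in this thread: a small Python parser for the two kernel LOG lines quoted above, which classifies each one as either a non-first fragment (FRAG offset > 0, so there is no transport header for the port or state rules to match) or a SYN/ACK reply to a connection this host opened that reached the LOG rule even though the ESTABLISHED,RELATED rule comes first. The sample lines are copied from the post; the ephemeral-port threshold is an assumption.

```python
# Sample lines copied from the post (its author anonymised DST as "my.machine").
SAMPLE_LOG = [
    "kernel: IN=sit1 OUT=eth0 SRC=2001:0610:0001:40cd:0145:0100:0186:0033 DST=my.machine "
    "LEN=80 TC=0 HOPLIMIT=56 FLOWLBL=0 PROTO=TCP SPT=443 DPT=40367 WINDOW=5712 RES=0x00 ACK SYN URGP=0",
    "kernel: IN=sit1 OUT=eth0 SRC=2001:0620:0000:0009:0000:0000:0000:1103 DST=my.machine "
    "LEN=542 TC=0 HOPLIMIT=54 FLOWLBL=0 FRAG:1232 ID:0086942f PROTO=UDP",
]

TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}
EPHEMERAL_MIN = 1024  # assumption: replies to our own connections come back to ports >= 1024


def parse_log_line(line):
    """Split one ip6tables LOG line into a dict. KEY=VALUE pairs are kept as-is;
    FRAG:offset and ID:id use ':'; bare TCP flag words are collected under 'flags'."""
    fields = {"flags": set()}
    for tok in line.split():
        if "=" in tok:
            key, val = tok.split("=", 1)
            fields[key] = val
        elif tok.startswith(("FRAG:", "ID:")):
            key, val = tok.split(":", 1)
            fields[key] = val
        elif tok in TCP_FLAGS:
            fields["flags"].add(tok)
    return fields


def classify(fields):
    """Say why this packet fell through to the log-and-drop rules."""
    if "FRAG" in fields and int(fields["FRAG"]) > 0:
        # Non-first fragment: it carries no transport header, so neither the port
        # rules nor '-m state' can match it unless the kernel reassembles it first.
        return "non-first-fragment"
    if (fields.get("PROTO") == "TCP" and {"SYN", "ACK"} <= fields["flags"]
            and int(fields.get("DPT", "0")) >= EPHEMERAL_MIN):
        # SYN/ACK back to an ephemeral port is the reply to a connection this host
        # opened; it should have matched ESTABLISHED,RELATED before reaching LOG.
        return "untracked-reply"
    return "other"


def summarize(lines):
    """Count log lines per class, e.g. to see whether the drops are mostly fragments."""
    counts = {}
    for line in lines:
        kind = classify(parse_log_line(line))
        counts[kind] = counts.get(kind, 0) + 1
    return counts
```

Feed it `grep 'IN=sit1' /var/log/messages` and a large share of "non-first-fragment" hits supports the reassembly theory, while "untracked-reply" hits point at connection tracking not matching the return traffic.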
-------- Original Message -------- Subject: [CentOS] IPv6, HE tunnel and ip6tables problems From: Stephen Harris lists@spuddy.org To: CentOS mailing list centos@centos.org Date: Tuesday, January 11, 2011 1:09:25 PM
CentOS 5.5, fully patched.
I have a HE tunnel (tunnelbroker.net) IPv6 tunnel. This works pretty well and is simple to set up. Everything works fine.
Until I try to set up an ip6tables firewall.
...
It might be that I need to compile a generic kernel; apparently > 2.6.20 fixes a number of ip6tables issues; CentOS 5 is based on 2.6.18.
Maybe CentOS 6 (*nudge nudge*) will work :-)
I'm not sure I want to leave my home network on IPv6 without a firewall; not sure I trust all the machines I have on local network to be safe from remote probes!
I wonder if anyone has any suggestions...
Thanks!
I have been waiting for RHEL6/CentOS6 because, as I understand it, CentOS5 does not have a stateful IP6 firewall - e.g. incoming traffic would have to have a default ACCEPT policy or only specific applications allowed (based on source port) on a case by case basis. Perhaps this is the issue you are running into. However, I would think you'd receive an error attempting to set "--state ESTABLISHED,RELATED" within iptables if this were the case.
I would be delighted if someone could share their experiences with ip6 and CentOS5, especially from a security or service provider standpoint.
--Blake
On Tue, Jan 11, 2011 at 02:12:15PM -0600, Blake Hudson wrote:
From: Stephen Harris lists@spuddy.org
I have a HE tunnel (tunnelbroker.net) IPv6 tunnel. This works pretty well and is simple to set up. Everything works fine.
Until I try to set up an ip6tables firewall.
I have been waiting for RHEL6/CentOS6 because, as I understand it, CentOS5 does not have a stateful IP6 firewall - e.g. incoming traffic would have to have a default ACCEPT policy or only specific applications allowed (based on source port) on a case by case basis. Perhaps this is the issue you are running into. However, I would think you'd receive an error attempting to set "--state ESTABLISHED,RELATED" within iptables if this were the case.
I think that got fixed in earlier versions.
# ip6tables -L | grep state
ACCEPT     all      anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     all      anywhere             anywhere            state RELATED,ESTABLISHED

So it's clear the options are now available.
And for a lot of things it works OK. That's why I think the problem may be fragmentation related, and the fragments aren't being properly reassembled for the ip6tables to pass them through.
On Tue, Jan 11, 2011 at 3:12 PM, Blake Hudson blake@ispn.net wrote:
I have been waiting for RHEL6/CentOS6 because, as I understand it, CentOS5 does not have a stateful IP6 firewall - e.g. incoming traffic would have to have a default ACCEPT policy or only specific applications allowed (based on source port) on a case by case basis. Perhaps this is the issue you are running into. However, I would think you'd receive an error attempting to set "--state ESTABLISHED,RELATED" within iptables if this were the case.
I would be delighted if someone could share their experiences with ip6 and CentOS5, especially from a security or service provider standpoint.
I ended up using Vyatta as my firewall since it fully supports IPv6. I played around with ip6tables in CentOS 5.5 and noticed that it seemed to be missing some of the stateful features like the recent module. Vyatta works flawlessly with IPv6 and the config syntax is easier than straight iptables. I'm assuming CentOS 6 will work great once it comes out.
Ryan
On 11/01/11 21:12, Blake Hudson wrote:
-------- Original Message -------- Subject: [CentOS] IPv6, HE tunnel and ip6tables problems From: Stephen Harris lists@spuddy.org To: CentOS mailing list centos@centos.org Date: Tuesday, January 11, 2011 1:09:25 PM
CentOS 5.5, fully patched.
I have a HE tunnel (tunnelbroker.net) IPv6 tunnel. This works pretty well and is simple to set up. Everything works fine.
Until I try to set up an ip6tables firewall.
...
It might be that I need to compile a generic kernel; apparently > 2.6.20 fixes a number of ip6tables issues; CentOS 5 is based on 2.6.18.
Maybe CentOS 6 (*nudge nudge*) will work :-)
I'm not sure I want to leave my home network on IPv6 without a firewall; not sure I trust all the machines I have on local network to be safe from remote probes!
I wonder if anyone has any suggestions...
Thanks!
I have been waiting for RHEL6/CentOS6 because, as I understand it, CentOS5 does not have a stateful IP6 firewall - e.g. incoming traffic would have to have a default ACCEPT policy or only specific applications allowed (based on source port) on a case by case basis. Perhaps this is the issue you are running into. However, I would think you'd receive an error attempting to set "--state ESTABLISHED,RELATED" within iptables if this were the case.
That matches what I've heard and experienced as well. I heard something that backporting the changes from the 2.6.20-something kernel, where stateful IPv6 filtering arrived, down to 2.6.18 was too big or too risky for stability. I don't know the details, just something I caught on IRC or so.
I would be delighted if someone could share their experiences with ip6 and CentOS5, especially from a security or service provider standpoint.
My experience is that IPv6 in CentOS5 works very well, but is not optimal due to lack of stateful firewalling. However, I'm certain that is solved in CentOS6/RHEL6.
kind regards,
David Sommerseth
On Thu, Jan 13, 2011 at 7:58 AM, David Sommerseth dazo@users.sourceforge.net wrote:
My experience is that IPv6 in CentOS5 works very well, but is not optimal due to lack of stateful firewalling. However, I'm certain that is solved in CentOS6/RHEL6.
I will second that I have had no problems using applications with IPv6 on CentOS 5.5. I currently have apache and samba3x bound to IPv6. I am also using named and dhcpv6. My only gripe is that dhcpv6 is not the current ISC daemon and doesn't support dynamic dns updates. For now I am using stateless auto configuration. In the future I want to hand out addresses from a pool so dns and reverse dns work.
Ryan
On Thu, Jan 13, 2011 at 08:24:33AM -0500, Ryan Wagoner wrote:
I will second that I have had no problems using applications with IPv6 on CentOS 5.5. I currently have apache and samba3x bound to IPv6. I am also using named and dhcpv6. My only gripe is that dhcpv6 is not the current ISC daemon and doesn't support dynamic dns updates. For now I am using stateless auto configuration. In the future I want to hand out addresses from a pool so dns and reverse dns work.
From what I've been able to tell, dhcp6 isn't well supported by all operating systems; MacOS 10.5, for example, doesn't appear to natively support dhcp6 and won't pick up an ipv6 address. Which is annoying!
On Thu, Jan 13, 2011 at 01:58:41PM +0100, David Sommerseth wrote:
My experience is that IPv6 in CentOS5 works very well, but is not optimal due to lack of stateful firewalling. However, I'm certain that is solved in CentOS6/RHEL6.
As it so happens, I managed to test out a RedHat 6 build this week; this seems to work properly and the website that was failing with a C5.5 firewall works with a RH6 machine.
So I await CentOS 6 eagerly ;-)