[Firewall] IPv6 not blocking INET->DMZ or INET->LAN

Lonnie Abelbeck lists at lonnie.abelbeck.com
Tue Mar 11 04:53:02 CET 2014


Jason,

Try "ip6tables -nvL FORWARD", that will give you more useful data.  The default policy is DROP.

Personally, using OpenVPN, I add tun0 (or tun+) to INT_IF (and append the IPv4 OpenVPN net to INTERNAL_NET and NAT_INTERNAL_NET).

I then use IF_TRUSTS to 'trust' the OpenVPN net with any other LAN INT_IF interfaces.

Lonnie


On Mar 10, 2014, at 10:27 PM, Jason Stahls wrote:

> I've tried putting tun+ in LAN_IF as well as DMZ_IF, along with all the subnets in their associated _NET.  I do have IPV6_SUPPORT=1 and 2.0.1d.  I'm honestly no good at iptables rules, but an ip6tables -L -n to me looks like it's opened up the forward chain:
> 
> Chain FORWARD (policy DROP)
> target     prot opt source               destination
> BASE_FORWARD_CHAIN  all      ::/0                 ::/0
> TCPMSS     tcp      ::/0                 ::/0                tcp flags:0x06/0x02 TCPMSS clamp to PMTU
> FORWARD_CHAIN  all      ::/0                 ::/0
> HOST_BLOCK_SRC  all      ::/0                 ::/0
> HOST_BLOCK_DST  all      ::/0                 ::/0
> LINK_LOCAL_DROP  all      fe80::/10            ::/0
> LINK_LOCAL_DROP  all      ::/0                 fe80::/10
> ACCEPT     all      ::/0                 ::/0
> ACCEPT     all      ::/0                 ::/0
> EXT_FORWARD_IN_CHAIN  all      ::/0                 ::/0
> EXT_FORWARD_OUT_CHAIN  all      ::/0                 ::/0
> INT_FORWARD_IN_CHAIN  all      ::/0                 ::/0
> INT_FORWARD_OUT_CHAIN  all      ::/0                 ::/0
> INT_FORWARD_IN_CHAIN  all      ::/0                 ::/0
> INT_FORWARD_OUT_CHAIN  all      ::/0                 ::/0
> SPOOF_CHK  all      ::/0                 ::/0
> ACCEPT     all      ::/0                 ::/0
> LAN_INET_FORWARD_CHAIN  all      ::/0                 ::/0
> ACCEPT     all      ::/0                 ::/0
> LAN_INET_FORWARD_CHAIN  all      ::/0                 ::/0
> POST_FORWARD_CHAIN  all      ::/0                 ::/0
> LOG        all      ::/0                 ::/0 limit: avg 1/min burst 3 LOG flags 0 level 6 prefix `AIF:Dropped FORWARD packet: '
> DROP       all      ::/0                 ::/0
> 
> Thanks,
> 
> Jason
> 
> On 3/10/2014 11:21 PM, Lonnie Abelbeck wrote:
>> Hi Jason,
>> 
>> By default all IPv6 should not be forwarded.
>> 
>> How are you allowing OpenVPN traffic via, say, "tun0"?
>> 
>> I assume you have set IPV6_SUPPORT=1
>> 
>> Are you running AIF v2.0.1 of some release?
>> 
>> Lonnie
>> 
>> 
>> On Mar 10, 2014, at 10:02 PM, Jason Stahls wrote:
>> 
>>> I've got a server with native v6 and a /48; it's running an OpenVPN server for various sites.  I've given each site a /64 and have IPv6 over the OpenVPN tunnels working great, but over v6 my hosts are completely open.  I've tried putting them in the LAN without NAT, and in the DMZ; in both cases the remote subnets are completely open to the Internet.  Is there a default accept policy I'm missing? :)
>>> 
>>> Thanks,
>>> 
>>> Jason Stahls
> 
> _______________________________________________
> Firewall mailing list
> Firewall at rocky.eld.leidenuniv.nl
> http://rocky.eld.leidenuniv.nl/mailman/listinfo/firewall
> Arno's (Linux IPTABLES Firewall) Homepage:
> http://rocky.eld.leidenuniv.nl
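An added example for this thread (not code from Arno's Iptables Firewall or from either poster): a small Python audit of a FORWARD chain listing that makes Lonnie's point concrete. In `ip6tables -L -n` output the in/out interface columns are absent, so an `ACCEPT all ::/0 ::/0` line may be scoped to an interface or genuinely open; only `ip6tables -nvL` shows which. The first embedded listing is modelled on the one Jason quotes; the second is a constructed guess at what a `-nvL` listing of such a chain could look like, and the interface names eth0/eth1 are assumptions, not taken from the thread.

```python
"""Audit an ip6tables FORWARD chain listing for ACCEPT rules that nothing narrows.

Added example, not code from Arno's Iptables Firewall (AIF) or the posters.
Non-verbose listings (-L -n) hide the in/out interfaces, so an ACCEPT on
::/0 -> ::/0 is reported as "unknown" until the chain is re-listed with -nvL.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class Rule:
    target: str
    proto: str
    in_if: Optional[str]   # None when the listing was not verbose
    out_if: Optional[str]
    src: str
    dst: str
    extra: str = ""        # trailing match text (limit:, tcp flags:, ...)


@dataclass
class Chain:
    name: str
    policy: str
    verbose: bool
    rules: List[Rule] = field(default_factory=list)


def parse_chain(text: str) -> Chain:
    """Parse one chain from `ip6tables -L -n` or `ip6tables -nvL` output."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    m = re.match(r"Chain (\S+) \(policy (\w+)", lines[0])
    if not m:
        raise ValueError("expected a 'Chain NAME (policy ...)' header")
    verbose = lines[1].split()[0] == "pkts"
    chain = Chain(m.group(1), m.group(2), verbose)
    for line in lines[2:]:
        tok = line.split()
        if verbose:
            tok = tok[2:]                  # drop the pkts and bytes counters
        target, proto, rest = tok[0], tok[1], tok[2:]
        if rest and rest[0] == "--":       # iptables prints "--" in the opt column;
            rest = rest[1:]                # ip6tables leaves it blank
        in_if = out_if = None
        if verbose:
            in_if, out_if, rest = rest[0], rest[1], rest[2:]
        chain.rules.append(Rule(target, proto, in_if, out_if,
                                rest[0], rest[1], " ".join(rest[2:])))
    return chain


def audit_accepts(text: str) -> List[Tuple[int, str]]:
    """(1-based rule number, verdict) for each ACCEPT that matches any protocol,
    any source and any destination with no extra match.
    "open": verbose and in/out both '*'; "scoped": verbose, interface-limited;
    "unknown": non-verbose listing, interfaces hidden (rerun with -nvL)."""
    chain = parse_chain(text)
    found = []
    for n, r in enumerate(chain.rules, 1):
        if r.target != "ACCEPT" or r.proto != "all" or r.extra:
            continue
        if r.src != "::/0" or r.dst != "::/0":
            continue
        if not chain.verbose:
            found.append((n, "unknown"))
        elif r.in_if == "*" and r.out_if == "*":
            found.append((n, "open"))
        else:
            found.append((n, "scoped"))
    return found


# Constructed sample, modelled on the -L -n listing quoted in the thread.
NONVERBOSE_LISTING = """Chain FORWARD (policy DROP)
target     prot opt source               destination
BASE_FORWARD_CHAIN  all      ::/0                 ::/0
TCPMSS     tcp      ::/0                 ::/0                tcp flags:0x06/0x02 TCPMSS clamp to PMTU
ACCEPT     all      ::/0                 ::/0
ACCEPT     all      ::/0                 ::/0
LOG        all      ::/0                 ::/0 limit: avg 1/min burst 3 LOG flags 0 level 6 prefix `AIF:Dropped FORWARD packet: '
DROP       all      ::/0                 ::/0
"""

# Constructed (hypothetical) -nvL listing; eth0/eth1 are assumed names.
VERBOSE_LISTING = """Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 BASE_FORWARD_CHAIN  all      *      *       ::/0                 ::/0
    0     0 TCPMSS     tcp      *      *       ::/0                 ::/0  tcp flags:0x06/0x02 TCPMSS clamp to PMTU
   12  1344 ACCEPT     all      eth1   eth0    ::/0                 ::/0
    3   288 ACCEPT     all      *      *       ::/0                 ::/0
    0     0 LOG        all      *      *       ::/0                 ::/0  limit: avg 1/min burst 3 LOG flags 0 level 6 prefix `AIF:Dropped FORWARD packet: '
    0     0 DROP       all      *      *       ::/0                 ::/0
"""

if __name__ == "__main__":
    for label, listing in (("-L -n", NONVERBOSE_LISTING), ("-nvL", VERBOSE_LISTING)):
        print(label, "policy", parse_chain(listing).policy, audit_accepts(listing))
```

Run against a real box with `ip6tables -nvL FORWARD | python3 audit.py` style plumbing of your own; the point is that the non-verbose listing yields only "unknown" verdicts, whereas the verbose one separates the interface-scoped ACCEPT from the one that really forwards anything to anywhere.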