Thursday, August 6, 2015

Differences between iptables and ip6tables processing of packets

I've reviewed a variety of netfilter, iptables, and ip6tables resources. I've searched Google, including the StackExchange websites, for information, and I can't find easy or clear links to information regarding differences between how iptables and ip6tables process packets.

Here are my standard iptables rules:

*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]

-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
-A OUTPUT -o eth0 -p tcp -m tcp --sport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -o eth0 -p tcp -m tcp --dport 22 -m state --state ESTABLISHED -j ACCEPT
COMMIT

Similar rules are also in place for both incoming and outgoing HTTP and DNS resolution, as well as basic ICMP (IPv4 types 0, 3, 8, 11, 12).

When I use ip6tables to put the same rules in place, my server responds to HTTP, SSH and ICMP connections with "host is down."

I can set the preliminary rules to:

-P INPUT ACCEPT
-P OUTPUT ACCEPT

This opens the server back up again, but it doesn't filter packets (arbitrary rules for all packets, less FORWARD).

I've tried appending:

-A INPUT -i eth0 -j DROP

But, again, this starts causing issues.

Double- and triple-checked with telnet, among other packet verification (server logs simply drop connections if DROP is used; same for REJECT).

Alternatively, I've also seen rule sets which are a simple ACCEPT (all) with dport and sport ranges excepting the required rules.

In a nutshell, I'm used to the typical iptables (IPv4) rules which DROP everything except the following rules.

Ideally, I'm looking for links or information which provide in-depth, detailed technical information about how iptables and ip6tables differ in processing (and dropping or accepting) packets.

It would seem ip6tables will DROP everything arbitrarily if these are the basic proto rules, but where packets are not accepted in the first set of rules, the latter rule I've tried, to DROP all interface INPUT, continues to cause issues (given that the initial set of rules is to ACCEPT, but they have nowhere to go).

FWIW: This is Debian Jessie (v8) on a dist-upgrade from Debian Wheezy (v7) on a DigitalOcean droplet. Everything else runs kosher except for the ip6tables rules (the server becomes unavailable to IPv6 resources).

Originally posted on StackOverflow, deleted, and copy/pasted here on ServerFault (suggested as more relevant).
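
As an added example (not part of the original post): the post's default-DROP rules ported to ip6tables-restore syntax, first as a verbatim copy and then with the ICMPv6 rules IPv6 depends on. Unlike IPv4, IPv6 has no ARP; address resolution is Neighbor Discovery over ICMPv6 types 133-136, and the ICMPv4 types the post allows (0, 3, 8, 11, 12) have no ICMPv6 meaning, so a ruleset that drops all ICMPv6 leaves the host unable to resolve its gateway, which is consistent with the "host is down" symptom. The interface name eth0 is taken from the post; the `check_icmpv6` lint is a constructed helper, not an iptables tool, and `-m state` assumes the kernel's IPv6 conntrack module is loaded.

```shell
# Added example, not code from the original post: constructed ip6tables-restore
# rulesets in the author's default-DROP style, plus a lint that flags a ruleset
# missing the ICMPv6 types an IPv6 host cannot operate without. Assumes eth0.

# Required on every IPv6 host (RFC 4443 / RFC 4861): 1-4 error reports (2 =
# Packet Too Big, needed for PMTUD: IPv6 routers never fragment), 133-136 NDP.
REQUIRED_ICMPV6_TYPES="1 2 3 4 133 134 135 136"

# Naive port: the post's IPv4 SSH rules copied verbatim. The ICMPv4 types it
# allows (0, 3, 8, 11, 12) have no meaning in ICMPv6, so nothing replaces them.
naive_ruleset() {
cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -o eth0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
COMMIT
EOF
}

# Corrected ruleset: same policy, with stateless ICMPv6 rules inserted before
# COMMIT. NDP must arrive with hop limit 255 (RFC 4861); -m hl enforces that.
fixed_ruleset() {
  naive_ruleset | sed '$d'
  for t in 1 2 3 4 128 129; do
    echo "-A INPUT -i eth0 -p ipv6-icmp --icmpv6-type $t -j ACCEPT"
    echo "-A OUTPUT -o eth0 -p ipv6-icmp --icmpv6-type $t -j ACCEPT"
  done
  for t in 133 134 135 136; do
    echo "-A INPUT -i eth0 -p ipv6-icmp --icmpv6-type $t -m hl --hl-eq 255 -j ACCEPT"
    echo "-A OUTPUT -o eth0 -p ipv6-icmp --icmpv6-type $t -m hl --hl-eq 255 -j ACCEPT"
  done
  echo COMMIT
}

# Lint: ruleset on stdin; returns 1 naming required types lacking an INPUT ACCEPT rule.
check_icmpv6() {
  rules=$(cat)
  missing=""
  for t in $REQUIRED_ICMPV6_TYPES; do
    printf '%s\n' "$rules" | grep -Eq -- "^-A INPUT .*--icmpv6-type $t .*-j ACCEPT$" || missing="$missing $t"
  done
  [ -z "$missing" ] || { echo "missing ICMPv6 INPUT rules for types:$missing" >&2; return 1; }
}
```

Run `fixed_ruleset > /etc/iptables/rules.v6` style output through `ip6tables-restore` as root to load it; `naive_ruleset | check_icmpv6` reports all eight missing types, `fixed_ruleset | check_icmpv6` passes.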
