On our Ubuntu server, ipv4 & ipv6 are enabled. We have taken these steps so far.
- Enabled iptables & ip6tables
- Copied the rules exactly from our iptables to ip6tables
Do we need to make additional adjustments to ip6tables?
Assuming our server is hardened for ipv4, do we need to make additional changes specific to ipv6?
Yes, there are several issues to be aware of.
You need to be aware of the RH0 security issue. While it’s no longer necessary to use explicit firewall rules to mitigate this, as Linux kernels since about 18.104.22.168 (in 2007!) always ignore this traffic, you may run into older systems where you need to apply the firewall rules.
If you have certain traffic limited to specific hosts or subnets, you will have to write corresponding IPv6 firewall rules corresponding to the IPv6 addresses of those hosts or subnets.
You should not block ICMP on IPv6; since it is much more heavily reliant on ICMP, connections are likely to fail in mysterious ways if you do any sort of ICMP blocking.
This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.