Do I also need to set up other iptables rules for IPv6 if I just used iptables?
Say I have a firewall set up on my Linux server with iptables so that I only accept port 22 and port 80 traffic and I block access to all other ports.
Do these rules only work if the client machine is using an IPv4 address? So if an IPv6 address is used, can the client access ports I don't want them to? (i.e. ports other than port 22 and port 80)
iptables works for IPv4, but not IPv6. ip6tables is the equivalent IPv6 firewall, and is installed with iptables.
Ultimately, though, iptables is for IPv4 connections, ip6tables is for IPv6 connections. If you want your iptables rules to also apply to IPv6, you have to add them to ip6tables as well.
If you try to replicate your iptables ruleset in ip6tables, not all the rules that iptables can do will port over neatly to ip6tables, but most of them will.
Refer to the manpage for ip6tables if you want to make sure the commands that you use in your iptables will neatly port over.
If you'd like, we can help you create equivalent ip6tables rulesets to match your iptables rules, if you provide your firewall rules list (removing any information that could identify the system, of course). Otherwise, we can only answer your general question.
As others already have told you, there are different firewall tables for IPv4 and IPv6.
You could set up rules for IPv6 like for IPv4, but there is a great risk you'll mess it up if you don't know IPv6. For example, you can't drop ICMP for IPv6, as there are essential handshake parts there, like telling the sender that the frames are too large, etc. Without those things, IPv6 could stop working for some users.
So I would strongly recommend the use of ufw or the package shorewall6 together with shorewall.
The iptables frontend ufw supports both IPv4 and IPv6 and works great on servers with one or two interfaces, and now also supports simple routing (working as a router or gateway).
It also supports applications and comments, so please use them to make it simpler to go back and look at what you have done.
But if you route traffic, you probably need something better, like shorewall, before manually adding some rules for forwarding with iptables and ip6tables.
Don't forget that you can have more than one IPv6 address on your interfaces. Some are only link local, some are globally static and dynamic. So you should set up rules accordingly and have the servers only listen on the right addresses.
And again, using iptables directly is like coding in assembler. It is fun, but if you don't know all relevant RFCs, you should not do that; use some front end.
In 2021 you can create a file with rules that is used for both IPv4 and IPv6, and use the prefixes -4 and -6 for rules that work differently with the two protocols:
## Custom rules
## Based on https://gist.github.com/jirutka/3742890
*filter
#
# Base policy
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
#
# Don't attempt to firewall internal traffic on the loopback device.
-A INPUT -i lo -j ACCEPT
-A INPUT -s localhost -j ACCEPT
#
# Continue connections that are already established or related to an established
# connection.
-4 -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-6 -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
#
# and so on ...
Optionally, you can store that as a file, such as /etc/iptables/rules.combined, and create symbolic links for rules.v4 and rules.v6:
cd /etc/iptables
sudo ln -s rules.combined rules.v4
sudo ln -s rules.combined rules.v6
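As an added example (not code from any of the answers above), the script below simulates how iptables-restore and ip6tables-restore each read one combined file with -4/-6 line prefixes (per the iptables manpage, a -4 line is silently ignored by ip6tables-restore and vice versa), and then checks the resulting IPv6 view for the ICMPv6 pitfall the earlier answer warns about. The rules file is a constructed sample and the function names (view_for, has_icmpv6_accept, check_v6) are my own.

```sh
#!/bin/sh
# Added example: simulate what iptables-restore (4) and ip6tables-restore (6)
# each load from one combined rules file using -4/-6 line prefixes, then check
# the IPv6 view for a classic mistake: DROP policy with no ICMPv6 accept rule.

# Constructed sample in the combined-file format; it deliberately lacks any
# ICMPv6 accept rule so that check_v6 has something to report.
RULES='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-4 -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-6 -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -p tcp --dport 80 -j ACCEPT
-4 -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
COMMIT'

# view_for 4|6: print the lines the matching *-restore tool actually keeps.
# A line prefixed with the other family's flag is silently ignored; the own
# family's prefix is stripped before the rule is parsed.
view_for() {
    printf '%s\n' "$RULES" | awk -v keep="-$1" '
        /^#/ || /^[ \t]*$/ { next }
        $1 == "-4" || $1 == "-6" {
            if ($1 != keep) next
            sub(/^-[46][ \t]+/, "")
        }
        { print }'
}

# has_icmpv6_accept: succeeds if the IPv6 view accepts ICMPv6 on INPUT.
has_icmpv6_accept() {
    view_for 6 | grep -Eq -- '^-A INPUT .*-p (ipv6-icmp|icmpv6|58) .*-j ACCEPT'
}

# check_v6: fail (and warn) when INPUT defaults to DROP and nothing lets
# ICMPv6 through, which breaks neighbour discovery and path MTU discovery.
check_v6() {
    if view_for 6 | grep -q '^:INPUT DROP' && ! has_icmpv6_accept; then
        echo "WARNING: IPv6 INPUT policy is DROP but no rule accepts ICMPv6" >&2
        return 1
    fi
}

echo "# as seen by iptables-restore";  view_for 4
echo "# as seen by ip6tables-restore"; view_for 6
check_v6 || true
```

Run it against your own rules.combined by replacing the RULES variable with `RULES=$(cat /etc/iptables/rules.combined)`; a clean IPv6 view will contain neither -4 nor -6 prefixes, and check_v6 should stay silent.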