Modified Files:

Linux+IPv6-HOWTO.lyx : 0.26.2: some extensions (ND, firewalling)
pbldp 2002-07-15 18:23:14 +00:00
parent 13c1150643
commit a94313a420
1 changed files with 233 additions and 44 deletions

@ -51,7 +51,7 @@ on>
<revhistory>
\layout SGML
<revision> <revnumber>Release 0.26.1</revnumber> <date>2002-07-13</date> <authorin
<revision> <revnumber>Release 0.26.2</revnumber> <date>2002-07-15</date> <authorin
itials>PB</authorinitials> <revremark>See
\begin_inset LatexCommand \ref[revision history]{revision-history}
@ -3685,6 +3685,147 @@ Note: take care about default routing without address filtering on edge
\layout Chapter
\begin_inset LatexCommand \label{chapter-Neighbor-Discovery}
\end_inset
Neighbor Discovery
\layout Standard
Neighbor discovery was the IPv6 successor for the ARP (Address Resolution
Protocol) in IPv4.
You can retrieve information about the current neighbors, in addition you
can set and delete entries.
\layout Standard
Neighbor detection
\layout Standard
The kernel keeps tracking of successful neighbor detection (like ARP in
IPv4).
You can dig into the learnt table using
\begin_inset Quotes sld
\end_inset
ip
\begin_inset Quotes srd
\end_inset
.
\layout Section
Displaying neighbors using
\begin_inset Quotes sld
\end_inset
ip
\begin_inset Quotes srd
\end_inset
\layout Standard
With following command you can display the learnt or configured IPv6 neighbors
\layout Code
# ip -6 neigh show [dev <device>]
\layout Standard
The following example shows one neighbor, which is a reachable router
\layout Code
# ip -6 neigh show
\layout Code
fe80::201:23ff:fe45:6789 dev eth0 lladdr 00:01:23:45:67:89 router nud reachable
\layout Section
Manipulating neighbors table using
\begin_inset Quotes sld
\end_inset
ip
\begin_inset Quotes srd
\end_inset
\layout Subsection
Manually add an entry
\layout Standard
With following command you are able to manually add an entry
\layout Code
# ip -6 neigh add <IPv6 address> lladdr <link-layer address> dev <device>
\layout Standard
Example:
\layout Code
# ip -6 neigh add fec0::1 lladdr 02:01:02:03:04:05 dev eth0
\layout Subsection
Manually delete an entry
\layout Standard
Like adding also an entry can be deleted:
\layout Code
# ip -6 neigh del <IPv6 address> lladdr <link-layer address> dev <device>
\layout Standard
Example:
\layout Code
# ip -6 neigh del fec0::1 lladdr 02:01:02:03:04:05 dev eth0
\layout Subsection
More advanced settings
\layout Standard
The tool
\begin_inset Quotes sld
\end_inset
ip
\begin_inset Quotes srd
\end_inset
is less documentated, but very strong.
See online
\begin_inset Quotes sld
\end_inset
help
\begin_inset Quotes srd
\end_inset
for more:
\layout Code
# ip -6 neigh help
\layout Code
Usage: ip neigh { add | del | change | replace } { ADDR [ lladdr LLADDR
]
\layout Code
[ nud { permanent | noarp | stale | reachable } ]
\layout Code
| proxy ADDR } [ dev DEV ]
\layout Code
ip neigh {show|flush} [ to PREFIX ] [ dev DEV ] [ nud STATE ]
\layout Standard
Looks like some options are only for IPv4...if you can contribute information
about flags and advanced usage, pls.
send.
\layout Chapter
\begin_inset LatexCommand \label{chapter-configuring-ipv6-in-ipv4-tunnels}
\end_inset
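Review bot: the "Manually add an entry" example (`ip -6 neigh add fec0::1 lladdr 02:01:02:03:04:05 dev eth0`) never says which NUD state a manually added entry ends up in, even though the `ip -6 neigh help` output quoted a few lines later lists `nud { permanent | noarp | stale | reachable }`; a reader who adds an entry to pin a router's link-layer address against neighbor spoofing needs to be told to use `nud permanent` (or that this is what a plain `add` gives) and to verify the result with `ip -6 neigh show dev eth0`, as the "Displaying neighbors" section shows. Smaller points in the same hunk: "was the IPv6 successor for the ARP" should be "is the IPv6 successor to ARP", "keeps tracking of" should be "keeps track of", "documentated" should be "documented", and the closing remark "Looks like some options are only for IPv4" sits oddly under a usage text that `ip -6 neigh help` itself prints as `Usage: ip neigh ...`, i.e. the family-independent help; naming the option that was actually tried and failed for IPv6 would make the request for contributions concrete.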
@ -5163,6 +5304,8 @@ icmp_*
\layout Standard
This control settings are not used by IPv6.
To enable ICMPv6 rate limting (which is very recommended because of the
capability of ICMPv6 storms) netfilter-v6 rules must be used.
\layout Subsection
others
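Review bot: "This control settings are not used by IPv6" should be "These control settings are not used by IPv6", and "rate limting" should be "rate limiting". Because the sentence sends the reader to netfilter6 rules for ICMPv6 rate limiting, it should cross-reference the "Rate-limiting" subsubsection this commit adds to the firewalling chapter (the `--match limit --limit 30/minute` example) instead of leaving the reader to search for it.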
@ -6243,7 +6386,7 @@ For the moment, see
\end_inset
Firewalling and security issues
Firewalling
\layout Standard
IPv6 firewalling is important, especially if using IPv6 on internal networks
@ -6263,9 +6406,6 @@ IPv6 firewalling is important, especially if using IPv6 on internal networks
can reach all internal IPv6 enabled nodes.
\layout Section
Firewalling
\layout Subsection
\begin_inset LatexCommand \label{firewalling-netfilter6}
@ -6289,7 +6429,7 @@ Audit your ruleset after installation, see
\end_inset
for more.
\layout Subsubsection
\layout Subsection
More information
\layout Itemize
@ -6324,10 +6464,10 @@ More information
\end_inset
\layout Subsection
\layout Section
Preparation
\layout Subsubsection
\layout Subsection
Get sources
\layout Standard
@ -6362,7 +6502,7 @@ Source RPM for rebuild of binary (for RedHat systems):
\end_inset
\layout Subsubsection
\layout Subsection
Extract sources
\layout Standard
@ -6386,7 +6526,7 @@ Unpack iptables sources
\layout Code
# tar z|jxf iptables-version.tar.gz|bz2
\layout Subsubsection
\layout Subsection
Apply latest iptables/IPv6-related patches to kernel source
\layout Standard
@ -6441,7 +6581,7 @@ Check IPv6 extensions
\layout Code
Extensions found: IPv6:owner IPv6:limit IPv6:mac IPv6:multiport
\layout Subsubsection
\layout Subsection
Configure, build and install new kernel
\layout Standard
@ -6528,7 +6668,7 @@ Configure other related to your system, too
Compilation and installing: see the kernel section here and other HOWTOs
\layout Subsubsection
\layout Subsection
Rebuild and install binaries of iptables
\layout Standard
@ -6584,10 +6724,10 @@ Perhaps it's necessary to create a softlink for iptables libraries where
\layout Code
# ln -s /lib/iptables/ /usr/lib/iptables
\layout Subsection
\layout Section
Usage
\layout Subsubsection
\layout Subsection
Check for support
\layout Standard
@ -6605,10 +6745,10 @@ Check for capability
\layout Code
¬ 'ip6tables' firewalling (IPv6)!"
\layout Subsubsection
\layout Subsection
Learn how to use ip6tables
\layout Standard
\layout Subsubsection
List all IPv6 netfilter entries
\layout Itemize
@ -6623,13 +6763,13 @@ Extended
\layout Code
# ip6tables -n -v --line-numbers -L
\layout Standard
\layout Subsubsection
List specified filter
\layout Code
# ip6tables -n -v --line-numbers -L INPUT
\layout Standard
\layout Subsubsection
Insert a log rule at the input filter with options
\layout Code
@ -6638,22 +6778,25 @@ Insert a log rule at the input filter with options
\layout Code
¬ --log-level 7
\layout Standard
\layout Subsubsection
Insert a drop rule at the input filter
\layout Code
# ip6tables --table filter --append INPUT -j DROP
\layout Standard
\layout Subsubsection
Delete a rule by number
\layout Code
# ip6tables --table filter --delete INPUT 1
\layout Subsubsection
Allow ICMPv6
\layout Standard
Allow ICMPv6, at the moment, with unpatched kernel 2.4.5 and iptables-1.2.2
no type can be specified
Using older kernels (unpatched kernel 2.4.5 and iptables-1.2.2) no type can
be specified
\layout Itemize
Accept incoming ICMPv6 through tunnels
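Review bot: the subsubsection titled "Insert a drop rule at the input filter" uses `--append`, not `--insert`, so the DROP lands at the end of the INPUT chain; either retitle it "Append a drop rule" or say explicitly that a catch-all DROP belongs last and that every ACCEPT rule in the following subsubsections has to be placed above it, otherwise those rules are never reached. The reworded "Allow ICMPv6" paragraph should read "With older kernels (unpatched kernel 2.4.5 and iptables-1.2.2) no ICMPv6 type can be specified." with a full stop.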
@ -6668,14 +6811,38 @@ Allow outgoing ICMPv6 through tunnels
# ip6tables -A OUTPUT -o sit+ -p icmpv6 -j ACCEPT
\layout Standard
Allow incoming SSH, here an example is shown for a ruleset which allows
incoming SSH connection from a specified IPv6 address
\layout Itemize
Allow incoming SSH from 3ffe:400:100::1/128
Newer kernels allow specifying of ICMPv6 types:
\layout Code
# ip6tables -A INPUT -i sit+ -p tcp -s 3ffe:400:100::1/128 --sport 512:65535
# ip6tables -A INPUT -p icmpv6 --icmpv6-type echo-request -j ACCEPT
\layout Subsubsection
Rate-limiting
\layout Standard
Because it can happen (author already saw it to times) that an ICMPv6 storm
will raise up, you should use available rate limiting for at least ICMPv6
ruleset.
In addition logging rules should also get rate limiting to prevent DoS
attacks against syslog and storage of log file partition.
An example for a rate limited ICMPv6 looks like:
\layout Code
# ip6tables -A INPUT --protocol icmpv6 --icmpv6-type echo-request -j ACCEPT
--match limit --limit 30/minute
\layout Subsubsection
Allow incoming SSH
\layout Standard
Here an example is shown for a ruleset which allows incoming SSH connection
from a specified IPv6 address
\layout Itemize
Allow incoming SSH from 3ffe:ffff:100::1/128
\layout Code
# ip6tables -A INPUT -i sit+ -p tcp -s 3ffe:ffff:100::1/128 --sport 512:65535
\layout Code
¬ --dport 22 -j ACCEPT
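Review bot: in the "Rate-limiting" example, `-j ACCEPT --match limit --limit 30/minute` accepts echo-requests only up to the configured rate and lets everything above it fall through to the rules that follow; the paragraph should say so, since the rule only limits anything if a later rule or the chain policy drops what falls through. The same paragraph recommends rate limiting logging rules, yet the log rule added earlier in this commit ("Insert a log rule at the input filter with options", `--log-level 7`) carries no `--match limit`; adding it there would give the worked example the text promises. Wording: "author already saw it to times" should be "the author has already seen it twice", and "for at least ICMPv6 ruleset" should be "for at least the ICMPv6 rules".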
@ -6685,15 +6852,21 @@ Allow response packets (at the moment IPv6 connection tracking isn't in
mainstream netfilter6 implemented)
\layout Code
# ip6tables -A OUTPUT -o sit+ -p tcp -d 3ffe:400:100::1/128 --dport 512:65535
# ip6tables -A OUTPUT -o sit+ -p tcp -d 3ffe:ffff:100::1/128 --dport 512:65535
\layout Code
¬ --sport 22 ! --syn j ACCEPT
\layout Subsubsection
Enable tunneled IPv6-in-IPv4
\layout Standard
Enable tunneled IPv6-in-IPv4, to accept tunneled IPv6-in-IPv4 packets, you
have to insert rules in your IPv4 firewall setup relating to such packets,
for example
Tto accept tunneled IPv6-in-IPv4 packets, you have to insert rules in your
\series bold
IPv4 firewall setup
\series default
relating to such packets, for example
\layout Itemize
Accept incoming IPv6-in-IPv4 on interface ppp0
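Review bot: the context line `¬ --sport 22 ! --syn j ACCEPT` is missing the dash on the jump option and will be rejected by ip6tables as written; it should read `! --syn -j ACCEPT`. The hunk also introduces the typo "Tto accept tunneled IPv6-in-IPv4 packets" for "To accept ...". Since the response rule relies on `! --syn` instead of connection state (the text itself says IPv6 connection tracking is not yet in mainstream netfilter6), it is worth stating that this admits any non-SYN segment from port 22 of that host to any local port in 512:65535, which is the inherent limitation of stateless filtering and the reason the later "Protection against incoming TCP connection requests" rules are needed.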
@ -6723,11 +6896,17 @@ Allow outgoing IPv6-in-IPv4 to interface ppp0 to tunnel endpoint 1.2.3.4
\layout Code
# iptables -A OUTPUT -o ppp0 -p ipv6 -d 1.2.3.4 -j ACCEPT
\layout Subsubsection
Protection against incoming TCP connection requests
\layout Standard
Protect against incoming TCP connection requests (VERY RECOMMENDED!), for
security issues you should really insert a rule which blocks incoming TCP
connection requests.
\series bold
VERY RECOMMENDED!
\series default
For security issues you should really insert a rule which blocks incoming
TCP connection requests.
Adapt "-i" option, if other interface names are in use!
\layout Itemize
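Review bot: with the bold "VERY RECOMMENDED!" moved onto its own line, the sentence that follows should read "For security reasons you should really insert a rule which blocks incoming TCP connection requests", not "For security issues"; and it should say what "connection request" means here (a TCP segment with only SYN set, the `--syn` match whose negation `! --syn` the SSH response rule above uses), now that the explanation and the rules are split across paragraphs. The hint "Adapt "-i" option, if other interface names are in use!" is good; the same place should also state that these blocking rules must come after the SSH ACCEPT rule of the previous subsubsection, otherwise the permitted SSH SYNs are dropped too, which the following hunk only hints at with "Perhaps the rules have to be placed below others".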
@ -6747,11 +6926,17 @@ Perhaps the rules have to be placed below others, but that is work you have
to think about it.
Best way is to create a script and execute rules in a specified way.
\layout Subsubsection
Protection against incoming UDP connection requests
\layout Standard
Protect against incoming UDP connection requests (ALSO RECOMMENDED!), like
mentioned on my firewall information it's possible to control the ports
on outgoing UDP/TCP sessions.
\series bold
ALSO RECOMMENDED!
\series default
Like mentioned on my firewall information it's possible to control the
ports on outgoing UDP/TCP sessions.
So if all of your local IPv6 systems are use local ports e.g.
from 32768 to 60999 you are able to filter UDP connections also (until
connection tracking works) like:
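Review bot: "So if all of your local IPv6 systems are use local ports" should be "use local ports"; "Like mentioned on my firewall information" refers to nothing in this document and should name the section or be dropped; and the heading "Protection against incoming UDP connection requests" is a misnomer because UDP has no connection requests, "unsolicited incoming UDP packets" describes what `-p udp ! --dport 32768:60999 -j DROP` actually drops. The text should also spell out the limitation it only alludes to with "until connection tracking works": the port-range heuristic accepts any UDP datagram addressed to 32768:60999 from anywhere, so it cannot tell a genuine response from unsolicited traffic aimed at a local service that happens to listen in that range.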
@ -6769,7 +6954,7 @@ Block incoming UDP packets which cannot be responses of forwarded requests
\layout Code
ip6tables -I FORWARD -i sit+ -p udp ! --dport 32768:60999 -j DROP
\layout Subsubsection
\layout Subsection
Demonstration example
\layout Standard
@ -6998,13 +7183,13 @@ Chain extOUT (1 references)
0 0 ACCEPT tcp * * ::/0
\layout Code
¬ 3ffe:400:100::1/128tcp spt:22 dpts:512:65535 flags:!0x16/0x02
¬ 3ffe:ffff:100::1/128tcp spt:22 dpts:512:65535 flags:!0x16/0x02
\layout Code
0 0 ACCEPT tcp * * ::/0
\layout Code
¬ 3ffe:400:100::2/128tcp spt:22 dpts:512:65535 flags:!0x16/0x02
¬ 3ffe:ffff:100::2/128tcp spt:22 dpts:512:65535 flags:!0x16/0x02
\layout Code
0 0 ACCEPT icmpv6 * * ::/0 ::/0
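Review bot: the demonstration listing is renumbered from 3ffe:400:100:: to 3ffe:ffff:100:: at these two lines, matching the change to the SSH rules in the "Allow incoming SSH" and response-rule hunks; the diff shows only listing output, so please confirm that the script which produced this output, and any other `3ffe:400:` occurrence outside these hunks, was renumbered as well, otherwise the listing no longer matches what the script prints. Minor: `3ffe:ffff:100::1/128tcp` lacks the space between the address and the protocol column that the other listing lines have (compare `::/0 ::/0` on the icmpv6 line).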
@ -7142,10 +7327,10 @@ Chain intOUT (1 references)
0 0 DROP all * * ::/0 ::/0
\layout Section
\layout Chapter
Security
\layout Subsection
\layout Section
Node security
\layout Standard
@ -7155,7 +7340,7 @@ It's very recommend to apply all available patches and disable all not necessary
\layout Standard
More to be filled...
\layout Subsection
\layout Section
Access limitations
\layout Standard
@ -10375,6 +10560,10 @@ Versions x.y.z are work-in-progress and only published as LyX file on CVS.
Releases 0.x
\layout Description
0.26.2 2002-07-15/PB: Add information neighbor discovery, split of firewalling
(got some updates) and security into extra chapters
\layout Description
0.26.1 2002-07-13/PB: Update nmap/IPv6 information
\layout Description
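Review bot: "Add information neighbor discovery" should be "Add information about neighbor discovery", and "split of firewalling (got some updates) and security into extra chapters" reads better as "split firewalling (with some updates) and security into separate chapters".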