Ip6tables firewall

Reading Time: 4 minutes

Hello readers, this blog will teach you about ip6tables and its use with some basic use cases.we will also see that how ip6tables different from iptables.

what is iptables?

 Iptables is a Linux command line firewall that allows system administrators to manage incoming and outgoing traffic via a set of configurable table rules.

iptable vs ip6tables

Ip6tables is used to set up, maintain, and inspect the tables of IPv6 packet filter rules where as Iptables is used to set up, maintain, and inspect the tables of IPv4 packet filter rules in the Linux kernel.however the syntax for both almost same.

Rules and targets in Ip6tables

The rules defines what to do with the packet if it matches any defined rule. If the rule is matched, it defines a target which can be another chain, or some special values mentioned below:

  • ACCEPT: It means that the packet is allowed to pass through the firewall.
  • DROP: It means that the packet is not allowed to pass through the firewall.
  • RETURN: It means to skip the current rule and jump back to the chain from which it was called.

There are 5 built-in tables in iptables namely filter, nat, mangle, raw, security. For this tutorial, we are going to work only with the default table of ip6tables which is filter.

The filter table

The filter table is used for normal filter of traffic based on rules defined by the user. This table is very helpful in carrying out normal day to day blocking and filtering of packets. The filter table has three chains:

 chain table
  • INPUT: This chain is used to control the incoming traffic/packets to the server.
  • FORWARD: This chain is used to filter packets that are incoming to the server but are to be forwarded somewhere else.
  • OUTPUT: This chain is used to filter packets that are going out from the server.
  • PREROUTING –This chain is used for altering a packet as soon as it’s received.
  • POSTROUTING – This chain is used for altering packets as they are about to go out.

Firewall status

sudo iptables -L -n

To see the chains and rules for filter type the following command (-L for listing rules in chains; -n to print IP addresses and ports in numeric format):

$ sudo iptables -L -n 

This will bring out the following output which is basically an empty filter table:

[sudo] password for knoldus: 
]Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination 

Modifying rules in Iptable

To add a particular rule inside any chain. We’ll cover the command first, and then some use cases for the same.

$ sudo ip6tables -A INPUT -m state --state ESTABLISHED -j ACCEPT

This will bring out the following output which is basically an empty filter table:

$ sudo ip6tables -L -n
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all      ::/0                 ::/0        state ESTABLISHED

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source     

Appending rules

Let’s add some more IPv6 rules to our firewall.

$ sudo ip6tables -A INPUT -p tcp --dport ssh -s 2001:0db8:85a3:0000:0000:8a2e:0370:7334 -j ACCEPT
$ sudo ip6tables -A INPUT -p tcp --dport 8080 -j ACCEPT

This will bring out the following output which is basically an empty filter table:

$ sudo ip6tables -L -n
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all      ::/0                 ::/0        state ESTABLISHED   
ACCEPT     tcp      ::/0                 ::/0            tcp dpt:8080
ACCEPT     tcp      2001:db8:85a3::8a2e:370:7334  ::/0     tcp dpt:22

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination 

Below i have listed the some of flags. I’ll explain each of them and when they are required.

  • -A: Append flag is used to append a rule at the end of the table.
  • -I:This flag is used to append a rule at the start of the table.
  • -S: This flag is used to insert a rule at specified position in the table. If position is not specified, it will add the rule to top-most position.
  • -t: This flag is used to give the table name. By default, it is filter table.
  • -p: This flag is used to specify the protocol. It can be tcp, udp, icmp or all
  • -s: This flag is used to specify the source from where the packets are coming. Mainly used for to apply a rule on INPUT chain for any specific source ip-address.
  • -d: This flag is used to specify the destination where packets are to be delivered. Mainly used for to apply a rule on OUTPUT chain for any specific destination ip-address.
  • --sport & --dport: This flag is used to specify the source and destination port respectively if the rule is applied on tcp protocol.
  • -j: This flag is used to specify the target to be applied on the matched rule. It can be ACCEPT, REJECT, DROP etc.
  • -i: Input-interface – This flag is used to specify the name of the interface via which a packet will be received.
  • -j: Output-interface – This flag is used to specify the name of the interface via which a packet will be sent.

Deleting rules

1. To remove a particular rule by its line number.

sudo ip6tables -D INPUT 2

2. To remove all the rules of a particular chain

sudo ip6tables -F INPUT

3. To remove all the rules from the ip6tables

sudo ip6tables -F/--flush

Now, to get the output of any command with more information, you can run it in verbose mode as:

sudo ip6tables -L -v

Save your work

ip6tables rules will work instantly, however, if you restart your server all rules will be deleted. You need to save the rules so that they become active after a reboot.

There are several ways to do this; the easiest way is to use the iptables-persistent package. Type the following command to install the iptables-persistent package:

$ sudo apt-get install iptables-persistent

Press ‘Yes’ for both IPv4 and IPv6 rules when prompted. After installation, you will find two files in the /etc/iptables location name IPv4 and IPv6. You can open the file and make your changes here. You can also do a start|restart|reload|force-reload|save|flush from here, for example, if you want to save the current loaded iptables rules, type the following command.

sudo /etc/init.d/iptables-persistent save

This will save both IPv4 and IPv6 rules.

Conclusion

The incoming and outgoing data is transferred in the form of packets. Linux provide an interface to filter these packets. Here, Iptables comes into picture, which is a command line tool to set-up and configure the firewall. Iptables contain tables to filter packets. These tables contain multiple chains which are nothing, but the set of rules.