PIONEERS IPv6 with IncrediblePBX 13-13

jgeiger-itvocal (New Member, joined Apr 27, 2017):
I started by first going with a minimal install of CentOS 7 and using the scripts to install. However, I first set up and validated that IPv6 was working. After the install, IPv6 does not work. I still have an address on the interface, but I'm unable to ping the gateway address and the gateway is unable to ping the host.

I downloaded the Whole Enchilada .ova on CentOS 6 and it does get a valid IPv6 address, but again, I can't ping the gateway or do traceroutes on IPv6.

ifconfig and ip a commands show that the address is attached to the interface.

I've also tried stopping the firewalls and fail2ban. It doesn't help.

Any suggestions?
 

jgeiger-itvocal (New Member, joined Apr 27, 2017):
Some more digging: it's ip6tables blocking everything. I did service ip6tables stop and traffic started working correctly. I'll work on building some IPv6 table rules that work effectively, based on the iptables rules.
 

jgeiger-itvocal (New Member, joined Apr 27, 2017):
Working from https://www.cert.org/downloads/IPv6/ip6tables_rules.txt, then adding some SIP NEW-state packet rate limiting until I can test fail2ban with IPv6:

Code:
cat /etc/sysconfig/ip6tables
# Generated by ip6tables-save v1.4.21 on Sat Jan  6 01:51:41 2018
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [2:140]
-A INPUT -s ::1/128 -d ::1/128 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 1 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 2 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 3 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 4 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 128 -m limit --limit 15/sec -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 129 -m limit --limit 15/sec -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 134 -m hl --hl-eq 255 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 135 -m hl --hl-eq 255 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 136 -m hl --hl-eq 255 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 137 -m hl --hl-eq 255 -j ACCEPT
-A INPUT -p ipv6-icmp -j LOG --log-prefix "dropped ICMPv6"
-A INPUT -p ipv6-icmp -j DROP
-A INPUT -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p udp -m state --state RELATED,ESTABLISHED -j ACCEPT
###WhiteList IPS#############################
-A INPUT -s 2001:db8::/32 -p udp -m multiport --dports 5060,5061,5062,5063,5064,5065,5066,5067,5068,5069,4569 -j ACCEPT
-A INPUT -s 2001:db8::/64 -j ACCEPT
-A INPUT -s 2001:db8::/32 -j ACCEPT
##############################################
-A INPUT -p udp -m udp --dport 5060 -m string --string "friendly-scanner" --algo bm --to 65535 -j DROP
-A INPUT -p udp -m udp --dport 5060 -m string --string "VaxSIPUserAgent" --algo bm --to 65535 -j DROP
-A INPUT -p udp -m udp --dport 5060 -m string --string "sundayddr" --algo bm --to 65535 -j DROP
-A INPUT -p udp -m udp --dport 5060 -m string --string "sipsak" --algo bm --to 65535 -j DROP
-A INPUT -p udp -m udp --dport 5060 -m string --string "sipvicious" --algo bm --to 65535 -j DROP
-A INPUT -p udp -m udp --dport 5060 -m string --string "iWar" --algo bm --to 65535 -j DROP
-A INPUT -p udp -m udp --dport 5060 -m string --string "sip-scan" --algo bm --to 65535 -j DROP
-A INPUT -p udp -m udp --dport 5060 -m string --string "sipcli" --algo bm --to 65535 -j DROP
####SIP Ports
-A INPUT -p udp -m udp --dport 5060 -m state --state NEW -m recent --set --name DEFAULT --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --rsource
-A INPUT -p udp -m udp --dport 5060 -m state --state NEW -m recent --rcheck --seconds 3600 --hitcount 100 --name DEFAULT --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --rsource -j DROP
-A INPUT -p udp -m udp --dport 5060 -m state --state NEW -m recent --rcheck --seconds 600 --hitcount 20 --name DEFAULT --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --rsource -j DROP
-A INPUT -p udp -m udp --dport 5060 -m state --state NEW -m recent --rcheck --seconds 300 --hitcount 10 --name DEFAULT --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --rsource -j DROP
-A INPUT -p udp -m udp --dport 5060 -m state --state NEW -m recent --rcheck --seconds 180 --hitcount 5 --name DEFAULT --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --rsource -j DROP
-A INPUT -p udp -m udp --dport 5060 -m state --state NEW -m recent --rcheck --seconds 60 --hitcount 3 --name DEFAULT --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --rsource -j DROP
-A FORWARD -p ipv6-icmp -j REJECT --reject-with icmp6-port-unreachable
-A FORWARD -p tcp -j REJECT --reject-with icmp6-port-unreachable
-A FORWARD -p udp -j REJECT --reject-with icmp6-port-unreachable
COMMIT
# Completed on Sat Jan  6 01:51:41 2018
To get the SIP rate limiting to work, I had to add a file:

Code:
cat /etc/modprobe.d/xt_recent.conf
options xt_recent ip_list_tot=100 ip_pkt_list_tot=150
I still need to put in rules for http/https/ftp/sftp/t*f*t*p, but I'm waiting until I can research fail2ban with IPv6 further.

I'm thinking that the main reason the stock rules aren't working is that there aren't any provisions for NEW-state packets or for ICMP, and IPv6 in particular needs certain ICMP packet types in order to function.
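As an added check that is not part of the thread, and that covers both this ruleset and the updated one in the later post: a small Python linter that reads an ip6tables-save dump plus the xt_recent modprobe file and reports (a) ICMPv6 types IPv6 cannot function without that the INPUT chain never accepts, and (b) a --hitcount larger than xt_recent's ip_pkt_list_tot, which older kernels (such as CentOS 6's) refuse to load. The two sample rulesets are constructed for the example, not the poster's files.

```python
import re

# ICMPv6 types a host must accept for IPv6 to work: 1-4 are error messages
# (2 = Packet Too Big, needed for PMTUD) and 134-136 are Neighbor Discovery
# (RA/NS/NA); dropping NS/NA gives the "can't ping the gateway" symptom.
REQUIRED_ICMPV6 = {1, 2, 3, 4, 134, 135, 136}
XT_RECENT_DEFAULT_PKT_LIST = 20  # kernel default for xt_recent ip_pkt_list_tot

def accepted_icmpv6_types(rules):
    """ICMPv6 types explicitly ACCEPTed in INPUT of an ip6tables-save dump."""
    found = set()
    for line in rules.splitlines():
        if line.startswith("-A INPUT") and "-p ipv6-icmp" in line and "-j ACCEPT" in line:
            m = re.search(r"--icmpv6-type (\d+)", line)
            if m:
                found.add(int(m.group(1)))
    return found

def max_hitcount(rules):
    """Largest --hitcount any xt_recent rule in the dump asks for."""
    return max((int(h) for h in re.findall(r"--hitcount (\d+)", rules)), default=0)

def pkt_list_tot(modprobe_conf):
    """ip_pkt_list_tot from xt_recent.conf, or the kernel default if unset."""
    m = re.search(r"ip_pkt_list_tot=(\d+)", modprobe_conf)
    return int(m.group(1)) if m else XT_RECENT_DEFAULT_PKT_LIST

def lint(rules, modprobe_conf=""):
    """Return the problems found; an empty list means both checks pass."""
    problems = []
    missing = REQUIRED_ICMPV6 - accepted_icmpv6_types(rules)
    if missing:
        problems.append("ICMPv6 types not accepted: %s" % sorted(missing))
    hc, tot = max_hitcount(rules), pkt_list_tot(modprobe_conf)
    if hc > tot:  # older xt_recent rejects a --hitcount above ip_pkt_list_tot
        problems.append("--hitcount %d exceeds xt_recent ip_pkt_list_tot %d" % (hc, tot))
    return problems

# Constructed samples (not the thread's files): a stock-style ruleset with no
# ICMPv6 provisions, and the same plus the ICMPv6 accepts used in the thread.
SIP_LIMIT = ("-A INPUT -p udp -m udp --dport 5060 -m state --state NEW -m recent "
             "--rcheck --seconds 3600 --hitcount 100 --name DEFAULT --rsource -j DROP")
STOCK_RULES = "\n".join(["*filter", ":INPUT DROP [0:0]",
                         "-A INPUT -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT",
                         SIP_LIMIT, "COMMIT"])
FIXED_RULES = "\n".join(["*filter", ":INPUT DROP [0:0]"] +
                        ["-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type %d -j ACCEPT" % t
                         for t in (1, 2, 3, 4, 128, 129, 134, 135, 136, 137)] +
                        [SIP_LIMIT, "COMMIT"])
XT_RECENT_CONF = "options xt_recent ip_list_tot=100 ip_pkt_list_tot=150"
```

Run lint() on the output of ip6tables-save and the contents of /etc/modprobe.d/xt_recent.conf; it reports presence only, so a type that is accepted after a generic ICMPv6 DROP would still need a manual ordering check.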
 

jgeiger-itvocal (New Member, joined Apr 27, 2017):
Updated with a few services from the IPv4 rules:

Code:
# Generated by ip6tables-save v1.4.21 on Sat Jan  6 03:49:00 2018
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [293:26316]
-A INPUT -s ::1/128 -d ::1/128 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 1 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 2 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 3 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 4 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 128 -m limit --limit 15/sec -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 129 -m limit --limit 15/sec -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 134 -m hl --hl-eq 255 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 135 -m hl --hl-eq 255 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 136 -m hl --hl-eq 255 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 137 -m hl --hl-eq 255 -j ACCEPT
-A INPUT -p ipv6-icmp -j LOG --log-prefix "dropped ICMPv6"
-A INPUT -p ipv6-icmp -j DROP
-A INPUT -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p udp -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
#### Ports moved over from IPv4 iptables file
-A INPUT -p udp -m udp --sport 53 --dport 9999:65535 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 113 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 1723 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 32976 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 4445 -j ACCEPT
-A INPUT -p udp -m udp --dport 123 -j ACCEPT
-A INPUT -p udp -m udp --dport 5353 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 2000 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8000 -j ACCEPT
#### Whitelist your Carrier IPs
-A INPUT -s 2001:db8::/36 -p udp -m multiport --dports 5060,5061,5062,5063,5064,5065,5066,5067,5068,5069,4569 -j ACCEPT
#### WhiteList Your own IPs
-A INPUT -s 2001:db8::/64 -j ACCEPT
-A INPUT -s 2001:db8::/56 -j ACCEPT
#### Drop the low hanging fruit bad guys
-A INPUT -p udp -m udp --dport 5060 -m string --string "friendly-scanner" --algo bm --to 65535 -j DROP
-A INPUT -p udp -m udp --dport 5060 -m string --string "VaxSIPUserAgent" --algo bm --to 65535 -j DROP
-A INPUT -p udp -m udp --dport 5060 -m string --string "sundayddr" --algo bm --to 65535 -j DROP
-A INPUT -p udp -m udp --dport 5060 -m string --string "sipsak" --algo bm --to 65535 -j DROP
-A INPUT -p udp -m udp --dport 5060 -m string --string "sipvicious" --algo bm --to 65535 -j DROP
-A INPUT -p udp -m udp --dport 5060 -m string --string "iWar" --algo bm --to 65535 -j DROP
-A INPUT -p udp -m udp --dport 5060 -m string --string "sip-scan" --algo bm --to 65535 -j DROP
-A INPUT -p udp -m udp --dport 5060 -m string --string "sipcli" --algo bm --to 65535 -j DROP
#### SIP Ports rate limiting
-A INPUT -p udp -m udp --dport 5060 -m state --state NEW -m recent --set --name DEFAULT --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --rsource
-A INPUT -p udp -m udp --dport 5060 -m state --state NEW -m recent --rcheck --seconds 3600 --hitcount 100 --name DEFAULT --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --rsource -j DROP
-A INPUT -p udp -m udp --dport 5060 -m state --state NEW -m recent --rcheck --seconds 600 --hitcount 20 --name DEFAULT --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --rsource -j DROP
-A INPUT -p udp -m udp --dport 5060 -m state --state NEW -m recent --rcheck --seconds 300 --hitcount 10 --name DEFAULT --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --rsource -j DROP
-A INPUT -p udp -m udp --dport 5060 -m state --state NEW -m recent --rcheck --seconds 180 --hitcount 5 --name DEFAULT --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --rsource -j DROP
-A INPUT -p udp -m udp --dport 5060 -m state --state NEW -m recent --rcheck --seconds 60 --hitcount 3 --name DEFAULT --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --rsource -j DROP
-A FORWARD -p ipv6-icmp -j REJECT --reject-with icmp6-port-unreachable
-A FORWARD -p tcp -j REJECT --reject-with icmp6-port-unreachable
-A FORWARD -p udp -j REJECT --reject-with icmp6-port-unreachable
COMMIT
# Completed on Sat Jan  6 03:49:00 2018
Public HTTP/HTTPS/FTP/SFTP/SSH/t*f*t*p still isn't added, as I'm still coming up to speed with v6 and fail2ban.
 

wardmundy (Nerd Uno, joined Oct 12, 2007):
@jgeiger-itvocal: Be really, really careful opening up HTTP, HTTPS, FTP, SFTP, and SSH for public access. The entire Incredible PBX design assumes these services are only enabled by WhiteList entries to specific IP addresses. FreePBX historically has a very poor security track record once anonymous users can gain public access to the GUI with a browser.
 

krzykat (Guru, joined Aug 2, 2008, South Florida):
wardmundy said:
@jgeiger-itvocal: Be really, really careful opening up HTTP, HTTPS, FTP, SFTP, and SSH for public access. The entire Incredible PBX design assumes these services are only enabled by WhiteList entries to specific IP addresses. FreePBX historically has a very poor security track record once anonymous users can gain public access to the GUI with a browser.

Don't I know it ... it hasn't happened in years to me, but when I was starting out I contributed over $1,000 to those bad guys. The whitelist has been the true salvation from that happening again.
 
