PIONEERS IPv6 with IncrediblePBX 13-13

jgeiger-itvocal (New Member, joined Apr 27, 2017; 6 messages, reaction score 1):
I started by first going with a minimal install of CentOS 7 and using the scripts to install. However, I first set up and validated that IPv6 was working. After the install, IPv6 does not work. I still have an address on the interface, but I'm unable to ping the gateway address and the gateway is unable to ping the host.

I downloaded the Whole Enchilada .ova on CentOS 6 and it does get a valid IPv6 address, but again, I can't ping the gateway or do traceroutes on IPv6.

ifconfig and ip a commands show that the address is attached to the interface.

I've also tried stopping the firewalls and fail2ban. It doesn't help.

Any suggestions?

jgeiger-itvocal (New Member):
Some more digging: it's ip6tables blocking everything. I ran service ip6tables stop and traffic started working correctly. I'll work on building some IPv6 table rules that work effectively, starting from the iptables rules.

jgeiger-itvocal (New Member):
Working from https://www.cert.org/downloads/IPv6/ip6tables_rules.txt, then adding some SIP NEW-state packet rate limiting until I can test fail2ban with IPv6:

Code:
cat /etc/sysconfig/ip6tables
# Generated by ip6tables-save v1.4.21 on Sat Jan  6 01:51:41 2018
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [2:140]
-A INPUT -s ::1/128 -d ::1/128 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 1 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 2 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 3 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 4 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 128 -m limit --limit 15/sec -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 129 -m limit --limit 15/sec -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 134 -m hl --hl-eq 255 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 135 -m hl --hl-eq 255 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 136 -m hl --hl-eq 255 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 137 -m hl --hl-eq 255 -j ACCEPT
-A INPUT -p ipv6-icmp -j LOG --log-prefix "dropped ICMPv6"
-A INPUT -p ipv6-icmp -j DROP
-A INPUT -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p udp -m state --state RELATED,ESTABLISHED -j ACCEPT
###WhiteList IPS#############################
-A INPUT -s 2001:db8::/32 -p udp -m multiport --dports 5060,5061,5062,5063,5064,5065,5066,5067,5068,5069,4569 -j ACCEPT
-A INPUT -s 2001:db8::/64 -j ACCEPT
-A INPUT -s 2001:db8::/32 -j ACCEPT
##############################################
-A INPUT -p udp -m udp --dport 5060 -m string --string "friendly-scanner" --algo bm --to 65535 -j DROP
-A INPUT -p udp -m udp --dport 5060 -m string --string "VaxSIPUserAgent" --algo bm --to 65535 -j DROP
-A INPUT -p udp -m udp --dport 5060 -m string --string "sundayddr" --algo bm --to 65535 -j DROP
-A INPUT -p udp -m udp --dport 5060 -m string --string "sipsak" --algo bm --to 65535 -j DROP
-A INPUT -p udp -m udp --dport 5060 -m string --string "sipvicious" --algo bm --to 65535 -j DROP
-A INPUT -p udp -m udp --dport 5060 -m string --string "iWar" --algo bm --to 65535 -j DROP
-A INPUT -p udp -m udp --dport 5060 -m string --string "sip-scan" --algo bm --to 65535 -j DROP
-A INPUT -p udp -m udp --dport 5060 -m string --string "sipcli" --algo bm --to 65535 -j DROP
####SIP Ports
-A INPUT -p udp -m udp --dport 5060 -m state --state NEW -m recent --set --name DEFAULT --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --rsource
-A INPUT -p udp -m udp --dport 5060 -m state --state NEW -m recent --rcheck --seconds 3600 --hitcount 100 --name DEFAULT --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --rsource -j DROP
-A INPUT -p udp -m udp --dport 5060 -m state --state NEW -m recent --rcheck --seconds 600 --hitcount 20 --name DEFAULT --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --rsource -j DROP
-A INPUT -p udp -m udp --dport 5060 -m state --state NEW -m recent --rcheck --seconds 300 --hitcount 10 --name DEFAULT --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --rsource -j DROP
-A INPUT -p udp -m udp --dport 5060 -m state --state NEW -m recent --rcheck --seconds 180 --hitcount 5 --name DEFAULT --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --rsource -j DROP
-A INPUT -p udp -m udp --dport 5060 -m state --state NEW -m recent --rcheck --seconds 60 --hitcount 3 --name DEFAULT --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --rsource -j DROP
-A FORWARD -p ipv6-icmp -j REJECT --reject-with icmp6-port-unreachable
-A FORWARD -p tcp -j REJECT --reject-with icmp6-port-unreachable
-A FORWARD -p udp -j REJECT --reject-with icmp6-port-unreachable
COMMIT
# Completed on Sat Jan  6 01:51:41 2018

To get the SIP rate limiting to work, I had to add a file:

Code:
cat /etc/modprobe.d/xt_recent.conf
options xt_recent ip_list_tot=100 ip_pkt_list_tot=150

I still need to put in rules for http/https/ftp/sftp/t*f*t*p, but I'm waiting until I can research fail2ban with IPv6 further.

I'm thinking that the main reason the stock rules aren't working is that there aren't any provisions for NEW-state packets and ICMP; IPv6 especially needs certain ICMP packet types to function.
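The two things this post had to get right by hand, letting the ICMPv6 types a host depends on through a default-DROP INPUT chain and raising xt_recent's ip_pkt_list_tot so that --hitcount 100 can load, can be checked offline against an ip6tables-save dump. The Python below is an added example, not part of the thread or of Incredible PBX; the rule dumps and the modprobe line it runs against are constructed, and the kernel default of 20 for ip_pkt_list_tot is the xt_recent module default.

```python
"""Offline lint for an ip6tables-save dump (added example, not from the thread).
Flags the two failure modes the post describes: ICMPv6 types an IPv6 host needs
being dropped by a default-DROP INPUT chain, and an xt_recent --hitcount larger
than the module's ip_pkt_list_tot (default 20 unless raised via modprobe.d)."""
import re
import shlex

# ICMPv6 types a host cannot do without, even behind a default-DROP INPUT chain.
REQUIRED_ICMPV6 = {2: "packet too big (PMTUD)", 134: "router advertisement",
                   135: "neighbor solicitation", 136: "neighbor advertisement"}
XT_RECENT_DEFAULT_PKT_LIST_TOT = 20  # kernel default when no modprobe option is set

def pkt_list_tot(modprobe_conf: str) -> int:
    """ip_pkt_list_tot from an 'options xt_recent ...' line, else the module default."""
    m = re.search(r"^options\s+xt_recent\b.*\bip_pkt_list_tot=(\d+)", modprobe_conf, re.M)
    return int(m.group(1)) if m else XT_RECENT_DEFAULT_PKT_LIST_TOT

def _opt(tokens, name):
    """Value following option `name` in a tokenised rule, or None if absent."""
    return tokens[tokens.index(name) + 1] if name in tokens else None

def audit_ip6tables(save_dump: str, modprobe_conf: str = "") -> list[str]:
    """Return human-readable findings; an empty list means both checks passed."""
    findings, accepted, catch_all = [], set(), False
    limit = pkt_list_tot(modprobe_conf)
    for line in save_dump.splitlines():
        if not line.startswith("-A INPUT"):
            continue
        t = shlex.split(line)
        target, typ = _opt(t, "-j"), _opt(t, "--icmpv6-type")
        if "ipv6-icmp" in t and typ and typ.isdigit() and target == "ACCEPT" and not catch_all:
            accepted.add(int(typ))  # only ACCEPTs placed before the catch-all count
        elif "ipv6-icmp" in t and typ is None and target in ("DROP", "REJECT"):
            catch_all = True
        hits = _opt(t, "--hitcount")
        if hits and int(hits) > limit:  # xt_recent refuses such a rule at load time
            findings.append(f"--hitcount {hits} exceeds xt_recent ip_pkt_list_tot={limit}: rule will not load")
    if catch_all or ":INPUT DROP" in save_dump:
        for n, why in REQUIRED_ICMPV6.items():
            if n not in accepted:
                findings.append(f"ICMPv6 type {n} ({why}) is never accepted; IPv6 will break")
    return findings

# Constructed samples: a stock-style chain with no ICMPv6 provisions, and one shaped like the post's.
STOCK_LIKE = "*filter\n:INPUT DROP [0:0]\n-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT\nCOMMIT\n"
THREAD_LIKE = "\n".join(["*filter", ":INPUT DROP [0:0]", "-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 2 -j ACCEPT"]
    + [f"-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type {n} -m hl --hl-eq 255 -j ACCEPT" for n in (134, 135, 136)]
    + ["-A INPUT -p ipv6-icmp -j DROP", "-A INPUT -p udp -m udp --dport 5060 -m state --state NEW -m recent"
       " --rcheck --seconds 3600 --hitcount 100 --name DEFAULT --rsource -j DROP", "COMMIT"])
XT_RECENT_CONF = "options xt_recent ip_list_tot=100 ip_pkt_list_tot=150\n"  # the post's modprobe fix
```

Running audit_ip6tables(STOCK_LIKE) reports the four missing ICMPv6 types, audit_ip6tables(THREAD_LIKE) reports only the hitcount problem, and audit_ip6tables(THREAD_LIKE, XT_RECENT_CONF) comes back clean. To check a live box, pass the contents of /etc/sysconfig/ip6tables and /etc/modprobe.d/xt_recent.conf.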

jgeiger-itvocal (New Member):
Updated with a few services from the IPv4 rules.

Code:
# Generated by ip6tables-save v1.4.21 on Sat Jan  6 03:49:00 2018
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [293:26316]
-A INPUT -s ::1/128 -d ::1/128 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 1 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 2 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 3 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 4 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 128 -m limit --limit 15/sec -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 129 -m limit --limit 15/sec -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 134 -m hl --hl-eq 255 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 135 -m hl --hl-eq 255 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 136 -m hl --hl-eq 255 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 137 -m hl --hl-eq 255 -j ACCEPT
-A INPUT -p ipv6-icmp -j LOG --log-prefix "dropped ICMPv6"
-A INPUT -p ipv6-icmp -j DROP
-A INPUT -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p udp -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
#### Ports moved over from IPv4 iptables file
-A INPUT -p udp -m udp --sport 53 --dport 9999:65535 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 113 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 1723 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 32976 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 4445 -j ACCEPT
-A INPUT -p udp -m udp --dport 123 -j ACCEPT
-A INPUT -p udp -m udp --dport 5353 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 2000 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8000 -j ACCEPT
#### Whitelist your Carrier IPs
-A INPUT -s 2001:db8::/36 -p udp -m multiport --dports 5060,5061,5062,5063,5064,5065,5066,5067,5068,5069,4569 -j ACCEPT
#### WhiteList Your own IPs
-A INPUT -s 2001:db8::/64 -j ACCEPT
-A INPUT -s 2001:db8::/56 -j ACCEPT
#### Drop the low hanging fruit bad guys
-A INPUT -p udp -m udp --dport 5060 -m string --string "friendly-scanner" --algo bm --to 65535 -j DROP
-A INPUT -p udp -m udp --dport 5060 -m string --string "VaxSIPUserAgent" --algo bm --to 65535 -j DROP
-A INPUT -p udp -m udp --dport 5060 -m string --string "sundayddr" --algo bm --to 65535 -j DROP
-A INPUT -p udp -m udp --dport 5060 -m string --string "sipsak" --algo bm --to 65535 -j DROP
-A INPUT -p udp -m udp --dport 5060 -m string --string "sipvicious" --algo bm --to 65535 -j DROP
-A INPUT -p udp -m udp --dport 5060 -m string --string "iWar" --algo bm --to 65535 -j DROP
-A INPUT -p udp -m udp --dport 5060 -m string --string "sip-scan" --algo bm --to 65535 -j DROP
-A INPUT -p udp -m udp --dport 5060 -m string --string "sipcli" --algo bm --to 65535 -j DROP
#### SIP Ports rate limiting
-A INPUT -p udp -m udp --dport 5060 -m state --state NEW -m recent --set --name DEFAULT --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --rsource
-A INPUT -p udp -m udp --dport 5060 -m state --state NEW -m recent --rcheck --seconds 3600 --hitcount 100 --name DEFAULT --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --rsource -j DROP
-A INPUT -p udp -m udp --dport 5060 -m state --state NEW -m recent --rcheck --seconds 600 --hitcount 20 --name DEFAULT --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --rsource -j DROP
-A INPUT -p udp -m udp --dport 5060 -m state --state NEW -m recent --rcheck --seconds 300 --hitcount 10 --name DEFAULT --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --rsource -j DROP
-A INPUT -p udp -m udp --dport 5060 -m state --state NEW -m recent --rcheck --seconds 180 --hitcount 5 --name DEFAULT --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --rsource -j DROP
-A INPUT -p udp -m udp --dport 5060 -m state --state NEW -m recent --rcheck --seconds 60 --hitcount 3 --name DEFAULT --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --rsource -j DROP
-A FORWARD -p ipv6-icmp -j REJECT --reject-with icmp6-port-unreachable
-A FORWARD -p tcp -j REJECT --reject-with icmp6-port-unreachable
-A FORWARD -p udp -j REJECT --reject-with icmp6-port-unreachable
COMMIT
# Completed on Sat Jan  6 03:49:00 2018

Public HTTP/HTTPS/FTP/SFTP/SSH/t*f*t*p isn't added yet; I'm still coming up to speed with v6 and fail2ban.

wardmundy (Nerd Uno, joined Oct 12, 2007; 19,168 messages, reaction score 5,199):
@jgeiger-itvocal: Be really, really careful opening up HTTP, HTTPS, FTP, SFTP, and SSH for public access. The entire Incredible PBX design assumes these services are only enabled by WhiteList entries to specific IP addresses. FreePBX historically has a very poor security track record once anonymous users can gain public access to the GUI with a browser.
 

krzykat (Telecom Strategist, joined Aug 2, 2008; 3,145 messages, reaction score 1,235):
@jgeiger-itvocal: Be really, really careful opening up HTTP, HTTPS, FTP, SFTP, and SSH for public access. The entire Incredible PBX design assumes these services are only enabled by WhiteList entries to specific IP addresses. FreePBX historically has a very poor security track record once anonymous users can gain public access to the GUI with a browser.

Don't I know it ... it hasn't happened to me in years, but when I was starting out I contributed over $1,000 to those bad guys. Whitelisting has been the true salvation from that happening again.