TIPS Whitelisting ipv6

pkntl

I just installed IncrediblePBX 13.13 on Ubuntu 18.04 and I can't seem to figure out how to whitelist my smartphone's IPv6 address.

The /root/add-ip script only seems to work with ipv4 addresses. I know that you're not supposed to mess around with the iptables unless you use add-ip. So I was wondering if there was a way to whitelist ipv6 addresses?

Any help would be appreciated.
Thanks!
 

pkntl

That's unfortunate. Is it possible then to modify the ip6tables directly without messing anything up?
 
Joined
Oct 26, 2013
Messages
60
Reaction score
22
Yes, you can, by using the command ip6tables, which works the same way as iptables does for IPv4. However, keep in mind that IPv6 doesn't use ARP; instead it uses ICMP, which is normally blocked in IPv4 firewalls. For IPv6, however, there are some ICMP packets that you should never drop. Your VoIP providers must also be using IPv6 addresses, or there is nothing to whitelist. As an example, I have included a basic set of rules for ip6tables below, where 2001:xx:xx:xx is my own IPv6 subnet. The rules below basically drop anything except established connections and my own subnet:

Code:
# Generated by ip6tables-save v1.4.7 on Sat Oct 21 18:17:10 2017
*mangle
:PREROUTING ACCEPT [233:33148]
:INPUT ACCEPT [233:33148]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [145:25708]
:POSTROUTING ACCEPT [145:25708]
COMMIT
# Completed on Sat Oct 21 18:17:10 2017
# Generated by ip6tables-save v1.4.7 on Sat Oct 21 18:17:10 2017
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [29:5669]
:LOG_DROP - [0:0]
-A INPUT -m state --state INVALID -j DROP
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 1 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 2 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 3 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 4 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 128 -m limit --limit 15/sec -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 129 -m limit --limit 15/sec -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 134 -m hl --hl-eq 255 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 135 -m hl --hl-eq 255 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 136 -m hl --hl-eq 255 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 137 -m hl --hl-eq 255 -j ACCEPT
-A INPUT -p ipv6-icmp -j DROP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j DROP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DROP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,ACK,URG -j DROP
-A INPUT -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN -j DROP
-A INPUT -p tcp -m tcp --tcp-flags SYN,ACK SYN,ACK -m conntrack --ctstate NEW -j REJECT --reject-with tcp-reset
-A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m conntrack --ctstate NEW -j DROP
-A INPUT -p udp -m length --length 0:28 -j DROP
-A INPUT -s 2001:xx:xx:xx::/64 -j ACCEPT
-A INPUT -j LOG_DROP
-A LOG_DROP -j LOG --log-prefix "Firewall_blocked: "
-A LOG_DROP -j DROP
COMMIT
# Completed on Sat Oct 21 18:17:10 2017
 
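Added example, not part of the original thread or of Incredible PBX: a shell filter that places an ACCEPT rule for one IPv6 address or prefix ahead of the final `-A INPUT -j LOG_DROP` rule in a ruleset laid out like the one posted above. The function names and the 2001:db8:: addresses are constructed for illustration.

```shell
#!/bin/sh
# Added example. whitelist6, valid_ip6 and sample_rules are hypothetical
# helpers, not part of Incredible PBX or its add-ip script.

# Coarse syntax screen: 2-7 colon-terminated hex groups, a final group, and
# an optional /0-128 prefix length. ip6tables-restore does the real parsing.
valid_ip6() {
    printf '%s\n' "$1" | grep -Eq \
      '^([0-9A-Fa-f]{0,4}:){2,7}[0-9A-Fa-f]{0,4}(/(12[0-8]|1[01][0-9]|[1-9]?[0-9]))?$'
}

# Filter: ip6tables-save text on stdin, same text on stdout with
# "-A INPUT -s <addr> -j ACCEPT" placed directly before the catch-all
# "-A INPUT -j LOG_DROP". Returns 1 for a bad address, 2 if the catch-all
# rule is absent (the ruleset is not laid out like the one in the post).
whitelist6() {
    addr=$1
    valid_ip6 "$addr" || { echo "not an IPv6 address: $addr" >&2; return 1; }
    # ip6tables-save prints single hosts with /128; use that form so a
    # second run finds the existing rule instead of adding a duplicate.
    case $addr in */*) ;; *) addr="$addr/128" ;; esac
    awk -v rule="-A INPUT -s $addr -j ACCEPT" '
        $0 == rule { have = 1 }
        $0 == "-A INPUT -j LOG_DROP" { if (!have) print rule; found = 1 }
        { print }
        END { exit (found ? 0 : 2) }'
}

# Constructed sample: a cut-down version of the *filter table above, using
# the 2001:db8::/32 documentation prefix.
sample_rules() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:LOG_DROP - [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p ipv6-icmp -j DROP
-A INPUT -s 2001:db8:aaaa:1::/64 -j ACCEPT
-A INPUT -j LOG_DROP
-A LOG_DROP -j DROP
COMMIT
EOF
}

# On the server, as root: write the result to a file, check it, then load it.
#   ip6tables-save | whitelist6 2001:db8:1:2::10 > rules.v6.new
#   ip6tables-restore --test < rules.v6.new && ip6tables-restore < rules.v6.new
```

The placement matters because rules are evaluated in order: an ACCEPT appended after `-A INPUT -j LOG_DROP` would never be reached.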
