TIPS Whitelisting ipv6

pkntl

New Member
Joined
Jan 8, 2019
Messages
2
Reaction score
0
I just installed IncrediblePBX 13.13 on Ubuntu 18.04 and I can't seem to figure out how to whitelist my smartphone's IPv6 address.

The /root/add-ip script only seems to work with ipv4 addresses. I know that you're not supposed to mess around with the iptables unless you use add-ip. So I was wondering if there was a way to whitelist ipv6 addresses?

Any help would be appreciated.
Thanks!
 

pkntl

New Member
Joined
Jan 8, 2019
Messages
2
Reaction score
0
That's unfortunate. Is it possible then to modify the ip6tables directly without messing anything up?
 
Joined
Oct 26, 2013
Messages
69
Reaction score
23
Yes, you can, by using the ip6tables command, which works the same way as iptables for IPv4. However, keep in mind that IPv6 doesn't use ARP; instead it uses ICMP, which normally is blocked in IPv4 firewalls. For IPv6, though, there are some ICMP packets that you should never drop. Your VoIP providers must also be using IPv6 addresses, or there is nothing to whitelist. As an example, I have included a basic set of rules for ip6tables below, where the 2001:xx:xx:xx is my own IPv6 subnet. So the rules below basically drop anything except established connections and my own subnet:

Code:
# Generated by ip6tables-save v1.4.7 on Sat Oct 21 18:17:10 2017
*mangle
:PREROUTING ACCEPT [233:33148]
:INPUT ACCEPT [233:33148]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [145:25708]
:POSTROUTING ACCEPT [145:25708]
COMMIT
# Completed on Sat Oct 21 18:17:10 2017
# Generated by ip6tables-save v1.4.7 on Sat Oct 21 18:17:10 2017
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [29:5669]
:LOG_DROP - [0:0]
-A INPUT -m state --state INVALID -j DROP
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 1 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 2 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 3 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 4 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 128 -m limit --limit 15/sec -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 129 -m limit --limit 15/sec -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 134 -m hl --hl-eq 255 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 135 -m hl --hl-eq 255 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 136 -m hl --hl-eq 255 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 137 -m hl --hl-eq 255 -j ACCEPT
-A INPUT -p ipv6-icmp -j DROP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j DROP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DROP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,ACK,URG -j DROP
-A INPUT -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN -j DROP
-A INPUT -p tcp -m tcp --tcp-flags SYN,ACK SYN,ACK -m conntrack --ctstate NEW -j REJECT --reject-with tcp-reset
-A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m conntrack --ctstate NEW -j DROP
-A INPUT -p udp -m length --length 0:28 -j DROP
-A INPUT -s 2001:xx:xx:xx::/64 -j ACCEPT
-A INPUT -j LOG_DROP
-A LOG_DROP -j LOG --log-prefix "Firewall_blocked: "
-A LOG_DROP -j DROP
COMMIT
# Completed on Sat Oct 21 18:17:10 2017
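
Added example (not part of any post in this thread, and not IncrediblePBX code): one way to whitelist a further IPv6 source in a saved ruleset shaped like the one above. It validates the address and places the ACCEPT rule directly before the `-A INPUT -j LOG_DROP` catch-all, since a rule appended after that line would never match. The function names and the `2001:db8:` sample addresses (documentation prefix) are constructed for illustration.

```python
import ipaddress

# Final INPUT rule of the ruleset posted above; whitelist entries must precede it.
CATCH_ALL = "-A INPUT -j LOG_DROP"

def whitelist_rule(source: str) -> str:
    """Build an ACCEPT rule for one IPv6 host or prefix; reject anything else."""
    # strict parsing: a prefix with host bits set (e.g. ::5/64) raises ValueError
    net = ipaddress.ip_network(source)
    if net.version != 6:
        raise ValueError(f"{source!r} is not an IPv6 address or prefix")
    return f"-A INPUT -s {net.compressed} -j ACCEPT"

def add_whitelist(ruleset: str, source: str) -> str:
    """Return ip6tables-save text with the rule inserted before the catch-all."""
    rule = whitelist_rule(source)
    lines = ruleset.splitlines()
    if rule in lines:                      # already whitelisted: change nothing
        return ruleset
    in_filter = False
    for i, line in enumerate(lines):
        if line.startswith("*"):           # table header such as *mangle, *filter
            in_filter = line.strip() == "*filter"
        elif in_filter and line.strip() == CATCH_ALL:
            lines.insert(i, rule)
            return "\n".join(lines) + "\n"
    raise LookupError("catch-all not found in *filter; refusing to guess a position")

# Constructed sample input: a shortened ruleset in the same layout as the post.
SAMPLE = """\
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:LOG_DROP - [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -s 2001:db8:aaaa:1::/64 -j ACCEPT
-A INPUT -j LOG_DROP
-A LOG_DROP -j LOG --log-prefix "Firewall_blocked: "
-A LOG_DROP -j DROP
COMMIT
"""

if __name__ == "__main__":
    print(add_whitelist(SAMPLE, "2001:db8:bbbb:2::25"), end="")
```

The resulting text can be checked with `ip6tables-restore --test` before it is loaded for real.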
 