Changes

Jump to navigation Jump to search

Raspberry Pi IPv6 firewall tester installation (view source)

Revision as of 13:23, 17 September 2012

6,443 bytes added ,  13:23, 17 September 2012
no edit summary
Line 45: Line 45:  
   :: Retrieving packages from core...
 
   :: Retrieving packages from core...
   −
Then install LAMP by following the excellent [https://wiki.archlinux.org/index.php/LAMP Arch Linux LAMP guide].
+
 
 +
=== Simplistic IPv6 Firewall ===
 +
 
 +
As a general starting point please read the [https://wiki.archlinux.org/index.php/Iptables ArchLinux IPtables documentation].
 +
 
 +
You will need to install the iptables modules and scripts using the following command:
 +
 
 +
  # pacman -S iptables
 +
 
 +
The following IPv6 firewall is a very simplistic example, only suitable for use in a trusted environment, where SLAAC IPv6 address allocation is in place. '''This example is not suitable for an internet-facing Raspberry Pi where you need to include extra packet checking related to traffic sources, ICMPv6 types, arrival rates, etc.'''
 +
 
 +
  *filter
 +
  :INPUT DROP [0:0]
 +
  :FORWARD DROP [0:0]
 +
  :OUTPUT ACCEPT [0:0]
 +
  :LOGINPUTDROP - [0:0]
 +
  -A LOGINPUTDROP -m limit --limit 60/m --limit-burst 20 -j LOG --log-prefix "IPV6_INPUT_DROP" --log-ip-options --log-tcp-options --log-tcp-sequence
 +
  -A LOGINPUTDROP -j DROP
 +
  # Allow all loopback traffic
 +
  -A INPUT -i lo -j ACCEPT
 +
  # Drop all routing header traffic
 +
  -A INPUT -m rt --rt-type 0 -j LOGINPUTDROP
 +
  -A INPUT -m rt --rt-type 1 -j LOGINPUTDROP
 +
  -A INPUT -m rt --rt-type 2 -j LOGINPUTDROP
 +
  # Allow all traffic related to, or part of an established stream
 +
  -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
 +
  # Allow ping of this host to aid debug
 +
  -A INPUT -p ipv6-icmp --icmpv6-type echo-request -j ACCEPT
 +
  # Allow Router advertisements so we can use SLAAC address allocation
 +
  -A INPUT -p ipv6-icmp --icmpv6-type router-advertisement -j ACCEPT
 +
  -A INPUT -p ipv6-icmp --icmpv6-type router-solicitation -j ACCEPT
 +
  # Allow neighbour adv/sol so we can talk to our neighbours (IPv6 ARP equivalent)
 +
  -A INPUT -p ipv6-icmp --icmpv6-type neighbour-advertisement -j ACCEPT
 +
  -A INPUT -p ipv6-icmp --icmpv6-type neighbour-solicitation -j ACCEPT
 +
  # Allow SSH and HTTP traffic
 +
  -A INPUT -p tcp --dport 22 -j ACCEPT
 +
  -A INPUT -p tcp --dport 80 -j ACCEPT
 +
  # Drop, but log, everything else
 +
  -A INPUT -j LOGINPUTDROP
 +
  COMMIT
 +
 
 +
Assuming your desired ruleset is stored in a file called simple_firewall6.rules then you can import the firewall rules using:
 +
 
 +
  # ip6tables-restore < simple_firewall6.rules
 +
 
 +
You can view the active firewall rules, and determine the number of packets being processed by each rule using:
 +
 
 +
  # ip6tables -v -n -L
 +
 
 +
  Chain INPUT (policy DROP 0 packets, 0 bytes)
 +
  pkts bytes target    prot opt in    out    source              destination
 +
      0    0 ACCEPT    all      lo    *      ::/0                ::/0
 +
      0    0 LOGINPUTDROP  all      *      *      ::/0                ::/0                rt type:0 segsleft:0
 +
      0    0 LOGINPUTDROP  all      *      *      ::/0                ::/0                rt type:1 segsleft:0
 +
      0    0 LOGINPUTDROP  all      *      *      ::/0                ::/0                rt type:2 segsleft:0
 +
      2  208 ACCEPT    all      *      *      ::/0                ::/0                state RELATED,ESTABLISHED
 +
      1  104 ACCEPT    icmpv6    *      *      ::/0                ::/0                ipv6-icmptype 128
 +
    116 19488 ACCEPT    icmpv6    *      *      ::/0                ::/0                ipv6-icmptype 134
 +
      0    0 ACCEPT    icmpv6    *      *      ::/0                ::/0                ipv6-icmptype 133
 +
      2  128 ACCEPT    icmpv6    *      *      ::/0                ::/0                ipv6-icmptype 136
 +
      2  144 ACCEPT    icmpv6    *      *      ::/0                ::/0                ipv6-icmptype 135
 +
      0    0 ACCEPT    tcp      *      *      ::/0                ::/0                tcp dpt:22
 +
      0    0 ACCEPT    tcp      *      *      ::/0                ::/0                tcp dpt:80
 +
      0    0 LOGINPUTDROP  all      *      *      ::/0                ::/0
 +
 
 +
  Chain FORWARD (policy DROP 0 packets, 0 bytes)
 +
  pkts bytes target    prot opt in    out    source              destination
 +
 
 +
  Chain OUTPUT (policy ACCEPT 7 packets, 592 bytes)
 +
  pkts bytes target    prot opt in    out    source              destination
 +
 
 +
  Chain LOGINPUTDROP (4 references)
 +
  pkts bytes target    prot opt in    out    source              destination
 +
      0    0 LOG        all      *      *      ::/0                ::/0                limit: avg 1/sec burst 20 LOG flags 7 level 4 prefix "IPV6_INPUT_DROP"
 +
      0    0 DROP      all      *      *      ::/0                ::/0
 +
 
 +
 
 +
Once you're satisfied that the IPv6 firewall rules are performing correctly then they can be saved using the following command:
 +
 
 +
  # rc.d save ip6tables
 +
 
 +
Note that if you're also using IPv4 then don't forget to setup a similar IPv4 firewall ruleset. Again this example is only suitable for use in a trusted environment and needs further additions for an internet facing machine.
 +
 
 +
  *filter
 +
  :INPUT DROP [0:0]
 +
  :FORWARD DROP [0:0]
 +
  :OUTPUT ACCEPT [0:0]
 +
  # Allow all loopback traffic
 +
  -A INPUT -i lo -j ACCEPT
 +
  # Allow all traffic related to, or part of an established session
 +
  -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
 +
  # Allow ping of this host to aid debug
 +
  -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
 +
  # Allow SSH and HTTP traffic
 +
  -A INPUT -p tcp --dport 22 -j ACCEPT
 +
  -A INPUT -p tcp --dport 80 -j ACCEPT
 +
  # Drop all other TCP traffic
 +
  -A INPUT -p tcp -j DROP
 +
  # Allow DHCP related traffic
 +
  -A INPUT -p udp --dport 67:68 -j ACCEPT
 +
  # Drop everything else
 +
  -A INPUT -j DROP
 +
  COMMIT
 +
 
 +
This time import can be performed using:
 +
 
 +
  # iptables-restore < simple_firewall.rules
 +
 
 +
Once you're happy with your IPv4 firewall then you can save the active rules using the following command:
 +
 
 +
  # rc.d save iptables
 +
 
 +
Note that it is import to check full functionality still exists with your firewall in place - this particularly applies to address allocation (e.g. DHCP and SLAAC) procedures which may mean that a misconfigured firewall makes your Raspberry Pi unreachable. This is one reason why it is useful to develop the two rulesets (IPv4 and IPv6) separately, since if you misconfigure one firewall and lose connectivity then you can fall back to the working protocol version to correct your mistake. Once you're happy that both firewall sets are correct then you can insert ''both'' sets into '''/etc/rc.conf''' DAEMONS statement before the network module is called:
 +
 
 +
  DAEMONS=(!hwclock syslog-ng '''iptables''' '''ip6tables''' network openntpd @netfs @crond @sshd @mysqld @httpd)
 +
 
 +
You can check for dropped/logged packets (in the examples above logging is included for the IPv6 packet filter) using the following command:
 +
 
 +
  # tailf /var/log/iptables.log
 +
 
 +
 
 +
=== Installing LAMP ===
 +
 
 +
Install LAMP by following the excellent [https://wiki.archlinux.org/index.php/LAMP Arch Linux LAMP guide].
 
    
 
    
 
   # pacman -S apache php php-apache mysql
 
   # pacman -S apache php php-apache mysql
Line 262: Line 385:  
   AllowUsers plnusr456
 
   AllowUsers plnusr456
   −
=== Simplistic IPv6 Firewall ===
  −
  −
As a general starting point please read the [https://wiki.archlinux.org/index.php/Iptables ArchLinux IPtables documentation].
        −
 
   
Complete details coming soon ...
 
Complete details coming soon ...
    
Needs to include:
 
Needs to include:
   −
* firewall
   
* php landing page example
 
* php landing page example
  
Retrieved from ‘https://wiki.chappell-family.com/wiki/index.php?title=Special:MobileDiff/169

Navigation menu