Ip6tables Firewall Recommended Configuration on Redhat or CentOS Linux

Ip6tables is a firewall utility that uses policy chains to allow or block traffic.  It can configure IPv6 tables, chains or rules provided by the Linux kernel firewall.

Some key things to consider:

1. Installation: (When installing iptables package, it will include the ip6tables)

dnf install iptables

2. Verify if iptables is enabled:

systemctl status iptables
ip6tables -L -n -v

3. Flush iptables rules

ip6tables -F

4. When working remotely, it is recommended to allow incoming SSH or port 22 connections

ip6tables -A INPUT -p tcp –dport 22 -m state –state NEW -j ACCEPT

5. Take note that there’s a chance of conflict if running both iptables,ufw and nftables, so it is recommended to remove it.

systemctl disable firewalld
systemctl –now mask firewalld
systemctl –now mask nftables
ufw disable

6. Loopback interface is allowed to accept traffic. Other interfaces should be configured to deny traffic to the loopback network:

IPv6: ::1/128

Apply the rules:

ip6tables -A INPUT -i lo -j ACCEPT
ip6tables -A OUTPUT -o lo -j ACCEPT
ip6tables -A INPUT -s ::1 -j DROP

7. Outbound connections are allowed for all interfaces. Configure also to allow established connections.

ip6tables -A OUTPUT -p tcp -m state –state NEW,ESTABLISHED -j ACCEPT
ip6tables -A OUTPUT -p udp -m state –state NEW,ESTABLISHED -j ACCEPT
ip6tables -A OUTPUT -p icmp -m state –state NEW,ESTABLISHED -j ACCEPT
ip6tables -A INPUT -p tcp -m state –state ESTABLISHED -j ACCEPT
ip6tables -A INPUT -p udp -m state –state ESTABLISHED -j ACCEPT
ip6tables -A INPUT -p icmp -m state –state ESTABLISHED -j ACCEPT

8. Allow only open ports that are needed

There are few ways to verify open or listening ports, e.g. using “ss” command

Sample Output:

root@freelinux:~# ss -4tuln
Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port
udp UNCONN 0 0 *:5355 *:*
udp UNCONN 0 0 *:*
udp UNCONN 0 0 *:*
tcp LISTEN 0 80 *:*
tcp LISTEN 0 128 *:5355 *:*
tcp LISTEN 0 128 *:22 *:*

Execute this command to see the firewall rules

ip6tables -L INPUT -v -n

Syntax to allow open ports:

ip6tables -A INPUT -p <protocol> –dport <port> -m state –state NEW -j ACCEPT

9. Default deny should be configured

The concept is to allow ports or hosts then last rule is to default deny to drop all the traffic.

ip6tables -P INPUT DROP
ip6tables -P OUTPUT DROP
ip6tables -P FORWARD DROP

About the author

Free Linux

View all posts

Leave a Reply