IPv6: Living in the future, etc, etc
Well, it’s 2010, and I’m finally living in The Future. I now have an ISP that is offering native IPv6, my colo provider. I switched over my irssi connections to make sure all IPv6-capable IRC networks are connecting via IPv6. (OFTC, Foonetic, Coldfront, Freenode – sadly, Slashnet is the only one without an IPv6 server.) I have also added AAAA records to many of my hosted domains, such as finnie.org, finnix.org, x11r5.com, velociraptors.info and hampr.com. Also, I can reasonably assume I am running the world’s only IPv6 TCPMUX server.
While I do not have native IPv6 at home, I am using Hurricane Electric’s Tunnel Broker service. I’m not going to go into details on how to set this up, but I do want to stress the importance of firewalling IPv6. In the IPv4 world, NAT is used as a security crutch. In “The Future”, when everything is IPv6, NAT will be irrelevant, but because of that, firewalling is that much more important. If you use a IPv6 tunneling service, be sure your internal LAN (which then becomes an external LAN) is properly firewalled.
In Linux, this requires the use of ip6tables. I personally use a simple setup, allowing outbound traffic, inbound ICMP, inbound SSH and a few select inbound services to individual machines. I’ve included my ip6tables config below.
# Set a default DROP policy. Note that this only affects IPv6 traffic, # it does not affect the regular iptables FORWARD policy. ip6tables -P FORWARD DROP # Allow any outbound traffic from your local LAN (2001:470:1f05:22e::/64). # Replace "hetunnel" with your tunnel/outbound interface (or leave it off, # though it helps prevent possible spoofing). ip6tables -A FORWARD -s 2001:470:1f05:22e::/64 -o hetunnel -j ACCEPT # Allow any established inbound or outbound traffic. ip6tables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT # Allow ICMP inbound. "ipv6-icmp" is required for ip6tables here. ip6tables -A FORWARD -p ipv6-icmp -j ACCEPT # Allow SSH inbound to any host. ip6tables -A FORWARD -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT # Allow µTorrent inbound tcp/udp, to my Vista machine in this case. ip6tables -A FORWARD -p tcp -d 2001:470:1f05:22e:24c3:ff01:e72a:3487 \ --dport 30173 -m state --state NEW -j ACCEPT ip6tables -A FORWARD -p udp -d 2001:470:1f05:22e:24c3:ff01:e72a:3487 \ --dport 30173 -m state --state NEW -j ACCEPT