Martin Koníček


IPv6 in Raspbian securely with IPTables


When running a Raspberry Pi behind a NAT firewall, it is common to discover that its local services are reachable from the whole internet once the provider enables IPv6, because the IPv4 NAT does not cover IPv6 traffic. To prevent this, I will show how to set up an IPv6 firewall on the Raspberry Pi.

IP6Tables

I was surprised to learn that there are two separate iptables tools: the classic iptables for IPv4 and ip6tables for IPv6. Rules loaded with iptables do not apply to IPv6 traffic. This post covers how to configure ip6tables rules so that they persist after the Raspberry Pi reboots.

Service

First, create an ip6tables service that starts before networking comes up and loads the IPv6 rules.

/etc/systemd/system/ip6tables.service

[Unit]
Description=Packet Filtering Framework
Before=network.target
DefaultDependencies=no

[Service]
Type=oneshot
ExecStart=/bin/sh -c '/sbin/ip6tables-restore < /etc/ip6tables.ipv6.rules'
ExecReload=/bin/sh -c '/sbin/ip6tables-restore < /etc/ip6tables.ipv6.rules'
ExecStop=/sbin/ip6tables -F
RemainAfterExit=yes

[Install]
WantedBy=multi-user.target

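Next, we allow only ICMPv6 (which includes ping requests) and packets that belong to already open connections. All other incoming traffic is dropped by the INPUT policy.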

/etc/ip6tables.ipv6.rules

*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [280:28349]
-A INPUT -p ipv6-icmp -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT

Don't forget to enable the service.

systemctl enable --now ip6tables

And that's all you need to do.
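To check a rule file like the one above before the service loads it, here is an added example (not part of the original post) that audits an ip6tables-save style file offline. The function name `audit_ip6_rules` and its FAIL/WARN/OPEN output format are assumptions of this example; the sample input is the rule set from this post.

```shell
#!/bin/sh
# Added example (not from the original post): audit an ip6tables-save style
# rules file before ip6tables-restore loads it at boot.
# audit_ip6_rules FILE prints findings; returns 0 only if INPUT fails closed.
audit_ip6_rules() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }              # comments, blank lines
        /^\*/ { table = substr($1, 2); next }          # table header (*filter)
        table != "filter" { next }
        /^COMMIT/  { committed = 1; next }
        /^:INPUT / { policy = $2; next }               # default policy of INPUT
        /^-A INPUT / {
            rule = $0; sub(/^-A INPUT /, "", rule)
            if (rule !~ /-j ACCEPT/) next
            if (rule ~ /^-i lo /) { loopback = 1; next }
            if (rule ~ /--(state|ctstate) [A-Z,]*ESTABLISHED/) { stateful = 1; next }
            if (rule == "-j ACCEPT") { print "FAIL: unconditional ACCEPT in INPUT"; bad = 1; next }
            print "OPEN: " rule                        # admits new inbound traffic
        }
        END {
            if (policy != "DROP") { print "FAIL: INPUT policy is " (policy == "" ? "unset" : policy); bad = 1 }
            if (!committed) { print "FAIL: no COMMIT, rules would not be applied"; bad = 1 }
            if (!stateful) print "WARN: no ESTABLISHED rule, replies to outbound traffic are dropped"
            if (!loopback) print "WARN: no -i lo rule, new connections to ::1 are dropped"
            exit bad + 0
        }
    ' "$1"
}

# Constructed sample: the rule set from this post, written to a temp file.
sample=$(mktemp)
cat > "$sample" <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [280:28349]
-A INPUT -p ipv6-icmp -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT
EOF
audit_ip6_rules "$sample" && echo "PASS: INPUT fails closed"
rm -f "$sample"
```

Every `OPEN:` line is a rule that accepts new connections from outside, so the list should contain only what you intend to expose.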
