Martin Koníček


IPv6 in Raspbian securely with IPTables


When a Raspberry Pi sits behind a NAT firewall, it is common to discover that its local services are reachable from the whole internet once the provider enables IPv6, because the Pi then has a globally routable IPv6 address that the IPv4 NAT does not shield. To prevent this, I will discuss how to set up a firewall for IPv6 on the Raspberry Pi.

IP6Tables

I was surprised to learn that there are two types of iptables: the classic iptables for IPv4 and ip6tables for IPv6. This post covers how to make the ip6tables rules persist across reboots of the Raspberry Pi.

Service

First, you need to create an ip6tables systemd service that starts before networking and loads the IPv6 rules.

/etc/systemd/system/ip6tables.service

[Unit]
Description=Packet Filtering Framework
Before=network.target
DefaultDependencies=no

[Service]
Type=oneshot
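# The input redirection needs a shell. Use the absolute path to sh:
# older systemd releases reject a bare command name here.
ExecStart=/bin/sh -c '/sbin/ip6tables-restore < /etc/ip6tables.ipv6.rules'
ExecReload=/bin/sh -c '/sbin/ip6tables-restore < /etc/ip6tables.ipv6.rules'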
ExecStop=/sbin/ip6tables -F
RemainAfterExit=yes

[Install]
WantedBy=multi-user.target

Next, the rules file drops all inbound traffic except ICMPv6, which includes ping requests, and packets that belong to already open connections.

/etc/ip6tables.ipv6.rules

*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [280:28349]
-A INPUT -p ipv6-icmp -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT

Don't forget to enable the service.

systemctl enable --now ip6tables

And that's all you need to do.
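
A check that can be run on the rules file before enabling the service, as an added example that is not part of the original post: the hypothetical helper `audit_rules` reads the file offline, confirms that INPUT defaults to DROP while ICMPv6 and established traffic are still accepted, and lists any other ACCEPT rule as exposed. The embedded rules are a constructed copy of the file above.

```shell
#!/bin/sh
# Added example (not from the article): lint an ip6tables-save style rules file.
# Returns 0 when the filter table default-denies INPUT and still accepts what
# IPv6 needs to work; every other ACCEPT rule on INPUT is listed as "OPEN".
audit_rules() {
    awk '
        /^\*/ { table = substr($1, 2) }           # "*filter" starts a table
        table != "filter" { next }
        /^:INPUT / { policy = $2 }                # ":INPUT DROP [0:0]"
        /^COMMIT/  { committed = 1 }
        /^-A INPUT / && /-j ACCEPT/ {
            if ($0 ~ /-p (ipv6-icmp|icmpv6)/) {
                # A rule narrowed to one type (e.g. echo-request) does not
                # cover neighbor discovery, so it is not counted here.
                if ($0 !~ /--icmpv6-type/) icmp = 1
            }
            else if ($0 ~ /--(state|ctstate) [A-Z,]*ESTABLISHED/) est = 1
            else if ($0 ~ /-i lo( |$)/) lo = 1
            else print "OPEN: " $0                # reachable from any IPv6 host
        }
        END {
            if (policy != "DROP") { print "FAIL: INPUT policy is " (policy == "" ? "unset" : policy); bad = 1 }
            if (!icmp) { print "FAIL: no rule accepts all ICMPv6; neighbor discovery may break"; bad = 1 }
            if (!est) { print "FAIL: replies to outbound connections are not accepted"; bad = 1 }
            if (!committed) { print "FAIL: filter table has no COMMIT line"; bad = 1 }
            if (!lo) print "NOTE: no -i lo rule, so new connections to ::1 hit the INPUT policy"
            exit (bad + 0)
        }
    ' "$1"
}

# Constructed sample: a copy of the rules file from this article.
sample=$(mktemp)
cat > "$sample" <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [280:28349]
-A INPUT -p ipv6-icmp -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT
EOF
audit_rules "$sample"; echo "exit status: $?"
rm -f "$sample"
```

On the Pi itself, `ip6tables-restore --test < /etc/ip6tables.ipv6.rules` additionally parses the file with the real tool without committing it.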
