Martin Koníček


IPv6 in Raspbian securely with IPTables


When a Raspberry Pi sits behind a NAT firewall, it is common to discover that its local services are nevertheless accessible to the world once the provider allows IPv6, because the NAT only covers IPv4 traffic. To prevent this, I will discuss how to set up an IPv6 firewall on the Raspberry Pi.

IP6Tables

I was surprised to learn that there are two types of iptables: the classic iptables for IPv4 and ip6tables for IPv6. This post covers how to configure ip6tables rules so that they persist after the Raspberry Pi reboots.

Service

First, create a systemd service for ip6tables that starts before networking and loads the IPv6 rules.

/etc/systemd/system/ip6tables.service

[Unit]
Description=Packet Filtering Framework
Before=network.target
DefaultDependencies=no

[Service]
Type=oneshot
# Absolute path to sh: older systemd versions reject a bare command name
ExecStart=/bin/sh -c '/sbin/ip6tables-restore < /etc/ip6tables.ipv6.rules'
ExecReload=/bin/sh -c '/sbin/ip6tables-restore < /etc/ip6tables.ipv6.rules'
ExecStop=/sbin/ip6tables -F
RemainAfterExit=yes

[Install]
WantedBy=multi-user.target

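Next, create the rules file. It drops incoming traffic by default and accepts only ICMPv6 (which includes ping requests) and packets that belong to already open connections.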

/etc/ip6tables.ipv6.rules

*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [280:28349]
-A INPUT -p ipv6-icmp -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT

Don't forget to enable the service.

systemctl enable --now ip6tables

And that's all you need to do.
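Before enabling the service, the INPUT chain of the rules file can be checked offline. The script below is an added example, not part of the original post: the names `audit_ip6_rules` and `sample_rules` and the extra port 8080 rule in the sample are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: audit the INPUT chain of an ip6tables-save style file
# (argument or stdin) before ip6tables-restore loads it.
# Prints one finding per line; returns non-zero if any finding is a FAIL.
audit_ip6_rules() {
    awk '
        /^\*/ { table = substr($1, 2) }        # "*filter" opens a table
        table != "filter" { next }             # only the filter table is audited
        $1 == ":INPUT" { policy = $2 }         # ":INPUT DROP [0:0]" sets the default
        $1 == "COMMIT" { committed = 1 }
        $1 == "-A" && $2 == "INPUT" && /-j ACCEPT/ {
            if (/-p (ipv6-icmp|icmpv6)/) icmp = 1
            else if (/--(state|ctstate) [A-Z,]*ESTABLISHED/) est = 1
            else if (/-i lo( |$)/) lo = 1
            else opened[++n] = $0              # any other ACCEPT exposes a service
        }
        END {
            if (policy != "DROP") { print "FAIL: INPUT policy is " (policy ? policy : "unset") ", expected DROP"; bad = 1 }
            if (!committed) { print "FAIL: no COMMIT line, the table would not be applied"; bad = 1 }
            if (!icmp) print "WARN: ICMPv6 not accepted, neighbor discovery and path MTU discovery will break"
            if (!est)  print "WARN: no RELATED,ESTABLISHED rule, replies to outbound connections are dropped"
            if (!lo)   print "NOTE: no loopback rule, new connections to ::1 are dropped"
            for (i = 1; i <= n; i++) print "OPEN: " opened[i]
            exit bad + 0
        }
    ' "${1:--}"
}

# Constructed sample: the rules from the post (counters zeroed) plus one
# invented rule that opens TCP port 8080, to show how exposure is reported.
sample_rules() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p ipv6-icmp -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8080 -j ACCEPT
COMMIT
EOF
}

sample_rules | audit_ip6_rules
```

To check the real file, run `audit_ip6_rules /etc/ip6tables.ipv6.rules`; every `OPEN:` line is a service reachable over IPv6 from outside.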
