iptables Script Update - Logging and IPv6 Issues
29 July, 2009
Recently, Bobby Krupczak, a reader of "Linux Firewalls"
pointed out to me that the iptables script used in the book does
not log traffic over the loopback interface, and that such traffic is also blocked
because of the INPUT and OUTPUT policies of "DROP" (instead of having a separate DROP rule). This
should be made more clear in the book. Quite right - all logging is excluded for traffic that
is sent or received over the loopback interface, and the iptables policy also
drops loopback traffic because no ACCEPT rule exists. The lack of a logging rule
is mostly because logging traffic generated locally and restricted to the loopback interface
is usually a distraction from logging more important (and potentially malicious)
traffic from remote networks. However, if a local process seems to have
connectivity issues, then making sure that loopback traffic flows unimpeded is
important. The iptables.sh script has been updated to ACCEPT all loopback
traffic handled by the INPUT and OUTPUT chains.
On another note, I would also like to mention that the script has been updated to block IPv6 traffic altogether. With more networks routing IPv6 these days, and with things like Federal mandates for IPv6 compliance on Federal networks, IPv6 adoption is... still slow. However, Linux has had the ability to speak IPv6 for a long time, and Nmap can scan for IPv6-enabled services. Hence it is important to apply iptables controls to IPv6 traffic via ip6tables. The consequences of not doing this could be a system compromise via a service that can communicate over IPv6, but that is normally firewalled off in the IPv4 world.
Here is an example of scanning ::1 on an Ubuntu-9.04 system with Nmap without any ip6tables controls applied. Note that three important services are available over IPv6:
[root@isengard ~]# nmap -6 -P0 ::1
Starting Nmap 5.00 ( http://nmap.org ) at 2009-07-28 21:10 EDT
Interesting ports on ip6-localhost (::1):
Not shown: 997 closed ports
PORT STATE SERVICE
22/tcp open ssh
53/tcp open domain
80/tcp open http
Nmap done: 1 IP address (1 host up) scanned in 0.11 seconds
With the updated iptables script
deployed, Nmap no longer sees these services.
Have you checked the output of ip6tables -v -nL | grep DROP lately on your Linux system? If you are running a different operating system, are you confident that IPv6 traffic is being filtered appropriately?
[root@isengard ~]# ip6tables -v -nL | grep DROP
Chain INPUT (policy DROP 0 packets, 0 bytes)
Chain FORWARD (policy DROP 0 packets, 0 bytes)
Chain OUTPUT (policy DROP 0 packets, 0 bytes)
