Open jnorell opened 10 years ago
We need ip6tables rules setup. On one of our machines running vzfirewall:
```
# ip6tables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
```
No ipv6 firewall rules, but if you check, you'll find (possibly many) processes listening on ipv6, e.g.
```
# netstat -ntau | grep ^tcp6 | grep LISTEN | sort -u
tcp6       0      0 :::110                  :::*                    LISTEN
tcp6       0      0 ::1:25                  :::*                    LISTEN
tcp6       0      0 :::143                  :::*                    LISTEN
tcp6       0      0 ::1:6010                :::*                    LISTEN
tcp6       0      0 ::1:6011                :::*                    LISTEN
tcp6       0      0 :::22                   :::*                    LISTEN
tcp6       0      0 :::25                   :::*                    LISTEN
tcp6       0      0 :::443                  :::*                    LISTEN
tcp6       0      0 :::8009                 :::*                    LISTEN
tcp6       0      0 :::9080                 :::*                    LISTEN
tcp6       0      0 :::993                  :::*                    LISTEN
tcp6       0      0 :::995                  :::*                    LISTEN
```
Our openvz hardware nodes are one firewall upgrade away from having live ipv6 connectivity, so this is something we'll need soon. Maybe in the short term we add a setting to block all IPv6 (just set chain policies to DROP)? Then keep that setting as a feature even in future versions when full ip6tables support is working.
Implementation issues:

- Address parsing, both the openvz container ip address (see https://openvz.org/IPv6) as well as addresses in firewall rules (resolve() function).
- Custom rules will probably need a handle to specify if they're ipv4 or ipv6.
- Need a second file to store ip6tables rules (e.g. iptables-persistent uses /etc/iptables/rules.v6).
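One way to handle the per-family split and the short-term "block all IPv6" setting proposed above, as an added example that is not vzfirewall's own code. The rule tuple format, the RULES sample and the loopback/ICMPv6 allowances in block mode are assumptions; hostnames (the resolve() case) are deliberately rejected rather than resolved.

```python
"""Split vzfirewall-style rules into separate iptables/ip6tables restore files."""
import ipaddress

# Hypothetical rule shape: (chain, proto, port, source address or CIDR).
# Constructed sample input, not taken from any real configuration.
RULES = [
    ("INPUT", "tcp", 22, "192.0.2.0/24"),
    ("INPUT", "tcp", 25, "2001:db8::/32"),
    ("INPUT", "tcp", 443, "0.0.0.0/0"),
    ("INPUT", "tcp", 443, "::/0"),
]

def family(addr):
    """Return 4 or 6 for an address/network string; hostnames raise ValueError.

    A resolve() step would need both A and AAAA records and is left out here."""
    return ipaddress.ip_network(addr, strict=False).version

def render(rules, block_all_v6=False):
    """Return {'v4': text, 'v6': text} in iptables-restore format.

    Each rule is written only to the table of its own family: an IPv6 source
    fed to iptables-restore fails with 'host/network ... not found'.
    block_all_v6 sets the IPv6 INPUT/FORWARD policies to DROP and ignores the
    IPv6 rules. Loopback and ICMPv6 are still accepted (assumption): without
    ICMPv6 the host loses neighbour discovery on its own links.
    """
    by_family = {4: [], 6: []}
    for chain, proto, port, src in rules:
        by_family[family(src)].append(
            f"-A {chain} -s {src} -p {proto} --dport {port} -j ACCEPT")
    out = {}
    for ver, key in ((4, "v4"), (6, "v6")):
        drop = ver == 6 and block_all_v6
        policy = "DROP" if drop else "ACCEPT"
        lines = ["*filter",
                 f":INPUT {policy} [0:0]",
                 f":FORWARD {policy} [0:0]",
                 ":OUTPUT ACCEPT [0:0]"]
        if drop:
            lines += ["-A INPUT -i lo -j ACCEPT", "-A INPUT -p icmpv6 -j ACCEPT"]
        else:
            lines += by_family[ver]
        lines.append("COMMIT")
        out[key] = "\n".join(lines) + "\n"
    return out
```

The two texts are what would be written to /etc/iptables/rules.v4 and rules.v6 and fed to iptables-restore and ip6tables-restore respectively.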
Please implement ipv6 support. If you have configured one container with an ipv6 address, the whole firewall doesn't work.
Default action for incoming packets - reject.
```
-A INPUT -j vzfw-deny
-A FORWARD -j vzfw-deny
COMMIT
Testing new rules...
iptables-restore v1.4.14: host/network `2a01:xxxx:xxxx:xxxx::217' not found
Error occurred at line: 95
Try `iptables-restore -h' or 'iptables-restore --help' for more information.
Test failed. Apply nothing.
```
IPv6 works best when veth devices are used to bridge VEs to their host.
With better veth support we can specify rules that match the CT interface, not specific IP addresses. Hopefully I'll have a pull request for that soon, then the remainder is just the config/syntax to specify rules for ipv4 vs. ipv6 vs. both, and then of course actually calling ip6tables.
vzfirewall could use updating for ipv6 support