We US-ians have been sheltered from the exhaustion of IPv4 addresses, but they have run out. IPv6 networks are up and running, so we have no excuses for not being IPv6 literate. Today our scintillating topic is iptables rules for IPv6, because, I am sad to report, our faithful IPv4 iptables rules do not magically work on IPv6 packets, and we must write new rules.
Before we dive in, you might want to review these previous articles for basic iptables concepts and scripts:
- Building Linux Firewalls With Good Old Iptables: Part 1,
- Building Linux Firewalls With Good Old Iptables: Part 2
- Building IPv6 Firewalls: IPv6 Security Myths
iptables should be the same on all Linuxes, as it is part of the kernel, but if your chosen Linux distribution does something weird, it’s not my fault. You should have
ip6tables, ip6tables-restore, ip6tables-save, ip6tables-apply, and their corresponding man pages. Some Linux distributions install with a ready-made firewall and their own tools for stopping and starting it. You must decide whether to disable your distro configuration, or modify it if it’s based on iptables.
ip6tables operates the same way as
iptables. It even supports NAT, network address translation, although I can’t think of a good use case for NAT in IPv6. NAT does masquerading and port forwarding, which has extended the lifespan of the inadequate IPv4 address pool by making a single public IPv4 address serve many hosts in private address spaces. NAT rewrites the private addresses to the single public address, and keeps track of which packets belong to which private addresses. This isn’t necessary in IPv6 because the pool of available addresses is so large we’ll never run out (at least not in my lifetime).