Linux – Do I need separate iptables rule for ipv6 address

Tags: firewall, iptables, ipv6, linux

On my Debian 5.0 server, I set up some iptables rules like below:

ACCEPT     tcp  --  eee.fff.ggg.hhh      aaa.bbb.ccc.ddd     tcp dpt:80
DROP       tcp  --  0.0.0.0/0            aaa.bbb.ccc.ddd     tcp dpt:80

aaa.bbb.ccc.ddd is my server's IP address, and eee.fff.ggg.hhh is the other server, which is the only one allowed to access the port.
I noticed that there is an inet6 addr set up on my server, and netstat also shows that apache2 is listening on a tcp6 address:

tcp6       0      0 :::80                   :::*                    LISTEN

Do I need a separate iptables rule for the IPv6 address? If so, how can I do so? I know nothing about IPv6. Thanks!
Must I do so? If I don't use ip6tables, will someone bypass the iptables rule and connect to my :80 port through the IPv6 address?

Best Answer

iptables only filters IPv4 traffic. Rules set up in iptables will not touch IPv6 traffic, and thus you should use ip6tables. At the very least you should set the tables rules to default drop. That way only traffic you have explicitly allowed will be available.
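
As an added example (not part of the original answer), the shell function below prints an ip6tables-restore ruleset with a default-drop policy that mirrors the question's IPv4 rule. `build_v6_ruleset` is a hypothetical helper name, and 2001:db8::10 is a placeholder from the documentation prefix standing in for the allowed peer's IPv6 address.

```shell
#!/bin/sh
# Added example, not from the original post.
# Assumptions: build_v6_ruleset is a hypothetical helper; 2001:db8::10 is a
# placeholder (documentation prefix) for the one peer allowed to reach the port.

build_v6_ruleset() {
    peer6=$1
    port=$2
    # ip6tables only accepts IPv6 sources; refuse IPv4 or empty input early.
    case $peer6 in
        *:*) ;;
        *) echo "peer must be an IPv6 address: '$peer6'" >&2; return 1 ;;
    esac
    case $port in
        ''|*[!0-9]*) echo "port must be numeric: '$port'" >&2; return 1 ;;
    esac
    if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
        echo "port out of range: $port" >&2; return 1
    fi
    # Policy lines (":CHAIN POLICY") set default drop for inbound and forwarded
    # traffic. Rule order matters: loopback, replies to our own connections,
    # then ICMPv6 (Neighbor Discovery and Path MTU Discovery ride on it, so
    # dropping it breaks IPv6 connectivity), then the single allowed peer.
    # If you administer the host over IPv6, add an SSH rule before loading.
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p ipv6-icmp -j ACCEPT
-A INPUT -s $peer6 -p tcp --dport $port -j ACCEPT
COMMIT
EOF
}

# Print the ruleset for review; as root, load it with:
#   build_v6_ruleset 2001:db8::10 80 | ip6tables-restore
build_v6_ruleset 2001:db8::10 80
```

After loading, `ip6tables -L -n -v` shows the active policy and per-rule packet counters, which confirms that traffic to the tcp6 listener is being filtered.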