[{ALLOW view All}]
[{ALLOW edit Markus}]
[{ALLOW view All}]
[{ALLOW edit Markus}]
[{TableOfContents }]
!! Scope
Raspberry is exposed to the internet for my backup solution. I want to enable ipv6 access only and enable access only from my home computer. \\
Steps:
# register your home computer (Windows) at a dyndns service to provide the current ipv6, see [dynv6.com|https://dynv6.com]
# Windows: create windows batch script to update dynv6
# Windows schedule script to run each time the PC is booted, see "Aufgabenplanung" (task scheduler)
# Raspberry: create and set iptables ruleset
# Raspberry: use python script to query the current ipv6 from dynv6 (Windows) and replace in iptables ruleset
# Raspberry: schedule the ipv6 update in firewall (ip6tables)
!2. Windows batch script to update dynv6 service
{{{
REM update_dynv6.bat
REM set utf-8
chcp 65001
echo off
set domain=<your.domain.here>
set token=<youtTokenHere>
echo ---- check and update local ipv6 address at dynv6.com for %domain% ----
rem ping -n 1 -6 %domain%
for /F "tokens=3" %%i in ('"ping -n 1 -6 %domain% | findstr Antwort"') do set dynv6_ipv6=%%i
rem cut last colon, example 2a02:5a0:4110:f590:29f6:40ba:51b4:b4da:
set dynv6_ipv6=%dynv6_ipv6:~0,-1%
echo dynv6 ipv6= %dynv6_ipv6%
rem ipconfig
rem echo ---------- extracting Temporäre IPv6-Adresse ----------
for /F "tokens=9" %%i in ('"ipconfig | findstr Temp | findstr 2a02"') do set local_ipv6=%%i
echo local ipv6= %local_ipv6%
if %local_ipv6% == %dynv6_ipv6% (
echo ipv6 at dynv6 is up to date, update skipped
) else (
set url="https://dynv6.com/api/update?hostname=%domain%^&token=%token%&ipv6=%ipv6%"
ECHO updating IPv6
curl "%url%"
)
echo:
echo done
pause
}}}
!! iptables
!Commands
{{{
> ls -la /usr/sbin/ip* # list all commands, there are many
> iptables* # for ipv4 (in debian busters = nft)
> ip6tables* # for ipv6 (in debian busters = nft)
> iptables-legacy # former ones, not nft
> iptables-nft # directly use nft
}}}
Notes:
* all iptables commands (for ipv4) have an ip__6__tabbles* equivalent (for ipv6)
* see [info|https://developers.redhat.com/blog/2020/08/18/iptables-the-two-variants-and-their-relationship-with-nftables#using_iptables_nft] on nft
{{{
> who -u # get all sessions with ip and pid
> sudo netstat -pantW # list network connections, p=programs,a=all,n=IPs,t=tcp,W=wide(not truncate IP address)
> ip a # list all ips
> sudo ip6tables -L -v # list all ipv6 rules
> sudo ip6tables -n -v --line-numbers -L # list all ipv6 rules with numeric IPs and rule number
}}}
! Syntax
see [docu|https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/4/html/reference_guide/s1-iptables-options#s2-iptables-options-structure]
{{{
> sudo iptables -L -v
> sudo iptables -n -v --line-numbers -L
> sudo service iptables start # activate firewalling
> sudo service ip6tables start
> sudo chkconfig iptables on # enable after reboot
> sudo chkconfig ip6tables on
}}}
{{{
iptables [-t <table-name>] <command> <chain-name> <parameter-1> <option-1> <parameter-n> <option-n>
}}}
* table-name
** like ~[filter, nat, mangle, raw, security~], if omitted we use "filter"
* command
** -F : flush current chain or all if omitted
** -X : deletes a user-specified chain or all if omitted
** -Z : zeros the byte and packet counters in all chains
** -A : apppend a rule at the end
** -I : inserts at a specified position (similar to replace -R), wihtout position at the top
** -P : a policy is a fall back and is used after all rules have passede** you can enable certain special addresses earlier
** -L : list all rules
* chain-name
** INPUT, FORWARD, OUTPUT (as listed with > iptables -L)
** you may invent new chain names, but this seems not to be common (command -N)
* parameter-1 (filter)
** -s : source filter (address~[/mask~]~[...~])
** -d : destination filter
** -p : protocoll filter like ~[icmp, tcp, udp, all~] or those in /etc/protocols, if omitted ALL protocols are considered
*** with -p tcp you can use --dport for destination port filter, any number
*** with -p udp you can use --dport for destination port and --sport as source port filter
*** ports can be also a range like 3000:3200 (all from 3000 to 3200)
*** with -p icmp you can use --icmp-type
** -i : interface like ~[eth0, lo, ppp0~], without name ALL interfaces are used
** -j : jump to ~[ACCEPT, DROP, QUEUE, RETURN~] (or others added with modules)
** -m : adds a comment when listing the rules, syntax >-m comment --comment "My comments here"<
* option-1 (target)
** ~[ACCEPT, DROP, QUEUE, RETURN~] (or others added with modules)
* option-n (listing options)
** -v : verbose output
** -n : displays IP addresses and port numbers in numeric format instead of hostname/network service
* notes
** the first three commands are usually used to create a fresh ruleset in a script
** in the chain list and then drop all other later
! 4. my general ruleset
We also need to enable the local interface and the DNS nameservers.\\
I use a custom DNS server setting, because the fritzbox does not resolve my dynv6 domains (?).
{{{
> sudo nmcli -o device show # show interfaces settings
> sudo nmcli -p connection show # show interface status
#THIS IS NECESSARY
> sudo nmcli con mod "Wired connection 1" ipv4.dns "1.1.1.1,8.8.8.8" # add cloudflare and google dns
> sudo nmcli con mod "Wired connection 1" ipv4.ignore-auto-dns no # this adds "search fritz.box" to get ips at all from frit.box
> sudo nmcli con mod "Wired connection 1" ipv6.ignore-auto-dns yes # we skip ipv6 dns
> sudo nmcli c down "Wired connection 1" && sudo nmcli c up "Wired connection 1" # restart
> sudo vi /etc/resolv.conf # validate settings
}}}
{{{
#!/bin/bash
# MARKUS
SOURCE=::
# ipv4 ------------------------------------
# Flush all rules and delete all chains for a clean startup
iptables -F
iptables -X
iptables -Z # Zero out all counters
# drop all ipv4 traffic, we want to use ipv6 only
iptables -A INPUT -s 1.1.1.1 -j ACCEPT
iptables -A OUTPUT -d 1.1.1.1 -j ACCEPT
iptables -A INPUT -s 8.8.8.8 -j ACCEPT
iptables -A OUTPUT -d 8.8.8.8 -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A INPUT -j DROP
iptables -A FORWARD -j DROP
iptables -A OUTPUT -j DROP
# ipv6 ------------------------------------
# Flush all rules and delete all chains for a clean startup
ip6tables -F
ip6tables -X
ip6tables -Z
# drop all ipv6 traffic, except EbelStube
# do not limit to --dport 22, because the source has random ports (?)
# add first to enabel replacing 1. rule later
ip6tables -A INPUT -s $SOURCE -j ACCEPT
ip6tables -A OUTPUT -d $SOURCE -j ACCEPT
# allow ipv6 local loopback
ip6tables -A INPUT -i lo -j ACCEPT
ip6tables -A OUTPUT -o lo -j ACCEPT
# drop everthing else
ip6tables -P FORWARD DROP # as policy generally
ip6tables -A INPUT -j DROP
ip6tables -A OUTPUT -j DROP
# update first ip6tables rules and enable my computer
/home/markus/update_ip6tables.py
}}}
!! Python
* package "python3-iptables" manages legacy ones only, [docu1|https://python-iptables.readthedocs.io/en/latest/examples.html], [docu2|https://ldx.github.io/python-iptables/]
* package "python3-nftables" manages nft tables, [docu|https://ral-arturo.org/2020/11/22/python-nftables-tutorial.html]
* alternatively you can use subprocess.run to call the original system commands
! 5. subprocess
{{{
#!/usr/bin/env python
import socket # determine ipv6
import subprocess
tupel = socket.getaddrinfo('your.pc.com', None, socket.AF_INET6)
# tupel like [(<AddressFamily.AF_INET6: 23>, 0, 0, '', ('2a02:5a0:4110:f590:4670:d3e6:f2bc:ee', 8384, 0, 0))]
print("tupel=", tupel)
ipv6=tupel[0][4][0]
print("ipv6=", ipv6)
subprocess.run(["/usr/sbin/ip6tables", "-R", "INPUT", "1", "-s", ipv6, "-j", "ACCEPT"])
subprocess.run(["/usr/sbin/ip6tables", "-R", "OUTPUT", "1", "-d", ipv6, "-j", "ACCEPT"])
}}}
! 6. Schedule script with crontab
Run every 15 minutes
{{{
> sudo crontab -u root -e
# add following
*/15 * * * * /home/markus/update_ip6tables.py
}}}