Dies ist Version 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 . Es handelt sich nicht um die aktuelle Version und kann folglich auch nicht geändert werden.

[Zurück zur aktuellen Version][Diese Version wiederherstellen]

Scope#

Raspberry is exposed to the internet for my backup solution. I want to enable ipv6 access only and enable access only from my home computer.
Steps:

1. register your home computer (Windows) at a dyndns service to provide the current ipv6, see dynv6.com
2. Windows: create windows batch script to update dynv6
3. Windows schedule script to run each time the PC is booted, see "Aufgabenplanung" (task scheduler)
4. Raspberry: create and set iptables ruleset
5. Raspberry: use python script to query the current ipv6 from dynv6 (Windows) and replace in iptables ruleset
6. Raspberry: schedule the ipv6 update in firewall (ip6tables)

2. Windows batch script to update dynv6 service#

REM update_dynv6.bat

REM set utf-8
chcp 65001      

echo off
set domain=<your.domain.here>
set token=<youtTokenHere>

echo ---- check and update local ipv6 address at dynv6.com for %domain% ----

rem ping -n 1 -6 %domain%
for /F "tokens=3" %%i in ('"ping -n 1 -6 %domain% | findstr Antwort"')  do set dynv6_ipv6=%%i
rem cut last colon, example 2a02:5a0:4110:f590:29f6:40ba:51b4:b4da:
set dynv6_ipv6=%dynv6_ipv6:~0,-1%
echo dynv6 ipv6= %dynv6_ipv6%

rem ipconfig
rem echo ---------- extracting Temporäre IPv6-Adresse ----------
for /F "tokens=9" %%i in ('"ipconfig | findstr Temp | findstr 2a02"')  do set local_ipv6=%%i
echo local ipv6= %local_ipv6%

if %local_ipv6% == %dynv6_ipv6% (
    echo ipv6 at dynv6 is up to date, update skipped
) else (
    set url="https://dynv6.com/api/update?hostname=%domain%^&token=%token%&ipv6=%ipv6%"
    ECHO updating IPv6
    curl "%url%"   
)

echo:
echo done
pause

iptables#

Commands#

> ls -la /usr/sbin/ip*  # list all commands, there are many
> iptables*             # for ipv4 (in debian busters = nft)
> ip6tables*            # for ipv6 (in debian busters = nft)
> iptables-legacy       # former ones, not nft
> iptables-nft          # directly use nft

Notes:

• all iptables commands (for ipv4) have an ip6tabbles* equivalent (for ipv6)
• see info on nft

> who -u                      # get all sessions with ip and pid
> sudo netstat -pantW         # list network connections, p=programs,a=all,n=IPs,t=tcp,W=wide(not truncate IP address) 
> ip a                        # list all ips
> sudo ip6tables -L -v        # list all ipv6 rules
> sudo ip6tables -n -v --line-numbers -L     # list all ipv6 rules with numeric IPs and rule number

Syntax#

see docu

> sudo iptables -L -v 
> sudo iptables -n -v --line-numbers -L 
> sudo service iptables start		# activate firewalling
> sudo service ip6tables start
> sudo chkconfig iptables on		# enable after reboot
> sudo chkconfig ip6tables on

iptables [-t <table-name>] <command> <chain-name> <parameter-1>  <option-1> <parameter-n> <option-n>

• table-name
  • like [filter, nat, mangle, raw, security], if omitted we use "filter"
• command
  • -F : flush current chain or all if omitted
  • -X : deletes a user-specified chain or all if omitted
  • -Z : zeros the byte and packet counters in all chains
  • -A : apppend a rule at the end
  • -I : inserts at a specified position (similar to replace -R), wihtout position at the top
  • -P : a policy is a fall back and is used after all rules have passede** you can enable certain special addresses earlier
  • -L : list all rules
• chain-name
  • INPUT, FORWARD, OUTPUT (as listed with > iptables -L)
  • you may invent new chain names, but this seems not to be common (command -N)
• parameter-1 (filter)
  • -s : source filter (address[/mask][...])
  • -d : destination filter
  • -p : protocoll filter like [icmp, tcp, udp, all] or those in /etc/protocols, if omitted ALL protocols are considered
    • with -p tcp you can use --dport for destination port filter, any number
    • with -p udp you can use --dport for destination port and --sport as source port filter
    • ports can be also a range like 3000:3200 (all from 3000 to 3200)
    • with -p icmp you can use --icmp-type
  • -i : interface like [eth0, lo, ppp0], without name ALL interfaces are used
  • -j : jump to [ACCEPT, DROP, QUEUE, RETURN] (or others added with modules)
  • -m : adds a comment when listing the rules, syntax >-m comment --comment "My comments here"<
• option-1 (target)
  • [ACCEPT, DROP, QUEUE, RETURN] (or others added with modules)
• option-n (listing options)
  • -v : verbose output
  • -n : displays IP addresses and port numbers in numeric format instead of hostname/network service
• notes
  • the first three commands are usually used to create a fresh ruleset in a script
  • in the chain list and then drop all other later

4. my general ruleset#

#!/bin/bash

# MARKUS

#SOURCE=2a02:5a0:4110:f590:fdd3:3e99:a137:852c
SOURCE=::

# ipv4 ------------------------------------
# Flush all rules and delete all chains for a clean startup
iptables -F
iptables -X
iptables -Z             # Zero out all counters

# drop all ipv4 traffic, we want to use ipv6 only
iptables -A INPUT -s 1.1.1.1 -j ACCEPT
iptables -A OUTPUT -d 1.1.1.1 -j ACCEPT
iptables -A INPUT -s 8.8.8.8 -j ACCEPT
iptables -A OUTPUT -d 8.8.8.8 -j ACCEPT

iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A INPUT -j DROP
iptables -A FORWARD -j DROP
iptables -A OUTPUT -j DROP

# ipv6 ------------------------------------
# Flush all rules and delete all chains for a clean startup
ip6tables -F
ip6tables -X
ip6tables -Z

# drop all ipv6 traffic, except EbelStube
# do not limit to --dport 22, because the source has random ports (?)
# add first to enabel replacing 1. rule later
ip6tables -A INPUT  -s $SOURCE -j ACCEPT
ip6tables -A OUTPUT -d $SOURCE -j ACCEPT

# allow ipv6 local loopback
ip6tables -A INPUT -i lo -j ACCEPT
ip6tables -A OUTPUT -o lo -j ACCEPT

# drop everthing else
ip6tables -P FORWARD DROP               # as policy generally
ip6tables -A INPUT  -j DROP
ip6tables -A OUTPUT -j DROP

# update first ip6tables rules and enable my computer
python update_ip6tables.py

Python#

• package "python3-iptables" manages legacy ones only, docu1, docu2
• package "python3-nftables" manages nft tables, docu
• alternatively you can use subprocess.run to call the original system commands

5. subprocess#

import socket   # determine ipv6
import subprocess

tupel = socket.getaddrinfo('your.pc.com', None, socket.AF_INET6)
# tupel like [(<AddressFamily.AF_INET6: 23>, 0, 0, '', ('2a02:5a0:4110:f590:4670:d3e6:f2bc:ee', 8384, 0, 0))]
print("tupel=", tupel)

ipv6=tupel[0][4][0]
print("ipv6=", ipv6)

subprocess.run(["/usr/sbin/ip6tables", "-R", "INPUT", "1", "-s", ipv6, "-j", "ACCEPT"])
subprocess.run(["/usr/sbin/ip6tables", "-R", "OUTPUT", "1", "-d", ipv6, "-j", "ACCEPT"])

6. Schedule script with crontab#

Run every 15 minutes

*/15 * * * mon /home/markus/yourscript.sh