Howdy, Stranger!

It looks like you're new here. If you want to get involved, click one of these buttons!


IPv6 Firewall/Security on OVZ
New on LowEndTalk? Please Register and read our Community Rules.

IPv6 Firewall/Security on OVZ

nstormnstorm Member
edited January 2013 in General

What do you do to secure IPv6 ports of your OpenVZ boxes?

It's not a problem to configure an iptables for IPv4. But when it comes to the IPv6... sigh Yes, you can install ip6tables. But most nodes doesn't have the support even for STATE module in kernel for IPv6. Means you have only basic firewall functions. But most of the services usually will listen on all interfaces/IPs (including IPv6) by default.

Means for example if you firewalled SSH on the IPv4, it will usually still stays open on IPv6 connections. If you enable DROP policy for the IPv6 INPUT tables, this will break your IPv6 connectivity, as no reverse packets will be passing through. And most of the times you cannot add the common automagical "-m state --state RELATED,ESTABLISHED -j ACCEPT". At least LEB boxes I've tried (except for the FRH - respect!) don't have a modules for ip6tables.

Lets assume you are using your LEB box for a single "public" service. Like webhosting, minecraft, etc.

So I wonder how to secure this point? Ask your provider to build some IPv6 modules and setup a correct firewalling on IPv6 (not everyone will agree)? Use a basic ip6tables as stateless firewall (rules are sick this way)? Disable IPv6 listening for private services (like SSH)? Don't care for now because IPv6 are rarely targeted by hackbots?

Comments

  • rm_rm_ Member
    edited January 2013

    1) Just toss the crappy OpenVZ and get Xen/KVM.

    2)

    @nstorm said: Use a basic ip6tables as stateless firewall

    Yes. Not sure about 2.6.32, but on 2.6.18 stateful firewall for IPv6 just plain does not work (--state ESTABLISHED,RELATED will match nothing, or everything, I don't remember which). So even if you manage to get the host to load all the modules you need (and GOOD LUCK TO HAVE THEM STILL LOADED AFTER THE NODE REBOOTS), you end up with a firewall capable of only dropping packets to incoming ports you want to protect (e.g. 22), and not much else.

  • nstormnstorm Member
    edited January 2013

    1) It looks like this is a LET feature to suggest KVM instead of OVZ in any case. So... WHT!? =/
    I don't need features KVM are offering and don't like the overhead of it. But this is not an another thread about os-level vs full virt.

    2) It was fixed:
    # uname -a
    Linux denver 2.6.32-042stab062.2
    # ip6tables -L -v -n
    Chain INPUT (policy DROP 0 packets, 0 bytes)
    pkts bytes target prot opt in out source destination
    5 520 ACCEPT all * * ::/0 ::/0 state RELATED,ESTABLISHED
    0 0 ACCEPT all lo * ::/0 ::/0
    1 104 ACCEPT icmpv6 * * ::/0 ::/0

    # /etc/init.d/ip6tables save
    ip6tables: Saving firewall rules to /etc/sysconfig/ip6table[ OK ]
    # reboot

    # ip6tables -L -v -n
    Chain INPUT (policy DROP 2 packets, 160 bytes)
    pkts bytes target prot opt in out source destination
    1 104 ACCEPT all * * ::/0 ::/0 state RELATED,ESTABLISHED
    0 0 ACCEPT all lo * ::/0 ::/0
    1 104 ACCEPT icmpv6 * * ::/0 ::/0

    And it really works indeed. After the reboot and these rules are autoloaded I can connect to the google.com via IPv6 and receive data (for example).

  • KVM is not always the only alternative.
    Xen-PV is almost as good and has lower overhead than KVM. You can also compile own kernel if you wish and keep it xen compatible, so anything goes.

  • SpiritSpirit Member
    edited January 2013

    Op did not come here to discuss about various type of virtualizations... Many still use and will use OpenVZ with IPv6 in future.

  • rm_rm_ Member

    @Spirit said: Op did not come here to discuss about various type of virtualizations.

    Correct, they asked about a specific problem, and KVM/Xen is not only a solution to this problem, but to a whole class of similar ones. I am not saying this as a KVM or Xen fan, but as someone who spent a lot of time waiting on tickets for providers to load some module for me, or to restore it, because every time they reboot their damn node, it's not loaded again.

  • Yeah, fair point.

  • @Spirit is right. I've even put "OVZ" @ the topic title. I know that KVM/Xen are lacking this issue. But lets assume the migration is not an option and get back on topic. So far OpenVZ seems to be a most popular LEB virtualization type. So I was asking how people are treating IPv6 firewalls on their existing OVZ boxes. Please lets stick to the OpenVZ only.

  • I did issue a support last year for a module to be loaded by my provider, so that stateful will work. It was declined.

  • Any lazy provider should be named and shamed! Don't you think?

  • @Miky said: Any lazy provider should be named and shamed! Don't you think?

    Well the reason given is so that other clients will not be affected.

  • OVZ is a horrible hack overall. Any module loaded introduces risks for stability and some people might think that it is better to have one less customer than one less stable node.

  • So anyone else could reply on topic?

  • compuguycompuguy Member
    edited March 2013

    @nstorm said: Means for example if you firewalled SSH on the IPv4, it will usually still stays open on IPv6 connections. If you enable DROP policy for the IPv6 INPUT tables, this will break your IPv6 connectivity, as no reverse packets will be passing through. And most of the times you cannot add the common automagical "-m state --state RELATED,ESTABLISHED -j ACCEPT". At least LEB boxes I've tried (except for the FRH - respect!) don't have a modules for ip6tables.

    How did you fix this issue?? I'm having the same exact issue with another host, and I'm lost as to how to resolve this ip6tables issue...

    Edit: Added the correct quote.

  • @compuguy not sure if you got that right here. By "it was fixed" I were replied about the issue @rm_ wrote about:

    GOOD LUCK TO HAVE THEM STILL LOADED AFTER THE NODE REBOOTS

    I've pointed out that in 2.6.32 based kernels it loads fine after reboot.

  • compuguycompuguy Member
    edited March 2013

    @nstorm I guess I misquoted in my previous post. What I was trying to ask was what module did you enable that allows for ip6tables to properly process this rule: "-m state --state RELATED,ESTABLISHED -j ACCEPT"? I'm having the same exact issue you had in the OT, and I'm at a loss as to how to solve/fix it.

  • rm_rm_ Member
    edited March 2013

    @nstorm said: I've pointed out that in 2.6.32 based kernels it loads fine after reboot.

    What "it"? And no, everything doesn't start to automatically work fine with 2.6.32. The issue I mentioned (loaded modules that disappear after a node reboot) depends on competency of the host with OpenVZ, not on the kernel version. Some hosts have zero problems ensuring everything stays loaded on 2.6.18, but with the less competent ones you will have issues even on 2.6.32. But like I said my solution is staying away from OpenVZ entirely.

    @compuguy said: what module did you enable that allows for ip6tables to properly process this rule: "-m state --state RELATED,ESTABLISHED -j ACCEPT"?

    This is not a module issue. It is just not possible at all if your host uses 2.6.18. Stateful firewall did not support IPv6 in that ancient kernel.

  • @rm_ said: There is no module to load. It is just not possible at all if your host uses 2.6.18.

    Based on uname -a, my host appears to be using 2.6.32, but the issue that the OP describes is still happening.

    2.6.32-308.8.2.el5.028stab101.1 #1 SMP Sun Jun 24 20:25:35 MSD 2012 x86_64 GNU/Linux

  • rm_rm_ Member
    edited March 2013

    @compuguy There is a mechanism in OpenVZ for 2.6.18 kernel to spoof itself to appear as 2.6.32, so that newer distros (and specifically glibc) don't refuse to work. So it is still possible it's 2.6.18.

  • @compuguy said: 2.6.32-308.8.2.el5.028stab101.1

    This is 2.6.18

    Thanked by 1Nick_A
  • @rds100 said: This is 2.6.18

    Thanks for confirming my fears....I guess I can try convincing them to move to a true 2.6.32 kernel. If that doesn't work, is there anyway to rig up some semblance of a firewall without nf_conntrack_ipv6?

  • rds100rds100 Member
    edited March 2013

    I doubt any host would decide to change their node's kernel just because a customer asked them :)
    But maybe they have other nodes with 2.6.32 kernel. Ask them.
    There is a reason why people still use 2.6.18 - stability.

  • In the end they just offered to move me to a kvm hardware node with the same resources as the openvz node. I'm just going to go with that.....

    @rds100 said: I doubt any host would decide to change their node's kernel just because a customer asked them :)

    But maybe they have other nodes with 2.6.32 kernel. Ask them.
    There is a reason why people still use 2.6.18 - stability.

  • Was one of the lead bidders on the fliphost 1 tb storage VPS. Having the same wonderful issues with ip6tables/shorewall6:

    ERROR: Your kernel/iptables do not include state match support. No version of Shorewall will run on this system

    On the other hand...my OVerZold VPS works like a dream...I didn't even have to open a ticket to get modules enabled......I wish it was that easy with other OpenVZ hosts...sigh.

Sign In or Register to comment.