icmpv6-firewall.md

ICMPv6 Firewall Rules

Allow in ICMP messages (highly recommended)

ip6tables -A INPUT   -p ipv6-icmp -m icmp6 --icmpv6-type 128 \
-m --comment Permit-EchoRequest   -j ACCEPT

ip6tables -A INPUT   -p ipv6-icmp -m icmp6 --icmpv6-type 129 \
-m --comment Permit-EchoReply     -j ACCEPT

ip6tables -A INPUT   -p ipv6-icmp -m icmp6 --icmpv6-type 1   \
-m --comment Permit-DestUnreach   -j ACCEPT

ip6tables -A INPUT   -p ipv6-icmp -m icmp6 --icmpv6-type 2   \
-m --comment Permit-PacketTooBig  -j ACCEPT

ip6tables -A INPUT   -p ipv6-icmp -m icmp6 --icmpv6-type 3   \
-m --comment Permit-TimeExceeded  -j ACCEPT

ip6tables -A INPUT   -p ipv6-icmp -m icmp6 --icmpv6-type 4/0 \
-m --comment Permit-BadHeader     -j ACCEPT

ip6tables -A INPUT   -p ipv6-icmp -m icmp6 --icmpv6-type 4/1 \
-m --comment Permit-UnknownHeader -j ACCEPT

Forward ICMP messages (essential for routers)

ip6tables -A FORWARD -p ipv6-icmp -m icmp6 --icmpv6-type 128 \
-m --comment Permit-EchoRequest   -j ACCEPT

ip6tables -A FORWARD -p ipv6-icmp -m icmp6 --icmpv6-type 129 \
-m --comment Permit-EchoReply     -j ACCEPT

ip6tables -A FORWARD -p ipv6-icmp -m icmp6 --icmpv6-type 1   \
-m --comment Permit-DestUnreach   -j ACCEPT

ip6tables -A FORWARD -p ipv6-icmp -m icmp6 --icmpv6-type 2   \
-m --comment Permit-PacketTooBig  -j ACCEPT

ip6tables -A FORWARD -p ipv6-icmp -m icmp6 --icmpv6-type 3   \
-m --comment Permit-TimeExceeded  -j ACCEPT

ip6tables -A FORWARD -p ipv6-icmp -m icmp6 --icmpv6-type 4/0 \
-m --comment Permit-BadHeader     -j ACCEPT

ip6tables -A FORWARD -p ipv6-icmp -m icmp6 --icmpv6-type 4/1 \
-m --comment Permit-UnknownHeader -j ACCEPT

Allow in Neighbour Discovery Messages (essential)

ip6tables -A INPUT   -p ipv6-icmp -m icmp6 --icmpv6-type 133 \
-m comment --comment Permit-RouterSolicit -j ACCEPT

ip6tables -A INPUT   -p ipv6-icmp -m icmp6 --icmpv6-type 134 \
-m comment --comment Permit-RouterAdvert  -j ACCEPT

ip6tables -A INPUT   -p ipv6-icmp -m icmp6 --icmpv6-type 135 \
-m comment --comment Permit-NeighSolicit  -j ACCEPT

ip6tables -A INPUT   -p ipv6-icmp -m icmp6 --icmpv6-type 134 \
-m comment --comment Permit-RouterAdvert  -j ACCEPT 

Multicast discovery (you probably don't need this)

ip6tables -A INPUT   -p ipv6-icmp -m icmp6 --icmpv6-type 130/0 \
-s fe80::/10 -m comment --comment Permit-MLDQuery  -j ACCEPT

ip6tables -A INPUT   -p ipv6-icmp -m icmp6 --icmpv6-type 131/0 \
-s fe80::/10 -m comment --comment Permit-MLDReport -j ACCEPT

ip6tables -A INPUT   -p ipv6-icmp -m icmp6 --icmpv6-type 132/0 \
-s fe80::/10 -m comment --comment Permit-MLDDone   -j ACCEPT

ip6tables -A INPUT   -p ipv6-icmp -m icmp6 --icmpv6-type 143/0 \
-s fe80::/10 -m comment --comment Permit-MLDV2     -j ACCEPT

Definitions

Router Solicitation (133):

• Sent out via multicast by hosts in order to discover a gateway.
• You do not need to accept these unless running a router. (in which case accept only received on an internal interface)
• Only valid with a hop limit equal to 255 ( explanation)

Router Advertisement (134) :

• Sent out via multicast by routers to announce their IP address; transmitted periodontally or in response to a router solicitation message.
• In most environments, for IPv6 functionality, hosts do need accept these
• Only valid with a hop limit equal to 255
• Filter/audit by MAC address to mitigate/detect rogue devices

Neighbour Solicitation / Advertisement (135/136):

• IPv6 equivalent to ARP “Who has?” / “Is At”
• Sent out via multicast by nodes in order to discover their neighbours

Redirect (137)

• Redirect messages are sent by routers to redirect a host to a better first-hop router or to ­inform hosts that a destination is on-link
• Only valid with a hop limit equal to 255

Hop limit

For these types of ICMPv6 messages, rfc4890 prescribes verifying the hop limit field equals 255. The reason for this is to ensure the packet originated from a link neighbour. Each subsequent hop subtracts the hop limit, so only a link neighbour would have a value of 255