CentOS 5.5, fully patched.
I have a HE tunnel (tunnelbroker.net) IPv6 tunnel. This works pretty
well and is simple to set up. Everything works fine.
Until I try to set up an ip6tables firewall.
eg if I try to view https://dnssec.surfnet.nl/?p=464 then the page never
displays and the firewall shows
kernel: IN=sit1 OUT=eth0 SRC=2001:0610:0001:40cd:0145:0100:0186:0033 DST=my.machine LEN=80 TC=0 HOPLIMIT=56 FLOWLBL=0 PROTO=TCP SPT=443 DPT=40367 WINDOW=5712 RES=0x00 ACK SYN URGP=0
I also see some DNS issues
kernel: IN=sit1 OUT=eth0 SRC=2001:0620:0000:0009:0000:0000:0000:1103 DST=my.machine LEN=542 TC=0 HOPLIMIT=54 FLOWLBL=0 FRAG:1232 ID:0086942f PROTO=UDP
(the source address here is ns1.zurich.surf.net).
I'm wondering if this is due to fragmentation, but I'm only guessing.
The dnssec page referred to above indicates there may be a fragment re-assembly
issue causing ip6tables problems.
Now I'm a newbie to IPv6 so I might be making a mistake. This is
my firewall script.
#!/bin/bash
IPT6="/sbin/ip6tables"
PUBIF="sit1"
LOCAL="eth0"
echo "Starting IPv6 firewall..."
$IPT6 -F
$IPT6 -X
$IPT6 -t mangle -F
$IPT6 -t mangle -X
#unlimited access to loopback
$IPT6 -A INPUT -i lo -j ACCEPT
$IPT6 -A OUTPUT -o lo -j ACCEPT
# Defaults
$IPT6 -P INPUT DROP
$IPT6 -P OUTPUT ACCEPT
$IPT6 -P FORWARD DROP
# helper: add the same rule to both the INPUT and FORWARD chains
both()
{
$IPT6 -A INPUT "$@"
$IPT6 -A FORWARD "$@"
}
# Allow full outgoing connection but no incoming stuff
both -i $LOCAL -j ACCEPT
both -i $PUBIF -m state --state ESTABLISHED,RELATED -j ACCEPT
# allow incoming ICMP ping pong stuff
both -p ipv6-icmp -j ACCEPT
# IP6 DNS
both -i $PUBIF -p tcp --destination-port 53 -j ACCEPT
both -i $PUBIF -p udp --destination-port 53 -j ACCEPT
both -i $PUBIF -p tcp --source-port 53 -j ACCEPT
both -i $PUBIF -p udp --source-port 53 -j ACCEPT
# IP6 from known good machine that I want to access internal network
both -i $PUBIF -p tcp --source remote.machine -j ACCEPT
both -i $PUBIF -p udp --source remote.machine -j ACCEPT
# log and drop everything else
both -i $PUBIF -j LOG
both -i $PUBIF -j DROP
It might be that I need to compile a generic kernel; apparently > 2.6.20 fixes a number of ip6tables issues; CentOS 5 is based on 2.6.18.
Maybe CentOS 6 (*nudge nudge*) will work :-)
I'm not sure I want to leave my home network on IPv6 without a firewall;
not sure I trust all the machines I have on local network to be safe
from remote probes!
I wonder if anyone has any suggestions...
Thanks!
--
rgds
Stephen
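An added example, not from Stephen's post or from CentOS: a small Python parser for the two ip6tables LOG lines quoted above that shows, from the fields alone, why each packet fell through to the final DROP rule. The log text is a constructed copy of the two lines in the post; `parse_log_line`, `classify_drop` and `classify_log` are names chosen here.

```python
# Constructed copies of the two kernel messages in the post
# (DST is the "my.machine" placeholder exactly as the post shows it).
SAMPLE_LOG = """\
kernel: IN=sit1 OUT=eth0 SRC=2001:0610:0001:40cd:0145:0100:0186:0033 DST=my.machine LEN=80 TC=0 HOPLIMIT=56 FLOWLBL=0 PROTO=TCP SPT=443 DPT=40367 WINDOW=5712 RES=0x00 ACK SYN URGP=0
kernel: IN=sit1 OUT=eth0 SRC=2001:0620:0000:0009:0000:0000:0000:1103 DST=my.machine LEN=542 TC=0 HOPLIMIT=54 FLOWLBL=0 FRAG:1232 ID:0086942f PROTO=UDP
"""

TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}


def parse_log_line(line):
    """Split one ip6tables LOG line into a dict.

    KEY=VALUE tokens become entries; bare TCP flag words (SYN, ACK, ...)
    are collected under 'flags'; the IPv6 fragment header is logged as
    FRAG:<offset> ID:<id> and is mapped to 'frag_offset' / 'frag_id'.
    """
    rec = {"flags": set()}
    for tok in line.split():
        if "=" in tok:
            key, value = tok.split("=", 1)
            rec[key] = value
        elif tok.startswith("FRAG:"):
            rec["frag_offset"] = int(tok[len("FRAG:"):])
        elif tok.startswith("ID:"):
            rec["frag_id"] = tok[len("ID:"):]
        elif tok in TCP_FLAGS:
            rec["flags"].add(tok)
    return rec


def classify_drop(rec):
    """Explain why a logged packet matched none of the ACCEPT rules."""
    if rec.get("frag_offset", 0) > 0:
        # Non-first fragment: it carries no transport header, so the line has
        # no SPT/DPT and no port-based rule (e.g. --source-port 53) can match.
        return "non-first fragment (no ports for a port rule to match)"
    if rec.get("PROTO") == "TCP" and {"SYN", "ACK"} <= rec["flags"]:
        # An inbound SYN+ACK is the reply to a connection this host opened;
        # a working ESTABLISHED,RELATED rule should have accepted it.
        return "reply to outbound connection (state match did not accept it)"
    return "unclassified"


def classify_log(text):
    """Return (SRC, reason) for every LOG line in the text."""
    records = (parse_log_line(l) for l in text.splitlines())
    return [(r["SRC"], classify_drop(r)) for r in records if "SRC" in r]
```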
-------- Original Message --------
Subject: [CentOS] IPv6, HE tunnel and ip6tables problems
From: Stephen Harris <lists at spuddy.org>
To: CentOS mailing list <centos at centos.org>
Date: Tuesday, January 11, 2011 1:09:25 PM

> CentOS 5.5, fully patched.
>
> I have a HE tunnel (tunnelbroker.net) IPv6 tunnel. This works pretty
> well and is simple to setup. Everything works fine.
>
> Until I try to set up an ip6tables firewall.
>...
> It might be that I need to compile a generic kernel; apparently >
> 2.6.20 fixes a number of ip6tables issues; CentOS 5 is based on 2.6.18.
>
> Maybe CentOS 6 (*nudge nudge*) will work :-)
>
> I'm not sure I want to leave my home network on IPv6 without a firewall;
> not sure I trust all the machines I have on local network to be safe
> from remote probes!
>
> I wonder if anyone has any suggestions...
>
> Thanks!

I have been waiting for RHEL6/CentOS6 because, as I understand it, CentOS5 does not have a stateful IP6 firewall - e.g. incoming traffic would have to have a default ACCEPT policy or only specific applications allowed (based on source port) on a case by case basis. Perhaps this is the issue you are running into. However, I would think you'd receive an error attempting to set "--state ESTABLISHED,RELATED" within iptables if this were the case.

I would be delighted if someone could share their experiences with ip6 and CentOS5, especially from a security or service provider standpoint.

--Blake