Porting iptables to ip6tables

A couple of days ago I received an email notification from the Berkeley Security Notifications Team that a Linux server of mine had less restrictive firewall rules for IPv6 than it had for IPv4. This prompted me to update my ip6tables settings on that host to make it as secure via IPv6 as it was for IPv4.

If you have a dual stack server with IPv4 A records and IPv6 AAAA records published in DNS, you should have it protected with firewall rules on both protocols. Even if you only publish A records and not AAAA ones, you should secure IPv6 access because its address may leak to potential attackers in other ways.

The ip6tables tool is installed as part of iptables on recent distributions, but you need to set up one set of rules for each protocol. They’re independent of each other. A (not very secure) default ip6tables configuration might look like this:

# Generated by ip6tables-save v1.4.21 on Thu Sep 24 11:17:56 2015
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1456:118498]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p ipv6-icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp6-adm-prohibited
-A FORWARD -j REJECT --reject-with icmp6-adm-prohibited
COMMIT
# Completed on Thu Sep 24 11:17:56 2015

It’s relatively easy to port additional settings from iptables to ip6tables (e.g. in /etc/sysconfig/iptables and /etc/sysconfig/ip6tables for CentOS).

Below are some of the changes needed when porting common entries. As you can see, some names are replaced with those of IPv6 equivalents. Any IP addresses and CIDRs for ip6tables need to be written in IPv6 notation.

To easily port over IPv4 addresses, simply prefix them with “::ffff:”. If they’re followed by a bit count such as /24 (the routing prefix size), add 96 to that number (IPv6 addresses are 128 bits each versus 32 bits for IPv4). Add equivalent rules for the corresponding native IPv6 addresses as needed.

  1. Accept ping from any source:

    IPv4:

    -A INPUT -p icmp -j ACCEPT

    IPv6:

    -A INPUT -p ipv6-icmp -j ACCEPT

  2. Accept connection from white-listed address:

    IPv4:

    -A SSH-IN -s 123.45.67.89/32 -j ACCEPT

    IPv6:

    -A SSH-IN -s ::ffff:123.45.67.89/128 -j ACCEPT
    -A SSH-IN -s 2345:abcd:678:42::/64 -j ACCEPT

  3. Rule to block access (after all the exceptions):

    IPv4:

    -A INPUT -j REJECT --reject-with icmp-host-prohibited
    -A FORWARD -j REJECT --reject-with icmp-host-prohibited

    IPv6:

    -A INPUT -j REJECT --reject-with icmp6-adm-prohibited
    -A FORWARD -j REJECT --reject-with icmp6-adm-prohibited
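
The three substitutions above can be applied mechanically to iptables-save lines. The following is an added example, not part of the original post; the function names and the sample rules are constructed for illustration. Any ICMP-specific option the post gives no mapping for is commented out with a REVIEW marker instead of being guessed.

```python
import ipaddress

# Renames the post lists, keyed by the option that precedes the value.
RENAMES = {("-p", "icmp"): "ipv6-icmp",
           ("--reject-with", "icmp-host-prohibited"): "icmp6-adm-prohibited"}
ADDRESS_FLAGS = {"-s", "--source", "-d", "--destination"}

# Constructed sample: the post's IPv4 rules plus a /24 and an ICMP type match.
IPV4_RULES = """\
*filter
-A INPUT -p icmp -j ACCEPT
-A SSH-IN -s 123.45.67.89/32 -j ACCEPT
-A SSH-IN -s 10.20.30.0/24 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT"""


def map_ipv4(value):
    """Post's rule: prefix with ::ffff: and add 96 to the bit count."""
    net = ipaddress.ip_network(value, strict=False)
    if net.version == 6:
        return value  # already in IPv6 notation
    return f"::ffff:{net.network_address}/{net.prefixlen + 96}"


def port_rule(line):
    """Translate one iptables-save rule line to its ip6tables form."""
    if not line.startswith("-A "):
        return line  # table header, chain policy, COMMIT, comment
    out, prev, unsure = [], "", False
    for tok in line.split():
        if prev in ADDRESS_FLAGS:
            new = map_ipv4(tok)
        else:
            new = RENAMES.get((prev, tok), tok)
            # An ICMP token with no mapping in the post needs a human decision.
            unsure = unsure or (new == tok and "icmp" in tok)
        out.append(new)
        prev = tok
    ported = " ".join(out)
    # A leading '#' makes the restore tool skip the line until it is reviewed.
    return "# REVIEW: " + ported if unsure else ported


def port_ruleset(text):
    return [port_rule(line) for line in text.splitlines()]


if __name__ == "__main__":
    print("\n".join(port_ruleset(IPV4_RULES)))
```

Rules for the corresponding native IPv6 addresses still have to be added by hand, as described above.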

“Helfen Sie uns, Ihr eBay-Konto zu schützen” (“Help us protect your eBay account”)

I received an email today that claimed to come from eBay Germany and at first glance looked like yet another phishing scam, complete with a link to a website for me to click on to “protect my account”. Even more suspiciously, the greeting at the top did not address me by my first name or full name.

Only when I looked at the message headers did I realize that the mail actually came from eBay’s mail servers. It was real. Still, as a simple precaution I typed eBay’s website address into a browser window to log in from scratch, ignoring the link in the email, just in case…

Later, when I had another look I noticed the small print at the bottom did actually mention my full name, again supporting that the mail was legitimate.

I found the whole experience pretty disappointing for a company of this size that has been in the business for so long and during that time has always been a prime target for phishing scams:

1. Please address the customer by their full name, otherwise you undermine years of education efforts. PayPal addresses all their customer mails to the full name of the recipient, why not eBay? Sceptical people may have ignored that email while for naive people it has made it harder to distinguish phishing mails from real mails.

2. Please do not ask people to click a link in an email claiming to be from you to go to a website that asks for their user name and password. Simply ask them to go to the eBay website in a browser and log in there. That removes any question whether any link is genuine or not or whether it’s safe to click on.

Don’t train customers to do things in your real business emails that phishing scammers would also like them to do, especially when there are alternatives.

Syria and the war against IS

The situation in Syria is getting ever more complex, with the Turkish air force shooting down a Russian SU-24 bomber on November 24, 2015. Several foreign countries are taking sides in the Syrian civil war and their declared objectives do not necessarily match up with their actions or those of their supposed allies.

The US is divided over its involvement in the war. President Obama made his name in national politics through his opposition to his predecessor’s war in Iraq. Sending US ground troops into Syria would carry many of the same risks encountered in Iraq. Therefore the US has restricted itself to air strikes and support of local proxies, including the Kurds.

Initially the US was aiming for regime change in Damascus, but more recently the fight against the “Islamic State” (IS) seems to have taken top priority. If the government in Damascus was defeated before an acceptable political alternative was ready to take over, the risk is that IS would acquire a huge amount of weapons, ammunition, territory and infrastructure from the collapsed regime.

Trying to step up its air warfare against IS, the US struck a bargain with next door Turkey, a NATO member, to use its Incirlik Air Base for attacks in Syria, a request that Turkey had denied them for a long time. No sooner had the US launched the first attacks from Turkish soil than Turkish airplanes started bombing Kurdish forces in Syria. According to President Erdogan, Turkey’s goal is “fighting terrorists”, and by that it mostly means the Kurdish PKK in Turkey and the Kurdish YPG in Syria.

It soon became obvious that the Turkish government sees the Kurds and not IS as enemy #1 within Syria. This had already transpired a year earlier in the siege of Kobani, when Turkey delayed and restricted reinforcements for the Kurdish defenders of the city against IS and asked the US not to make any air drops in their support.

Most foreign fighters joining IS arrive via Turkey and exports of fuel to Turkey are a major source of hard currency for IS. Turkey seems to have done little to stop either the flow of recruits or cash to IS, the Kurds’ worst enemy in Syria. Right now, the Kurds are America’s closest ally in Syria and Turkey’s worst enemy, even though the US and Turkey — as fellow NATO members — are supposed to be allies.

President Assad of Syria is fighting a war on several fronts, against the Al Qaeda-affiliated al-Nusra Front, the western-supported Free Syrian Army (FSA), IS and the Kurds. He is supported by Iran, by Hezbollah from Lebanon and by Russia. Assad and many members of the government and military are Alawites, a religious minority that is part of Shia Islam. The Alawites mostly live in the mountainous coastal region between Lebanon to the south and Turkish Hatay province in the north. Russia has its only naval base in the Mediterranean in Tartus, in the Alawite region. Regardless of whether the Assad family will remain in power or if the government can hold on to the capital of Damascus, the Alawites as an ethnic group have nowhere to go. Fear of Sunni Islamists taking revenge and maybe even committing genocide against the ethnic group of the current rulers ensures that Alawite forces will fight tenaciously to not lose control of their homeland in the west. Most observers agree that Syria is likely to end up divided, with a de-facto independent Alawite region established along the coast even if Sunni opposition forces conquer Damascus and set up a new national government.

Russia’s objective in supporting Assad is to remain relevant as a geo-political player. It has little to gain militarily, politically or economically by propping up the current bankrupt regime. But as long as Russia can be a thorn in the side of the US, Putin can demonstrate to Russians that their country is still a force to be reckoned with. In some ways Putin benefits domestically the same way as Erdogan, both burnishing their image as the local tough guy. That makes the Turkish-Russian clash even more dangerous. Just like Turkey, Russia got involved militarily to “fight terrorism”, only in its case the main targets have been anti-government forces operating to the west of the IS-controlled territory, as opposed to the Kurds to the east. This also includes Turkmen, ethnic Turks in northern Syria, who were the target of the bombing run before the SU-24 was shot down by Turkish jets.

Neither Assad nor Russia place a high priority on fighting IS: If they were to defeat the barbaric hordes of IS, achieving regime change in Damascus would instantly rise to become the top priority of the US in this war again. Keeping IS in the mix is like a life insurance policy for Assad.

Shiite militia Hezbollah in Lebanon is supporting Assad with fighters. Shiites in Lebanon feel threatened by the prospect of militant Sunnis taking over next door. Lebanon suffered through a long period of civil war starting in the 1970s and is host to more than a million Syrian refugees now.

Talks have been ongoing for negotiating a cease-fire towards a political settlement. The idea is that all parties but IS would stop fighting each other, then gang up on IS and wipe it out. Finally they would agree to a new government, presumably led by the Sunni majority with some kind of autonomy for the Alawites and the Kurds. The shooting down of the Russian bomber has made this even less likely to happen any time soon. Erdogan is not particularly keen on any settlement that will create an autonomous or independent Kurdish entity south of the border, or linked up with Iraqi Kurdistan. As long as IS is there the Kurds will keep bleeding as a proxy for US ground troops that won’t get deployed.

IS will keep fighting as long as it can keep up the stream of recruits from outside the region and money from whatever sources they can lay their hands on. The more the west and Russia retaliate with military strikes and troops for acts of terrorism such as the ones in Paris or against the Russian tourists in Sinai, the easier it is for IS to sell its story as defending the “caliphate” against western “crusaders”. The war in Syria is still young compared to the jihad that has been going on in Afghanistan since the Russian invasion in 1979 and the US invasion in 2001.

I haven’t said much about Saudi Arabia and Qatar yet, two countries that would like to see a Sunni victory in Syria but are denying that they support Islamist extremists such as IS and al-Nusra Front. What mostly differentiates Saudi Arabia from IS is not its ideology, but its oil wealth and its royal family. Ideologically they are actually quite close, for example both the Saudis and IS still practice crucifixion and neither tolerates other religions. The Saudi government opposes the likes of IS and Al-Qaeda not because they have different values, but because those militants regard the Saudi royals as corrupt and don’t recognize their authority. Saudi Arabia’s major rival in the Middle East is Iran, Syria’s main supporter. Supporting Sunni Islamists against Assad is a way of hurting Iran.

So, what will the outcome be? Frankly, I am not hopeful. When next door neighbour Lebanon erupted into civil war in 1975, it took 15 years before the country could return to a fragile peace again. There are too many external powers involved in a proxy war in Syria and so much blood has been shed already, that a political settlement is unlikely any time soon. The conflict between the Saudis and Iran has recently escalated, following the execution of Shiite cleric Nimr al-Nimr, while Turkey has escalated its conflict with the Kurds and Russia. Even if Assad lost control of the capital, Russia is likely to keep supporting an Alawite rump state on the coast to keep its naval base and a seat at the table.

I would not be surprised if the war in Syria lasts another 10 years or more, if not for the sectarian and ethnic divisions within the country then because of the countries running the Syrian war as a regional proxy war, turning Syria into a burnt-out graveyard.