[ipv6hackers] ip6tables and fragmentation

Guillermo Lafuente Tejero guiye1984 at hotmail.com
Sun Feb 3 22:57:44 CET 2013

Hi Fernando,

many thanks for your reply.

> If you're doing stateless firewalling, you need to include rules that
> pass non-first fragments. Then security relies on:
> * The firewall's ability to properly filter first-fragments (i.e.,
> fragments with a Fragment Offset of 0), *and*,
> * Whether the hosts "protected" by the firewall implement RFC 5722
> If you don't want/like this, you should do stateful filtering.

I'm using stateful filtering already. So for example, in the case of ICMPv6 echo request / reply I have the following rules:

-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 128 -m limit --limit 15/sec -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 129 -m limit --limit 15/sec -j ACCEPT

Later on I have another rule to make the firewall stateful:


Am I missing something?

> > Now the
> > application layer (or whatever layer is in charge of reassembling the
> > packet) will be waiting for the next fragment,
> The IPv6 layer ;-)

Yeah... obviously, blonde moment...

> > Is there any way of making ip6tables aware of the fragments? 
> You could include a last rule that passes packets that have the
> Fragmentation Header "protocol type"...

Wouldn't this be insecure, as you would be blindly accepting any fragment?
Any idea of how to implement such a rule in ip6tables?
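As an added example (not code from the original post or from anyone in the thread), here is one way to put the poster's echo rules into a stateful ip6tables-restore ruleset and to express the "Fragment Header" match with ip6tables' frag module; the NDP and error-message types, the hop-limit check and the log rate limit are assumptions beyond what the post shows.

```shell
#!/bin/sh
# Added example, not from the original post: a stateful ip6tables-restore
# ruleset that keeps the poster's rate-limited ICMPv6 echo rules and shows
# how "-m frag" matches packets carrying a Fragment extension header.
# NDP/error types, the hop-limit check and log rate are assumptions.
build_ruleset() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
# Stateful part: packets of tracked flows are accepted here, so the rules
# below only have to classify the first packet of a flow. nf_conntrack_ipv6
# pulls in nf_defrag_ipv6, which reassembles fragments before conntrack
# classifies them.
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# ICMPv6 that IPv6 cannot do without (errors, NDP), then rate-limited echo.
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 1 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 2 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 3 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 4 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 135 -m hl --hl-eq 255 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 136 -m hl --hl-eq 255 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 128 -m limit --limit 15/sec -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 129 -m limit --limit 15/sec -j ACCEPT
# "-m frag" with no option matches any packet carrying a Fragment extension
# header. Logging here (and letting the DROP policy apply) records what a
# blanket "-m frag -j ACCEPT" would have let in; swap LOG for ACCEPT only if
# you really want the stateless-style pass-through discussed in the thread.
-A INPUT -m frag -m limit --limit 6/min -j LOG --log-prefix "ip6 frag: "
COMMIT
EOF
}

# Number of rules that make the set stateful (used by the self-check).
count_stateful_rules() {
    build_ruleset | grep -c -- '--ctstate'
}

# With "--check" as root, parse the ruleset with the kernel-side parser
# without committing it; otherwise just print it.
if [ "${1:-}" = "--check" ] && [ "$(id -u)" = "0" ]; then
    build_ruleset | ip6tables-restore --test
else
    build_ruleset
fi
```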
