Profile Applicability:
 • Level 1

Description:
 Configuring ip6tables to allow outbound traffic and accept established or related inbound connections ensures that legitimate IPv6 network communication is maintained, while protecting the system from unauthorized access.

Rationale:
 Allowing outbound and established connections supports normal network operations and session continuity, preventing disruptions while maintaining firewall security.

Impact:
 Pros:

  • Maintains essential IPv6 network connectivity for services.

  • Supports stateful firewall operation for IPv6 traffic.

 Cons:

  • Misconfiguration may allow unintended traffic or block legitimate connections.

Default Value:
 ip6tables may not have explicit rules for outbound and established connections by default.

Pre-requisites:

  • Root or sudo privileges to configure IPv6 firewall rules.

Remediation:

Test Plan:

Using Linux command line:

1. List current ip6tables rules for outbound and established connections:

ip6tables -L OUTPUT -v -n  
ip6tables -L INPUT -v -n | grep ESTABLISHED

2. Verify rules exist to allow outbound traffic and accept established/related inbound packets.
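
The check in steps 1 and 2 can be scripted. The following is an added example, not part of the original benchmark text; the function names `audit_ip6_rules` and `sample_rules` and the sample rule set are constructed for illustration, and the input is assumed to be in `ip6tables -S` format:

```shell
#!/bin/sh
# Added example: audit rule specs in `ip6tables -S` format, read from stdin.
# Unlike a bare `grep ESTABLISHED`, each check also requires the ACCEPT target,
# so a DROP or LOG rule that mentions ESTABLISHED does not count as a pass.
# Accepts both `-m state --state` and `-m conntrack --ctstate` spellings.
# Limitation: rule order (an earlier DROP shadowing the rule) is not evaluated.

audit_ip6_rules() {
    rules=$(cat)
    rc=0

    # Check 1: the unconditional outbound rule from the Implementation Plan.
    if printf '%s\n' "$rules" | grep -Eq '^-A OUTPUT -j ACCEPT$'; then
        echo "PASS: OUTPUT accepts outbound traffic"
    else
        echo "FAIL: '-A OUTPUT -j ACCEPT' not found"
        rc=1
    fi

    # Check 2: INPUT rule that matches ESTABLISHED state and jumps to ACCEPT.
    # Lines using a negated match ("! --state") are excluded first.
    if printf '%s\n' "$rules" | grep -v -- '! --' |
        grep -Eq '^-A INPUT .*--(ct)?state [A-Z,]*ESTABLISHED[A-Z,]* (.* )?-j ACCEPT$'; then
        echo "PASS: INPUT accepts ESTABLISHED traffic"
    else
        echo "FAIL: no INPUT rule accepting ESTABLISHED traffic"
        rc=1
    fi
    return "$rc"
}

# Constructed sample in `ip6tables -S` format (not taken from a real host).
sample_rules() {
    cat <<'EOF'
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -j ACCEPT
EOF
}

sample_rules | audit_ip6_rules
```

On a live host, run `ip6tables -S | audit_ip6_rules` as root in place of the sample input.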

Implementation Plan:

Using Linux command line:

1. Add rules to allow outbound and established connections, for example:

ip6tables -A OUTPUT -j ACCEPT  
ip6tables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

2. Save ip6tables rules to persist after reboot:

service ip6tables save  # or equivalent command

3. Verify rules are active:

ip6tables -L OUTPUT -v -n  
ip6tables -L INPUT -v -n | grep ESTABLISHED

Backout Plan:

Using Linux command line:

1. Remove rules if necessary:

ip6tables -D OUTPUT -j ACCEPT  
ip6tables -D INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

2. Save changes and verify rule removal.
