IPv6 vulnerability in RHEL4/CentOS4

I was reading this article this morning on IPv6 vulnerabilities, and specifically on IPv6's type 0 routing headers. The recommendation is to disable the routing of these headers, as they have no practical purpose anyway.

After doing some Googling, I read that this kind of header has been disabled by default in Linux kernels starting with version 2.6.20.9. This server is running version 2.6.9-42. The workaround here is to filter those packets out at the firewall level. Fine, except for the fact that ip6tables on RHEL4 and CentOS4 does not include the plugin needed to match on routing headers. Hence, you need to recompile the iptables package with the ip6rt module enabled. That is just a small Makefile edit.

To make life easier for you, here are my RPM and SRPM:

iptables-ipv6-1.2.11-3.1.isoc.i386.rpm
iptables-1.2.11-3.1.isoc.src.rpm

Once installed, do not forget to add the following lines near the top of the /etc/sysconfig/ip6tables file, before any rule that accepts traffic:

-A INPUT    -m rt --rt-type 0 -j DROP
-A FORWARD  -m rt --rt-type 0 -j DROP
-A OUTPUT   -m rt --rt-type 0 -j DROP
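To see exactly what the "-m rt --rt-type 0" match above is looking for, here is a small parser, added as an illustration and not part of this post or the iptables package: it walks an IPv6 packet's extension header chain and flags a type 0 routing header. The sample packet it builds is constructed for the example, with documentation addresses and an unchecksummed ICMPv6 payload.

```python
import struct
from ipaddress import IPv6Address

# IPv6 extension header protocol numbers (IANA)
HOPOPT, ROUTING, FRAGMENT, AH, DSTOPTS, ICMPV6 = 0, 43, 44, 51, 60, 58
# Headers whose "Hdr Ext Len" octet counts 8-byte units beyond the first 8 bytes
CHAINED = {HOPOPT, ROUTING, DSTOPTS}


def find_routing_headers(pkt: bytes):
    """Return [(routing_type, segments_left), ...] for every Routing Header in pkt.
    This is the same walk an ip6tables 'rt' match has to perform."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    next_hdr, off, found = pkt[6], 40, []
    while off + 8 <= len(pkt):
        if next_hdr == FRAGMENT:                 # fixed 8-byte header
            next_hdr, off = pkt[off], off + 8
        elif next_hdr == AH:                     # length in 4-byte units, minus 2
            next_hdr, off = pkt[off], off + (pkt[off + 1] + 2) * 4
        elif next_hdr in CHAINED:
            if next_hdr == ROUTING:
                found.append((pkt[off + 2], pkt[off + 3]))   # type, segments left
            next_hdr, off = pkt[off], off + (pkt[off + 1] + 1) * 8
        else:
            break                                # upper-layer header (TCP/UDP/ICMPv6)
    return found


def has_rh0(pkt: bytes) -> bool:
    """True if the packet carries a type 0 routing header, i.e. what the DROP rules catch."""
    return any(rtype == 0 for rtype, _ in find_routing_headers(pkt))


def build_sample(rtype: int) -> bytes:
    """Constructed sample: IPv6 / Hop-by-Hop / Routing(type=rtype, one address) / ICMPv6 echo."""
    hop = bytes([ROUTING, 0, 1, 4, 0, 0, 0, 0])          # next=Routing, PadN option fills 8 bytes
    rh = (bytes([ICMPV6, 2, rtype, 1]) + b"\x00" * 4     # next=ICMPv6, len 2 -> 24 bytes
          + IPv6Address("2001:db8::1").packed)
    icmp = bytes([128, 0, 0, 0, 0, 1, 0, 1])             # echo request, checksum left zero
    payload = hop + rh + icmp
    ip6 = (struct.pack("!IHBB", 0x60000000, len(payload), HOPOPT, 64)
           + IPv6Address("2001:db8::10").packed + IPv6Address("2001:db8::20").packed)
    return ip6 + payload


if __name__ == "__main__":
    print("RH0 present:", has_rh0(build_sample(0)), "/ type 2:", has_rh0(build_sample(2)))
```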

Of course, if you are not running IPv6 at all, this is not an issue for you. And if you are using another distribution, your mileage may vary, as they say.
