IPv6 firewall on Linux router












I have an IPv6 tunnel (he.net) on my NAT router. I also have a simple firewall and routing setup to allow hosts behind the router to use IPv6 address space. Unfortunately only outgoing connectivity and incoming ICMP work for these hosts.



#!/bin/bash
PUBIF="he-ipv6"
LOCIF="vmbr0"
echo "Starting IPv6 firewall..."
ip6tables -F
ip6tables -X
ip6tables -t mangle -F
ip6tables -t mangle -X

ip6tables -A INPUT -i lo -j ACCEPT
ip6tables -A OUTPUT -o lo -j ACCEPT

ip6tables -P INPUT DROP
ip6tables -P OUTPUT DROP
ip6tables -P FORWARD DROP

ip6tables -A INPUT -i $PUBIF -m state --state ESTABLISHED,RELATED -j ACCEPT
ip6tables -A OUTPUT -o $PUBIF -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

ip6tables -A INPUT -m rt --rt-type 0 -j DROP
ip6tables -A FORWARD -m rt --rt-type 0 -j DROP
ip6tables -A OUTPUT -m rt --rt-type 0 -j DROP

ip6tables -A INPUT -s fe80::/10 -j ACCEPT
ip6tables -A OUTPUT -s fe80::/10 -j ACCEPT

ip6tables -A INPUT -d ff00::/8 -j ACCEPT
ip6tables -A OUTPUT -d ff00::/8 -j ACCEPT

ip6tables -A INPUT -i $LOCIF -j ACCEPT
ip6tables -A OUTPUT -o $LOCIF -j ACCEPT

ip6tables -A FORWARD -i $LOCIF -o $PUBIF -j ACCEPT
ip6tables -A FORWARD -i $PUBIF -o $LOCIF -p icmpv6 -j ACCEPT
ip6tables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

ip6tables -A INPUT -i $PUBIF -p ipv6-icmp -j ACCEPT
ip6tables -A OUTPUT -o $PUBIF -p ipv6-icmp -j ACCEPT

ip6tables -A INPUT -i $PUBIF -p tcp --destination-port 65000 -j ACCEPT

ip6tables -A INPUT -i $PUBIF -j LOG
ip6tables -A INPUT -i $PUBIF -j DROP


What did I miss here?










iptables firewall routing nat ipv6






asked Mar 3 at 19:32









Syn Romana

1 Answer
You're only allowing ICMP inward!

ip6tables -A FORWARD -i $PUBIF -o $LOCIF -p icmpv6 -j ACCEPT

Compare it to the previous rule where you allow all traffic outward.

ip6tables -A FORWARD -i $LOCIF -o $PUBIF -j ACCEPT

BTW, these rules are redundant; the Linux kernel has automatically dropped this traffic since about 2.6.25 (2007-ish). You can safely remove them. And you should reevaluate whatever tutorial you found them in, as it is probably very far out of date.

ip6tables -A INPUT -m rt --rt-type 0 -j DROP
ip6tables -A FORWARD -m rt --rt-type 0 -j DROP
ip6tables -A OUTPUT -m rt --rt-type 0 -j DROP





answered Mar 3 at 19:35









Michael Hampton

Yes, the incoming traffic rule was the issue. Thanks for pointing that out.

– Syn Romana
Mar 3 at 21:24
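To make the answer's diagnosis concrete, here is an added example (not code from the question, the answer, or the ip6tables project) that models ip6tables first-match semantics for the question's FORWARD chain and evaluates a few constructed packets against it. It shows why an inbound TCP connection to a LAN host falls through to the DROP policy while ping and reply traffic pass, and it contrasts that with a hardened variant that admits only one explicitly chosen service (the LAN host 2001:db8::10 and TCP port 443 are assumptions for illustration) rather than mirroring the blanket outward rule. The RH0 drop rule is left out of the model, since the answer notes the kernel discards that traffic on its own. Note that with IPv6 there is no NAT between the tunnel and the LAN, so FORWARD rules are the only thing standing between the internet and every host on vmbr0; that is the reason to enumerate exposed services instead of opening the direction wholesale.

```python
"""Toy model of ip6tables first-match rule evaluation (added example)."""
from dataclasses import dataclass
from typing import Dict, List, Optional

PUBIF = "he-ipv6"   # interface names taken from the question's script
LOCIF = "vmbr0"


@dataclass(frozen=True)
class Packet:
    in_if: str
    out_if: str
    proto: str              # "tcp", "udp" or "icmpv6"
    dst: str                # destination IPv6 address (constructed samples below)
    dport: Optional[int]    # None for icmpv6
    state: str              # conntrack state: "NEW", "ESTABLISHED" or "RELATED"


@dataclass(frozen=True)
class Rule:
    """One ip6tables rule; a None field means 'no match criterion' (any)."""
    target: str                              # "ACCEPT" or "DROP"
    in_if: Optional[str] = None              # -i
    out_if: Optional[str] = None             # -o
    proto: Optional[str] = None              # -p
    dst: Optional[str] = None                # -d (single host only in this model)
    dport: Optional[int] = None              # --dport
    states: Optional[frozenset] = None       # -m state --state

    def matches(self, p: Packet) -> bool:
        return ((self.in_if is None or self.in_if == p.in_if)
                and (self.out_if is None or self.out_if == p.out_if)
                and (self.proto is None or self.proto == p.proto)
                and (self.dst is None or self.dst == p.dst)
                and (self.dport is None or self.dport == p.dport)
                and (self.states is None or p.state in self.states))


def evaluate(chain: List[Rule], p: Packet, policy: str = "DROP") -> str:
    """First matching rule decides the verdict; otherwise the chain policy applies."""
    for rule in chain:
        if rule.matches(p):
            return rule.target
    return policy


# FORWARD chain as in the question (policy DROP). Rule order is preserved.
ORIGINAL_FORWARD = [
    Rule("ACCEPT", in_if=LOCIF, out_if=PUBIF),                        # all outward
    Rule("ACCEPT", in_if=PUBIF, out_if=LOCIF, proto="icmpv6"),        # only ICMPv6 inward
    Rule("ACCEPT", states=frozenset({"ESTABLISHED", "RELATED"})),     # replies
]

# Hardened variant: expose exactly one service on one LAN host (assumed values).
# ip6tables equivalent (assumption, not from the page):
#   ip6tables -A FORWARD -i $PUBIF -o $LOCIF -d 2001:db8::10 -p tcp --dport 443 \
#       -m state --state NEW -j ACCEPT
EXPOSED_HOST = "2001:db8::10"
EXPOSED_PORT = 443
HARDENED_FORWARD = ORIGINAL_FORWARD + [
    Rule("ACCEPT", in_if=PUBIF, out_if=LOCIF, proto="tcp", dst=EXPOSED_HOST,
         dport=EXPOSED_PORT, states=frozenset({"NEW"})),
]

# Constructed sample packets (2001:db8::/32 is the documentation prefix).
SAMPLES: Dict[str, Packet] = {
    "lan_to_internet_new_tcp": Packet(LOCIF, PUBIF, "tcp", "2001:db8:ffff::1", 80, "NEW"),
    "reply_to_lan":            Packet(PUBIF, LOCIF, "tcp", EXPOSED_HOST, 51000, "ESTABLISHED"),
    "inbound_ping":            Packet(PUBIF, LOCIF, "icmpv6", EXPOSED_HOST, None, "NEW"),
    "inbound_new_https":       Packet(PUBIF, LOCIF, "tcp", EXPOSED_HOST, 443, "NEW"),
    "inbound_new_ssh":         Packet(PUBIF, LOCIF, "tcp", EXPOSED_HOST, 22, "NEW"),
    "inbound_https_other_host": Packet(PUBIF, LOCIF, "tcp", "2001:db8::20", 443, "NEW"),
}


def verdicts(chain: List[Rule]) -> Dict[str, str]:
    """Evaluate every sample packet against a FORWARD chain with policy DROP."""
    return {name: evaluate(chain, pkt) for name, pkt in SAMPLES.items()}


if __name__ == "__main__":
    for label, chain in (("original", ORIGINAL_FORWARD), ("hardened", HARDENED_FORWARD)):
        print(f"--- {label} FORWARD chain ---")
        for name, verdict in verdicts(chain).items():
            print(f"{name:28s} {verdict}")
```

With the original chain, `inbound_new_https` and `inbound_new_ssh` both end in DROP, which is exactly the symptom in the question; with the hardened chain only the one enumerated service on the one enumerated host is reachable, and SSH or the same port on another LAN host still hits the policy.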


















