ip6tables: allow only lan clients with privacy extensions?

Discussion in 'Tomato Firmware' started by philess, May 19, 2013.

  1. philess

    philess Networkin' Nut Member

    Hey everyone,

    I am wondering if it is possible to block all connections using ip6tables for local clients
    which do NOT have privacy extensions enabled? For example most smartphones do not
    have PE (yet) and I would like to disable IPv6 connectivity for those completely.
    PC clients using a modern OS with PE enabled should be allowed to connect.

    I am sure ip6tables does not allow something like regular expressions to match
    a pattern of source & destination IPs. Is this at all possible somehow?
     
    darkknight93 likes this.
  2. Kevin Darbyshire-Bryant

    Kevin Darbyshire-Bryant Networkin' Nut Member

    So you'd rather have a whole load of hosts running around on your network with pseudo-random addresses and no means of identifying a particular address to a particular host?
     
  3. philess

    philess Networkin' Nut Member

    In this case, actually yes :) I wouldn't have to identify each host myself. No need for that. But I wouldn't
    want the clients to be identifiable from the outside. I know this is quite odd. But I am curious if it's possible.
     
  4. Kevin Darbyshire-Bryant

    Kevin Darbyshire-Bryant Networkin' Nut Member

    Well, a theoretical thinking-out-loud possibility: You could look in the IPv6 neighbours table (ip -6 neigh show) and map the known MAC addresses to IPv6 addresses according to the SLAAC algorithm... if you get a match then the IPv6 address in theory isn't PE enabled. It's sort of the opposite of what dnsmasq's 'ra-names' option does, where it looks for & wants matches :)

    Quite how that gets into iptables I've no idea - sounds like a custom filter/table module type thingy to me.
     
    philess likes this.
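The neighbour-table idea from the post above, worked through as an added example (not code from the thread or from Tomato): parse `ip -6 neigh show` output, derive the EUI-64 interface identifier that SLAAC builds from each `lladdr`, and flag global addresses whose low 64 bits match it as "no privacy extensions". The sample neighbour lines are constructed; a non-matching address may be DHCPv6, static or RFC 7217 stable-privacy rather than a temporary PE address, so "other" only means "not provably EUI-64".

```python
import ipaddress
import re

# Constructed sample of `ip -6 neigh show` output (not captured from a real router).
SAMPLE_NEIGH = """\
2001:db8:1::21b:21ff:fe7c:3a5d dev br0 lladdr 00:1b:21:7c:3a:5d REACHABLE
2001:db8:1::8c4e:1b8f:9a2d:77e1 dev br0 lladdr 00:1b:21:7c:3a:5d STALE
fe80::a2d3:c1ff:fe00:ab12 dev br0 lladdr a0:d3:c1:00:ab:12 router REACHABLE
2001:db8:1::5 dev br0 lladdr 00:11:22:33:44:55 STALE
2001:db8:1::77 dev br0 FAILED
"""

LINE_RE = re.compile(r"^(\S+) dev (\S+) lladdr (\S+)")


def eui64_suffix(mac: str) -> int:
    """64-bit interface ID SLAAC derives from a MAC (RFC 4291 Appendix A)."""
    b = bytearray(int(x, 16) for x in mac.split(":"))
    b[0] ^= 0x02                                  # flip the universal/local bit
    iid = b[:3] + bytes([0xFF, 0xFE]) + b[3:]     # insert ff:fe between the halves
    return int.from_bytes(iid, "big")


def is_eui64_address(addr: str, mac: str) -> bool:
    """True if the low 64 bits of addr equal the EUI-64 interface ID of mac."""
    low64 = int(ipaddress.IPv6Address(addr)) & ((1 << 64) - 1)
    return low64 == eui64_suffix(mac)


def classify_neighbours(neigh_output: str) -> dict:
    """Map each global address in the table to 'eui64' (MAC-derived) or 'other'."""
    result = {}
    for line in neigh_output.splitlines():
        m = LINE_RE.match(line)
        if not m:                                 # e.g. FAILED entries carry no lladdr
            continue
        addr, _dev, mac = m.groups()
        if ipaddress.IPv6Address(addr).is_link_local:
            continue                              # fe80::/10 never leaves the LAN
        result[addr] = "eui64" if is_eui64_address(addr, mac) else "other"
    return result


def drop_rules(classified: dict) -> list:
    """ip6tables FORWARD rules that drop traffic from MAC-derived (non-PE) hosts."""
    return [f"ip6tables -I FORWARD -s {addr} -j DROP"
            for addr, kind in classified.items() if kind == "eui64"]


if __name__ == "__main__":
    for rule in drop_rules(classify_neighbours(SAMPLE_NEIGH)):
        print(rule)
```

Because neighbour entries expire and hosts rotate temporary addresses, the classification has to be re-run periodically and the generated rules flushed and reinstalled, which is the part Kevin notes ip6tables has no built-in match for.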
  5. Kevin Darbyshire-Bryant

    Kevin Darbyshire-Bryant Networkin' Nut Member

    And I see a means for a possible enhancement to the tomato device list page.
     
    philess likes this.
  6. philess

    philess Networkin' Nut Member

    Thank you KDB! I will look into that in the next few days.
     