
ip6tables: allow only lan clients with privacy extensions?

Discussion in 'Tomato Firmware' started by philess, May 19, 2013.

  1. philess

    philess Networkin' Nut Member

    Hey everyone,

    I am wondering if it is possible to block all connections using ip6tables for local clients
    which do NOT have privacy extensions enabled? For example, most smartphones do not
    have PE (yet) and I would like to disable IPv6 connectivity for those completely.
    PC clients using a modern OS with PE enabled should be allowed to connect.

    I am sure ip6tables does not allow something like regular expressions to match
    a pattern of source & destination IPs. Is this at all possible somehow?
     
    darkknight93 likes this.
  2. Kevin Darbyshire-Bryant

    Kevin Darbyshire-Bryant Networkin' Nut Member

    So you'd rather have a whole load of hosts running around on your network with pseudo-random addresses and no means of identifying a particular address to a particular host?
     
  3. philess

    philess Networkin' Nut Member

    In this case, actually yes :) I wouldn't have to identify each host myself. No need for that. But I wouldn't
    want the clients to be identifiable from the outside. I know this is quite odd. But I am curious if it's possible.
     
  4. Kevin Darbyshire-Bryant

    Kevin Darbyshire-Bryant Networkin' Nut Member

    Well, a theoretical thinking-out-loud possibility: you could look in the IPv6 neighbours table (ip -6 neigh show) and map the known MAC addresses to IPv6 addresses according to the SLAAC algorithm... if you get a match then the IPv6 address in theory isn't PE enabled. It's the sort of opposite of what dnsmasq's 'ra-names' option does, where it looks for & wants matches :)

    Quite how that gets into iptables I've no idea - sounds like a custom filter/table module type thingy to me.
     
    philess likes this.
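The neighbour-table check KDB describes above, as an added example that is not code from the thread or from Tomato: it derives the modified EUI-64 interface identifier from each MAC address in `ip -6 neigh show` output and flags which global addresses were built from the MAC (classic SLAAC, so not a temporary privacy address). The `ip -6 neigh show` lines are constructed sample data; the address/MAC pairs are made up.

```python
import ipaddress

# Constructed sample in the format of `ip -6 neigh show`; not captured from a real router.
SAMPLE_NEIGH = """\
2001:db8:1::e4f1:9c3a:7b22:10ab dev br0 lladdr 00:11:22:33:44:55 REACHABLE
2001:db8:1::211:22ff:fe33:4455 dev br0 lladdr 00:11:22:33:44:55 STALE
fe80::211:22ff:fe33:4455 dev br0 lladdr 00:11:22:33:44:55 REACHABLE
2001:db8:1::aabb:ccff:fedd:eeff dev br0 lladdr a8:bb:cc:dd:ee:ff REACHABLE
"""

def eui64_iid(mac: str) -> int:
    """Modified EUI-64 interface identifier (RFC 4291, Appendix A) from a 48-bit MAC:
    flip the universal/local bit of the first octet and insert ff:fe in the middle."""
    b = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(b) != 6:
        raise ValueError("expected a 48-bit MAC address")
    iid = bytes([b[0] ^ 0x02]) + b[1:3] + b"\xff\xfe" + b[3:6]
    return int.from_bytes(iid, "big")

def is_eui64_address(addr: str, mac: str) -> bool:
    """True if the low 64 bits of addr equal the modified EUI-64 of mac."""
    low64 = int(ipaddress.IPv6Address(addr)) & ((1 << 64) - 1)
    return low64 == eui64_iid(mac)

def classify_neighbours(neigh_output: str) -> dict:
    """Map each global address in `ip -6 neigh show` output to 'eui64' or 'non-eui64'.
    Link-local entries and entries without a lladdr (e.g. FAILED) are skipped."""
    result = {}
    for line in neigh_output.splitlines():
        fields = line.split()
        if "lladdr" not in fields:
            continue
        addr = fields[0]
        mac = fields[fields.index("lladdr") + 1]
        if ipaddress.IPv6Address(addr).is_link_local:
            continue
        result[addr] = "eui64" if is_eui64_address(addr, mac) else "non-eui64"
    return result

if __name__ == "__main__":
    for addr, kind in classify_neighbours(SAMPLE_NEIGH).items():
        print(f"{addr:40} {kind}")
```

Note that a host with privacy extensions still keeps its EUI-64 address in the table alongside the temporary one, and an address that fails the test may be static, DHCPv6-assigned or a stable-privacy (RFC 7217) address rather than temporary, so any ip6tables rules built from this list have to be per address, not per host.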
  5. Kevin Darbyshire-Bryant

    Kevin Darbyshire-Bryant Networkin' Nut Member

    And I see a means for a possible enhancement to the tomato device list page.
     
    philess likes this.
  6. philess

    philess Networkin' Nut Member

    Thank you KDB! I will look into that in the next few days.
     
