firewall ipv6 script

Discussion in 'Tomato Firmware' started by zatoom, Jun 1, 2014.

  1. zatoom

    zatoom Addicted to LI Member

    I have a question regarding ipv6 and firewall rules.
    I'm a noob at scripting.
    Some info:
    Linksys e2000
    Tomato Firmware v1.28.7503 MIPSR2Toastman-RT K26 VPN
    IPv6 works and VPN works.
    I use Hurricane Electric IPv6 Tunnel Broker for ipv6 tunnel.
    The script below does not work well and I think it has to do with declarations.

    green0 (here LAN) and he-ipv6 (IPv6 tunnel).
    ip6tables= ??????
    green0= ????

    # Flush and remove chains
    ip6tables -F
    ip6tables -X
    # set default policy
    ip6tables -P OUTPUT  DROP
    ip6tables -P INPUT   DROP
    ip6tables -P FORWARD DROP
    # allow icmp
    ip6tables -A INPUT -p ipv6-icmp -j ACCEPT
    ip6tables -A OUTPUT -p ipv6-icmp -j ACCEPT
    # allow all IPv6 traffic on green0
    ip6tables -A INPUT  -i green0 -p all -j ACCEPT
    ip6tables -A OUTPUT -o green0 -p all -j ACCEPT
    # give green0 access to the internet
    ip6tables -A FORWARD -i green0 -j ACCEPT
    ip6tables -A FORWARD -i he-ipv6 -m state --state ESTABLISHED -j ACCEPT
    # Filter all packets that have RH0 headers:
    ip6tables -A INPUT -m rt --rt-type 0 -j DROP
    ip6tables -A FORWARD -m rt --rt-type 0 -j DROP
    ip6tables -A OUTPUT -m rt --rt-type 0 -j DROP
    # Allow HTTP and HTTPS
    ip6tables -A OUTPUT  -p tcp --dport 80 -j ACCEPT
    ip6tables -A INPUT   -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT
    ip6tables -A OUTPUT  -p tcp --dport 443 -j ACCEPT
    ip6tables -A INPUT   -p tcp --sport 443 -m state --state ESTABLISHED -j ACCEPT
    What do I need to change to make this work?
  2. Spyros

    Spyros LI Guru Member

    What's wrong with the default rules?
  3. zatoom

    zatoom Addicted to LI Member

    I want to close all IPv6 by default except the connections from within my network.
    Am I making a mistake in how and why I use the script?
  4. Matt Wilson

    Matt Wilson Networkin' Nut Member

    Are you saying that you don't want any external IPv6 access, or you just want to close the IPv6 ports to unsolicited outside access?

    If you don't want external IPv6 access, remove the Hurricane Electric tunnel and shut down any IPv6 transition technologies such as Teredo on the devices on your network.

    If you want to close the external ports, are you saying that the options in the GUI don't support that or don't work properly? I'm using Tomato Firmware v1.28.7821 MIPSR1-Toastman-ND K26 USB Ext, and although it's older and in a different branch, it handles port forwarding/port blocking just as well as it does for IPv4. Things are closed to unsolicited external traffic until I open up a port, and my outgoing IPv6 connections work just fine.
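
Added example, not part of any post in this thread: a sketch of the behaviour Matt Wilson describes (closed to unsolicited outside traffic, outgoing connections working), reusing the match options from zatoom's script. The function name `gen_rules` and the interface names passed to it are assumptions; the function only prints a ruleset in `ip6tables-restore` format and applies nothing.

```shell
#!/bin/sh
# Added example, not code from the thread. Prints a ruleset in
# ip6tables-restore format; nothing is applied by this script.
# gen_rules and its interface arguments are hypothetical names.

gen_rules() {
    lan="$1"; wan="$2"
    if [ -z "$lan" ] || [ -z "$wan" ] || [ "$lan" = "$wan" ]; then
        echo "usage: gen_rules <lan-if> <tunnel-if>" >&2
        return 1
    fi
    # Refuse anything that is not a plain interface name, so a bad
    # argument cannot smuggle extra rule text into the output.
    case "$lan$wan" in
        *[!A-Za-z0-9._-]*) echo "invalid interface name" >&2; return 1 ;;
    esac
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# RH0 drops go first: a DROP placed after an ACCEPT never sees
# the packets that ACCEPT already matched.
-A INPUT -m rt --rt-type 0 -j DROP
-A FORWARD -m rt --rt-type 0 -j DROP
-A OUTPUT -m rt --rt-type 0 -j DROP
# Replies to connections opened from the inside. RELATED also lets
# ICMPv6 errors (e.g. packet-too-big) for those connections back in.
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# The router itself: loopback, the LAN side, and ICMPv6
# (neighbour discovery does not work without it).
-A INPUT -i lo -j ACCEPT
-A INPUT -i $lan -j ACCEPT
-A INPUT -p ipv6-icmp -j ACCEPT
# LAN hosts may open connections out through the tunnel; nothing
# new may come in the other way (FORWARD policy is DROP).
-A FORWARD -i $lan -o $wan -j ACCEPT
COMMIT
EOF
}

# Stand-alone use: ./script.sh <lan-if> <tunnel-if>
if [ "$#" -eq 2 ]; then gen_rules "$1" "$2"; fi
```

Read the real interface names from the router before using the output; the names `green0` and `he-ipv6` in the script above are only correct if interfaces with those names exist on the device.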