[TriLUG] Late night IPv6
Igor Partola
igor at igorpartola.com
Fri May 10 11:30:38 EDT 2013
On Fri, May 10, 2013 at 11:23 AM, Bill Farrow <bill at arrowsreach.com> wrote:
> On Fri, May 10, 2013 at 10:49 AM, Igor Partola <igor at igorpartola.com>
> wrote:
> > I hope you also enabled the firewall to safeguard your home network.
> > Otherwise, bad things (tm) are bound to happen :).
>
> Thanks for the reminder. I have installed the IPv6 firewall packages.
> Can you suggest some firewall rules?
> opkg install kmod-ip6tables ip6tables
>
I documented the ones I use here:
http://igorpartola.com/ipv6-2/you-need-ipv6-now-and-heres-how-to-get-it
In short:
ip6tables -A INPUT -i lo -j ACCEPT
ip6tables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
ip6tables -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
ip6tables -A INPUT -s 2001:4830:xxxx:xxx::/64 -j ACCEPT
ip6tables -A INPUT -s 2001:4830:xxxx:Yxxx::/64 -j ACCEPT
ip6tables -A INPUT -p ipv6-icmp -j ACCEPT
ip6tables -A INPUT -j DROP
ip6tables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
ip6tables -A FORWARD -p tcp -m tcp --dport 22 -j ACCEPT
ip6tables -A FORWARD -s 2001:4830:xxxx:Yxxx::/64 -j ACCEPT
ip6tables -A FORWARD -p ipv6-icmp -j ACCEPT
ip6tables -A FORWARD -j DROP
Basically, allow existing connections, port 22, tunnel subnet
(2001:4830:xxxx:xxx::/64), routed subnet (2001:4830:xxxx:Yxxx::/64), and
ICMPv6.
Igor
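A small audit script for a ruleset like the one above, added here as an example (not part of the original post or of the OpenWrt/ip6tables tooling). It parses a list of ip6tables command lines and reports the mistakes that are easiest to make when typing rules by hand: a chain that never ends in an unconditional DROP (the built-in policy stays ACCEPT unless set with -P), rules that are unreachable because they follow an unconditional DROP, and a chain that forgets ICMPv6 or the RELATED,ESTABLISHED accept. The sample ruleset is constructed: it uses 2001:db8::/32 documentation prefixes instead of real ones, and its last line is deliberately attached to INPUT instead of FORWARD to show how the audit flags that slip.

```python
"""Lint a list of ip6tables rules (one command per line) for ordering and
coverage mistakes.  Example code; RULE_LINES below is a constructed sample."""
import shlex
from dataclasses import dataclass


@dataclass
class Rule:
    chain: str = ""
    target: str = ""
    proto: str = ""
    src: str = ""
    dport: str = ""
    ctstate: str = ""
    iface: str = ""

    def unconditional(self) -> bool:
        """True when the rule has no match at all and so hits every packet."""
        return not (self.proto or self.src or self.dport or self.ctstate or self.iface)


# Flags that take exactly one argument, mapped to the Rule field they fill.
_FLAGS = {"-A": "chain", "-j": "target", "-p": "proto", "-s": "src",
          "--dport": "dport", "--ctstate": "ctstate", "-i": "iface"}


def parse_rule(line: str) -> Rule:
    """Parse one 'ip6tables -A CHAIN ... -j TARGET' command line."""
    args = shlex.split(line)
    if args and args[0] == "ip6tables":
        args = args[1:]
    rule = Rule()
    i = 0
    while i < len(args):
        flag = args[i]
        if flag in _FLAGS:
            setattr(rule, _FLAGS[flag], args[i + 1])
            i += 2
        elif flag == "-m":          # match module name (tcp, conntrack); its own
            i += 2                  # options follow as ordinary flags
        else:
            i += 1
    return rule


def audit(lines, chains=("INPUT", "FORWARD")):
    """Return a list of human-readable findings; an empty list means clean."""
    rules = [parse_rule(l) for l in lines
             if l.strip() and not l.lstrip().startswith("#")]
    by_chain = {}
    for r in rules:
        by_chain.setdefault(r.chain, []).append(r)

    findings = []
    for chain in chains:
        rs = by_chain.get(chain, [])
        # 1. Every filtered chain must end in an unconditional DROP.
        if not rs or not (rs[-1].target == "DROP" and rs[-1].unconditional()):
            findings.append(f"{chain}: no unconditional DROP at end of chain "
                            "(built-in policy is ACCEPT unless set with -P)")
        # 2. Anything after an unconditional DROP is dead weight (often a typo).
        for idx, r in enumerate(rs):
            if r.target == "DROP" and r.unconditional() and idx < len(rs) - 1:
                findings.append(f"{chain}: rules after position {idx + 1} are unreachable")
                break
        # 3. ICMPv6 carries neighbour discovery and PMTUD; blocking it breaks IPv6.
        if not any(r.proto == "ipv6-icmp" and r.target == "ACCEPT" for r in rs):
            findings.append(f"{chain}: ICMPv6 is not accepted")
        # 4. Without a conntrack accept, reply traffic to outbound connections dies.
        if not any("ESTABLISHED" in r.ctstate and r.target == "ACCEPT" for r in rs):
            findings.append(f"{chain}: no RELATED,ESTABLISHED accept")
    return findings


# Constructed sample: documentation prefixes, and the final line mistyped as
# INPUT where FORWARD was meant.
RULE_LINES = """
ip6tables -A INPUT -i lo -j ACCEPT
ip6tables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
ip6tables -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
ip6tables -A INPUT -s 2001:db8:1:1::/64 -j ACCEPT
ip6tables -A INPUT -s 2001:db8:1:2::/64 -j ACCEPT
ip6tables -A INPUT -p ipv6-icmp -j ACCEPT
ip6tables -A INPUT -j DROP
ip6tables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
ip6tables -A FORWARD -p tcp -m tcp --dport 22 -j ACCEPT
ip6tables -A FORWARD -s 2001:db8:1:2::/64 -j ACCEPT
ip6tables -A FORWARD -p ipv6-icmp -j ACCEPT
ip6tables -A INPUT -j DROP
""".strip().splitlines()

# Same ruleset with the last line corrected.
FIXED_LINES = RULE_LINES[:-1] + ["ip6tables -A FORWARD -j DROP"]

if __name__ == "__main__":
    for name, lines in (("as typed", RULE_LINES), ("corrected", FIXED_LINES)):
        print(f"{name}: {audit(lines) or 'clean'}")
```

Run against the mistyped sample it reports two findings (INPUT has an unreachable second DROP, FORWARD has no terminal DROP); with the last line changed to FORWARD it reports nothing. On a live router the same check can be run over the output of `ip6tables -S`, which prints rules in this flag form.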