IPv6 firewall on Linux router
I have an IPv6 tunnel (he.net) on my NAT router. I also have a simple firewall and routing setup to allow hosts behind the router to use the IPv6 address space. Unfortunately only outgoing connectivity and incoming ICMP work for these hosts.



#!/bin/bash
PUBIF="he-ipv6"   # HE tunnel interface (public side)
LOCIF="vmbr0"     # LAN bridge with the hosts behind the router
echo "Starting IPv6 firewall..."

# Flush and delete every chain in the filter and mangle tables
ip6tables -F
ip6tables -X
ip6tables -t mangle -F
ip6tables -t mangle -X

# Loopback
ip6tables -A INPUT -i lo -j ACCEPT
ip6tables -A OUTPUT -o lo -j ACCEPT

# Default deny in all three directions
ip6tables -P INPUT DROP
ip6tables -P OUTPUT DROP
ip6tables -P FORWARD DROP

# Router's own traffic on the tunnel: stateful in, anything out
ip6tables -A INPUT -i "$PUBIF" -m state --state ESTABLISHED,RELATED -j ACCEPT
ip6tables -A OUTPUT -o "$PUBIF" -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

# Drop packets carrying a type 0 routing header (RH0)
ip6tables -A INPUT -m rt --rt-type 0 -j DROP
ip6tables -A FORWARD -m rt --rt-type 0 -j DROP
ip6tables -A OUTPUT -m rt --rt-type 0 -j DROP

# Link-local sources (neighbour discovery) on any interface
ip6tables -A INPUT -s fe80::/10 -j ACCEPT
ip6tables -A OUTPUT -s fe80::/10 -j ACCEPT

# Multicast destinations (RAs, solicited-node groups) on any interface
ip6tables -A INPUT -d ff00::/8 -j ACCEPT
ip6tables -A OUTPUT -d ff00::/8 -j ACCEPT

# The LAN side is fully trusted
ip6tables -A INPUT -i "$LOCIF" -j ACCEPT
ip6tables -A OUTPUT -o "$LOCIF" -j ACCEPT

# Forwarding: LAN -> tunnel unrestricted, tunnel -> LAN ICMPv6 only,
# then return traffic of established flows in either direction
ip6tables -A FORWARD -i "$LOCIF" -o "$PUBIF" -j ACCEPT
ip6tables -A FORWARD -i "$PUBIF" -o "$LOCIF" -p icmpv6 -j ACCEPT
ip6tables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

# All ICMPv6 to and from the router itself on the tunnel
ip6tables -A INPUT -i "$PUBIF" -p ipv6-icmp -j ACCEPT
ip6tables -A OUTPUT -o "$PUBIF" -p ipv6-icmp -j ACCEPT

# One service on the router reachable from the tunnel
ip6tables -A INPUT -i "$PUBIF" -p tcp --destination-port 65000 -j ACCEPT

# Log and drop everything else arriving on the tunnel
ip6tables -A INPUT -i "$PUBIF" -j LOG
ip6tables -A INPUT -i "$PUBIF" -j DROP


What did I miss here?
Tags: iptables, firewall, routing, nat, ipv6
asked 6 hours ago
Syn Romana
1 Answer
You're only allowing ICMP inward!

ip6tables -A FORWARD -i $PUBIF -o $LOCIF -p icmpv6 -j ACCEPT

Compare it to the previous rule where you allow all traffic outward.

ip6tables -A FORWARD -i $LOCIF -o $PUBIF -j ACCEPT

BTW, these rules are redundant; the Linux kernel has automatically dropped this traffic since about 2.6.25 (2007-ish). You can safely remove them. And you should reevaluate whatever tutorial you found them in, as it is probably very far out of date.

ip6tables -A INPUT -m rt --rt-type 0 -j DROP
ip6tables -A FORWARD -m rt --rt-type 0 -j DROP
ip6tables -A OUTPUT -m rt --rt-type 0 -j DROP
answered 6 hours ago
Michael Hampton
• Yes, the incoming traffic rule was an issue. Thanks for pointing that out.
  – Syn Romana, 4 hours ago
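As an added example (editor's code, not part of the question or of the answer above), here is the shape the fix should take rather than simply deleting "-p icmpv6" from the inbound rule. With IPv6 there is no NAT in front of the LAN hosts, so an unrestricted "-i $PUBIF -o $LOCIF -j ACCEPT" exposes every one of them to the internet; the tunnel-to-LAN direction should instead carry the ICMPv6 types a router genuinely needs plus explicit per-host services. The script prints the corrected ruleset in ip6tables-restore format (the RH0 rules are left out, as the answer recommends) and contains a small awk check that classifies the tunnel-to-LAN ACCEPT rules of any ip6tables-save dump. Interface names and TCP/65000 come from the question; the address 2001:db8::10 and TCP/443 are hypothetical placeholders for one LAN host that must be reachable, and the FORWARD chain of the original script is reconstructed inline so the check runs without a kernel.

```shell
#!/bin/sh
# Added example, not the poster's script or the answerer's code: a corrected
# ruleset in ip6tables-restore format plus a check that classifies the
# tunnel -> LAN ACCEPT rules of an ip6tables-save dump. Interface names and
# TCP/65000 come from the question; WEBHOST and TCP/443 are hypothetical.

PUBIF="${PUBIF:-he-ipv6}"
LOCIF="${LOCIF:-vmbr0}"
WEBHOST="${WEBHOST:-2001:db8::10}"   # placeholder, not a real host

rule() { printf '%s\n' "$*"; }
# ICMPv6 types a router needs (RFC 4890's minimum) instead of the whole protocol.
ICMP6_BASE="destination-unreachable packet-too-big time-exceeded parameter-problem echo-request echo-reply"
ICMP6_ND="neighbour-solicitation neighbour-advertisement"   # link-local, never forwarded

icmp6_rules() {   # $1 = chain, $2 = type list, remaining args = extra matches
    chain=$1; types=$2; shift 2
    for t in $types; do
        rule -A "$chain" "$@" -p ipv6-icmp --icmpv6-type "$t" -j ACCEPT
    done
}

# Corrected ruleset.  Parse only: corrected_ruleset | ip6tables-restore --test
corrected_ruleset() {
    rule '*filter'
    rule ':INPUT DROP [0:0]'
    rule ':FORWARD DROP [0:0]'
    rule ':OUTPUT DROP [0:0]'
    rule -A INPUT -i lo -j ACCEPT
    rule -A OUTPUT -o lo -j ACCEPT
    # Return traffic first in every chain; INVALID is dropped before the LOG rules.
    for c in INPUT FORWARD OUTPUT; do
        rule -A "$c" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
        rule -A "$c" -m conntrack --ctstate INVALID -j DROP
    done
    icmp6_rules INPUT  "$ICMP6_BASE $ICMP6_ND"
    icmp6_rules OUTPUT "$ICMP6_BASE $ICMP6_ND"
    # The LAN side is trusted, which also covers its link-local neighbour discovery;
    # the original "fe80::/10 / ff00::/8 on any interface" rules are not needed.
    rule -A INPUT -i "$LOCIF" -j ACCEPT
    rule -A INPUT -i "$PUBIF" -p tcp --dport 65000 -m conntrack --ctstate NEW -j ACCEPT
    rule -A OUTPUT -o "$LOCIF" -j ACCEPT
    rule -A OUTPUT -o "$PUBIF" -m conntrack --ctstate NEW -j ACCEPT
    # LAN -> tunnel: anything.  Tunnel -> LAN: ICMPv6 errors/echo plus explicit
    # services only; there is no NAT in front of these hosts, so a bare
    # "-i $PUBIF -o $LOCIF -j ACCEPT" would expose every one of them.
    rule -A FORWARD -i "$LOCIF" -o "$PUBIF" -j ACCEPT
    icmp6_rules FORWARD "$ICMP6_BASE" -i "$PUBIF" -o "$LOCIF"
    rule -A FORWARD -i "$PUBIF" -o "$LOCIF" -d "$WEBHOST" -p tcp --dport 443 \
         -m conntrack --ctstate NEW -j ACCEPT
    rule -A FORWARD -i "$PUBIF" -j LOG --log-prefix '"ip6-fwd-drop: "'
    rule -A INPUT -i "$PUBIF" -j LOG --log-prefix '"ip6-in-drop: "'
    rule COMMIT
}

# FORWARD chain of the question's script as ip6tables-save prints it (reconstructed).
original_forward() {
    rule -A FORWARD -m rt --rt-type 0 -j DROP
    rule -A FORWARD -i "$LOCIF" -o "$PUBIF" -j ACCEPT
    rule -A FORWARD -i "$PUBIF" -o "$LOCIF" -p ipv6-icmp -j ACCEPT
    rule -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
}

# The tempting one-line "fix": delete "-p icmpv6" and forward everything inbound.
naive_fix_forward() {
    original_forward | sed 's/ -p ipv6-icmp -j ACCEPT$/ -j ACCEPT/'
}

# Classify tunnel -> LAN ACCEPT rules of a FORWARD chain read on stdin:
# OPEN, ICMP_ONLY (the question's symptom), SELECTIVE (per-host/port) or NONE.
classify_inbound_forward() {
    awk -v pub="$PUBIF" -v loc="$LOCIF" '
    $1 == "-A" && $2 == "FORWARD" && $(NF-1) == "-j" && $NF == "ACCEPT" {
        dir = 0; icmp = 0; narrow = 0
        for (i = 3; i < NF; i++) {
            if ($i == "-i" && $(i+1) == pub) dir++
            if ($i == "-o" && $(i+1) == loc) dir++
            if ($i == "-p" && ($(i+1) == "ipv6-icmp" || $(i+1) == "icmpv6" || $(i+1) == "58")) icmp = 1
            if ($i == "-d" || $i == "--dport" || $i == "--destination-port") narrow = 1
        }
        if (dir == 2) { if (icmp) n_icmp++; else if (narrow) n_sel++; else n_open++ }
    }
    END {
        if (n_open) print "OPEN"
        else if (n_sel) print "SELECTIVE"
        else if (n_icmp) print "ICMP_ONLY"
        else print "NONE"
    }'
}

case "${1:-}" in
    --ruleset) corrected_ruleset ;;
    "") for f in original_forward naive_fix_forward corrected_ruleset; do
            printf '%-22s %s\n' "$f" "$("$f" | classify_inbound_forward)"
        done ;;
esac
```

Run without arguments and it reports ICMP_ONLY for the question's chain, OPEN for the naive fix and SELECTIVE for the corrected ruleset; with --ruleset it prints the ruleset, which can be piped through "ip6tables-restore --test" to have the rule parser check it before loading it for real. To audit a live router, source the file and pipe ip6tables-save into classify_inbound_forward. The ESTABLISHED,RELATED rule sits first in every chain on purpose: the original put it after the ICMP rule, which works but makes every return packet walk the interface-specific rules first.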