IPv6 firewall on Linux router
I have IPv6 tunnel (he.net) on my NAT router. I also have a simple firewall and routing setup to allow hosts behind the router to use IPv6 address space. Unfortunately only outgoing connectivity and incoming icmp works for these hosts.
#!/bin/bash
PUBIF="he-ipv6"
LOCIF="vmbr0"
echo "Starting IPv6 firewall..."
ip6tables -F
ip6tables -X
ip6tables -t mangle -F
ip6tables -t mangle -X
ip6tables -A INPUT -i lo -j ACCEPT
ip6tables -A OUTPUT -o lo -j ACCEPT
ip6tables -P INPUT DROP
ip6tables -P OUTPUT DROP
ip6tables -P FORWARD DROP
ip6tables -A INPUT -i $PUBIF -m state --state ESTABLISHED,RELATED -j ACCEPT
ip6tables -A OUTPUT -o $PUBIF -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
ip6tables -A INPUT -m rt --rt-type 0 -j DROP
ip6tables -A FORWARD -m rt --rt-type 0 -j DROP
ip6tables -A OUTPUT -m rt --rt-type 0 -j DROP
ip6tables -A INPUT -s fe80::/10 -j ACCEPT
ip6tables -A OUTPUT -s fe80::/10 -j ACCEPT
ip6tables -A INPUT -d ff00::/8 -j ACCEPT
ip6tables -A OUTPUT -d ff00::/8 -j ACCEPT
ip6tables -A INPUT -i $LOCIF -j ACCEPT
ip6tables -A OUTPUT -o $LOCIF -j ACCEPT
ip6tables -A FORWARD -i $LOCIF -o $PUBIF -j ACCEPT
ip6tables -A FORWARD -i $PUBIF -o $LOCIF -p icmpv6 -j ACCEPT
ip6tables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
ip6tables -A INPUT -i $PUBIF -p ipv6-icmp -j ACCEPT
ip6tables -A OUTPUT -o $PUBIF -p ipv6-icmp -j ACCEPT
ip6tables -A INPUT -i $PUBIF -p tcp --destination-port 65000 -j ACCEPT
ip6tables -A INPUT -i $PUBIF -j LOG
ip6tables -A INPUT -i $PUBIF -j DROP
What did I miss here?
iptables firewall routing nat ipv6
New contributor
add a comment |
I have IPv6 tunnel (he.net) on my NAT router. I also have a simple firewall and routing setup to allow hosts behind the router to use IPv6 address space. Unfortunately only outgoing connectivity and incoming icmp works for these hosts.
#!/bin/bash
PUBIF="he-ipv6"
LOCIF="vmbr0"
echo "Starting IPv6 firewall..."
ip6tables -F
ip6tables -X
ip6tables -t mangle -F
ip6tables -t mangle -X
ip6tables -A INPUT -i lo -j ACCEPT
ip6tables -A OUTPUT -o lo -j ACCEPT
ip6tables -P INPUT DROP
ip6tables -P OUTPUT DROP
ip6tables -P FORWARD DROP
ip6tables -A INPUT -i $PUBIF -m state --state ESTABLISHED,RELATED -j ACCEPT
ip6tables -A OUTPUT -o $PUBIF -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
ip6tables -A INPUT -m rt --rt-type 0 -j DROP
ip6tables -A FORWARD -m rt --rt-type 0 -j DROP
ip6tables -A OUTPUT -m rt --rt-type 0 -j DROP
ip6tables -A INPUT -s fe80::/10 -j ACCEPT
ip6tables -A OUTPUT -s fe80::/10 -j ACCEPT
ip6tables -A INPUT -d ff00::/8 -j ACCEPT
ip6tables -A OUTPUT -d ff00::/8 -j ACCEPT
ip6tables -A INPUT -i $LOCIF -j ACCEPT
ip6tables -A OUTPUT -o $LOCIF -j ACCEPT
ip6tables -A FORWARD -i $LOCIF -o $PUBIF -j ACCEPT
ip6tables -A FORWARD -i $PUBIF -o $LOCIF -p icmpv6 -j ACCEPT
ip6tables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
ip6tables -A INPUT -i $PUBIF -p ipv6-icmp -j ACCEPT
ip6tables -A OUTPUT -o $PUBIF -p ipv6-icmp -j ACCEPT
ip6tables -A INPUT -i $PUBIF -p tcp --destination-port 65000 -j ACCEPT
ip6tables -A INPUT -i $PUBIF -j LOG
ip6tables -A INPUT -i $PUBIF -j DROP
What did I miss here?
iptables firewall routing nat ipv6
New contributor
add a comment |
I have IPv6 tunnel (he.net) on my NAT router. I also have a simple firewall and routing setup to allow hosts behind the router to use IPv6 address space. Unfortunately only outgoing connectivity and incoming icmp works for these hosts.
#!/bin/bash
PUBIF="he-ipv6"
LOCIF="vmbr0"
echo "Starting IPv6 firewall..."
ip6tables -F
ip6tables -X
ip6tables -t mangle -F
ip6tables -t mangle -X
ip6tables -A INPUT -i lo -j ACCEPT
ip6tables -A OUTPUT -o lo -j ACCEPT
ip6tables -P INPUT DROP
ip6tables -P OUTPUT DROP
ip6tables -P FORWARD DROP
ip6tables -A INPUT -i $PUBIF -m state --state ESTABLISHED,RELATED -j ACCEPT
ip6tables -A OUTPUT -o $PUBIF -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
ip6tables -A INPUT -m rt --rt-type 0 -j DROP
ip6tables -A FORWARD -m rt --rt-type 0 -j DROP
ip6tables -A OUTPUT -m rt --rt-type 0 -j DROP
ip6tables -A INPUT -s fe80::/10 -j ACCEPT
ip6tables -A OUTPUT -s fe80::/10 -j ACCEPT
ip6tables -A INPUT -d ff00::/8 -j ACCEPT
ip6tables -A OUTPUT -d ff00::/8 -j ACCEPT
ip6tables -A INPUT -i $LOCIF -j ACCEPT
ip6tables -A OUTPUT -o $LOCIF -j ACCEPT
ip6tables -A FORWARD -i $LOCIF -o $PUBIF -j ACCEPT
ip6tables -A FORWARD -i $PUBIF -o $LOCIF -p icmpv6 -j ACCEPT
ip6tables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
ip6tables -A INPUT -i $PUBIF -p ipv6-icmp -j ACCEPT
ip6tables -A OUTPUT -o $PUBIF -p ipv6-icmp -j ACCEPT
ip6tables -A INPUT -i $PUBIF -p tcp --destination-port 65000 -j ACCEPT
ip6tables -A INPUT -i $PUBIF -j LOG
ip6tables -A INPUT -i $PUBIF -j DROP
What did I miss here?
iptables firewall routing nat ipv6
New contributor
I have IPv6 tunnel (he.net) on my NAT router. I also have a simple firewall and routing setup to allow hosts behind the router to use IPv6 address space. Unfortunately only outgoing connectivity and incoming icmp works for these hosts.
#!/bin/bash
PUBIF="he-ipv6"
LOCIF="vmbr0"
echo "Starting IPv6 firewall..."
ip6tables -F
ip6tables -X
ip6tables -t mangle -F
ip6tables -t mangle -X
ip6tables -A INPUT -i lo -j ACCEPT
ip6tables -A OUTPUT -o lo -j ACCEPT
ip6tables -P INPUT DROP
ip6tables -P OUTPUT DROP
ip6tables -P FORWARD DROP
ip6tables -A INPUT -i $PUBIF -m state --state ESTABLISHED,RELATED -j ACCEPT
ip6tables -A OUTPUT -o $PUBIF -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
ip6tables -A INPUT -m rt --rt-type 0 -j DROP
ip6tables -A FORWARD -m rt --rt-type 0 -j DROP
ip6tables -A OUTPUT -m rt --rt-type 0 -j DROP
ip6tables -A INPUT -s fe80::/10 -j ACCEPT
ip6tables -A OUTPUT -s fe80::/10 -j ACCEPT
ip6tables -A INPUT -d ff00::/8 -j ACCEPT
ip6tables -A OUTPUT -d ff00::/8 -j ACCEPT
ip6tables -A INPUT -i $LOCIF -j ACCEPT
ip6tables -A OUTPUT -o $LOCIF -j ACCEPT
ip6tables -A FORWARD -i $LOCIF -o $PUBIF -j ACCEPT
ip6tables -A FORWARD -i $PUBIF -o $LOCIF -p icmpv6 -j ACCEPT
ip6tables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
ip6tables -A INPUT -i $PUBIF -p ipv6-icmp -j ACCEPT
ip6tables -A OUTPUT -o $PUBIF -p ipv6-icmp -j ACCEPT
ip6tables -A INPUT -i $PUBIF -p tcp --destination-port 65000 -j ACCEPT
ip6tables -A INPUT -i $PUBIF -j LOG
ip6tables -A INPUT -i $PUBIF -j DROP
What did I miss here?
iptables firewall routing nat ipv6
iptables firewall routing nat ipv6
New contributor
New contributor
New contributor
asked 6 hours ago
Syn RomanaSyn Romana
82
82
New contributor
New contributor
add a comment |
add a comment |
1 Answer
1
active
oldest
votes
You're only allowing ICMP inward!
ip6tables -A FORWARD -i $PUBIF -o $LOCIF -p icmpv6 -j ACCEPT
Compare it to the previous rule where you allow all traffic outward.
ip6tables -A FORWARD -i $LOCIF -o $PUBIF -j ACCEPT
BTW, these rules are redundant; the Linux kernel has automatically dropped this traffic since about 2.6.25 (2007-ish). You can safely remove them. And you should reevaluate whatever tutorial you found them in, as it is probably very far out of date.
ip6tables -A INPUT -m rt --rt-type 0 -j DROP
ip6tables -A FORWARD -m rt --rt-type 0 -j DROP
ip6tables -A OUTPUT -m rt --rt-type 0 -j DROP
Yes, incoming traffic rule was an issue. Thanks for pointing that.
– Syn Romana
4 hours ago
add a comment |
Your Answer
StackExchange.ready(function() {
var channelOptions = {
tags: "".split(" "),
id: "2"
};
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function() {
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled) {
StackExchange.using("snippets", function() {
createEditor();
});
}
else {
createEditor();
}
});
function createEditor() {
StackExchange.prepareEditor({
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: true,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: 10,
bindNavPrevention: true,
postfix: "",
imageUploader: {
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
},
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
});
}
});
Syn Romana is a new contributor. Be nice, and check out our Code of Conduct.
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fserverfault.com%2fquestions%2f956552%2fipv6-firewall-on-linux-router%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
1 Answer
1
active
oldest
votes
1 Answer
1
active
oldest
votes
active
oldest
votes
active
oldest
votes
You're only allowing ICMP inward!
ip6tables -A FORWARD -i $PUBIF -o $LOCIF -p icmpv6 -j ACCEPT
Compare it to the previous rule where you allow all traffic outward.
ip6tables -A FORWARD -i $LOCIF -o $PUBIF -j ACCEPT
BTW, these rules are redundant; the Linux kernel has automatically dropped this traffic since about 2.6.25 (2007-ish). You can safely remove them. And you should reevaluate whatever tutorial you found them in, as it is probably very far out of date.
ip6tables -A INPUT -m rt --rt-type 0 -j DROP
ip6tables -A FORWARD -m rt --rt-type 0 -j DROP
ip6tables -A OUTPUT -m rt --rt-type 0 -j DROP
Yes, incoming traffic rule was an issue. Thanks for pointing that.
– Syn Romana
4 hours ago
add a comment |
You're only allowing ICMP inward!
ip6tables -A FORWARD -i $PUBIF -o $LOCIF -p icmpv6 -j ACCEPT
Compare it to the previous rule where you allow all traffic outward.
ip6tables -A FORWARD -i $LOCIF -o $PUBIF -j ACCEPT
BTW, these rules are redundant; the Linux kernel has automatically dropped this traffic since about 2.6.25 (2007-ish). You can safely remove them. And you should reevaluate whatever tutorial you found them in, as it is probably very far out of date.
ip6tables -A INPUT -m rt --rt-type 0 -j DROP
ip6tables -A FORWARD -m rt --rt-type 0 -j DROP
ip6tables -A OUTPUT -m rt --rt-type 0 -j DROP
Yes, incoming traffic rule was an issue. Thanks for pointing that.
– Syn Romana
4 hours ago
add a comment |
You're only allowing ICMP inward!
ip6tables -A FORWARD -i $PUBIF -o $LOCIF -p icmpv6 -j ACCEPT
Compare it to the previous rule where you allow all traffic outward.
ip6tables -A FORWARD -i $LOCIF -o $PUBIF -j ACCEPT
BTW, these rules are redundant; the Linux kernel has automatically dropped this traffic since about 2.6.25 (2007-ish). You can safely remove them. And you should reevaluate whatever tutorial you found them in, as it is probably very far out of date.
ip6tables -A INPUT -m rt --rt-type 0 -j DROP
ip6tables -A FORWARD -m rt --rt-type 0 -j DROP
ip6tables -A OUTPUT -m rt --rt-type 0 -j DROP
You're only allowing ICMP inward!
ip6tables -A FORWARD -i $PUBIF -o $LOCIF -p icmpv6 -j ACCEPT
Compare it to the previous rule where you allow all traffic outward.
ip6tables -A FORWARD -i $LOCIF -o $PUBIF -j ACCEPT
BTW, these rules are redundant; the Linux kernel has automatically dropped this traffic since about 2.6.25 (2007-ish). You can safely remove them. And you should reevaluate whatever tutorial you found them in, as it is probably very far out of date.
ip6tables -A INPUT -m rt --rt-type 0 -j DROP
ip6tables -A FORWARD -m rt --rt-type 0 -j DROP
ip6tables -A OUTPUT -m rt --rt-type 0 -j DROP
answered 6 hours ago
Michael Hampton♦Michael Hampton
170k27312636
170k27312636
Yes, incoming traffic rule was an issue. Thanks for pointing that.
– Syn Romana
4 hours ago
add a comment |
Yes, incoming traffic rule was an issue. Thanks for pointing that.
– Syn Romana
4 hours ago
Yes, incoming traffic rule was an issue. Thanks for pointing that.
– Syn Romana
4 hours ago
Yes, incoming traffic rule was an issue. Thanks for pointing that.
– Syn Romana
4 hours ago
add a comment |
Syn Romana is a new contributor. Be nice, and check out our Code of Conduct.
Syn Romana is a new contributor. Be nice, and check out our Code of Conduct.
Syn Romana is a new contributor. Be nice, and check out our Code of Conduct.
Syn Romana is a new contributor. Be nice, and check out our Code of Conduct.
Thanks for contributing an answer to Server Fault!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fserverfault.com%2fquestions%2f956552%2fipv6-firewall-on-linux-router%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown