@pklaus
Created April 12, 2012 22:34
Firewall Rules for IPv6 on OpenWrt via Tunnels
#!/bin/ash
# Found on https://forum.openwrt.org/viewtopic.php?pid=135197
#
# Some important definitions used by this script.
# Only edit these in case something has changed and if you know
# what you are doing.
#
# IPT6: path to the ip6tables binary
# IF: name of the LAN interface (or bridge) where all the machines that need
# IPv6 connectivity are connected
# SIXXS: the name of the interface identifying the sixxs-tunnel
# PREFIX: The IPv6-Prefix of your network
IPT6="/usr/sbin/ip6tables"
IF="br-lan"
SIXXS="ipv6net"
PREFIX="2001:fb17:4d0d::/48"
#
# Host IP address definitions
#
# Here you can define the IP addresses of hosts that need
# some kind of special configuration, like port forwarding.
# The default configuration is to allow all outgoing traffic and to drop all
# unsolicited incoming traffic; the only exception is ICMPv6, which is
# currently accepted in full (see the ICMPv6 section below).
host_micron="2001:1234:5678:fefe:1234:5678:9abc:def0"
#
# All your custom rules should be placed inside the custom_rules() function
# below. This ensures that they are executed after all the default rules
# have been properly set.
#
custom_rules() {
# Allow SSH access to the router from the tunnel. This exposes port 22 to the
# whole IPv6 Internet; restrict it with -s <trusted prefix> or rate-limit it
# if you do not need it open to everyone.
$IPT6 -A INPUT -i $SIXXS -p tcp --dport 22 -j ACCEPT
# Allow OSPFv3 (IP protocol 89, resolved through /etc/protocols)
$IPT6 -A INPUT -i $SIXXS -p ospf -j ACCEPT
# Example: allow access from the tunnel to ports 80 and 22 on micron
# (inbound to a LAN host, so it goes in FORWARD, not INPUT)
#$IPT6 -A FORWARD -i $SIXXS -o $IF -p tcp --dport 80 -d $host_micron -j ACCEPT
#$IPT6 -A FORWARD -i $SIXXS -o $IF -p tcp --dport 22 -d $host_micron -j ACCEPT
}
#######################################################################
### DO NOT EDIT BELOW THIS LINE UNLESS YOU KNOW WHAT YOU ARE DOING! ###
#######################################################################
# Fail closed first: set the default policies to DROP before touching the
# rules, so the router is never open while the ruleset is being rebuilt
$IPT6 -P INPUT DROP
$IPT6 -P OUTPUT DROP
$IPT6 -P FORWARD DROP
# Flush all rules and delete all user-defined chains in the filter and
# mangle tables
for table in filter mangle; do
$IPT6 -t $table -F
$IPT6 -t $table -X
done
# Allow replies to connections the router opens itself (DNS, NTP, opkg over
# the tunnel). Without this only ICMPv6 and the ports opened in custom_rules
# get back in on $SIXXS. Needs IPv6 connection tracking (nf_conntrack_ipv6).
$IPT6 -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allow everything on the loopback interface
$IPT6 -A INPUT -i lo -j ACCEPT
$IPT6 -A OUTPUT -o lo -j ACCEPT
# Allow the localnet to access the router
$IPT6 -A INPUT -i $IF -j ACCEPT
$IPT6 -A OUTPUT -o $IF -j ACCEPT
# Allow anything out to the Internet over the tunnel
$IPT6 -A OUTPUT -o $SIXXS -j ACCEPT
# Drop packets carrying a type 0 routing header (RH0, deprecated by RFC 5095
# because it can be abused for traffic amplification). Commented out because
# the rt match needs the ip6t_rt module. If you enable it, move these lines
# above the ACCEPT rules, otherwise LAN-sourced packets are accepted before
# they are ever checked
#$IPT6 -A INPUT -m rt --rt-type 0 -j DROP
#$IPT6 -A OUTPUT -m rt --rt-type 0 -j DROP
#$IPT6 -A FORWARD -m rt --rt-type 0 -j DROP
# Allow all ICMPv6 to the router and to the hosts behind it. This is
# deliberately permissive: neighbour discovery, packet-too-big and the other
# error types must pass or IPv6 breaks, but echo requests and the other
# informational types reaching the LAN hosts should be restricted or
# rate-limited (RFC 4890 lists which types a firewall must let through)
$IPT6 -A INPUT -p icmpv6 -j ACCEPT
$IPT6 -A OUTPUT -p icmpv6 -j ACCEPT
$IPT6 -A FORWARD -p icmpv6 -j ACCEPT
# Allow new outbound connections from the LAN to the tunnel, but only when
# they carry a source address from our own prefix (anti-spoofing); the
# replies come back through the state rule below
$IPT6 -A FORWARD -m state --state NEW -i $IF -o $SIXXS -s $PREFIX -j ACCEPT
$IPT6 -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# Run custom rules defined above
custom_rules
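The ICMPv6 section above admits every ICMPv6 type and says it still needs tweaking. The following is an added example, not part of the gist or of the forum post it was taken from, of what that tweaking looks like when done along RFC 4890: a function that accepts only the error and echo types a firewall must let through, plus neighbour discovery and MLD for the router itself, and rate-limits echo requests arriving over the tunnel. The interface names `IF` and `SIXXS` are assumed to be the ones the script uses; `IPT6` defaults to a dry run that prints the rules instead of applying them, and the `rule_count` helper exists only to make that dry run checkable.

```shell
#!/bin/sh
# Added example, not part of the original gist: RFC 4890-style ICMPv6 filtering
# meant to replace the three blanket "-p icmpv6 -j ACCEPT" rules.
# IPT6 defaults to a dry run that only prints the rules; set
# IPT6=/usr/sbin/ip6tables to apply them for real. IF and SIXXS are assumed to
# be the same interface names the firewall script uses.
IPT6="${IPT6:-echo /usr/sbin/ip6tables}"
IF="${IF:-br-lan}"
SIXXS="${SIXXS:-ipv6net}"

# Types a firewall must let through, to the router and forwarded alike
# (RFC 4890 sec. 4.3.1): 1 destination unreachable, 2 packet too big (path MTU
# discovery breaks without it), 3/0 time exceeded, 4/1 and 4/2 parameter
# problem, 128/129 echo request/reply. "type/code" is the syntax ip6tables
# accepts for --icmpv6-type.
ICMP6_TRANSIT="1 2 3/0 4/1 4/2 128 129"
# Link-local signalling the router itself needs on its interfaces and that is
# never forwarded: 133-137 neighbour discovery (RS, RA, NS, NA, redirect),
# 130-132 and 143 MLD.
ICMP6_LOCAL="133 134 135 136 137 130 131 132 143"

# icmpv6_rules: append the ICMPv6 rules to INPUT, OUTPUT and FORWARD. Call it
# where the script has its three "-p icmpv6 -j ACCEPT" lines; any ICMPv6 type
# not listed falls through to the DROP policy.
icmpv6_rules() {
    # Rate-limit echo requests arriving over the tunnel, both to the router
    # (INPUT) and to LAN hosts (FORWARD). The excess is dropped here, before
    # the unconditional echo-request accept below can match it. Needs the
    # limit match (xt_limit).
    for chain in INPUT FORWARD; do
        $IPT6 -A "$chain" -i "$SIXXS" -p icmpv6 --icmpv6-type 128 \
            -m limit --limit 10/s --limit-burst 20 -j ACCEPT
        $IPT6 -A "$chain" -i "$SIXXS" -p icmpv6 --icmpv6-type 128 -j DROP
    done
    # Error and echo types: router in both directions, and through the router.
    for t in $ICMP6_TRANSIT; do
        $IPT6 -A INPUT   -p icmpv6 --icmpv6-type "$t" -j ACCEPT
        $IPT6 -A OUTPUT  -p icmpv6 --icmpv6-type "$t" -j ACCEPT
        $IPT6 -A FORWARD -p icmpv6 --icmpv6-type "$t" -j ACCEPT
    done
    # Neighbour discovery and MLD: router only, never forwarded.
    for t in $ICMP6_LOCAL; do
        $IPT6 -A INPUT  -p icmpv6 --icmpv6-type "$t" -j ACCEPT
        $IPT6 -A OUTPUT -p icmpv6 --icmpv6-type "$t" -j ACCEPT
    done
}

# rule_count: how many rules icmpv6_rules would add, computed from a dry run
# (helper for checking the example, not needed on the router).
rule_count() {
    saved_ipt6=$IPT6
    IPT6=echo
    n=$(icmpv6_rules | wc -l)
    IPT6=$saved_ipt6
    echo $n
}

# Dry run by default: prints the 43 rules that would be installed.
icmpv6_rules
```

To use it in the script, paste the two type lists and `icmpv6_rules` above the "DO NOT EDIT" banner and call `icmpv6_rules` in place of the three `-p icmpv6 -j ACCEPT` lines. On the LAN side the earlier `-i $IF -j ACCEPT` rules already admit neighbour discovery, so the local set matters for the tunnel and any other interface; the FORWARD rules are what protects the hosts behind the router from unsolicited ICMPv6 other than errors and (rate-limited) pings.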