Config IPv6 bridge on AC86U
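#!/bin/sh
# IPv6 bridge for the AC86U.
#
# Bridges the WAN port (eth0) into the LAN bridge (br0) for IPv6 frames only,
# enables IPv6 on eth0/br0, installs an ip6tables allow list for traffic
# addressed to the router itself, and starts a DHCPv6 client on br0.
# Runs under busybox /bin/sh, so everything here stays POSIX.
#
# Note: once eth0 is a member of br0, IPv6 frames from the WAN segment reach
# the LAN hosts at layer 2.  The ip6tables INPUT rules below protect only the
# router's own IPv6 stack, not the hosts behind it.

# Write one sysctl under /proc/sys/net/ipv6/conf/.
# $1 - interface name (or "all"/"default"), $2 - key, $3 - value
set_ipv6_conf() {
  echo "$3" > "/proc/sys/net/ipv6/conf/$1/$2"
}

# --- IPv6 bridge ----------------------------------------------------------
# In the ebtables broute table DROP means "route this frame" (hand it to the
# IP stack) and ACCEPT means "bridge it".  Non-IPv6 frames from eth0 therefore
# keep the normal routed WAN path; only IPv6 frames are bridged into br0.
ebtables -t broute -A BROUTING -i eth0 -p ! ipv6 -j DROP
brctl addif br0 eth0

# --- enable IPv6 on eth0 --------------------------------------------------
set_ipv6_conf eth0 disable_ipv6 0
# accept_dad=2: run DAD and, per the kernel ipv6 sysctl docs, disable IPv6 on
# the interface if a MAC-based duplicate link-local address is found.
set_ipv6_conf eth0 accept_dad 2
set_ipv6_conf eth0 dad_transmits 2
# accept_ra=1 only honours RAs while forwarding is off, hence forwarding=0.
set_ipv6_conf eth0 accept_ra 1
set_ipv6_conf eth0 forwarding 0

# see lan.c config_ipv6
set_ipv6_conf br0 disable_ipv6 0
set_ipv6_conf all disable_ipv6 0
set_ipv6_conf default disable_ipv6 0
set_ipv6_conf br0 accept_dad 2
set_ipv6_conf br0 dad_transmits 2
# set_default_accept_ra
set_ipv6_conf all accept_ra 1
set_ipv6_conf default accept_ra 1
set_ipv6_conf all forwarding 0

# --- firewall -------------------------------------------------------------
# Allow the router to obtain an IPv6 address.
# When the user disables IPv6 in the firmware, the system sets every
# ip6tables policy to DROP; wait for that to happen, then install our rules.
# This is a fixed delay, not a synchronisation point: if the firmware takes
# longer than 10 s, our rules are installed first and then overridden.
sleep 10

ip6tables -P INPUT ACCEPT
ip6tables -P OUTPUT ACCEPT
ip6tables -A OUTPUT -p tcp -j ACCEPT
ip6tables -A OUTPUT -p udp -j ACCEPT

# INPUT: explicit allow list; the last rule drops everything else.
# IPsec (ESP / AH) and connections already tracked by conntrack.
ip6tables -A INPUT -p ipv6-crypt -j ACCEPT
ip6tables -A INPUT -p ipv6-auth -j ACCEPT
ip6tables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
ip6tables -A INPUT -m state --state INVALID -j DROP
# Deliberately no "--state NEW -j ACCEPT" here.  Placed before the allow
# list, such a rule matches every new inbound connection, so the per-service
# and ICMPv6 rules and the final DROP never see a packet and the router is
# reachable on every IPv6 port from the bridged WAN segment.  Any service on
# the router that LAN hosts must reach over IPv6 needs its own ACCEPT rule in
# this section (eth0 is bridged into br0, so an -i match cannot tell LAN
# from WAN here).

# DHCPv6 server -> client
ip6tables -A INPUT -p udp --sport 547 --dport 546 -j ACCEPT
# IKE and IPsec NAT-T
ip6tables -A INPUT -p udp --sport 500 --dport 500 -j ACCEPT
ip6tables -A INPUT -p udp --sport 4500 --dport 4500 -j ACCEPT

# ICMPv6 needed for RA/ND, path MTU discovery, and the multicast / SEND /
# MRD control types that have no symbolic name here:
#   130-132 MLD query/report/done, 141/142 inverse ND, 143 MLDv2 report,
#   148/149 SEND CPS/CPA, 151-153 MRD advertisement/solicitation/termination.
# echo-request is also accepted, i.e. the router answers pings from the
# bridged segment.  Each rule is a terminal ACCEPT with a disjoint match, so
# their relative order does not matter.
for icmp_type in \
  router-solicitation packet-too-big time-exceeded parameter-problem \
  echo-request echo-reply 130 131 132 \
  router-advertisement neighbour-solicitation neighbour-advertisement \
  141 142 143 148 149 151 152 153
do
  ip6tables -A INPUT -p ipv6-icmp --icmpv6-type "$icmp_type" -j ACCEPT
done
ip6tables -A INPUT -j DROP

# --- DHCPv6 client for the LAN on br0 ---------------------------------------
# In this environment the IPv6 address comes from a DHCPv6 server on the
# bridged segment.  Flags (per odhcp6c usage): -d daemonize, -f do not send
# the Client-FQDN option, -R request only the options given with -r
# (23 DNS servers, 24 domain list, 82/83 SOL_MAX_RT/INF_MAX_RT), -N try
# address request mode, -c client-ID override.  "yordeviceID" is a
# placeholder: replace it with your own device's ID (odhcp6c expects it
# base-16 encoded) before running this.
# -s names the script odhcp6c runs as root on lease events; it lives in
# /tmp here, so make sure it is root-owned and not world-writable, or keep
# it somewhere only root can write.
odhcp6c -df -R -s /tmp/dhcp6c -N try -c yordeviceID -r23 -r24 -r82 -r83 br0
# get the parameters of the running odhcp6c using `ps | grep odhcp6c`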