@LiJinyao
Created November 19, 2018 13:39
Config IPv6 bridge on AC86U
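#!/bin/sh
# Bridge IPv6 between eth0 and the LAN bridge (br0) on an ASUS AC86U while
# IPv4 keeps being routed, then open the router's own IPv6 firewall far enough
# for it to obtain an address over DHCPv6.
#
# Security notes:
#   * Once eth0 is a port of br0, IPv6 frames pass between the upstream segment
#     and the LAN at layer 2. The ip6tables INPUT rules below only cover
#     traffic addressed to the router itself. LAN hosts are reachable over
#     IPv6 from upstream unless they run their own firewall or the bridged
#     traffic is filtered separately (ebtables, or ip6tables FORWARD if the
#     firmware's kernel provides bridge netfilter -- TODO confirm).
#   * Rules are appended (-A): rules already present in a chain are evaluated
#     first, and running this script twice duplicates every rule.

# Write one IPv6 setting under /proc/sys/net/ipv6/conf.
#   $1 - interface name, or "all" / "default"
#   $2 - setting name
#   $3 - value to write
set_ipv6_conf() {
  echo "$3" > "/proc/sys/net/ipv6/conf/$1/$2"
}

# IPv6 bridge.
# In the broute table DROP means "route this frame instead of bridging it",
# so everything that is NOT IPv6 stays on the routed path and only IPv6 is
# bridged.
ebtables -t broute -A BROUTING -i eth0 -p ! ipv6 -j DROP
brctl addif br0 eth0

# Enable IPv6 on eth0: DAD on, accept router advertisements, no forwarding.
set_ipv6_conf eth0 disable_ipv6 0
set_ipv6_conf eth0 accept_dad 2
set_ipv6_conf eth0 dad_transmits 2
set_ipv6_conf eth0 accept_ra 1
set_ipv6_conf eth0 forwarding 0

# Same settings the firmware applies in lan.c config_ipv6.
set_ipv6_conf br0 disable_ipv6 0
set_ipv6_conf all disable_ipv6 0
set_ipv6_conf default disable_ipv6 0
set_ipv6_conf br0 accept_dad 2
set_ipv6_conf br0 dad_transmits 2

# set_default_accept_ra
# NOTE(review): accept_ra=1 on all/default means the router trusts router
# advertisements from any bridged segment, LAN side included.
set_ipv6_conf all accept_ra 1
set_ipv6_conf default accept_ra 1
set_ipv6_conf all forwarding 0

# Allow the router to get an IPv6 address.
# When the user disables IPv6 in the UI, the system sets every ip6tables
# policy to DROP. Wait until that has happened, then install our rules.
# NOTE(review): a fixed delay is a race; if the firmware rewrites the chains
# later than this, the rules below are lost or reordered.
sleep 10

# Firewall: output is unrestricted.
ip6tables -P INPUT ACCEPT
ip6tables -P OUTPUT ACCEPT
ip6tables -A OUTPUT -p tcp -j ACCEPT
ip6tables -A OUTPUT -p udp -j ACCEPT

# Input rules: an allow-list terminated by an explicit DROP.
# ipv6-crypt / ipv6-auth are ESP and AH (IPsec).
ip6tables -A INPUT -p ipv6-crypt -j ACCEPT
ip6tables -A INPUT -p ipv6-auth -j ACCEPT
ip6tables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
ip6tables -A INPUT -m state --state INVALID -j DROP
# The original script also had
#   ip6tables -A INPUT -m state --state NEW -j ACCEPT
# here. That rule accepts every new inbound connection to the router before
# the allow-list and the final DROP are reached, so it is left out. eth0 and
# the LAN share br0, so an interface match cannot tell upstream from LAN; if
# LAN clients must reach the router over IPv6, add a rule limited to the
# trusted source prefix and the specific port instead.

# DHCPv6 replies (server port 547 -> client port 546).
ip6tables -A INPUT -p udp --sport 547 --dport 546 -j ACCEPT
# IKE (500) and IPsec NAT traversal (4500); not part of DHCPv6.
ip6tables -A INPUT -p udp --sport 500 --dport 500 -j ACCEPT
ip6tables -A INPUT -p udp --sport 4500 --dport 4500 -j ACCEPT

# ICMPv6 needed for error reporting, neighbour discovery and multicast.
# Numeric types: 130-132 MLD query/report/done, 141-142 inverse neighbour
# discovery, 143 MLDv2 report, 148-149 SEND certification path,
# 151-153 multicast router discovery.
# (The duplicate router-solicitation rule of the original is dropped.)
for icmp_type in \
  router-solicitation packet-too-big time-exceeded parameter-problem \
  echo-request echo-reply 130 131 132 \
  router-advertisement neighbour-solicitation neighbour-advertisement \
  141 142 143 148 149 151 152 153
do
  ip6tables -A INPUT -p ipv6-icmp --icmpv6-type "$icmp_type" -j ACCEPT
done

# Everything else addressed to the router is dropped.
ip6tables -A INPUT -j DROP

# Start the DHCPv6 client for the LAN on br0.
# In my environment, IPv6 addresses are handed out by a DHCPv6 server.
#   -d daemonize, -f no client FQDN option, -R request only the -r options,
#   -N try  request an address but continue without one,
#   -r23/-r24 DNS servers and search list, -r82/-r83 SOL_MAX_RT / INF_MAX_RT.
# "yordeviceID" is a placeholder: replace it with your own client ID
# (odhcp6c expects it hex-encoded). To find the parameters the stock firmware
# uses, run `ps | grep odhcp6c` while its native IPv6 mode is active.
# NOTE(review): /tmp/dhcp6c is executed by odhcp6c on every state change;
# verify it is the firmware's own script and not writable by other users.
odhcp6c -df -R -s /tmp/dhcp6c -N try -c yordeviceID -r23 -r24 -r82 -r83 br0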