-
-
Save bryceml/b14811aa97f42cf44651 to your computer and use it in GitHub Desktop.
dd-wrt(svn revision: 26653 on tp-link wdr3600) 6rd with firewall startup script for centurylink (qwest) in utah at least
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/sh | |
| WANIP=$(ifconfig ppp0 |grep 'inet addr:'|cut -d: -f2|cut -d' ' -f1) | |
| if [ -n "$WANIP" ] | |
| then | |
| insmod /lib/modules/`uname -r`/ipv6.ko | |
| insmod /lib/modules/`uname -r`/tunnel4.ko | |
| insmod /lib/modules/`uname -r`/ip_tunnel.ko | |
| insmod /lib/modules/`uname -r`/sit.ko | |
| sleep 3 | |
| HOST6RD=205.171.2.64 | |
| V6PREFIX=$(printf ' 2602:%02x:%02x%02x:%02x00' $(echo $WANIP | tr . ' ')) | |
| ip tunnel add tun6rd mode sit ttl 255 remote any local $WANIP | |
| ip link set tun6rd mtu 1280 | |
| ip link set tun6rd up | |
| ip addr add $V6PREFIX:0::1/24 dev tun6rd | |
| ip addr add $V6PREFIX:1::1/64 dev br0 | |
| ip -6 route add 2000::/3 via ::$HOST6RD dev tun6rd | |
| kill -15 $(cat /var/run/radvd.pid) | |
| echo "interface br0 { \ | |
| MinRtrAdvInterval 3; MaxRtrAdvInterval 10; AdvLinkMTU 1280; AdvSendAdvert on; \ | |
| prefix $V6PREFIX::/64 { AdvOnLink on; AdvAutonomous on; AdvValidLifetime 86400; \ | |
| AdvPreferredLifetime 86400; }; };" \ | |
| > /tmp/radvd.conf | |
| radvd -C /tmp/radvd.conf start | |
| ###Firewall### | |
| insmod /lib/modules/`uname -r`/ip6_tables.ko | |
| insmod /lib/modules/`uname -r`/ip6table_filter.ko | |
| insmod /lib/modules/`uname -r`/nf_defrag_ipv6.ko | |
| insmod /lib/modules/`uname -r`/nf_conntrack_ipv6.ko | |
| # flush tables | |
| ip6tables -F INPUT | |
| ip6tables -F OUTPUT | |
| ip6tables -F FORWARD | |
| ip6tables -X | |
| # Default rule DROP for all chains | |
| ip6tables -P INPUT DROP | |
| ip6tables -P OUTPUT DROP | |
| ip6tables -P FORWARD DROP | |
| # Prevent being a rh0 (routing header type 0) host (DROP before we could accept these buggy ones) | |
| #ip6tables -I INPUT -m rt --rt-type 0 -j DROP | |
| #ip6tables -I OUTPUT -m rt --rt-type 0 -j DROP | |
| #ip6tables -I FORWARD -m rt --rt-type 0 -j DROP | |
| # Allow traffic on loopback interface | |
| ip6tables -A INPUT -i lo -j ACCEPT | |
| ip6tables -A OUTPUT -o lo -j ACCEPT | |
| # Allow Link-Local addresses | |
| ip6tables -A INPUT -s fe80::/10 -j ACCEPT | |
| ip6tables -A OUTPUT -s fe80::/10 -j ACCEPT | |
| # Allow multicast | |
| ip6tables -A INPUT -d ff00::/8 -j ACCEPT | |
| ip6tables -A OUTPUT -d ff00::/8 -j ACCEPT | |
| # Allow traffic from local host to the IPv6-tunnel | |
| #ip6tables -A OUTPUT -o he-ipv6 -s 2001::/16 -j ACCEPT | |
| #ip6tables -A INPUT -i he-ipv6 -d 2001::/16 -m state --state RELATED,ESTABLISHED -j ACCEPT | |
| #ip6tables -A OUTPUT -o tun6to4 -s 2001::/16 -j ACCEPT | |
| #ip6tables -A INPUT -i tun6to4 -d 2001::/16 -m state --state RELATED,ESTABLISHED -j ACCEPT | |
| ip6tables -A OUTPUT -o tun6rd -s 2602::/24 -j ACCEPT | |
| ip6tables -A INPUT -i tun6rd -d 2602::/24 -m state --state RELATED,ESTABLISHED -j ACCEPT | |
| # Allow traffic from local network to local host | |
| ip6tables -A OUTPUT -o br0 -j ACCEPT | |
| ip6tables -A INPUT -i br0 -j ACCEPT | |
| # Allow traffic from local network to tunnel (IPv6 world) | |
| #ip6tables -A FORWARD -i br0 -s 2001::/16 -j ACCEPT | |
| #ip6tables -A FORWARD -i he-ipv6 -d 2001::/16 -m state --state RELATED,ESTABLISHED -j ACCEPT | |
| #ip6tables -A FORWARD -i tun6to4 -d 2001::/16 -m state --state RELATED,ESTABLISHED -j ACCEPT | |
| ip6tables -A FORWARD -i br0 -s 2602::/24 -j ACCEPT | |
| ip6tables -A FORWARD -i tun6rd -d 2602::/24 -m state --state RELATED,ESTABLISHED -j ACCEPT | |
| # Allow ICMP | |
| ip6tables -A INPUT -p icmpv6 -j ACCEPT | |
| ip6tables -A OUTPUT -p icmpv6 -j ACCEPT | |
| ip6tables -A FORWARD -p icmpv6 -j ACCEPT | |
| ## Allow some special ICMPv6 packettypes, do this in an extra chain because we need it everywhere | |
| #ip6tables -N AllowICMPs | |
| ## Destination unreachable | |
| #ip6tables -A AllowICMPs -p icmpv6 --icmpv6-type 1 -j ACCEPT | |
| ## Packet too big | |
| #ip6tables -A AllowICMPs -p icmpv6 --icmpv6-type 2 -j ACCEPT | |
| ## Time exceeded | |
| #ip6tables -A AllowICMPs -p icmpv6 --icmpv6-type 3 -j ACCEPT | |
| ## Parameter problem | |
| #ip6tables -A AllowICMPs -p icmpv6 --icmpv6-type 4 -j ACCEPT | |
| ## Echo Request (protect against flood) | |
| #ip6tables -A AllowICMPs -p icmpv6 --icmpv6-type 128 -m limit --limit 5/sec --limit-burst 10 -j ACCEPT | |
| # Allow ICMP | |
| ## Echo Reply | |
| #ip6tables -A AllowICMPs -p icmpv6 --icmpv6-type 129 -j ACCEPT | |
| ## Link in tables INPUT and FORWARD (in Output we allow everything anyway) | |
| #ip6tables -A INPUT -p icmpv6 -j AllowICMPs | |
| #ip6tables -A FORWARD -p icmpv6 -j AllowICMPs | |
| #Allow Specific Port on all ipv6 devices in network | |
| #ip6tables -A INPUT -p tcp --dport 21 -j ACCEPT | |
| #ip6tables -A FORWARD -p tcp --dport 21 -j ACCEPT | |
| #Allow Specific Port on specific ipv6 address in network | |
| #ip6tables -A FORWARD -p tcp -d 1111:222:3333:555:6666:7777:8888:9999 --dport 21 -j ACCEPT | |
| # SSH in | |
| #ip6tables -A FORWARD -i sixxs -p tcp -d <subnet-prefix>::5 --dport 22 -j ACCEPT | |
| # Bittorrent | |
| #ip6tables -A FORWARD -i sixxs -p tcp -d <subnet-prefix>::5 --dport 33600:33604 -j ACCEPT | |
| echo 1 > /proc/sys/net/ipv6/conf/all/forwarding | |
| fi |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment