Skip to content

Instantly share code, notes, and snippets.

@enihsyou
Created April 4, 2022 07:04
Show Gist options
  • Save enihsyou/f6d1e83cd4b94994460d7653a4b74223 to your computer and use it in GitHub Desktop.
Save enihsyou/f6d1e83cd4b94994460d7653a4b74223 to your computer and use it in GitHub Desktop.
NetGear R8500 Merlin 380.70_0-X7.9.1 开启IPv6能力
#!/bin/sh
# file: /jffs/scripts/wan-start
/usr/bin/onwanstart.sh
sh /koolshare/scripts/ss_config.sh
/usr/bin/plugin.sh start
# uncomment to bypass IPv6 passthrough
# exit 0
# IPv6 bridge
ebtables -t broute -A BROUTING -i eth0 -p ! ipv6 -j DROP
brctl addif br0 eth0
# enable IPv6 on eth0
echo 0 > /proc/sys/net/ipv6/conf/eth0/disable_ipv6
echo 2 > /proc/sys/net/ipv6/conf/eth0/accept_dad
echo 2 > /proc/sys/net/ipv6/conf/eth0/dad_transmits
echo 1 > /proc/sys/net/ipv6/conf/eth0/accept_ra
echo 0 > /proc/sys/net/ipv6/conf/eth0/forwarding
# see lan.c config_ipv6
echo 0 > /proc/sys/net/ipv6/conf/br0/disable_ipv6
echo 0 > /proc/sys/net/ipv6/conf/all/disable_ipv6
echo 0 > /proc/sys/net/ipv6/conf/default/disable_ipv6
echo 2 > /proc/sys/net/ipv6/conf/br0/accept_dad
echo 2 > /proc/sys/net/ipv6/conf/br0/dad_transmits
# set_default_accept_ra
echo 1 > /proc/sys/net/ipv6/conf/all/accept_ra
echo 1 > /proc/sys/net/ipv6/conf/default/accept_ra
echo 0 > /proc/sys/net/ipv6/conf/all/forwarding
# Allow router get IPv6 Address
# When user disable IPv6, system will set ip6tables ALL policy to DROP
# wait after that, then set our firewall
sleep 10
# set up firewall
ip6tables -P INPUT ACCEPT
ip6tables -P OUTPUT ACCEPT
ip6tables -A OUTPUT -p tcp -j ACCEPT
ip6tables -A OUTPUT -p udp -j ACCEPT
# input rules
ip6tables -A INPUT -p ipv6-crypt -j ACCEPT
ip6tables -A INPUT -p ipv6-auth -j ACCEPT
ip6tables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
ip6tables -A INPUT -m state --state NEW -j ACCEPT
ip6tables -A INPUT -m state --state INVALID -j DROP
# allow DHCPv6
ip6tables -A INPUT -p udp --sport 547 --dport 546 -j ACCEPT
ip6tables -A INPUT -p udp --sport 500 --dport 500 -j ACCEPT
ip6tables -A INPUT -p udp --sport 4500 --dport 4500 -j ACCEPT
# allow ipv6-icmp related packet
ip6tables -A INPUT -p ipv6-icmp --icmpv6-type router-solicitation -j ACCEPT
ip6tables -A INPUT -p ipv6-icmp --icmpv6-type packet-too-big -j ACCEPT
ip6tables -A INPUT -p ipv6-icmp --icmpv6-type time-exceeded -j ACCEPT
ip6tables -A INPUT -p ipv6-icmp --icmpv6-type parameter-problem -j ACCEPT
ip6tables -A INPUT -p ipv6-icmp --icmpv6-type echo-request -j ACCEPT
ip6tables -A INPUT -p ipv6-icmp --icmpv6-type echo-reply -j ACCEPT
ip6tables -A INPUT -p ipv6-icmp --icmpv6-type 130 -j ACCEPT
ip6tables -A INPUT -p ipv6-icmp --icmpv6-type 131 -j ACCEPT
ip6tables -A INPUT -p ipv6-icmp --icmpv6-type 132 -j ACCEPT
ip6tables -A INPUT -p ipv6-icmp --icmpv6-type router-solicitation -j ACCEPT
ip6tables -A INPUT -p ipv6-icmp --icmpv6-type router-advertisement -j ACCEPT
ip6tables -A INPUT -p ipv6-icmp --icmpv6-type neighbour-solicitation -j ACCEPT
ip6tables -A INPUT -p ipv6-icmp --icmpv6-type neighbour-advertisement -j ACCEPT
ip6tables -A INPUT -p ipv6-icmp --icmpv6-type 141 -j ACCEPT
ip6tables -A INPUT -p ipv6-icmp --icmpv6-type 142 -j ACCEPT
ip6tables -A INPUT -p ipv6-icmp --icmpv6-type 143 -j ACCEPT
ip6tables -A INPUT -p ipv6-icmp --icmpv6-type 148 -j ACCEPT
ip6tables -A INPUT -p ipv6-icmp --icmpv6-type 149 -j ACCEPT
ip6tables -A INPUT -p ipv6-icmp --icmpv6-type 151 -j ACCEPT
ip6tables -A INPUT -p ipv6-icmp --icmpv6-type 152 -j ACCEPT
ip6tables -A INPUT -p ipv6-icmp --icmpv6-type 153 -j ACCEPT
ip6tables -A INPUT -j DROP
# Start DHCPv6 for LAN on br0
# In my enviroment, IPv6 address spwan from a DHCPv6 server
odhcp6c -df -R -s /tmp/dhcp6c -N try -c 00030001cc40d07385a8 -r23 -r24 -r82 -r83 br0
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment