@peterwillcn
Forked from CHEF-KOCH/ipv6startupfix
Created May 4, 2016 14:32
AFWall+ (and any other iptables firewall) IPv6 fix at startup
# Example startup script showing what an IPv6 rule set should look like.
# Without rules like these (in particular the ICMPv6 accepts further down)
# a default-DROP IPv6 firewall causes serious connectivity problems.
# Some options may not work on your OS.
# ICMPv6 statistics (optional; uses the ICMP6_STATS chain created below)
# icmpv6_stats
# ipset-based DNS allow list (optional; may not work on all systems).
# Destroying a set that does not exist yet fails, so silence that on the first run.
ipset destroy dns6 2>/dev/null
ipset -! create dns6 hash:ip family inet6
# Google Public DNS and OpenDNS resolvers; replace with the resolvers you actually use.
ipset add dns6 2001:4860:4860::8888
ipset add dns6 2001:4860:4860::8844
ipset add dns6 2620:0:ccc::2
ipset add dns6 2620:0:ccd::2
# Default policy for INPUT and FORWARD should be DROP (always).
# OUTPUT is left at ACCEPT here, i.e. outbound traffic is trusted; if you set
# it to DROP as well, every outbound flow must be allowed explicitly below.
ip6tables -P INPUT DROP
ip6tables -P OUTPUT ACCEPT
ip6tables -P FORWARD DROP
# Accept only what is necessary
ip6tables -A INPUT -i lo -j ACCEPT
ip6tables -A INPUT -s fe80::/10 -j ACCEPT
ip6tables -A INPUT -d ff00::/8 -j ACCEPT
# Log new or invalid SSH connection attempts. This only logs: there is no ACCEPT
# for port 22, so SSH is still dropped by the INPUT policy unless you add one.
# It is also unbounded, so a SYN flood to port 22 fills the log; add -m limit
# (e.g. --limit 5/min) in front of -j LOG if that matters to you.
ip6tables -A INPUT -p tcp -m tcp --dport 22 -m conntrack --ctstate INVALID,NEW -j LOG
ip6tables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# ... insert ACCEPTs for your LAN and any other IPv6 addresses that need full access here ...
# Replace you:ipv6:dns:server:address with your DNS server, e.g. OpenDNS uses
# 2620:0:ccc::2 and 2620:0:ccd::2. DNS runs on port 53 (not 25, which is SMTP)
# and replies arrive with source port 53. Note that accepting INPUT by source
# port alone is spoofable (anyone can send from port 53); the ESTABLISHED,RELATED
# rule above already admits replies, so these are belt-and-braces at best.
#ip6tables -A INPUT -p udp -s you:ipv6:dns:server:address --sport 53 -j ACCEPT
#ip6tables -A INPUT -p tcp -s you:ipv6:dns:server:address --sport 53 -j ACCEPT
# Same thing using the dns6 ipset from above. br-lan is OpenWrt's LAN bridge;
# adjust -o/-i to the interface the queries actually leave on.
ip6tables -I OUTPUT -o br-lan -p udp -m set --match-set dns6 dst --dport 53 -j ACCEPT
ip6tables -I INPUT -i br-lan -p udp -m set --match-set dns6 src --sport 53 -j ACCEPT
# Broader variant: any traffic to/from the resolvers (the set is named dns6, not dns)
#ip6tables -I INPUT -i br-lan -m set --match-set dns6 src -j ACCEPT
#ip6tables -I OUTPUT -o br-lan -m set --match-set dns6 dst -j ACCEPT
# Allow DHCPv6 configuration (server port 547 -> client port 546)
ip6tables -A INPUT -p udp --sport 547 --dport 546 -j ACCEPT
ip6tables -A FORWARD -s fe80::/10 -p udp --sport 547 --dport 546 -j ACCEPT
# Allow forwarding (eth0.2 is OpenWrt's WAN VLAN; adjust to your uplink)
#ip6tables -A FORWARD -m conntrack --ctstate NEW -m physdev ! --physdev-in eth0.2 -j ACCEPT
#ip6tables -A FORWARD -m conntrack --ctstate NEW -p tcp --dport 22 -m physdev --physdev-in eth0.2 -j ACCEPT
ip6tables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Mark DNS traffic as Expedited Forwarding for QoS (optional)
#ip6tables -t mangle -A PREROUTING -p udp -m udp --sport 53 -j DSCP --set-dscp-class ef
#ip6tables -t mangle -A PREROUTING -p udp -m udp --dport 53 -j DSCP --set-dscp-class ef
# Reject with an ICMPv6 error instead of silently dropping. The DROP_LOG chain
# does not exist in this script; create it with -N and jump to it before using this.
#ip6tables -A DROP_LOG -j REJECT --reject-with icmp6-port-unreachable
# And, importantly, ICMPv6. Replace your:gateway:ip with your gateway's address
# (not needed for the error types, but the 135/136 rules depend on it).
ip6tables -A INPUT -p icmpv6 --icmpv6-type 1 -j ACCEPT # Destination unreachable
ip6tables -A INPUT -p icmpv6 --icmpv6-type 2 -j ACCEPT # Packet too big (path MTU discovery; without it large transfers stall)
ip6tables -A INPUT -p icmpv6 --icmpv6-type 3 -j ACCEPT # Time exceeded
ip6tables -A INPUT -p icmpv6 --icmpv6-type 4 -j ACCEPT # Parameter problem
ip6tables -A INPUT -s your:gateway:ip -p icmpv6 --icmpv6-type 135 -j ACCEPT # Neighbour solicitation
ip6tables -A INPUT -s your:gateway:ip -p icmpv6 --icmpv6-type 136 -j ACCEPT # Neighbour advertisement
# You *will* need the accepts above: with a default policy of DROP and no
# ICMPv6 rules, IPv6 reachability breaks, and without types 135/136 (neighbour
# discovery) you may not even be able to connect outbound, because the gateway
# can no longer resolve your link-layer address and you cannot resolve its.
# Caveat: pinning 135/136 to the gateway's address only works because the
# fe80::/10 accept above still admits solicitations from other on-link hosts
# that use a link-local source. Duplicate Address Detection uses the unspecified
# source (::) and hosts may solicit from a global address; both are dropped here.
# A more robust variant accepts 135/136 from any source but requires hop limit
# 255 (-m hl --hl-eq 255), which no router forwards, so the packet is guaranteed
# to be on-link. Router Advertisements (type 134, needed for SLAAC and the
# default route) are always sent from the router's link-local address, so the
# fe80::/10 accept covers them.
# Doing statistics on ICMPv6 (protocol 58), optional. The user-defined chain must
# exist before it can be a jump target, otherwise these two rules fail to load;
# -N is a no-op error if it already exists. The chain holds no rules, so it only
# counts and returns: read the counters with ip6tables -L ICMP6_STATS -v.
ip6tables -N ICMP6_STATS 2>/dev/null
ip6tables -A OUTPUT -p 58 -j ICMP6_STATS
ip6tables -A FORWARD -p 58 -j ICMP6_STATS
# Drop stealth scans and other impossible TCP flag combinations. These rules sit
# after the ESTABLISHED,RELATED accept, so they only see packets that belong to
# no known connection; keep that order.
ip6tables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
ip6tables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
ip6tables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
ip6tables -A INPUT -p tcp --tcp-flags FIN,RST FIN,RST -j DROP
ip6tables -A INPUT -p tcp --tcp-flags ACK,FIN FIN -j DROP
ip6tables -A INPUT -p tcp --tcp-flags ACK,PSH PSH -j DROP
ip6tables -A INPUT -p tcp --tcp-flags ACK,URG URG -j DROP
# Drop packets carrying a type 0 routing header (RH0). RH0 was deprecated by
# RFC 5095 because it can be abused for traffic amplification:
# http://www.ietf.org/rfc/rfc5095.txt
ip6tables -A INPUT -m rt --rt-type 0 -j DROP
ip6tables -A OUTPUT -m rt --rt-type 0 -j DROP
ip6tables -A FORWARD -m rt --rt-type 0 -j DROP
# Allow anything on loopback (the INPUT side is already accepted above)
ip6tables -A OUTPUT -o lo -j ACCEPT
# Allow anything out to the internet. eth0.2 is OpenWrt's WAN VLAN; adjust to
# your uplink. Redundant while the OUTPUT policy is ACCEPT, required if you
# change it to DROP.
ip6tables -A OUTPUT -o eth0.2 -j ACCEPT
# Allow link-local addresses (the INPUT side is already accepted above)
ip6tables -A OUTPUT -s fe80::/10 -j ACCEPT
# Allow multicast. ff00::/8 is only ever a destination, never a source, so the
# match has to be on -d (the INPUT side is already accepted above).
ip6tables -A OUTPUT -d ff00::/8 -j ACCEPT
# Allow all ICMPv6 with a rate limit (blanket alternative to the per-type
# accepts above; also covers SLAAC's RS/RA types 133/134). 30/min is very low
# for a busy link, neighbour discovery alone can exceed it.
#ip6tables -A INPUT -p icmpv6 -m limit --limit 30/min -j ACCEPT
# Block facebook.com by payload string match. This is a weak control: it only
# matches the name in cleartext (a plain-HTTP Host header, the TLS SNI), misses
# DNS queries (labels are length-prefixed on the wire, so the literal
# "facebook.com" never appears), misses names split across segments, and the
# string module is CPU-heavy. Note -i eth0 here versus eth0.2 above; use your
# real WAN interface.
#ip6tables -A INPUT -i eth0 -m string --algo bm --string "facebook.com" -j DROP
#ip6tables -A OUTPUT -m string --algo bm --string "facebook.com" -j DROP
#ip6tables -A FORWARD -i eth0 -m string --algo bm --string "facebook.com" -j DROP
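The ICMPv6 section is the part of a default-DROP IPv6 rule set that is most often wrong, and the failure is silent until IPv6 stops working. The following is an added example, not part of the gist or of AFWall+: a POSIX shell audit that reads an `ip6tables -S INPUT` dump and reports which essential ICMPv6 types (error messages 1-4 per RFC 4890 section 4.3.1, RS/RA 133/134, NS/NA 135/136) have no explicit ACCEPT. The two dumps it runs against are constructed inline: the first mirrors the gist's INPUT chain with fe80::1 standing in for your:gateway:ip, the second is a hardened variant that accepts NDP from any neighbour but pins it to hop limit 255. The function and variable names are this example's own.

```shell
#!/bin/sh
# Added example, not part of the gist: audit the INPUT chain of an `ip6tables -S`
# dump for the ICMPv6 types a default-DROP host must accept: error messages 1-4
# (RFC 4890 section 4.3.1), Router Solicitation/Advertisement 133/134 (SLAAC,
# default route) and Neighbour Solicitation/Advertisement 135/136.
# Prints the missing type numbers space-separated and returns 1 if any are
# missing; prints an empty line and returns 0 when all are covered.
# A type counts as covered only by an INPUT ACCEPT for -p icmpv6/ipv6-icmp with
# that type, or by a blanket ICMPv6 accept with no type. A broad
# `-s fe80::/10 -j ACCEPT` does admit NDP from link-local sources, so its
# presence is reported as a hint on stderr rather than counted.
REQUIRED_ICMPV6_TYPES="1 2 3 4 133 134 135 136"

missing_icmpv6_types() {
    awk -v required="$REQUIRED_ICMPV6_TYPES" '
    BEGIN {
        n = split(required, req, " ")
        # Symbolic names ip6tables accepts for the same types.
        name["destination-unreachable"] = 1;   name["packet-too-big"] = 2
        name["time-exceeded"] = 3;             name["parameter-problem"] = 4
        name["router-solicitation"] = 133;     name["router-advertisement"] = 134
        name["neighbour-solicitation"] = 135;  name["neighbor-solicitation"] = 135
        name["neighbour-advertisement"] = 136; name["neighbor-advertisement"] = 136
    }
    # Only INPUT rules whose target is ACCEPT can satisfy a requirement.
    $1 == "-A" && $2 == "INPUT" && $NF == "ACCEPT" {
        is_icmp = 0; type = ""; ll_src = 0
        for (i = 3; i <= NF; i++) {
            if ($i == "-p" && ($(i+1) == "icmpv6" || $(i+1) == "ipv6-icmp")) is_icmp = 1
            if ($i == "--icmpv6-type" || $i == "--icmp6-type") type = $(i+1)
            if ($i == "-s" && $(i+1) == "fe80::/10") ll_src = 1
        }
        if (is_icmp && type != "") {
            sub(/\/.*/, "", type)           # drop a /code suffix such as 1/4
            if (type in name) type = name[type]
            seen[type] = 1
        } else if (is_icmp) {
            blanket = 1                     # -p icmpv6 -j ACCEPT without a type
        } else if (ll_src) {
            broad_ll = 1                    # admits NDP implicitly, see hint
        }
    }
    END {
        out = ""
        for (k = 1; k <= n; k++)
            if (!blanket && !(req[k] in seen))
                out = (out == "" ? req[k] : out " " req[k])
        print out
        if (out != "" && broad_ll)
            print "hint: -s fe80::/10 accept present; it passes NDP from link-local sources but not DAD (source ::) or global-source solicitations" > "/dev/stderr"
        exit (out == "" ? 0 : 1)
    }' "$1"
}

# Constructed sample: the gist's INPUT chain as `ip6tables -S INPUT` prints it,
# with fe80::1 standing in for your:gateway:ip.
GIST_DUMP=$(mktemp)
cat >"$GIST_DUMP" <<'EOF'
-P INPUT DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -s fe80::/10 -j ACCEPT
-A INPUT -d ff00::/8 -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 1 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 2 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 3 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 4 -j ACCEPT
-A INPUT -s fe80::1/128 -p ipv6-icmp -m icmp6 --icmpv6-type 135 -j ACCEPT
-A INPUT -s fe80::1/128 -p ipv6-icmp -m icmp6 --icmpv6-type 136 -j ACCEPT
EOF

# Constructed sample: RS/RA added, NDP accepted from any neighbour but pinned to
# hop limit 255 (no router forwards it), and echo requests dropped (a DROP rule
# must not count as coverage).
HARDENED_DUMP=$(mktemp)
cat >"$HARDENED_DUMP" <<'EOF'
-P INPUT DROP
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type destination-unreachable -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 2 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 3 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 4 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 133 -m hl --hl-eq 255 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type router-advertisement -m hl --hl-eq 255 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 135 -m hl --hl-eq 255 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 136 -m hl --hl-eq 255 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 128 -j DROP
EOF

for f in "$GIST_DUMP" "$HARDENED_DUMP"; do
    if missing=$(missing_icmpv6_types "$f"); then
        echo "$f: all required ICMPv6 types have an ACCEPT"
    else
        echo "$f: no explicit ACCEPT for ICMPv6 types: $missing"
    fi
done
```

Against a live box, dump the chain with `ip6tables -S INPUT > /tmp/in6.dump` and call `missing_icmpv6_types /tmp/in6.dump`. On the gist's own chain the audit reports 133 and 134 as missing even though the fe80::/10 accept lets Router Advertisements through in practice; that is deliberate. A textual check cannot know which broad accept happens to cover a protocol, so it reports only explicit per-type ACCEPTs and flags the broad rule separately, which is also the right posture when the broad rule is later tightened.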