Hi everybody. I successfully configured a SixXS IPv6 tunnel using aiccu. I can browse pages over IPv6 and everything, but I can't seem to find a way to close all my ports to the outside internet using ip6tables in dd-wrt.
Right now the rules I'm using are (from the SixXS wiki):
# Drop everything that arrives on the tunnel interface (this only covers the INPUT chain,
# i.e. traffic addressed to the router itself)
# Specifying an interface (-i ethX) is probably a good idea to specify what is the outside
ip6tables --table filter --append INPUT -i sixxs -j DROP
# Disable processing of any RH0 packet
# Which could allow a ping-pong of packets
ip6tables -A INPUT -m rt --rt-type 0 -j DROP
ip6tables -A OUTPUT -m rt --rt-type 0 -j DROP
ip6tables -A FORWARD -m rt --rt-type 0 -j DROP
# Allow anything on the local link
ip6tables -A INPUT -i lo -j ACCEPT
ip6tables -A OUTPUT -o lo -j ACCEPT
# Allow Link-Local addresses
ip6tables -A INPUT -s fe80::/10 -j ACCEPT
ip6tables -A OUTPUT -s fe80::/10 -j ACCEPT
# Allow multicast (multicast is only ever a destination, so match with -d, not -s)
ip6tables -A INPUT -d ff00::/8 -j ACCEPT
ip6tables -A OUTPUT -d ff00::/8 -j ACCEPT
# Allow ICMP
ip6tables -A INPUT -p icmpv6 -j ACCEPT
ip6tables -A OUTPUT -p icmpv6 -j ACCEPT
#ip6tables -A FORWARD -p icmpv6 -j ACCEPT
After applying it I can still browse, but when I test for open ports (in Port Scan), I can see all the ports open from the machines in my local network, even 139...
I tried other rules, but most of them use state for controlling the access, which is not available on the 2.4.37 kernel I'm using.
Can somebody give me a clue on this?
Hi fgimenez, I'm using exactly your compiled modules. I can add rules to ip6tables like the ones above, but I can't seem to find a set of rules that works to drop incoming traffic. If I set ip6tables -P INPUT DROP, none of my ports show as open to the internet, but I can't open anything on my network machines.
My problem is in the set of rules. Any clue on that?
Since there is no conntrack (stateful filtering) for IPv6 on 2.4 kernels, you need to work with the SYN packets for TCP.
For the ports you want to allow incoming connections on, you allow SYN (the TCP packet that initiates a connection) and block SYN for everything else.
You could also block all kinds of traffic on other ports, but that would probably prevent your ability to browse the IPv6 web.
For UDP you just allow traffic on the ports you need and block everything else. This can create problems with stuff that works on UDP and uses ports other than those allowed, but since there is no stateful filtering, the other option would be to block selected UDP ports and allow everything else, and that's an approach I don't like very much.
This is what is working for me.
In the startup script I have this:
ip6tables -F
# Traffic to the router itself: accept ICMPv6 from the tunnel, drop everything else
ip6tables -A INPUT -i he-ipv6 -p icmpv6 -j ACCEPT
ip6tables -A INPUT -i he-ipv6 -j DROP
# Traffic forwarded to LAN hosts: ICMPv6 allowed
ip6tables -A FORWARD -i he-ipv6 -p icmpv6 -j ACCEPT
# TCP: only new connections (SYN) to the listed ports get in; non-SYN packets
# (replies to connections started from the LAN) match neither rule and pass
ip6tables -A FORWARD -i he-ipv6 -p tcp --syn -m multiport --dports 7777,8888,9999 -j ACCEPT
ip6tables -A FORWARD -i he-ipv6 -p tcp --syn -j DROP
# UDP: no state available, so only the listed destination ports get in
ip6tables -A FORWARD -i he-ipv6 -p udp -m multiport --dports 7777,8888,9999,domain,ntp -j ACCEPT
ip6tables -A FORWARD -i he-ipv6 -p udp -j DROP
Some day I'll probably switch to a firmware with a 2.6.x kernel and use stateful filtering, but I've read the WRT54GL's wifi doesn't work very well with 2.6 kernels yet, so I'm using this setup for now.
Anyway, I hope the scripts above help you get your ip6tables working.
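A fuller version of the stateless approach described in the reply above, written as an added example (not the poster's startup script and not from the SixXS wiki). It assumes the tunnel interface is he-ipv6 and reuses the same port lists; the names WAN6, TCP_IN, UDP_IN, ROUTER_TCP and REPLY_UDP are this example's own. It goes slightly beyond the post: it also filters the router's own INPUT chain in a way that still lets the router make outbound IPv6 connections, it lets DNS and NTP replies back in by source port, and it ends both chains with an explicit DROP for the tunnel interface so nothing depends on the chain's default policy. Rule generation is separated from loading so the rule list can be reviewed without root.

```shell
#!/bin/sh
# Stateless IPv6 filter for a router whose kernel has no ip6 conntrack.
# Added example; WAN6 and the port lists below are assumptions, not the post's.
WAN6="${WAN6:-he-ipv6}"                   # outside (tunnel) interface
TCP_IN="${TCP_IN:-7777,8888,9999}"        # TCP services on LAN hosts reachable from outside
UDP_IN="${UDP_IN:-7777,8888,9999,53,123}" # UDP services on LAN hosts reachable from outside
ROUTER_TCP="${ROUTER_TCP:-}"              # TCP ports open on the router itself (none by default)
REPLY_UDP="53,123"                        # DNS/NTP replies come back from these source ports
IP6T="${IP6T:-ip6tables}"

# gen_rules prints one ip6tables argument list per line, in the order the
# rules must be appended. Generating first and loading second lets the set
# be inspected (or tested) on a machine without ip6tables or root.
gen_rules() {
    printf '%s\n' "-F INPUT" "-F FORWARD"

    # --- traffic addressed to the router itself ---
    # RH0 routing headers can bounce a packet between hosts; drop them first.
    printf '%s\n' "-A INPUT -i $WAN6 -m rt --rt-type 0 -j DROP"
    # ICMPv6 carries neighbour discovery and path MTU; IPv6 breaks without it.
    printf '%s\n' "-A INPUT -i $WAN6 -p icmpv6 -j ACCEPT"
    # Without conntrack, the only way to let replies to the router's own TCP
    # connections in is to accept every TCP packet that is not a SYN.
    printf '%s\n' "-A INPUT -i $WAN6 -p tcp ! --syn -j ACCEPT"
    if [ -n "$ROUTER_TCP" ]; then
        printf '%s\n' "-A INPUT -i $WAN6 -p tcp --syn -m multiport --dports $ROUTER_TCP -j ACCEPT"
    fi
    # UDP has no SYN; match replies by source port instead (DNS, NTP).
    printf '%s\n' "-A INPUT -i $WAN6 -p udp -m multiport --sports $REPLY_UDP -j ACCEPT"
    printf '%s\n' "-A INPUT -i $WAN6 -j DROP"

    # --- traffic forwarded to LAN hosts ---
    printf '%s\n' "-A FORWARD -m rt --rt-type 0 -j DROP"
    printf '%s\n' "-A FORWARD -i $WAN6 -p icmpv6 -j ACCEPT"
    # New connections (SYN) only to the published ports. The SYN ACCEPT must
    # come before the SYN DROP because rules are matched in order.
    printf '%s\n' "-A FORWARD -i $WAN6 -p tcp --syn -m multiport --dports $TCP_IN -j ACCEPT"
    printf '%s\n' "-A FORWARD -i $WAN6 -p tcp --syn -j DROP"
    # Any other TCP packet is assumed to belong to a LAN-initiated connection.
    printf '%s\n' "-A FORWARD -i $WAN6 -p tcp ! --syn -j ACCEPT"
    printf '%s\n' "-A FORWARD -i $WAN6 -p udp -m multiport --dports $UDP_IN -j ACCEPT"
    printf '%s\n' "-A FORWARD -i $WAN6 -p udp -m multiport --sports $REPLY_UDP -j ACCEPT"
    # Explicit catch-all for the tunnel interface, independent of the chain policy.
    printf '%s\n' "-A FORWARD -i $WAN6 -j DROP"
}

# apply_rules feeds each generated line to ip6tables and stops at the first error.
apply_rules() {
    gen_rules | while IFS= read -r rule; do
        # $rule is deliberately unquoted: it holds several arguments.
        $IP6T $rule || { echo "failed: $IP6T $rule" >&2; exit 1; }
    done
}

case "${1:-}" in
    apply) apply_rules ;;   # load the rules (needs root)
    *)     gen_rules ;;     # default: just print them for review
esac
```

Run it with no argument to print the rule list, or with `apply` as root (for example from the dd-wrt startup script) to load it. The reply's caveat still applies: with no state, a scanner can send ACK or FIN packets through the `! --syn` rules and map LAN hosts by the RSTs they answer with, and any UDP packet with source port 53 or 123 is let in; that is the price of stateless filtering on a 2.4 kernel.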