IPV6: V24-SP2 Eko Newd, Need Kernel 2.4.37 IPV6 Modules

surdules
DD-WRT Novice


Joined: 27 Feb 2008
Posts: 6

Posted: Mon Aug 23, 2010 17:35
Hmm, looking more closely, it seems that OpenWRT Backfire is based on Linux kernel 2.6, not 2.4.

What's puzzling is that the filename for the ipv6 kmod from Backfire seems to be targeted at 2.4, even though its kernel is 2.6:

kmod-ip6tables_2.4.37.9-1_brcm-2.4.ipk

I'll probably try both packages (the ones from this thread and the ones from Backfire) and see what happens.
surdules
DD-WRT Novice


Joined: 27 Feb 2008
Posts: 6

Posted: Wed Aug 25, 2010 6:34
Running into problems with ipkg install -- has anyone seen this error before?

root@sinclair:/jffs# ipkg install ip6tables-utils_1.3.8-4.1_mipsel.ipk
ipkg_install_file: ERROR unpacking control.tar.gz from ip6tables-utils_1.3.8-4.1_mipsel.ipk

I should have enough space left on the /jffs mount to install this package:

root@sinclair:/jffs# df
Filesystem 1K-blocks Used Available Use% Mounted on
/dev/root 2176 2176 0 100% /
/dev/mtdblock/4 640 504 136 79% /jffs

My router is a WRT54GL 1.1 with 4MB. I'm running dd-wrt.v24-14853_NEWD_std-nokaid_nohotspot_nostor.bin
be.cool
DD-WRT Novice


Joined: 18 Sep 2007
Posts: 27

Posted: Mon Mar 07, 2011 4:32
Hi everybody. I successfully configured a SixXS IPv6 tunnel using aiccu. I can browse pages over IPv6 and everything, but I can't seem to find a way to close all my ports to the outer internet using ip6tables in dd-wrt.
Right now the rules I'm using are (from the SixXS wiki):

Code:
export IP6TABLES_LIB_DIR=/jffs/usr/lib/iptables
ip6tables -F INPUT
ip6tables -F OUTPUT
ip6tables -F FORWARD
ip6tables -F

# Disable privileged ports for the outside, except ports 22, 515, and 631
# Specifying an interface (-i ethX) is probably a good idea to specify what is the outside
ip6tables --table filter -i sixxs --append INPUT  -j DROP

# Disable processing of any RH0 packet
# Which could allow a ping-pong of packets
ip6tables -A INPUT -m rt --rt-type 0 -j DROP
ip6tables -A OUTPUT -m rt --rt-type 0 -j DROP
ip6tables -A FORWARD -m rt --rt-type 0 -j DROP

# Allow anything on the local link
ip6tables -A INPUT -i lo -j ACCEPT
ip6tables -A OUTPUT -o lo -j ACCEPT

# Allow Link-Local addresses
ip6tables -A INPUT -s fe80::/10 -j ACCEPT
ip6tables -A OUTPUT -s fe80::/10 -j ACCEPT

# Allow multicast
ip6tables -A INPUT -s ff00::/8 -j ACCEPT
ip6tables -A OUTPUT -s ff00::/8 -j ACCEPT

# Allow ICMP
ip6tables -A INPUT -p icmpv6 -j ACCEPT
ip6tables -A OUTPUT -p icmpv6 -j ACCEPT
#ip6tables -A FORWARD -p icmpv6 -j ACCEPT


After applying it I can still browse, but when I test for open ports (in Port Scan), I can see all the ports open from the machines in my local network, even 139...
I tried other rules, but most of them use state for controlling access, which is not available in the kernel 2.4.37 that I'm using.
Can somebody give me a clue on this?

Thanks in advance.
fgimenez
DD-WRT Novice


Joined: 09 Jun 2006
Posts: 24

Posted: Mon Mar 07, 2011 16:17
I got the same problem some time ago.
None of the ip6tables modules from openwrt worked with my dd-wrt's kernel.

I ended up compiling my own set of modules specifically for my kernel version and now everything works as expected.

See my modules on this post: http://www.dd-wrt.com/phpBB2/viewtopic.php?p=460913#460913

I compiled them for kernel 2.4.37 which is the one found in DD-WRT v24-sp2 (06/09/10) std-nokaid-nohot-nostore (SVN revision 14583M NEWD Eko)
be.cool
DD-WRT Novice


Joined: 18 Sep 2007
Posts: 27

Posted: Mon Mar 07, 2011 16:55
Hi fgimenez, I'm using exactly your compiled modules. I can add rules to ip6tables like the ones above, but I can't seem to find a set of rules that work to drop incoming traffic. If I set ip6tables -P INPUT DROP, none of my ports are visibly open to the internet, but I can't open anything on my network machines.

My problem is in the set of rules. Any clue on that?
fgimenez
DD-WRT Novice


Joined: 09 Jun 2006
Posts: 24

Posted: Mon Mar 07, 2011 17:56
Since there is no conntrack (stateful filtering) for IPv6 on 2.4 kernels, you need to work with the SYN packets for TCP.

For the ports where you want to allow incoming connections, you allow SYN (the TCP packet that initiates a connection) and block SYN for everything else.
You could also block all kinds of traffic on other ports, but that would prolly prevent your ability to browse the IPv6 web.

For UDP you just allow traffic on the ports you need and block everything else. This can create problems with stuff that works over UDP and uses ports other than those allowed, but since there is no stateful filtering, the other option would be to block selected UDP ports and allow everything else, and that's an approach I don't like very much.

This is what is working for me.
On the startup script I have this:

Code:
insmod ipv6
export IP6TABLES_LIB_DIR=/jffs/usr/lib/iptables

for i in `ls -1 /jffs/lib/modules/2.4.37`
do
insmod /jffs/lib/modules/2.4.37/$i
done

#here goes the ipv6 tunnel initialization thing.
#removed to keep this forum post cleaner.

/jffs/ipv6_firewall.sh
echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
sleep 3
radvd -C /jffs/radvd.conf

echo "export IP6TABLES_LIB_DIR=/jffs/usr/lib/iptables" > /tmp/root/.profile


and on the firewall script I have this:
Code:
ip6tables -F
ip6tables -A INPUT -i he-ipv6 -p icmpv6 -j ACCEPT
ip6tables -A INPUT -i he-ipv6 -j DROP
ip6tables -A FORWARD -i he-ipv6 -p icmpv6 -j ACCEPT
ip6tables -A FORWARD -p tcp -i he-ipv6 --syn -m multiport --dports 7777,8888,9999 -j ACCEPT
ip6tables -A FORWARD -p tcp -i he-ipv6 --syn -j DROP
ip6tables -A FORWARD -p udp -i he-ipv6 -m multiport --dports 7777,8888,9999,domain,ntp -j ACCEPT
ip6tables -A FORWARD -p udp -i he-ipv6 -j DROP


Some day I'll prolly switch to a firmware with a 2.6.x kernel and use stateful filtering, but I've read the wrt54gl's wifi doesn't work very well with 2.6 kernels yet, so I'm using this setup for now.

Anyway, I hope the scripts above help you get your ip6tables working.

Regards.
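To make the effect of these rules concrete, here is an added Python model (not fgimenez's or DD-WRT's code) that walks the posted FORWARD chain with first-match semantics over constructed packets; the interface name and port lists come from the script above, while Packet, forward_chain and the br0 LAN interface name are assumptions made for this illustration.

```python
# Model of the posted FORWARD chain; Packet/forward_chain/br0 are names made up for this example.
from dataclasses import dataclass

TUNNEL = "he-ipv6"                      # tunnel interface in the posted script (be.cool used "sixxs")
OPEN_TCP = {7777, 8888, 9999}           # --dports list of the TCP --syn ACCEPT rule
OPEN_UDP = {7777, 8888, 9999, 53, 123}  # "domain" and "ntp" are ports 53 and 123

@dataclass
class Packet:
    """Constructed packet: only the fields the posted rules examine."""
    in_iface: str
    proto: str              # "tcp", "udp" or "icmpv6"
    dport: int = 0
    syn_only: bool = False  # SYN set, ACK/RST/FIN clear: what ip6tables --syn matches

def forward_chain(pkt: Packet, open_tcp=OPEN_TCP, open_udp=OPEN_UDP) -> str:
    """Walk the posted FORWARD rules top to bottom; the first match decides."""
    if pkt.in_iface != TUNNEL:
        # Every rule carries "-i he-ipv6"; LAN-originated traffic matches nothing
        # and falls through to the chain policy, which the script leaves at ACCEPT.
        return "ACCEPT"
    if pkt.proto == "icmpv6":
        return "ACCEPT"                        # rule 1: ICMPv6 from the tunnel
    if pkt.proto == "tcp":
        if pkt.syn_only:                       # rules 2-3 match only connection attempts
            return "ACCEPT" if pkt.dport in open_tcp else "DROP"
        # A non-SYN segment matches no rule: replies to LAN-initiated sessions pass,
        # which is why browsing works without conntrack. It is also the price of a
        # stateless filter: it cannot tell a reply from an unsolicited non-SYN segment.
        return "ACCEPT"
    if pkt.proto == "udp":                     # rules 4-5: fixed allow list, rest dropped
        return "ACCEPT" if pkt.dport in open_udp else "DROP"
    return "ACCEPT"                            # other protocols: chain policy

# Constructed traffic as seen from the tunnel side, mirroring the scan be.cool ran.
SAMPLE = [
    Packet(TUNNEL, "tcp", 139, syn_only=True),   # SMB connection attempt: DROP (port looks closed)
    Packet(TUNNEL, "tcp", 7777, syn_only=True),  # allowed service: ACCEPT
    Packet(TUNNEL, "tcp", 80, syn_only=False),   # ACK reply to a LAN browser: ACCEPT
    Packet(TUNNEL, "udp", 53),                   # DNS reply: ACCEPT
    Packet(TUNNEL, "udp", 139),                  # stray UDP: DROP
    Packet("br0", "tcp", 22, syn_only=True),     # LAN to internet, not from the tunnel: ACCEPT
]

def verdicts(packets=SAMPLE) -> list:
    return [forward_chain(p) for p in packets]

if __name__ == "__main__":
    for p, v in zip(SAMPLE, verdicts()):
        print(f"{p.in_iface:8} {p.proto:6} dport={p.dport:<5} syn={p.syn_only!s:5} -> {v}")
```

Passing a different open_tcp set (for example {22}) shows which SYNs a modified --dports list would admit.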
be.cool
DD-WRT Novice


Joined: 18 Sep 2007
Posts: 27

Posted: Mon Mar 07, 2011 20:27
A million thanks, fgimenez. It worked beautifully!

I just replaced -i he-ipv6 with -i sixxs (my IPv6 tunnel from SixXS) and it worked. None of my ports appear open now. Really, thanks.

Regarding the ports I want to keep open, could you give an example (say for port 22) of a rule allowing that?

Cheers.
fgimenez
DD-WRT Novice


Joined: 09 Jun 2006
Posts: 24

Posted: Tue Mar 08, 2011 5:32
This will open ports 7777, 8888 and 9999 if it's added before any drop rule.

Code:
ip6tables -A FORWARD -p tcp -i he-ipv6 --syn -m multiport --dports 7777,8888,9999 -j ACCEPT