ip6tables Script for TunnelBroker.net

Post new topic   Reply to topic    DD-WRT Forum Forum Index -> Broadcom SoC based Hardware
Goto page 1, 2  Next
Author Message
unknown26
DD-WRT Novice


Joined: 28 May 2012
Posts: 11

PostPosted: Tue Jul 03, 2012 5:59    Post subject: ip6tables Script for TunnelBroker.net Reply with quote
Here is my final ip6tables script (Note this is for Hurricane Electric Tunnelbroker

Code:

# Allows you to access port forwards to internal computers with ipv4 WAN IP
iptables -t nat -I POSTROUTING -o br0 -s 192.168.1.0/24 -d 192.168.1.0/24 -j MASQUERADE

# flush tables
ip6tables -F INPUT
ip6tables -F OUTPUT
ip6tables -F FORWARD

# Default rule DROP for all chains
ip6tables -P INPUT DROP
ip6tables -P OUTPUT DROP
ip6tables -P FORWARD DROP

# Prevent being a rh0 (routing header type 0) host (DROP before we could accept these buggy ones)
ip6tables -I INPUT -m rt --rt-type 0 -j DROP
ip6tables -I OUTPUT -m rt --rt-type 0 -j DROP
ip6tables -I FORWARD -m rt --rt-type 0 -j DROP

# Allow traffic on loopback interface
ip6tables -A INPUT -i lo -j ACCEPT
ip6tables -A OUTPUT -o lo -j ACCEPT

# Allow traffic from local host to the IPv6-tunnel
ip6tables -A OUTPUT -o he-ipv6 -s 2001::/16 -j ACCEPT
ip6tables -A INPUT -i he-ipv6 -d 2001::/16 -m state --state RELATED,ESTABLISHED -j ACCEPT
ip6tables -A OUTPUT -o tun6to4 -s 2001::/16 -j ACCEPT
ip6tables -A INPUT -i tun6to4 -d 2001::/16 -m state --state RELATED,ESTABLISHED -j ACCEPT

# Allow traffic from local network to local host
ip6tables -A OUTPUT -o br0 -j ACCEPT
ip6tables -A INPUT -i br0 -j ACCEPT

# Allow traffic from local network to tunnel (IPv6 world)
ip6tables -A FORWARD -i br0 -s 2001::/16 -j ACCEPT
ip6tables -A FORWARD -i he-ipv6 -d 2001::/16 -m state --state RELATED,ESTABLISHED -j ACCEPT
ip6tables -A FORWARD -i tun6to4 -d 2001::/16 -m state --state RELATED,ESTABLISHED -j ACCEPT

# Allow some special ICMPv6 packettypes, do this in an extra chain because we need it everywhere
ip6tables -N AllowICMPs
# Destination unreachable
ip6tables -A AllowICMPs -p icmpv6 --icmpv6-type 1 -j ACCEPT
# Packet too big
ip6tables -A AllowICMPs -p icmpv6 --icmpv6-type 2 -j ACCEPT
# Time exceeded
ip6tables -A AllowICMPs -p icmpv6 --icmpv6-type 3 -j ACCEPT
# Parameter problem
ip6tables -A AllowICMPs -p icmpv6 --icmpv6-type 4 -j ACCEPT
# Echo Request (protect against flood)
ip6tables -A AllowICMPs -p icmpv6 --icmpv6-type 128 -m limit --limit 5/sec --limit-burst 10 -j ACCEPT
# Echo Reply
ip6tables -A AllowICMPs -p icmpv6 --icmpv6-type 129 -j ACCEPT
# Link in tables INPUT and FORWARD (in Output we allow everything anyway)
ip6tables -A INPUT -p icmpv6 -j AllowICMPs
ip6tables -A FORWARD -p icmpv6 -j AllowICMPs

#Allow Specific Port on all ipv6 devices in network
#ip6tables -A INPUT -p tcp --dport 21 -j ACCEPT
#ip6tables -A FORWARD -p tcp --dport 21 -j ACCEPT

#Allow Specific Port on specific ipv6 address in network
#ip6tables -A FORWARD -p tcp -d 1111:222:3333:555:6666:7777:8888:9999 --dport 21 -j ACCEPT


This script will provide protection and block all traffic from having direct access to your devices. However devices from outside network will be able to ping as this script has icmpv6 enabled. By default your computer wont have any open ports so that's why I made a line that will open a port to your specific ipv6 address and a line that will open a specific port to all your devices.

1111:222:3333:555:6666:7777:8888:9999 - (This number being the ipv6 address of the computer)
--dport 21 - (21 Being the number of port to open)

Yes its all finished and complete


Last edited by unknown26 on Tue Jul 03, 2012 17:28; edited 3 times in total
Sponsor
unknown26
DD-WRT Novice


Joined: 28 May 2012
Posts: 11

PostPosted: Tue Jul 03, 2012 6:06    Post subject: Reply with quote
There is more info here

http://www.dd-wrt.com/phpBB2/viewtopic.php?p=689534

Startup script and ipv6 setup instructions (don't forget to remove quotes where your settings need to be entered)

http://www.dd-wrt.com/wiki/index.php/IPv6_setup_Hurricane_Electric_Tunnel_Broker

How I setup IP6Tables on my Linksys E2000

So I have to install IPv6 modules etc. My process below

1) GUI: Services/Services
enable SSHd

2) GUI: Administration/Management
-enable ipv6
-enable jffs and first time users need to enable clean to format it for mounting follow this guide http://www.dd-wrt.com/wiki/index.php/JFFS#Directions_for_.28normal.29_users:_using_Web-GUI_Interface

3) Download Putty and login the router and then created the directory to place the modules with the following command.
Code:
mkdir -p /jffs/lib/modules/2.6.24.111/

And Alternative method is just to run the command in GUI: Administration>Commands>"Paste code into box">Press "Run Commands" Done


4) Download & extract LazyTom's precompiled 2.6.24.111 ip6tables kernel modules for brcm47xx routers and get those .ko files into the /jffs/lib/modules/2.6.24.111/ directory. How it's done is up to individual tastes; I chose to download to my desktop, then extract and then do an SCP from the desktop with WinSCP:

Copied the module files "ip6_tables.ko, ip6table_filter, ip6t_rt.ko, nf_conntrack_ipv6.ko" to /jffs/lib/modules/2.6.24.111 directory via SCP Protocol.

Download from here http://www.dd-wrt.com/phpBB2/download.php?id=16285

You can also compile your own but its up to you http://blog.dest-unreach.be/2010/12/01/compiling-custom-dd-wrt-kernel-modules

6) Back on the router, I downloaded and installed the ip6tables program from the 8.02 open-wrt brcm47xx compiled packages



ip6tables_1.4.0-1_mipsel.ipk
kmod-ip6tables_2.6.25.20-brcm47xx-1_mipsel.ipk


I ran the following....
Code:
ipkg -force-depends install http://downloads.openwrt.org/kamikaze/8.09.2/brcm4
7xx/packages/kmod-ip6tables_2.6.25.20-brcm47xx-1_mipsel.ipk

ipkg -force-depends install http://downloads.openwrt.org/kamikaze/8.09.2/brcm4
7xx/packages/ip6tables_1.4.0-1_mipsel.ipk


--Log below---
Code:
root@Linksys:~# ipkg -force-depends install http://downloads.openwrt.org/kamikaze/8.09.2/brcm4
7xx/packages/kmod-ip6tables_2.6.25.20-brcm47xx-1_mipsel.ipk
Downloading http://downloads.openwrt.org/kamikaze/8.09.2/brcm47xx/packages/kmod-ip6tables_2.6.25.20-brcm47xx-1_mipsel.ipk ...
Connecting to downloads.openwrt.org (78.24.191.177:80)
Done.
ERROR: File not found: /jffs/usr/lib/ipkg/lists/whiterussian
You probably want to run `ipkg update'
ERROR: File not found: /jffs/usr/lib/ipkg/lists/non-free
You probably want to run `ipkg update'
ERROR: File not found: /jffs/usr/lib/ipkg/lists/backports
You probably want to run `ipkg update'
Unpacking kmod-ip6tables...Done.
Configuring kmod-ip6tables.../jffs/usr/lib/ipkg/info/kmod-ip6tables.postinst: .: line 3: can't open /etc/functions.sh


root@Linksys:~# ipkg -force-depends install http://downloads.openwrt.org/kamikaze/8.09.2/brcm4
7xx/packages/ip6tables_1.4.0-1_mipsel.ipk
Downloading http://downloads.openwrt.org/kamikaze/8.09.2/brcm47xx/packages/ip6tables_1.4.0-1_mipsel.ipk ...
Connecting to downloads.openwrt.org (78.24.191.177:80)
Done.
ERROR: File not found: /jffs/usr/lib/ipkg/lists/whiterussian
You probably want to run `ipkg update'
ERROR: File not found: /jffs/usr/lib/ipkg/lists/non-free
You probably want to run `ipkg update'
ERROR: File not found: /jffs/usr/lib/ipkg/lists/backports
You probably want to run `ipkg update'
Unpacking ip6tables...ipkg_install_file: ERROR unpacking data.tar.gz from /jffs/tmp/ipkg/ip6tables_1.4.0-1_mipsel.ipk
root@Linksys:~#


7) Added the following at the beginning of the start-up script
Code:
insmod /jffs/lib/modules/2.6.24.111/ip6_tables.ko
insmod /jffs/lib/modules/2.6.24.111/ip6table_filter.ko
insmod /jffs/lib/modules/2.6.24.111/nf_conntrack_ipv6.ko
insmod /jffs/lib/modules/2.6.24.111/ip6t_rt.ko


Cool Entered in ip6table commands in Administration>Commands>Command Shell Box then clicked save firewall


Last edited by unknown26 on Tue Jul 03, 2012 17:24; edited 1 time in total
unknown26
DD-WRT Novice


Joined: 28 May 2012
Posts: 11

PostPosted: Tue Jul 03, 2012 17:20    Post subject: Reply with quote
Please post replies if there is anything I should add to enhance ip6tables script etc
crashfly
DD-WRT Guru


Joined: 24 Feb 2009
Posts: 2025
Location: Sol System > Earth > USA > Arkansas

PostPosted: Wed Jul 04, 2012 3:04    Post subject: Reply with quote
Thank you for the information you posted on setting up the ip6tables firewall. At one time (before the hdd crashed on the router), I had IPv6 setup on my network. Since I knew everything was open to the world, I have delayed in reimplementing it. With the above information at hand, I can feel safer in implementing the IPv6 protocol.

Thanks.

_________________
E3000 22200M KongVPN K26
WRT600n v1.1 refirb mega 18767 BS K24 NEWD2 [not used]
WRT54G v2 16214 BS K24 [access point]

Try Dropbox for syncing files - get 2.5gb online for free by signing up.

Read! Peacock thread
*PLEASE* upgrade PAST v24SP1 or no support.
jboehm
DD-WRT Novice


Joined: 06 Nov 2008
Posts: 4

PostPosted: Sat Jan 05, 2013 2:16    Post subject: Reply with quote
Beautiful tutorial. Thanks!!!

One probably obvious addition. If it's your first time doing a ipkg install you will need

mkdir -p /jffs/tmp/ipkg

My jffs mount is a usb thumb drive. It does not seem to be available when the startup script runs. Therefore I place my insmod commands at the top of the firewall script.

Thanks again
jboehm
DD-WRT Novice


Joined: 06 Nov 2008
Posts: 4

PostPosted: Sat Jan 05, 2013 2:20    Post subject: Reply with quote
One problem I ran into. If I run the firewall manually I get three statements like this.

----
ip6tables v1.3.7: Couldn't find match `rt'

Try `ip6tables -h' or 'ip6tables --help' for more information.
----

Thoughts?
crashfly
DD-WRT Guru


Joined: 24 Feb 2009
Posts: 2025
Location: Sol System > Earth > USA > Arkansas

PostPosted: Sat Jan 05, 2013 22:20    Post subject: Reply with quote
jboehm wrote:
One problem I ran into. If I run the firewall manually I get three statements like this.

----
ip6tables v1.3.7: Couldn't find match `rt'

Try `ip6tables -h' or 'ip6tables --help' for more information.
----

Thoughts?

Your likely issue is that you did not get the 'ip6t_rt.ko' module onto your router (or it did not get loaded).

_________________
E3000 22200M KongVPN K26
WRT600n v1.1 refirb mega 18767 BS K24 NEWD2 [not used]
WRT54G v2 16214 BS K24 [access point]

Try Dropbox for syncing files - get 2.5gb online for free by signing up.

Read! Peacock thread
*PLEASE* upgrade PAST v24SP1 or no support.
slobodan
DD-WRT Guru


Joined: 03 Nov 2011
Posts: 1243
Location: Zwolle

PostPosted: Sat Jan 05, 2013 22:23    Post subject: Reply with quote
crashfly wrote:
Your likely issue is that you did not get the 'ip6t_rt.ko' module onto your router (or it did not get loaded).

iptables 1.3.7 does not work with rt. Change to iptables 1.4.0 and then it will work.

_________________
Asus RT-N16 running Merlin (latest), formerly used Kong 22000++ kingkong-nv32k-broadcom with OTRW2

E4200 V1 running Kong 22000++ kingkong-nv60k-broadcom with OTRW2

2 times Linksys WRT610N V2 converted to E3000 running Kong 22000++ usb-ftp-samba3-dlna-nv60k-broadcom with OTRW2 (bridged with LAN cable)


jboehm
DD-WRT Novice


Joined: 06 Nov 2008
Posts: 4

PostPosted: Sat Jan 05, 2013 22:31    Post subject: Reply with quote
hmm I'm missing something. I installed kmod-ip6tables_2.6.25.20-brcm47xx-1_mipsel.ipk and ip6tables_1.4.0-1_mipsel.ipk just as show below. I got the same output as the how-to

which ip6tables
/usr/sbin/ip6tables

I expected there to be a new entry in /jffs/usr/bin but there is no ip6tables there.


ip6tables still shows 1.3.7
crashfly
DD-WRT Guru


Joined: 24 Feb 2009
Posts: 2025
Location: Sol System > Earth > USA > Arkansas

PostPosted: Sat Jan 05, 2013 22:38    Post subject: Reply with quote
slobodan wrote:
iptables 1.3.7 does not work with rt. Change to iptables 1.4.0 and then it will work.

Then how does one fix that issue when ip6tables v1.3.7 is what I also have? The instructions lead everyone to download the wrong version.

_________________
E3000 22200M KongVPN K26
WRT600n v1.1 refirb mega 18767 BS K24 NEWD2 [not used]
WRT54G v2 16214 BS K24 [access point]

Try Dropbox for syncing files - get 2.5gb online for free by signing up.

Read! Peacock thread
*PLEASE* upgrade PAST v24SP1 or no support.
slobodan
DD-WRT Guru


Joined: 03 Nov 2011
Posts: 1243
Location: Zwolle

PostPosted: Sat Jan 05, 2013 23:02    Post subject: Reply with quote
crashfly wrote:
slobodan wrote:
iptables 1.3.7 does not work with rt. Change to iptables 1.4.0 and then it will work.

Then how does one fix that issue when ip6tables v1.3.7 is what I also have? The instructions lead everyone to download the wrong version.

Well, this is my experience: 1.3.7 does not process the rt lines, this can be checked with ip6tables-save. I use iptables 1.4.0 from OTRW, not from openwrt.

_________________
Asus RT-N16 running Merlin (latest), formerly used Kong 22000++ kingkong-nv32k-broadcom with OTRW2

E4200 V1 running Kong 22000++ kingkong-nv60k-broadcom with OTRW2

2 times Linksys WRT610N V2 converted to E3000 running Kong 22000++ usb-ftp-samba3-dlna-nv60k-broadcom with OTRW2 (bridged with LAN cable)


crashfly
DD-WRT Guru


Joined: 24 Feb 2009
Posts: 2025
Location: Sol System > Earth > USA > Arkansas

PostPosted: Sun Jan 06, 2013 16:27    Post subject: Reply with quote
slobodan wrote:
Well, this is my experience: 1.3.7 does not process the rt lines, this can be checked with ip6tables-save. I use iptables 1.4.0 from OTRW, not from openwrt.

From what I can see, OTRW does not come with ip6tables. What package did you use to get v1.4.0 of ip6tables?

_________________
E3000 22200M KongVPN K26
WRT600n v1.1 refirb mega 18767 BS K24 NEWD2 [not used]
WRT54G v2 16214 BS K24 [access point]

Try Dropbox for syncing files - get 2.5gb online for free by signing up.

Read! Peacock thread
*PLEASE* upgrade PAST v24SP1 or no support.
slobodan
DD-WRT Guru


Joined: 03 Nov 2011
Posts: 1243
Location: Zwolle

PostPosted: Sun Jan 06, 2013 21:09    Post subject: Reply with quote
crashfly wrote:
slobodan wrote:
Well, this is my experience: 1.3.7 does not process the rt lines, this can be checked with ip6tables-save. I use iptables 1.4.0 from OTRW, not from openwrt.

From what I can see, OTRW does not come with ip6tables. What package did you use to get v1.4.0 of ip6tables?

ip6tables is part of iptables in OTRW.

_________________
Asus RT-N16 running Merlin (latest), formerly used Kong 22000++ kingkong-nv32k-broadcom with OTRW2

E4200 V1 running Kong 22000++ kingkong-nv60k-broadcom with OTRW2

2 times Linksys WRT610N V2 converted to E3000 running Kong 22000++ usb-ftp-samba3-dlna-nv60k-broadcom with OTRW2 (bridged with LAN cable)


crashfly
DD-WRT Guru


Joined: 24 Feb 2009
Posts: 2025
Location: Sol System > Earth > USA > Arkansas

PostPosted: Sun Jan 06, 2013 21:57    Post subject: Reply with quote
slobodan wrote:
ip6tables is part of iptables in OTRW.

That is not my experience. OTRW does not have iptables nor ip6tables installed with it.

Whose version of OTRW are you using? Also, when was it installed? A bit more information than what you are giving would be helpful.

_________________
E3000 22200M KongVPN K26
WRT600n v1.1 refirb mega 18767 BS K24 NEWD2 [not used]
WRT54G v2 16214 BS K24 [access point]

Try Dropbox for syncing files - get 2.5gb online for free by signing up.

Read! Peacock thread
*PLEASE* upgrade PAST v24SP1 or no support.
slobodan
DD-WRT Guru


Joined: 03 Nov 2011
Posts: 1243
Location: Zwolle

PostPosted: Tue Jan 08, 2013 0:36    Post subject: Reply with quote
crashfly wrote:
slobodan wrote:
ip6tables is part of iptables in OTRW.

That is not my experience. OTRW does not have iptables nor ip6tables installed with it.

Whose version of OTRW are you using? Also, when was it installed? A bit more information than what you are giving would be helpful.

Well, ipkg-opt update
ipkg-opt install iptables.

This is how I have installed iptables. It is from the ipkg.nlsu2-linux.org repository.

_________________
Asus RT-N16 running Merlin (latest), formerly used Kong 22000++ kingkong-nv32k-broadcom with OTRW2

E4200 V1 running Kong 22000++ kingkong-nv60k-broadcom with OTRW2

2 times Linksys WRT610N V2 converted to E3000 running Kong 22000++ usb-ftp-samba3-dlna-nv60k-broadcom with OTRW2 (bridged with LAN cable)


Goto page 1, 2  Next Display posts from previous:    Page 1 of 2
Post new topic   Reply to topic    DD-WRT Forum Forum Index -> Broadcom SoC based Hardware All times are GMT

Navigation

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You can attach files in this forum
You can download files in this forum