Posted: Tue Jul 03, 2012 5:59 Post subject: ip6tables Script for TunnelBroker.net
Here is my final ip6tables script (note: this is for the Hurricane Electric TunnelBroker service).
Code:
# Allows you to access port forwards to internal computers with ipv4 WAN IP
iptables -t nat -I POSTROUTING -o br0 -s 192.168.1.0/24 -d 192.168.1.0/24 -j MASQUERADE
# Default rule DROP for all chains
ip6tables -P INPUT DROP
ip6tables -P OUTPUT DROP
ip6tables -P FORWARD DROP
# Prevent being a rh0 (routing header type 0) host (DROP before we could accept these buggy ones)
ip6tables -I INPUT -m rt --rt-type 0 -j DROP
ip6tables -I OUTPUT -m rt --rt-type 0 -j DROP
ip6tables -I FORWARD -m rt --rt-type 0 -j DROP
# Allow traffic on loopback interface
ip6tables -A INPUT -i lo -j ACCEPT
ip6tables -A OUTPUT -o lo -j ACCEPT
# Allow traffic from local host to the IPv6-tunnel
ip6tables -A OUTPUT -o he-ipv6 -s 2001::/16 -j ACCEPT
ip6tables -A INPUT -i he-ipv6 -d 2001::/16 -m state --state RELATED,ESTABLISHED -j ACCEPT
ip6tables -A OUTPUT -o tun6to4 -s 2001::/16 -j ACCEPT
ip6tables -A INPUT -i tun6to4 -d 2001::/16 -m state --state RELATED,ESTABLISHED -j ACCEPT
# Allow traffic from local network to local host
ip6tables -A OUTPUT -o br0 -j ACCEPT
ip6tables -A INPUT -i br0 -j ACCEPT
# Allow traffic from local network to tunnel (IPv6 world)
ip6tables -A FORWARD -i br0 -s 2001::/16 -j ACCEPT
ip6tables -A FORWARD -i he-ipv6 -d 2001::/16 -m state --state RELATED,ESTABLISHED -j ACCEPT
ip6tables -A FORWARD -i tun6to4 -d 2001::/16 -m state --state RELATED,ESTABLISHED -j ACCEPT
# Allow some special ICMPv6 packet types; do this in an extra chain because we need it everywhere
ip6tables -N AllowICMPs
# Destination unreachable
ip6tables -A AllowICMPs -p icmpv6 --icmpv6-type 1 -j ACCEPT
# Packet too big
ip6tables -A AllowICMPs -p icmpv6 --icmpv6-type 2 -j ACCEPT
# Time exceeded
ip6tables -A AllowICMPs -p icmpv6 --icmpv6-type 3 -j ACCEPT
# Parameter problem
ip6tables -A AllowICMPs -p icmpv6 --icmpv6-type 4 -j ACCEPT
# Echo Request (protect against flood)
ip6tables -A AllowICMPs -p icmpv6 --icmpv6-type 128 -m limit --limit 5/sec --limit-burst 10 -j ACCEPT
# Echo Reply
ip6tables -A AllowICMPs -p icmpv6 --icmpv6-type 129 -j ACCEPT
# Link in tables INPUT and FORWARD (in Output we allow everything anyway)
ip6tables -A INPUT -p icmpv6 -j AllowICMPs
ip6tables -A FORWARD -p icmpv6 -j AllowICMPs
# Allow a specific port on all IPv6 devices in the network
#ip6tables -A INPUT -p tcp --dport 21 -j ACCEPT
#ip6tables -A FORWARD -p tcp --dport 21 -j ACCEPT
# Allow a specific port on a specific IPv6 address in the network
#ip6tables -A FORWARD -p tcp -d 1111:222:3333:555:6666:7777:8888:9999 --dport 21 -j ACCEPT
This script will provide protection and block all traffic from having direct access to your devices. However, devices from outside the network will be able to ping, as this script has ICMPv6 enabled. By default your computer won't have any open ports, so that's why I made a line that will open a port to your specific IPv6 address and a line that will open a specific port to all your devices.
1111:222:3333:555:6666:7777:8888:9999 - (this number being the IPv6 address of the computer)
--dport 21 - (21 being the number of the port to open)
Yes, it's all finished and complete.
Last edited by unknown26 on Tue Jul 03, 2012 17:28; edited 3 times in total
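As an added check that is not part of the original post, the following POSIX sh script audits an ip6tables-save dump for what the script above is meant to establish: DROP policies on INPUT, OUTPUT and FORWARD, and a routing-header-type-0 DROP rule in each chain. The function name audit_ruleset and both sample dumps are my own constructions; on the router you would feed it the real output of ip6tables-save.

```shell
#!/bin/sh
# Added example: audit an ip6tables-save dump for the protections the script above sets up.
# On the router: audit_ruleset "$(ip6tables-save)"
# Prints one line per missing item and returns 1, so a rule that ip6tables rejected does not go unnoticed.
audit_ruleset() {
    dump=$1
    missing=0
    for chain in INPUT OUTPUT FORWARD; do
        # policies appear in the *filter section as ":CHAIN POLICY [packets:bytes]"
        if ! printf '%s\n' "$dump" | grep -q "^:$chain DROP "; then
            echo "MISSING: policy DROP on $chain"
            missing=$((missing + 1))
        fi
        # the rt match is saved as "-m rt --rt-type 0"; it must be present and jump to DROP
        if ! printf '%s\n' "$dump" | grep -q "^-A $chain .*-m rt --rt-type 0 .*-j DROP"; then
            echo "MISSING: rt-type 0 DROP rule in $chain"
            missing=$((missing + 1))
        fi
    done
    [ "$missing" -eq 0 ]
}

# Constructed sample: what ip6tables-save shows after the script above loads cleanly
GOOD_DUMP='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:AllowICMPs - [0:0]
-A INPUT -m rt --rt-type 0 -j DROP
-A INPUT -i lo -j ACCEPT
-A FORWARD -m rt --rt-type 0 -j DROP
-A OUTPUT -m rt --rt-type 0 -j DROP
-A OUTPUT -o lo -j ACCEPT
COMMIT'

# Constructed sample of the failure mode discussed later in the thread: the rt lines were
# rejected ("Couldn't find match `rt'"), so everything else loaded but the rt-type 0 drops are absent
BAD_DUMP='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
COMMIT'

audit_ruleset "$GOOD_DUMP" && echo "good dump: all checks passed"
audit_ruleset "$BAD_DUMP" || echo "bad dump: fix the ip6tables/ip6t_rt.ko setup before relying on it"
```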
3) Download PuTTY, log in to the router, and then create the directory to place the modules in with the following command.
Code:
mkdir -p /jffs/lib/modules/2.6.24.111/
An alternative method is just to run the command in the GUI: Administration > Commands > paste the code into the box > press "Run Commands". Done.
4) Download and extract LazyTom's precompiled 2.6.24.111 ip6tables kernel modules for brcm47xx routers and get those .ko files into the /jffs/lib/modules/2.6.24.111/ directory. How it's done is up to individual taste; I chose to download to my desktop, extract, and then SCP from the desktop with WinSCP:
Copied the module files "ip6_tables.ko, ip6table_filter.ko, ip6t_rt.ko, nf_conntrack_ipv6.ko" to the /jffs/lib/modules/2.6.24.111 directory via SCP.
--- Log below ---
Code:
root@Linksys:~# ipkg -force-depends install http://downloads.openwrt.org/kamikaze/8.09.2/brcm47xx/packages/kmod-ip6tables_2.6.25.20-brcm47xx-1_mipsel.ipk
Downloading http://downloads.openwrt.org/kamikaze/8.09.2/brcm47xx/packages/kmod-ip6tables_2.6.25.20-brcm47xx-1_mipsel.ipk ...
Connecting to downloads.openwrt.org (78.24.191.177:80)
Done.
ERROR: File not found: /jffs/usr/lib/ipkg/lists/whiterussian
You probably want to run `ipkg update'
ERROR: File not found: /jffs/usr/lib/ipkg/lists/non-free
You probably want to run `ipkg update'
ERROR: File not found: /jffs/usr/lib/ipkg/lists/backports
You probably want to run `ipkg update'
Unpacking kmod-ip6tables...Done.
Configuring kmod-ip6tables.../jffs/usr/lib/ipkg/info/kmod-ip6tables.postinst: .: line 3: can't open /etc/functions.sh
root@Linksys:~# ipkg -force-depends install http://downloads.openwrt.org/kamikaze/8.09.2/brcm47xx/packages/ip6tables_1.4.0-1_mipsel.ipk
Downloading http://downloads.openwrt.org/kamikaze/8.09.2/brcm47xx/packages/ip6tables_1.4.0-1_mipsel.ipk ...
Connecting to downloads.openwrt.org (78.24.191.177:80)
Done.
ERROR: File not found: /jffs/usr/lib/ipkg/lists/whiterussian
You probably want to run `ipkg update'
ERROR: File not found: /jffs/usr/lib/ipkg/lists/non-free
You probably want to run `ipkg update'
ERROR: File not found: /jffs/usr/lib/ipkg/lists/backports
You probably want to run `ipkg update'
Unpacking ip6tables...ipkg_install_file: ERROR unpacking data.tar.gz from /jffs/tmp/ipkg/ip6tables_1.4.0-1_mipsel.ipk
root@Linksys:~#
7) Added the following at the beginning of the start-up script
Code:
insmod /jffs/lib/modules/2.6.24.111/ip6_tables.ko
insmod /jffs/lib/modules/2.6.24.111/ip6table_filter.ko
insmod /jffs/lib/modules/2.6.24.111/nf_conntrack_ipv6.ko
insmod /jffs/lib/modules/2.6.24.111/ip6t_rt.ko
Entered the ip6tables commands in Administration > Commands > Command Shell box, then clicked "Save Firewall".
Last edited by unknown26 on Tue Jul 03, 2012 17:24; edited 1 time in total
Joined: 24 Feb 2009 Posts: 2026 Location: Sol System > Earth > USA > Arkansas
Posted: Wed Jul 04, 2012 3:04 Post subject:
Thank you for the information you posted on setting up the ip6tables firewall. At one time (before the hdd crashed on the router), I had IPv6 set up on my network. Since I knew everything was open to the world, I have delayed in reimplementing it. With the above information at hand, I can feel safer in implementing the IPv6 protocol.
One probably obvious addition: if it's your first time doing an ipkg install you will need
mkdir -p /jffs/tmp/ipkg
My jffs mount is a usb thumb drive. It does not seem to be available when the startup script runs. Therefore I place my insmod commands at the top of the firewall script.
Posted: Sat Jan 05, 2013 22:20 Post subject:
jboehm wrote:
One problem I ran into. If I run the firewall manually I get three statements like this.
----
ip6tables v1.3.7: Couldn't find match `rt'
Try `ip6tables -h' or 'ip6tables --help' for more information.
----
Thoughts?
Your likely issue is that you did not get the 'ip6t_rt.ko' module onto your router (or it did not get loaded).
_________________
E3000 22200M KongVPN K26
WRT600n v1.1 refirb mega 18767 BS K24 NEWD2 [not used]
WRT54G v2 16214 BS K24 [access point]
Try Dropbox for syncing files - get 2.5gb online for free by signing up.
Read! Peacock thread
*PLEASE* upgrade PAST v24SP1 or no support.
Hmm, I'm missing something. I installed kmod-ip6tables_2.6.25.20-brcm47xx-1_mipsel.ipk and ip6tables_1.4.0-1_mipsel.ipk just as shown below. I got the same output as the how-to.
which ip6tables
/usr/sbin/ip6tables
I expected there to be a new entry in /jffs/usr/bin but there is no ip6tables there.
Posted: Sat Jan 05, 2013 22:38 Post subject:
slobodan wrote:
iptables 1.3.7 does not work with rt. Change to iptables 1.4.0 and then it will work.
Then how does one fix that issue when ip6tables v1.3.7 is what I also have? The instructions lead everyone to download the wrong version.
Well, this is my experience: 1.3.7 does not process the rt lines; this can be checked with ip6tables-save. I use iptables 1.4.0 from OTRW, not from openwrt.
_________________
2 times APU2 Opnsense 21.1 with Sensei
2 times RT-AC56U running DD-WRT 45493 (one as Gateway, the other as AP, both bridged with LAN cable)
3 times Asus RT-N16 shelved
E4200 V1 running freshtomato 2020.8 (bridged with LAN cable)
3 times Linksys WRT610N V2 converted to E3000 and 1 original E3000 running freshtomato 2020.8 (bridged with LAN cable)
Posted: Sun Jan 06, 2013 16:27 Post subject:
slobodan wrote:
Well, this is my experience: 1.3.7 does not process the rt lines, this can be checked with ip6tables-save. I use iptables 1.4.0 from OTRW, not from openwrt.
From what I can see, OTRW does not come with ip6tables. What package did you use to get v1.4.0 of ip6tables?
ip6tables is part of iptables in OTRW.
Posted: Sun Jan 06, 2013 21:57 Post subject:
slobodan wrote:
ip6tables is part of iptables in OTRW.
That is not my experience. OTRW does not have iptables nor ip6tables installed with it.
Whose version of OTRW are you using? Also, when was it installed? A bit more information than what you are giving would be helpful.