Blocking Teredo and 6to4 traffic via iptables..

Author Message
Masterman
DD-WRT Guru


Joined: 24 Aug 2009
Posts: 2070
Location: South Florida

PostPosted: Wed Dec 14, 2011 21:21    Post subject: Blocking Teredo and 6to4 traffic via iptables..
I've noticed a lot lately when reviewing UPnP forwards that Teredo consumes a lot of nvram space and does not close the forward when a client computer on the LAN disconnects.

I did some reading and found some pretty interesting stuff, but not anything specifically related to DD-WRT's netfilter.

http://web-tech.ga-usa.com/2010/12/windows-7-ipv6-teredo-security-zero-day-hole/

http://www.youtube.com/watch?v=1ldPKIobPgs

http://www.cert.org/blogs/certcc/2009/04/bypassing_firewalls_with_ipv6.html


I currently have two options, and one is very impractical: disable UPnP on the router, or require all clients to disable the IPv6 stack on Windows Vista and Windows 7 PCs.

The other option (the one I'm asking about) is using iptables to block access to all clients on the LAN.

Currently, this is the best ruleset I could find searching the web:

Code:
iptables -I FORWARD 1 -i $wanf -p udp --dport 41 -j logdrop
iptables -I FORWARD 1 -i $wanf -p udp --dport 3544 -j logdrop
Does anyone else have experience with this?
Any help, suggestions, or negative remarks are much welcomed.

-Masterman

_________________
Optware, the Right Way
Asus RT-AC68U
Asus RT-N66U
Asus RT-N10
Asus RT-N12
Asus RT-N16 x5
Asus WL520gU
Engenious ECB350
Linksys WRT600Nv1.1
Linksys WRT610Nv1
Linksys E2000
Netgear WNDR3300
SonicWall NSA220W
SonicWall TZ215W
SonicWall TZ205W
SonicWall TZ105W
lepa71
DD-WRT User


Joined: 02 Feb 2012
Posts: 84

PostPosted: Mon Feb 27, 2012 0:29    Post subject:
Are those ports the same for everybody?
ydns
DD-WRT Novice


Joined: 16 Jun 2006
Posts: 2

PostPosted: Sat Mar 24, 2012 20:21    Post subject:
Quote:
iptables -I FORWARD 1 -i $wanf -p udp --dport 41 -j logdrop

Sorry, not correct. It's protocol 41, not port 41.

I don't know my iptables, but with your line it should be more like:

iptables -I FORWARD 1 -i $wanf -p 41 -j logdrop
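A complete rule set for what the thread is after, written here as an added example (it is not code from either post or from DD-WRT): it blocks both tunnel types in both directions of the FORWARD chain and checks its own output for the port-versus-protocol mistake discussed above. It assumes DD-WRT's logdrop chain exists, reads the WAN interface from an nvram variable whose name is an assumption, and uses vlan2 only as a placeholder.

```sh
#!/bin/sh
# Added example, not from the thread.  Assumes DD-WRT's "logdrop" chain (used
# in the posts); on a plain Linux box pass DROP as the target instead.

# Print (without running) the netfilter rules for WAN interface $1, target $2.
tunnel_block_rules() {
    wanif="$1"
    target="${2:-logdrop}"
    # 6to4 / 6in4 / ISATAP: IPv6 carried directly in IPv4 as IP protocol 41.
    # This is a protocol match (-p 41); there is no "port 41" involved.
    echo "iptables -I FORWARD 1 -o $wanif -p 41 -j $target"
    echo "iptables -I FORWARD 1 -i $wanif -p 41 -j $target"
    # Teredo: IPv6 inside UDP.  The client contacts the Teredo server on UDP
    # 3544 from an ephemeral port, so match the server side of each direction.
    # A client that cannot reach a server never qualifies, so no tunnel comes up.
    echo "iptables -I FORWARD 1 -o $wanif -p udp --dport 3544 -j $target"
    echo "iptables -I FORWARD 1 -i $wanif -p udp --sport 3544 -j $target"
}

# Self-check of a generated rule set: exactly two protocol-41 matches, exactly
# two UDP/3544 matches, and never the "--dport 41" mistake.  Returns 0 if OK.
check_rules() {
    rules="$(tunnel_block_rules "$1" "$2")"
    echo "$rules" | grep -q -- '--dport 41' && return 1
    [ "$(echo "$rules" | grep -c -- '-p 41 ')" -eq 2 ] || return 1
    [ "$(echo "$rules" | grep -c -- '-p udp --[sd]port 3544 ')" -eq 2 ] || return 1
    return 0
}

# On the router itself (e.g. from the DD-WRT firewall script): read the WAN
# interface from nvram (variable name assumed) and apply the rules.
apply_tunnel_block() {
    wanif="$(nvram get wan_iface 2>/dev/null)"
    tunnel_block_rules "${wanif:-vlan2}" logdrop | sh   # vlan2 is a placeholder
}
```

Because every rule is inserted at position 1, the final order is the reverse of the script order, which does not matter here since all four rules drop; blocking UDP 3544 stops the client from ever qualifying with a Teredo server, so no UPnP mapping for it is requested in the first place.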