Joined: 24 Feb 2009 Posts: 2026 Location: Sol System > Earth > USA > Arkansas
Posted: Tue Jan 08, 2013 19:57 Post subject:
slobodan wrote:
Well, ipkg-opt update
ipkg-opt install iptables.
This is how I have installed iptables. It is from the ipkg.nlsu2-linux.org repository.
Thank you for that information. I have installed the optware version of iptables. I might throw a message to basmaf and see if it might include the install for it in his version of OTRW. _________________ E3000 22200M KongVPN K26
WRT600n v1.1 refirb mega 18767 BS K24 NEWD2 [not used]
WRT54G v2 16214 BS K24 [access point]
Try Dropbox for syncing files - get 2.5gb online for free by signing up.
Read! Peacock thread
*PLEASE* upgrade PAST v24SP1 or no support.
Posted: Sun Jan 25, 2015 18:33 Post subject: Re: ip6tables Script for TunnelBroker.net
unknown26 wrote:
Here is my final ip6tables script (note: this is for the Hurricane Electric Tunnelbroker)
Code:
# Allows you to access port forwards to internal computers with ipv4 WAN IP
iptables -t nat -I POSTROUTING -o br0 -s 192.168.1.0/24 -d 192.168.1.0/24 -j MASQUERADE
# Default rule DROP for all chains
ip6tables -P INPUT DROP
ip6tables -P OUTPUT DROP
ip6tables -P FORWARD DROP
# Prevent being a rh0 (routing header type 0) host (DROP before we could accept these buggy ones)
ip6tables -I INPUT -m rt --rt-type 0 -j DROP
ip6tables -I OUTPUT -m rt --rt-type 0 -j DROP
ip6tables -I FORWARD -m rt --rt-type 0 -j DROP
# Allow traffic on loopback interface
ip6tables -A INPUT -i lo -j ACCEPT
ip6tables -A OUTPUT -o lo -j ACCEPT
# Allow traffic from local host to the IPv6-tunnel
#ip6tables -A OUTPUT -o he-ipv6 -s 2001::/16 -j ACCEPT
#ip6tables -A INPUT -i he-ipv6 -d 2001::/16 -m state --state RELATED,ESTABLISHED -j ACCEPT
ip6tables -A OUTPUT -o tun6to4 -s 2001::/16 -j ACCEPT
ip6tables -A INPUT -i tun6to4 -d 2001::/16 -m state --state RELATED,ESTABLISHED -j ACCEPT
# Allow traffic from local network to local host
ip6tables -A OUTPUT -o br0 -j ACCEPT
ip6tables -A INPUT -i br0 -j ACCEPT
# Allow traffic from local network to tunnel (IPv6 world)
ip6tables -A FORWARD -i br0 -s 2001::/16 -j ACCEPT
#ip6tables -A FORWARD -i he-ipv6 -d 2001::/16 -m state --state RELATED,ESTABLISHED -j ACCEPT
ip6tables -A FORWARD -i tun6to4 -d 2001::/16 -m state --state RELATED,ESTABLISHED -j ACCEPT
# Allow some special ICMPv6 packettypes, do this in an extra chain because we need it everywhere
ip6tables -N AllowICMPs
# Destination unreachable
ip6tables -A AllowICMPs -p icmpv6 --icmpv6-type 1 -j ACCEPT
# Packet too big
ip6tables -A AllowICMPs -p icmpv6 --icmpv6-type 2 -j ACCEPT
# Time exceeded
ip6tables -A AllowICMPs -p icmpv6 --icmpv6-type 3 -j ACCEPT
# Parameter problem
ip6tables -A AllowICMPs -p icmpv6 --icmpv6-type 4 -j ACCEPT
# Echo Request (protect against flood)
ip6tables -A AllowICMPs -p icmpv6 --icmpv6-type 128 -m limit --limit 5/sec --limit-burst 10 -j ACCEPT
# Echo Reply
ip6tables -A AllowICMPs -p icmpv6 --icmpv6-type 129 -j ACCEPT
# Link in tables INPUT and FORWARD (in Output we allow everything anyway)
ip6tables -A INPUT -p icmpv6 -j AllowICMPs
ip6tables -A FORWARD -p icmpv6 -j AllowICMPs
#Allow Specific Port on all ipv6 devices in network
#ip6tables -A INPUT -p tcp --dport 21 -j ACCEPT
#ip6tables -A FORWARD -p tcp --dport 21 -j ACCEPT
#Allow Specific Port on specific ipv6 address in network
#ip6tables -A FORWARD -p tcp -d 1111:222:3333:555:6666:7777:8888:9999 --dport 21 -j ACCEPT
This script will provide protection and block all traffic from having direct access to your devices. However, devices from outside the network will be able to ping, as this script has ICMPv6 enabled. By default your computer won't have any open ports, so that's why I made a line that will open a port to your specific IPv6 address and a line that will open a specific port to all your devices.
1111:222:3333:555:6666:7777:8888:9999 - (This number being the ipv6 address of the computer)
--dport 21 - (21 Being the number of port to open)
Yes, it's all finished and complete.
I see duplicate entries three times for both of these interfaces:
- he-ipv6
- tun6to4
One is enough (it all depends on your interface name), right? So I've commented he-ipv6 out.
I've had issues with doing a DHCP renew, so that's why I've added accept dport 547 and 546 on br0. For the rest it looks great, thanks! TL-WDR4300 r25697 _________________ ATH TL-WDR4300 v1.3 41686 std K3.10 - router - JFFS2, DynDNS, DNSMasq (DHCP+DNS)
ATH WRT160NL v1.0 42132 std K3.10 - router
BRCM WRT160N v1.0 26635 vpn K2.4 - router
BRCM WRT320N v1.0 27858 mega K3.10 - access point
Joined: 13 Mar 2014 Posts: 856 Location: Montreal, QC
Posted: Sun Jan 25, 2015 20:36 Post subject:
Those rules seem a little wonky to me. There is no reason to filter the OUTPUT chain. No reason to filter local br0 traffic. Definitely no reason to filter lo.
The IPv6 address space in use today is not limited to 2001::/16.
For a simple ruleset, why not use the default webif iptables generated when you set up IPv6, and add forward echo requests and allow all traffic from br0 for INPUT?
Thanks, essentially you mean the IPv6 firewall script is currently provided by DD-WRT? I've checked ip6tables -L and it indeed lists some entries by default. ICMPv6 is filtered, however, when I test it: 17 out of 20 score on ipv6-test.com, or was it test-ipv6.com?
The first rule should allow echo requests and fix your ipv6-test.com test.
The second rule would allow LAN -> router IPv6 connectivity, e.g. allow SSH etc. from the LAN via IPv6.
I would consider this as a proper minimum ipv6 firewall ruleset. (Others may have differing opinions). You can then expand your ruleset from here.
*** edit: as an added benefit/hack, the basic ruleset has MSS clamping, which can be helpful with Google/YouTube due to a recurring PMTU issue that has affected some people since November.
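As an added example (not code from this thread and not DD-WRT's own generated rules), here is a minimal stateful ip6tables ruleset in the shape recommended two posts up: OUTPUT left open, lo and br0 unfiltered, no 2001::/16 source match, the ICMPv6 types needed for PMTUD and ping in a shared chain, neighbour/router discovery accepted on INPUT ahead of that chain so its final DROP cannot break on-link state, and the MSS clamping mentioned in the edit above. The interface names br0 and he-ipv6 are assumptions; set IP6T=echo to print the rules instead of loading them.

```shell
#!/bin/sh
# Added example (not DD-WRT's generated rules): a minimal stateful IPv6
# ruleset following the thread's advice. OUTPUT stays open, lo and br0 are
# not filtered, and no 2001::/16 restriction is applied, since global IPv6
# space is wider than that. Interface names are assumptions; adjust them.
IP6T="${IP6T:-ip6tables}"   # set IP6T=echo to print the rules instead of loading them
LAN="${LAN:-br0}"           # LAN/WLAN bridge
WAN6="${WAN6:-he-ipv6}"     # tunnel interface (tun6to4 on some builds)

ipv6_ruleset() {
    # Start from a clean slate; default-deny inbound and transit, allow outbound.
    $IP6T -F
    $IP6T -X
    $IP6T -t mangle -F
    $IP6T -P INPUT DROP
    $IP6T -P FORWARD DROP
    $IP6T -P OUTPUT ACCEPT

    # Never process or relay routing header type 0 (RH0 amplification).
    $IP6T -A INPUT -m rt --rt-type 0 -j DROP
    $IP6T -A FORWARD -m rt --rt-type 0 -j DROP

    # ICMPv6 that must pass end to end: destination unreachable (1), packet too
    # big (2, needed for PMTUD), time exceeded (3), parameter problem (4) and
    # unlimited echo request/reply (128/129). Anything else is dropped here.
    $IP6T -N AllowICMPs
    for t in 1 2 3 4 128 129; do
        $IP6T -A AllowICMPs -p icmpv6 --icmpv6-type "$t" -j ACCEPT
    done
    $IP6T -A AllowICMPs -j DROP

    # Router itself: loopback, anything from the LAN, replies to its own traffic
    # (use "-m state --state" instead of conntrack on old 2.4-era kernels).
    $IP6T -A INPUT -i lo -j ACCEPT
    $IP6T -A INPUT -i "$LAN" -j ACCEPT
    $IP6T -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # Neighbour/router discovery (133-136) and MLD (130-132, 143) are accepted
    # before the AllowICMPs chain so its final DROP cannot break on-link state.
    for t in 130 131 132 133 134 135 136 143; do
        $IP6T -A INPUT -p icmpv6 --icmpv6-type "$t" -j ACCEPT
    done
    $IP6T -A INPUT -p icmpv6 -j AllowICMPs

    # Transit: established flows both ways, the ICMPv6 set, and LAN-initiated
    # traffic to the tunnel from any source address.
    $IP6T -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IP6T -A FORWARD -p icmpv6 -j AllowICMPs
    $IP6T -A FORWARD -i "$LAN" -o "$WAN6" -j ACCEPT

    # The tunnel MTU is below 1500 (HE uses 1480); clamp the MSS so a PMTUD
    # black hole does not stall TCP sessions through the tunnel.
    $IP6T -t mangle -A FORWARD -o "$WAN6" -p tcp --tcp-flags SYN,RST SYN \
        -j TCPMSS --clamp-mss-to-pmtu
}

# Only load the rules when explicitly asked to, e.g. `sh ipv6-fw.sh apply`.
if [ "${1:-}" = "apply" ]; then
    ipv6_ruleset
fi
```

Ports for individual LAN hosts go into FORWARD between the ICMPv6 rule and the LAN-to-tunnel rule, matching on the host's address rather than the whole prefix; with the policy set to DROP there is no trailing DROP rule to insert ahead of, so plain -A keeps working.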
Thanks! icmpv6 is required for proper ipv6, right? Gonna test this tonight.
Like you say, it should be the base ruleset (meantime this would fix it).
Regarding "ip6tables -I INPUT 4 -i br0 -j ACCEPT" the other way around (ipv6 to ipv4) is in the base ipv4 ruleset incorporated normally?
A last question: when I want to open an IPv6 port in the firewall for a device (insert before the drop rule; does it work sequentially? INPUT and/or FORWARD chain?), should I open it for the whole routed IPv6 subnet, or is there a feature/technology (UPnP-like) to open the port for a specific IPv6 address (the IP address could change, and I'd preferably not want to administer this manually)?
PS/edit: what do you mean by your last sentence regarding "mss clamping"? Is this enabled by default (which line is it in my config)? HE uses 1480 by default, as far as I know.
Google: A workaround used by some routers is to change the maximum segment size (MSS) of all TCP connections passing through links with MTU lower than the Ethernet default of 1500. This is known as MSS clamping.
Joined: 13 Mar 2014 Posts: 856 Location: Montreal, QC
Posted: Tue Jan 27, 2015 16:11 Post subject:
gbonny wrote:
Regarding "ip6tables -I INPUT 4 -i br0 -j ACCEPT" the other way around (ipv6 to ipv4) is in the base ipv4 ruleset incorporated normally?
Not sure what you're trying to say. The above says:
ip6tables -I INPUT 4 (insert as rule 4 of the INPUT chain) -i br0 -j ACCEPT (ACCEPT all IPv6 traffic from the LAN & WLAN going to the router)
If you're asking whether the IPv4 ruleset allows all devices on LAN & WLAN to access the router, then the answer is yes. If that's not your question, then please rephrase it.
Quote:
A last question: when I want to open an IPv6 port in the firewall for a device (insert before the drop rule; does it work sequentially? INPUT and/or FORWARD chain?), should I open it for the whole routed IPv6 subnet, or is there a feature/technology (UPnP-like) to open the port for a specific IPv6 address (the IP address could change, and I'd preferably not want to administer this manually)?
iptables rules are processed sequentially. If you want to open a port for a specific device other than the router itself, then you would add it to the FORWARD chain. Ex
It would be bad practice to open a port for a full prefix. Always limit the rule to the specific device you want to access externally. For devices for which you want to open an IPv6 port, either assign that device a fixed address using DHCPv6 (preferably dnsmasq, but dhcp6s works perfectly well) or assign a static address directly on the device.
Personally I use a script that automates the process.
Quote:
PS/edit: what do you mean by your last sentence regarding "mss clamping"? Is this enabled by default (which line is it in my config)? HE uses 1480 by default, as far as I know.
Google: A workaround used by some routers is to change the maximum segment size (MSS) of all TCP connections passing through links with MTU lower than the Ethernet default of 1500. This is known as MSS clamping.
Yes it is enabled by default.
TCPMSS tcp anywhere anywhere tcp flags:SYN,RST/SYN TCPMSS clamp to PMTU
Thank you very much, that was exactly my question regarding LAN+WLAN IPv4 to br0 (unnecessary/silly question..).
I share your opinion that it's a bad idea to allow a port for a full prefix.
Gonna start with this in my FW Commands:
# Allow some special ICMPv6 packettypes, do this in an extra chain because we need it everywhere
ip6tables -N AllowICMPs
# Destination unreachable
ip6tables -A AllowICMPs -p icmpv6 --icmpv6-type 1 -j ACCEPT
# Packet too big
ip6tables -A AllowICMPs -p icmpv6 --icmpv6-type 2 -j ACCEPT
# Time exceeded
ip6tables -A AllowICMPs -p icmpv6 --icmpv6-type 3 -j ACCEPT
# Parameter problem
ip6tables -A AllowICMPs -p icmpv6 --icmpv6-type 4 -j ACCEPT
# Echo Request (protect against flood)
ip6tables -A AllowICMPs -p icmpv6 --icmpv6-type 128 -m limit --limit 5/sec --limit-burst 10 -j ACCEPT
# Echo Reply
ip6tables -A AllowICMPs -p icmpv6 --icmpv6-type 129 -j ACCEPT
# Link in tables INPUT and FORWARD (in Output we allow everything anyway)
ip6tables -I FORWARD 3 -p icmpv6 -j AllowICMPs
# Accept lan to router ipv6 connectivity
ip6tables -I INPUT 4 -i br0 -j ACCEPT
Is there something more useful to add?
I wonder why this isn't default where you can optionally tick in the GUI ICMPv6 type 128 and 129 for the router (INPUT) or the prefix (FORWARD).
Gonna read the UPNP doc, thx!
I'm able to ping6 my internal network from the Internet, however the score still shows up as 17 out of 20. SSH to my router on IPv6 works also, great!
Where xx is a line number before the DROP rule. -A would append the rule after the DROP rule. That being said, your two rules
ip6tables -A INPUT 4 -p icmpv6 -j AllowICMPs
ip6tables -A FORWARD 3 -p icmpv6 -j AllowICMPs
should also use insert (-I) and not append (-A).
Personally, for the INPUT ruleset I would not add
ip6tables -I INPUT 4 -p icmpv6 -j AllowICMPs
as that has the potential to interfere with basic ICMPv6 functionality needed by the router, such as RS/RA, NS/NA, etc. Just leave the existing default INPUT rule as is.
For your rule
ip6tables -A AllowICMPs -p icmpv6 --icmpv6-type 128 -m limit --limit 5/sec --limit-burst 10 -j ACCEPT
I would just use
ip6tables -A AllowICMPs -p icmpv6 --icmpv6-type 128 -j ACCEPT
Echo requests are used a lot with IPv6, and rate limiting, especially with limits that low, will most likely have unexpected consequences.
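Following the advice in the two posts above from Montreal (limit a forwarded port to the one device rather than the prefix, and insert with -I at a rule number before the DROP rather than appending with -A), here is an added example that does both in one step. It is not the poster's own automation script. It looks up the device's global address by MAC in the neighbour table and finds the first DROP in FORWARD from the --line-numbers listing; the neighbour-table and chain-listing samples are constructed for offline runs, and the script assumes the device keeps a stable address (a DHCPv6 lease or an EUI-64 SLAAC address), as recommended above.

```shell
#!/bin/sh
# Added example, not the poster's own script: open one port for one LAN
# device instead of the whole prefix, and insert the rule ahead of the first
# DROP in FORWARD so it is actually reached. The device is identified by MAC;
# its global address is read from the neighbour table (assumption: the device
# keeps a stable address, e.g. a DHCPv6 lease or an EUI-64 SLAAC address).
IP6T="${IP6T:-ip6tables}"   # set IP6T=echo to print the rule instead of loading it
LAN="${LAN:-br0}"

# Constructed sample of `ip -6 neigh show dev br0`. The same MAC owns a
# link-local and a global address; only the global one is useful here.
NEIGH_SAMPLE='fe80::1a2b:3cff:fe4d:5e6f lladdr 18:2b:3c:4d:5e:6f router STALE
2001:db8:1234:5678:1a2b:3cff:fe4d:5e6f lladdr 18:2b:3c:4d:5e:6f REACHABLE
2001:db8:1234:5678::10 lladdr aa:bb:cc:dd:ee:ff REACHABLE'

# Constructed sample of `ip6tables -L FORWARD -n --line-numbers`.
LIST_SAMPLE='Chain FORWARD (policy DROP)
num   target     prot opt source               destination
1     ACCEPT     all      ::/0                 ::/0                 ctstate RELATED,ESTABLISHED
2     AllowICMPs icmpv6   ::/0                 ::/0
3     ACCEPT     all      ::/0                 ::/0
4     DROP       all      ::/0                 ::/0'

# First global (non link-local) address whose lladdr matches the MAC.
# $1 = MAC (any case), stdin = neighbour table.
addr_for_mac() {
    awk -v mac="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" \
        '$1 !~ /^fe80:/ { for (i = 1; i < NF; i++) if ($i == "lladdr" && tolower($(i+1)) == mac) { print $1; exit } }'
}

# Rule number of the first DROP in a chain listing (empty if none). stdin = listing.
first_drop_rule() {
    awk '$2 == "DROP" { print $1; exit }'
}

# Accept new connections to $1 on $2/$3, inserted at position $4 (appended if $4 is empty).
open_port() {
    if [ -n "$4" ]; then
        $IP6T -I FORWARD "$4" -o "$LAN" -p "$2" -d "$1" --dport "$3" -m conntrack --ctstate NEW -j ACCEPT
    else
        $IP6T -A FORWARD -o "$LAN" -p "$2" -d "$1" --dport "$3" -m conntrack --ctstate NEW -j ACCEPT
    fi
}

# $1 = MAC, $2 = proto, $3 = port, $4 = neighbour table text, $5 = FORWARD listing text.
open_port_for_mac() {
    addr=$(printf '%s\n' "$4" | addr_for_mac "$1")
    if [ -z "$addr" ]; then
        echo "no global IPv6 address found for $1 on $LAN" >&2
        return 1
    fi
    open_port "$addr" "$2" "$3" "$(printf '%s\n' "$5" | first_drop_rule)"
}

# Live use on the router: `sh open6.sh apply 18:2b:3c:4d:5e:6f tcp 22`
if [ "${1:-}" = "apply" ]; then
    open_port_for_mac "$2" "$3" "$4" \
        "$(ip -6 neigh show dev "$LAN")" "$($IP6T -L FORWARD -n --line-numbers)"
fi
```

Two caveats: a host using privacy extensions has several global entries in the neighbour table and the first match may be a temporary address, which is why the fixed-address approach suggested above is the robust one; and "first DROP" will also stop at an earlier targeted DROP such as an RH0 rule, which only places the new rule a little higher than necessary.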
Chain OUTPUT (policy ACCEPT 184 packets, 15896 bytes)
pkts bytes target prot opt in out source destination
Chain AllowICMPs (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT icmpv6 * * ::/0 ::/0 ipv6-icmp type 1
0 0 ACCEPT icmpv6 * * ::/0 ::/0 ipv6-icmp type 2
0 0 ACCEPT icmpv6 * * ::/0 ::/0 ipv6-icmp type 3
0 0 ACCEPT icmpv6 * * ::/0 ::/0 ipv6-icmp type 4
7 704 ACCEPT icmpv6 * * ::/0 ::/0 ipv6-icmp type 128
0 0 ACCEPT icmpv6 * * ::/0 ::/0 ipv6-icmp type 129
0 0 DROP 0 * * ::/0 ::/0
I've added "ip6tables -A AllowICMPs -j DROP" at the end.
The -I: I figured that one out already.
And indeed I left this one out: "ip6tables -A INPUT 4 -p icmpv6 -j AllowICMPs".
The 17 out of 20 is a browser/client thing. Win[7,8.1] + latest Firefox gives 17 out of 20, Android 4.4 with the stock browser gives 19 out of 20; thanks for your assistance!
Config is now:
Quote:
# Allow some special ICMPv6 packettypes, do this in an extra chain because we need it everywhere
ip6tables -N AllowICMPs
# Destination unreachable
ip6tables -A AllowICMPs -p icmpv6 --icmpv6-type 1 -j ACCEPT
# Packet too big
ip6tables -A AllowICMPs -p icmpv6 --icmpv6-type 2 -j ACCEPT
# Time exceeded
ip6tables -A AllowICMPs -p icmpv6 --icmpv6-type 3 -j ACCEPT
# Parameter problem
ip6tables -A AllowICMPs -p icmpv6 --icmpv6-type 4 -j ACCEPT
# Echo Request (protect against flood)
#ip6tables -A AllowICMPs -p icmpv6 --icmpv6-type 128 -m limit --limit 5/sec --limit-burst 10 -j ACCEPT
ip6tables -A AllowICMPs -p icmpv6 --icmpv6-type 128 -j ACCEPT
# Echo Reply
ip6tables -A AllowICMPs -p icmpv6 --icmpv6-type 129 -j ACCEPT
# Drop the rest
ip6tables -A AllowICMPs -j DROP
# Link in tables INPUT and FORWARD (in Output we allow everything anyway)
ip6tables -I FORWARD 3 -p icmpv6 -j AllowICMPs
# Accept wlan lan to router ipv6 connectivity
ip6tables -I INPUT 4 -i br0 -j ACCEPT
Joined: 13 Mar 2014 Posts: 856 Location: Montreal, QC
Posted: Tue Jan 27, 2015 19:07 Post subject:
Without seeing the test result I would guess this is an IPv6 DNS issue, since Windows does not use the radvd rDNS entry.
If you set DNS entries in the IPv6 setup page, all you need to do is click on "enable dhcp6s", and IPv6 DNS will be pushed to your Windows clients, and they should get 19/20 as well.
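To show the mechanism behind the post above (radvd keeps handing out the prefix, dhcp6s only supplies DNS to clients that ignore the RA's RDNSS option), here is an added example that generates the two configuration files. It is not DD-WRT's generated configuration; the interface, prefix and DNS address are placeholders, and the dhcp6s syntax assumed is that of WIDE-DHCPv6's dhcp6s.conf.

```shell
#!/bin/sh
# Added example, not DD-WRT's generated configuration: radvd and dhcp6s
# (WIDE-DHCPv6) settings that let the two coexist. radvd keeps announcing the
# prefix for SLAAC and sets the "Other config" (O) flag, so clients that do
# not implement RDNSS send a stateless DHCPv6 Information-request and get the
# DNS servers from dhcp6s. Interface, prefix and DNS address are placeholders.
LAN="${LAN:-br0}"
PREFIX="${PREFIX:-2001:db8:1234:5678::/64}"
DNS6="${DNS6:-2001:db8:1234:5678::1}"

# radvd.conf: M flag off keeps addresses on SLAAC; O flag on sends clients to
# DHCPv6 for DNS; RDNSS still serves clients that understand RFC 6106.
radvd_conf() {
    cat <<EOF
interface $LAN {
    AdvSendAdvert on;
    AdvManagedFlag off;        # M flag off: addresses still come from SLAAC
    AdvOtherConfigFlag on;     # O flag on: fetch DNS via stateless DHCPv6
    prefix $PREFIX {
        AdvOnLink on;
        AdvAutonomous on;
    };
    RDNSS $DNS6 { };           # used by clients that implement RFC 6106
};
EOF
}

# dhcp6s.conf: no address pool at all, only the DNS option, so dhcp6s never
# competes with radvd for address assignment.
dhcp6s_conf() {
    cat <<EOF
option domain-name-servers $DNS6;
EOF
}

# Write both files into the directory given as $1.
write_configs() {
    radvd_conf > "$1/radvd.conf"
    dhcp6s_conf > "$1/dhcp6s.conf"
}

# Usage: `sh ra-dns.sh write /tmp/etc` then point radvd and dhcp6s at the files.
if [ "${1:-}" = "write" ]; then
    write_configs "${2:-/tmp}"
fi
```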
Can dhcp6s co-exist with RADVD?