Securing a DD-WRT v24-14896 NEWD-2 k2.6 IPv6 Asus RT-N16 Net

vprasad1@hotmail.com (DD-WRT Novice; Joined: 17 Jun 2006; Posts: 6)
PostPosted: Sun Nov 14, 2010 7:02    Post subject: Securing a DD-WRT v24-14896 NEWD-2 k2.6 IPv6 Asus RT-N16 Net
Still learning about ipv6 and was thinking going live would be a great way to get some hands on... until I heard that unlike with ipv4's NAT, setting up ipv6 on a home router is basically opening a direct connection to the ipv6 world with nothing in the way of protection-- so I disabled it for now.

I managed to set up ipv6 using 6RD tunneling as described on http://www.dd-wrt.com/wiki/index.php/IPv6#6rd -- the only thing I had to adjust was my WAN vlan to reflect my particular router's WAN vlan. As far as I could tell, it worked pretty well-- I was able to get to ipv6 sites just fine (til I disabled it due to the previously mentioned concerns), dancing Kame, etc.

I'm running one of the dd-wrt.v24-14896_NEWD-2_K2.6 builds. The directions provided here: http://www.dd-wrt.com/wiki/index.php/IPv6_on_v24 seem to provide links for ip6tables builds for Kernel versions 2.4.3x. In the dd-wrt router database, I don't see any dd-wrt Kernel 2.4 builds avail for my model.

So my questions:
What can I do to either my dd-wrt router or to my individual ipv6 hosts (varying operating systems: Ubuntu 10, Fedora 14, Mac OSX, Windows 7, Windows XP) to protect my network's hosts? Any dd-wrt builds with ipv6 firewalling (ip6tables) and SPI preinstalled? There's plenty of space on the RT-N16.

vprasad1@hotmail.com (DD-WRT Novice; Joined: 17 Jun 2006; Posts: 6)
PostPosted: Mon Nov 15, 2010 17:08
Plan of attack:


GUI: services/services
enable SSHd

GUI: administration/management
-enable ipv6
-enable jffs and first time users need to enable clean to format it for mounting

Verify Kernel:
SSH to the router and perform
uname -a
I'm using kernel 2.6.24.111; it already includes the ipv6 and sit modules in /lib/modules/2.6.24.111/kernel/net/ipv6/, so no action is needed there for me.

Figure out appropriate modules:
-I've seen many different posts from people indicating that 2.6.24.111 DD-WRT kernel should be ok to use 2.6.25 OpenWRT modules.

-My hardware uses the brcm47xx, so I'll be using the modules provided here; other folks may need to browse down from "8.09.2" for their appropriate hardware:
http://downloads.openwrt.org/kamikaze/8.09.2/brcm47xx/packages/

Force the installation of the ip6tables kernel module and the ip6tables application (it'll grumble about kernel dependency):
-SSH
ipkg -force-depends install http://downloads.openwrt.org/kamikaze/8.09.2/brcm47xx/packages/kmod-ip6tables_2.6.25.20-brcm47xx-1_mipsel.ipk
ipkg -force-depends install http://downloads.openwrt.org/kamikaze/8.09.2/brcm47xx/packages/ip6tables_1.4.0-1_mipsel.ipk

Verify the modules are installed:
ls /jffs/lib/modules/2.6.25.20/
ls /jffs/usr/lib/iptables/

-GUI: administration/commands/startup
insmod /jffs/lib/modules/2.6.25.20/ip6_tables.ko
insmod /jffs/lib/modules/2.6.25.20/ip6table_filter.ko
insmod /jffs/lib/modules/2.6.25.20/ip6t_multiport.ko
insmod /jffs/lib/modules/2.6.25.20/nf_conntrack_ipv6.ko
insmod /jffs/lib/modules/2.6.25.20/ip6t_rt.ko

Also in the administration/commands/startup, add and modify whatever tunneling config info is relevant from http://www.dd-wrt.com/wiki/index.php/IPv6

And lastly in the administration/commands/startup, add and modify whatever firewall rules are relevant from LV426 Sep23 post and Sep24 correction here http://www.dd-wrt.com/phpBB2/viewtopic.php?p=485980

If I've got the overview right, then it's a matter of getting past my sticking point with being unable to find ip6t_rt.ko, as it is missing from /jffs/lib/modules/2.6.25.20/; there is a libip6t_rt.so in /jffs/usr/lib/iptables/

Do I have to compile the kernel modules like Lazytom did in http://www.dd-wrt.com/phpBB2/viewtopic.php?p=485980 using the Development Wiki http://www.dd-wrt.com/wiki/index.php/Development ?

Or can I try the backfire compiled packages (http://downloads.openwrt.org/backfire/10.03/brcm47xx/packages/) which do indeed have the ip6t_rt.ko module?

vprasad1@hotmail.com (DD-WRT Novice; Joined: 17 Jun 2006; Posts: 6)
PostPosted: Mon Nov 15, 2010 21:52
Okay, what I ended up doing:

1) GUI: Services/Services
enable SSHd

2) GUI: Administration/Management
-enable ipv6
-enable jffs and first time users need to enable clean to format it for mounting

3) ssh to router then created the directory to place the modules
Code:
 mkdir -p /jffs/lib/modules/2.6.24.111/


4) download & extract LazyTom's precompiled 2.6.24.111 ip6tables kernel modules for brcm47xx routers and get those .ko files into the /jffs/lib/modules/2.6.24.111/ directory. How it's done is up to individual tastes; I chose to download to my desktop, then extract and then do an SCP from the desktop:
Code:

cd ipv6_2.6.24.111_mipsel_kernel_modules
scp -rp * root@192.168.1.1:/jffs/lib/modules/2.6.24.111


5) I grabbed the relevant startup script for me from the ipv6 tutorial page-- I'm on Comcast, using 6rd and added the insertion of the nf_conntrack_ipv6 and ip6t_rt modules-- and then entered it into my GUI's Administration / Commands / Startup
Code:

insmod /jffs/lib/modules/2.6.24.111/ip6_tables.ko
insmod /jffs/lib/modules/2.6.24.111/ip6table_filter.ko
insmod /jffs/lib/modules/2.6.24.111/ip6t_multiport.ko
insmod /jffs/lib/modules/2.6.24.111/nf_conntrack_ipv6.ko
insmod /jffs/lib/modules/2.6.24.111/ip6t_rt.ko
sleep 5
# Comcast's 6rd border relay; the first "Address" line nslookup prints is the DNS server itself, so skip it
HOST6RD=$(nslookup 6rd.comcast.net |grep "Address"|awk '{ print $3 }'|grep -v 192.168.1.1 -m1)
WANIP=$(ip -4 addr show dev vlan2 | grep 'inet ' | awk '{print $2}' | cut -d/ -f1)
if [ -n "$WANIP" ]
then
# 6rd prefix 2001:55c::/32 followed by the full 32-bit WAN address is this site's /64
V6PREFIX=$(printf '2001:55c:%02x%02x:%02x%02x' $(echo $WANIP | tr . ' '))
ip tunnel add tun6rd mode sit ttl 255 remote any local $WANIP
ip link set tun6rd mtu 1280
ip link set tun6rd up
ip addr add $V6PREFIX:0::1/32 dev tun6rd
ip addr add $V6PREFIX:1::1/64 dev br0
ip -6 route add 2000::/3 via ::$HOST6RD dev tun6rd
# write the radvd config before (re)starting radvd; a HUP sent first would reload the stale file
echo "interface br0 { \
MinRtrAdvInterval 3; MaxRtrAdvInterval 10; AdvLinkMTU 1280; AdvSendAdvert on; \
prefix $V6PREFIX::/64 { AdvOnLink on; AdvAutonomous on; AdvValidLifetime 86400; \
AdvPreferredLifetime 86400; }; };" \
> /tmp/radvd.conf
# reload a running radvd, otherwise start it; starting it a second time fails
if [ -f /var/run/radvd.pid ]
then
kill -HUP $(cat /var/run/radvd.pid)
else
radvd -C /tmp/radvd.conf start
fi
fi


6) Back on the router, I downloaded and installed the ip6tables program from the 7.09 open-wrt brcm47xx compiled packages
Code:
ipkg -force-depends install http://downloads.openwrt.org/kamikaze/7.09/brcm47xx-2.6/packages/ip6tables_1.3.7-1_mipsel.ipk


7) I entered lv426's rules and the followup edit into my GUI's Administration / Commands / Firewall, making the following modifications
a) to the prefix to reflect Comcast's use of 2001:: instead of 2002::
b) to the tunnel name to reflect Comcast's tun6rd instead of the tun6to4
c) to the beginning to set the ip6tables path

Code:

#set path variables
export IP6TABLES_LIB_DIR=/jffs/usr/lib/iptables
PATH="$PATH":/jffs/usr/sbin

# Default rule DROP for all chains
ip6tables -P INPUT DROP
ip6tables -P OUTPUT DROP
ip6tables -P FORWARD DROP

# Prevent being a rh0 (routing header type 0) host (DROP before we could accept these buggy ones)
ip6tables -I INPUT -m rt --rt-type 0 -j DROP
ip6tables -I OUTPUT -m rt --rt-type 0 -j DROP
ip6tables -I FORWARD -m rt --rt-type 0 -j DROP

# Allow traffic on loopback interface
ip6tables -A INPUT -i lo -j ACCEPT
ip6tables -A OUTPUT -o lo -j ACCEPT

# Allow traffic from local host to the IPv6-tunnel
ip6tables -A OUTPUT -o tun6rd -s 2001::/16 -j ACCEPT
ip6tables -A INPUT -i tun6rd -d 2001::/16 -m state --state RELATED,ESTABLISHED -j ACCEPT

# Allow traffic from local network to local host
ip6tables -A OUTPUT -o br0 -j ACCEPT
ip6tables -A INPUT -i br0 -j ACCEPT

# Allow traffic from local network to tunnel (IPv6 world)
ip6tables -A FORWARD -i br0 -s 2001::/16 -j ACCEPT
ip6tables -A FORWARD -i tun6rd -d 2001::/16 -m state --state RELATED,ESTABLISHED -j ACCEPT

# Allow some special ICMPv6 packettypes, do this in an extra chain because we need it everywhere
ip6tables -N AllowICMPs
# Destination unreachable
ip6tables -A AllowICMPs -p icmpv6 --icmpv6-type 1 -j ACCEPT
# Packet too big
ip6tables -A AllowICMPs -p icmpv6 --icmpv6-type 2 -j ACCEPT
# Time exceeded
ip6tables -A AllowICMPs -p icmpv6 --icmpv6-type 3 -j ACCEPT
# Parameter problem
ip6tables -A AllowICMPs -p icmpv6 --icmpv6-type 4 -j ACCEPT
# Echo Request (protect against flood)
ip6tables -A AllowICMPs -p icmpv6 --icmpv6-type 128 -m limit --limit 5/sec --limit-burst 10 -j ACCEPT
# Echo Reply
ip6tables -A AllowICMPs -p icmpv6 --icmpv6-type 129 -j ACCEPT
# Link in tables INPUT and FORWARD (in Output we allow everything anyway)
ip6tables -A INPUT -p icmpv6 -j AllowICMPs
ip6tables -A FORWARD -p icmpv6 -j AllowICMPs



My only issue now is when I login and do an ip6tables -L, I see the following:
Code:

root@myrouter:~# ip6tables -L
Chain INPUT (policy DROP)
target     prot opt source               destination
DROP       all      anywhere             anywhere           UNKNOWN match `rt' [8 bytes of unknown target data]
DROP       all      anywhere             anywhere           UNKNOWN match `rt' [8 bytes of unknown target data]
DROP       all      anywhere             anywhere           UNKNOWN match `rt' [8 bytes of unknown target data]
DROP       all      anywhere             anywhere           UNKNOWN match `rt' [8 bytes of unknown target data]
ACCEPT     all      anywhere             anywhere           [8 bytes of unknown target data]
ACCEPT     all      anywhere             anywhere           [8 bytes of unknown target data]
ACCEPT     all      anywhere             anywhere           [8 bytes of unknown target data]
ACCEPT     all      anywhere             2001::/16          UNKNOWN match `state' [8 bytes of unknown target data]
ACCEPT     all      anywhere             anywhere           [8 bytes of unknown target data]
ip6tables v1.3.7: Couldn't load target `standard':File not found

Try `ip6tables -h' or 'ip6tables --help' for more information.


Which is odd given that I've already specified the path at the beginning of the firewalls settings. So, I go ahead and re-enter the IP6TABLES_LIB_DIR variable and now I can see how the rules are being applied:
Code:

root@myrouter:~# export IP6TABLES_LIB_DIR=/jffs/usr/lib/iptables
root@myrouter:~# ip6tables -L
Chain INPUT (policy DROP)
target     prot opt source               destination
DROP       all      anywhere             anywhere           rt type:0
DROP       all      anywhere             anywhere           rt type:0
DROP       all      anywhere             anywhere           rt type:0
DROP       all      anywhere             anywhere           rt type:0
ACCEPT     all      anywhere             anywhere
ACCEPT     all      anywhere             anywhere
ACCEPT     all      anywhere             anywhere
ACCEPT     all      anywhere             2001::/16          state RELATED,ESTABLISHED
ACCEPT     all      anywhere             anywhere
AllowICMPs  ipv6-icmp    anywhere             anywhere
AllowICMPs  ipv6-icmp    anywhere             anywhere
ACCEPT     all      anywhere             anywhere
ACCEPT     all      anywhere             2001::/16          state RELATED,ESTABLISHED
ACCEPT     all      anywhere             anywhere
AllowICMPs  ipv6-icmp    anywhere             anywhere
ACCEPT     all      anywhere             anywhere
ACCEPT     all      anywhere             2001::/16          state RELATED,ESTABLISHED
ACCEPT     all      anywhere             anywhere
AllowICMPs  ipv6-icmp    anywhere             anywhere

Chain FORWARD (policy DROP)
target     prot opt source               destination
DROP       all      anywhere             anywhere           rt type:0
DROP       all      anywhere             anywhere           rt type:0
DROP       all      anywhere             anywhere           rt type:0
DROP       all      anywhere             anywhere           rt type:0
ACCEPT     all      2001::/16            anywhere
ACCEPT     all      anywhere             2001::/16          state RELATED,ESTABLISHED
ACCEPT     all      2001::/16            anywhere
ACCEPT     all      anywhere             2001::/16          state RELATED,ESTABLISHED
AllowICMPs  ipv6-icmp    anywhere             anywhere
ACCEPT     all      2001::/16            anywhere
ACCEPT     all      anywhere             2001::/16          state RELATED,ESTABLISHED
AllowICMPs  ipv6-icmp    anywhere             anywhere
ACCEPT     all      2001::/16            anywhere
ACCEPT     all      anywhere             2001::/16          state RELATED,ESTABLISHED
AllowICMPs  ipv6-icmp    anywhere             anywhere

Chain OUTPUT (policy DROP)
target     prot opt source               destination
DROP       all      anywhere             anywhere           rt type:0
DROP       all      anywhere             anywhere           rt type:0
DROP       all      anywhere             anywhere           rt type:0
DROP       all      anywhere             anywhere           rt type:0
ACCEPT     all      anywhere             anywhere
ACCEPT     all      2001::/16            anywhere
ACCEPT     all      anywhere             anywhere
ACCEPT     all      anywhere             anywhere
ACCEPT     all      2001::/16            anywhere
ACCEPT     all      anywhere             anywhere
ACCEPT     all      anywhere             anywhere
ACCEPT     all      2001::/16            anywhere
ACCEPT     all      anywhere             anywhere
ACCEPT     all      anywhere             anywhere
ACCEPT     all      2001::/16            anywhere
ACCEPT     all      anywhere             anywhere

Chain AllowICMPs (7 references)
target     prot opt source               destination
ACCEPT     ipv6-icmp    anywhere             anywhere           ipv6-icmp destination-unreachable
ACCEPT     ipv6-icmp    anywhere             anywhere           ipv6-icmp packet-too-big
ACCEPT     ipv6-icmp    anywhere             anywhere           ipv6-icmp time-exceeded
ACCEPT     ipv6-icmp    anywhere             anywhere           ipv6-icmp packet-too-big
ACCEPT     ipv6-icmp    anywhere             anywhere           ipv6-icmp parameter-problem
ACCEPT     ipv6-icmp    anywhere             anywhere           ipv6-icmp time-exceeded
ACCEPT     ipv6-icmp    anywhere             anywhere           ipv6-icmp parameter-problem
ACCEPT     ipv6-icmp    anywhere             anywhere           ipv6-icmp echo-request limit: avg 5/sec burst 10
ACCEPT     ipv6-icmp    anywhere             anywhere           ipv6-icmp echo-request limit: avg 5/sec burst 10
ACCEPT     ipv6-icmp    anywhere             anywhere           ipv6-icmp echo-reply
ACCEPT     ipv6-icmp    anywhere             anywhere           ipv6-icmp echo-reply
ACCEPT     ipv6-icmp    anywhere             anywhere           ipv6-icmp destination-unreachable
ACCEPT     ipv6-icmp    anywhere             anywhere           ipv6-icmp packet-too-big
ACCEPT     ipv6-icmp    anywhere             anywhere           ipv6-icmp time-exceeded
ACCEPT     ipv6-icmp    anywhere             anywhere           ipv6-icmp parameter-problem
ACCEPT     ipv6-icmp    anywhere             anywhere           ipv6-icmp echo-request limit: avg 5/sec burst 10
ACCEPT     ipv6-icmp    anywhere             anywhere           ipv6-icmp echo-reply
ACCEPT     ipv6-icmp    anywhere             anywhere           ipv6-icmp destination-unreachable
ACCEPT     ipv6-icmp    anywhere             anywhere           ipv6-icmp packet-too-big
ACCEPT     ipv6-icmp    anywhere             anywhere           ipv6-icmp time-exceeded
ACCEPT     ipv6-icmp    anywhere             anywhere           ipv6-icmp parameter-problem
ACCEPT     ipv6-icmp    anywhere             anywhere           ipv6-icmp echo-request limit: avg 5/sec burst 10
ACCEPT     ipv6-icmp    anywhere             anywhere           ipv6-icmp echo-reply
root@myrouter:~#


So my question-- is the inability of the root user to see the output from the iptables -L a cosmetic one, or are the rules not being enforced until I
Code:
export IP6TABLES_LIB_DIR=/jffs/usr/lib/iptables
the second time?

vprasad1@hotmail.com (DD-WRT Novice; Joined: 17 Jun 2006; Posts: 6)
PostPosted: Tue Nov 16, 2010 2:24
Added an

Code:
ip6tables -F


to flush tables before the first ip6tables statement in the firewall setup.
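An added example for this thread, not the wiki's script and not lv426's rules: the same policy restructured so that it can be re-run safely (DD-WRT executes the Firewall script again on every WAN event, which is what produces the repeated rt-type rules and the growing reference count in the listing above; -F alone does not remove the user chain), with the Neighbor Discovery types 133 to 137 that docbill asks about further down handled per interface, egress anti-spoofing on the site's own prefix instead of 2001::/16, and a dry-run mode so the generated rules can be reviewed off the router. The interface names tun6rd and br0, the /jffs paths, the management ports in LAN_TCP, the DRY_RUN variable and the placeholder prefix 2001:db8::/64 are assumptions to replace. The "UNKNOWN match" and "Couldn't load target" messages in the previous post are ip6tables failing to find its display plugins under IP6TABLES_LIB_DIR in the login shell; the rules it fails to decode are still in the kernel and still enforced, which tables_loaded() checks from the kernel side rather than through the user-space tool.

```shell
#!/bin/sh
# Added example for this thread, not the wiki's or lv426's script.  An
# ip6tables policy for the 6rd/6to4 router described above that can be
# re-run safely and that handles Neighbor Discovery explicitly.
# Assumptions to adjust: tunnel tun6rd, LAN bridge br0, the site's own
# prefix in PREFIX6 (2001:db8::/64 is only the documentation placeholder),
# management ports in LAN_TCP, ip6tables and its plugins under /jffs.
# DRY_RUN=1 prints the rules instead of applying them.
export IP6TABLES_LIB_DIR="${IP6TABLES_LIB_DIR:-/jffs/usr/lib/iptables}"
PATH="$PATH:/jffs/usr/sbin"

WAN6="${WAN6:-tun6rd}"
LAN6="${LAN6:-br0}"
PREFIX6="${PREFIX6:-2001:db8::/64}"   # assumption: replace with your delegated prefix
LAN_TCP="${LAN_TCP:-22 80}"           # ssh and the web GUI, reachable from the LAN only

ip6t() {
    if [ "${DRY_RUN:-0}" = 1 ]; then echo "ip6tables $*"; else ip6tables "$@"; fi
}

reset_tables() {
    # DD-WRT runs the Firewall script again on every WAN event.  -F alone
    # keeps user chains, so -N fails and rules pile up on each run; -X
    # removes the user chains so the policy is rebuilt from scratch.
    ip6t -F
    ip6t -X
    ip6t -Z
    ip6t -P INPUT DROP
    ip6t -P OUTPUT DROP
    ip6t -P FORWARD DROP
}

apply_firewall() {
    reset_tables

    # Type 0 routing headers: drop in every chain before anything accepts.
    for chain in INPUT OUTPUT FORWARD; do
        ip6t -A "$chain" -m rt --rt-type 0 -j DROP
    done
    ip6t -A INPUT -i lo -j ACCEPT
    ip6t -A OUTPUT -o lo -j ACCEPT

    # ICMPv6 needed from anywhere: the error types and rate-limited echo.
    ip6t -N AllowICMPs
    for t in 1 2 3 4; do   # unreachable, packet-too-big, time-exceeded, parameter-problem
        ip6t -A AllowICMPs -p icmpv6 --icmpv6-type "$t" -j ACCEPT
    done
    ip6t -A AllowICMPs -p icmpv6 --icmpv6-type 128 -m limit --limit 5/sec --limit-burst 10 -j ACCEPT
    ip6t -A AllowICMPs -p icmpv6 --icmpv6-type 129 -j ACCEPT

    # Neighbor Discovery only on the LAN: the sit tunnel is point-to-point and
    # carries none.  The router is the one sending RAs (134) and redirects (137);
    # it never accepts them from anyone, so those are dropped explicitly.
    for t in 133 135 136; do   # router solicitation, neighbor solicitation/advertisement
        ip6t -A INPUT -i "$LAN6" -p icmpv6 --icmpv6-type "$t" -j ACCEPT
    done
    for t in 134 137; do
        ip6t -A INPUT -p icmpv6 --icmpv6-type "$t" -j DROP
    done
    ip6t -A INPUT -p icmpv6 -j AllowICMPs
    ip6t -A FORWARD -p icmpv6 -j AllowICMPs

    # Router <-> LAN: management ports from inside, anything from the router out.
    for port in $LAN_TCP; do
        ip6t -A INPUT -i "$LAN6" -p tcp --dport "$port" -j ACCEPT
    done
    ip6t -A OUTPUT -o "$LAN6" -j ACCEPT

    # Router <-> tunnel: only the site's own prefix leaves, only replies come back.
    ip6t -A OUTPUT -o "$WAN6" -s "$PREFIX6" -j ACCEPT
    ip6t -A INPUT -i "$WAN6" -d "$PREFIX6" -m state --state RELATED,ESTABLISHED -j ACCEPT

    # LAN <-> tunnel: egress anti-spoofing on the source, stateful return path.
    ip6t -A FORWARD -i "$LAN6" -o "$WAN6" -s "$PREFIX6" -j ACCEPT
    ip6t -A FORWARD -i "$WAN6" -o "$LAN6" -d "$PREFIX6" -m state --state RELATED,ESTABLISHED -j ACCEPT
}

# Enforcement does not depend on the user-space plugins that "ip6tables -L"
# needs for display: the kernel itself lists the ip6 tables it has loaded.
tables_loaded() {   # usage: tables_loaded [FILE]; FILE defaults to the real proc entry
    grep -qx filter "${1:-/proc/net/ip6_tables_names}"
}

if [ "${1:-}" = apply ]; then apply_firewall; fi
```

Run it as `sh fw6.sh apply` from the Firewall box, or `DRY_RUN=1 sh -c '. ./fw6.sh; apply_firewall'` on any machine to read the rule list it would install; `tables_loaded && echo filter table present` answers the "cosmetic or not enforced" question without relying on the display plugins at all.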

disstopic (DD-WRT Novice; Joined: 09 Mar 2010; Posts: 9)
PostPosted: Mon Nov 22, 2010 0:46
Running wrt610nv2, brainslayer mega build 15747, kernel 2.6.24.111

Do you know if ip6tables can be installed on /mnt or /opt, instead of JFFS? I have a USB stick attached for optware, but have not enabled JFFS.

I've been following a mangled version of your instructions. I got as far as step 6, however the ipkg would not install the ip6tables package stating read only file system. So I extracted the files from the ipk and scp'ed them into the appropriate directories under /opt.

I also copied LazyTom's kernel modules to a directory on /mnt, and made the appropriate changes to the script.

What I've found is that upon reboot, the kernel modules don't seem to load. However if I manually run those insmod commands from the command line, they all work and load with the exception of ip6t_multiport.ko, which isn't a part of LazyTom's package, and I don't know where to get it from.

Continuing on, ip6tables runs, ip6tables -L shows an empty rule table, and it blocks all access to ipv6 sites. But running the script to set up the firewall (again slightly modified as I'm using 6to4) I'm getting:

ip6tables v1.3.7: Couldn't load match `rt':File not found

or similar for most commands in the script.

Any help or ideas would be greatly appreciated.

vprasad1@hotmail.com (DD-WRT Novice; Joined: 17 Jun 2006; Posts: 6)
PostPosted: Mon Nov 22, 2010 8:07
not sure about the /mnt or /opt installation

have you verified with an lsmod that your modules are indeed loaded by the kernel?

also, have you adjusted the following firewall lines to reflect the correct directories of your installation?

Code:

#set path variables
export IP6TABLES_LIB_DIR=/jffs/usr/lib/iptables
PATH="$PATH":/jffs/usr/sbin


I noticed this in LazyTom's code:
Code:

# set bash profile of user root
echo "export IP6TABLES_LIB_DIR=/jffs/usr/lib/iptables" >> /tmp/root/.profile

which may be what I was missing in my previous post and what you may need to tweak for yourself. Hopefully it's what you needed.

disstopic (DD-WRT Novice; Joined: 09 Mar 2010; Posts: 9)
PostPosted: Thu Nov 25, 2010 3:50
Thanks for your advice. I have come a long way since my previous post.

Indeed, for this to work, my USB key had to be mounted on /jffs. Optware can be installed as well, under /jffs/opt, and it works fine.

My guess is the way or order things are mounted when using the Optware The Right Way approach. Perhaps /mnt and /opt are not mounted prior to the startup commands being executed.

Having the USB key mounted on /jffs allowed step 6, the installation of the ip6tables package, to work perfectly, and resolved all of the missing dependencies and rt errors.

I am not sure either why the export of the IP6TABLES_LIB_DIR is not sticking for subsequent SSH sessions, although it certainly sticks during the execution of the firewall commands. I found that if I simply executed the export as the first command in an SSH session, ip6tables -L would give the correct output.

IPv6 all working now. As I'm using 6to4, the scripts are as follows:

Startup Command:
Code:
insmod /lib/modules/`uname -r`/kernel/net/ipv6/ipv6.ko
insmod /lib/modules/`uname -r`/kernel/net/ipv6/sit.ko
insmod /jffs/lib/modules/2.6.24.111/ip6_tables.ko
insmod /jffs/lib/modules/2.6.24.111/ip6table_filter.ko
insmod /jffs/lib/modules/2.6.24.111/ip6t_multiport.ko
insmod /jffs/lib/modules/2.6.24.111/nf_conntrack_ipv6.ko
insmod /jffs/lib/modules/2.6.24.111/ip6t_rt.ko
sleep 5
radvd -C /tmp/radvd.conf start
sleep 5
WANIP=$(ip -4 addr show dev vlan2 | grep 'inet ' | awk '{print $2}' | cut -d/ -f1)
if [ -n "$WANIP" ]
then
V6PREFIX=$(printf '2002:%02x%02x:%02x%02x' $(echo $WANIP | tr . ' '))
ip tunnel add tun6to4 mode sit ttl 255 remote any local $WANIP
ip link set tun6to4 mtu 1480
ip link set tun6to4 up
ip addr add $V6PREFIX:0::1/16 dev tun6to4
ip addr add $V6PREFIX:1::1/64 dev br0
ip -6 route add 2000::/3 via ::192.88.99.1 dev tun6to4
kill -HUP $(cat /var/run/radvd.pid)
fi
sleep 10
# radvd was already started above and reloaded with the HUP; a second start fails, so only start it if it is not running
[ -f /var/run/radvd.pid ] || radvd -C /tmp/radvd.conf start


Radvd Config:
Code:
interface br0 {
  MinRtrAdvInterval 3;
  MaxRtrAdvInterval 10;
  AdvLinkMTU 1480;
  AdvSendAdvert on;
  prefix 0:0:0:1::/64 {
    AdvOnLink on;
    AdvAutonomous on;
    AdvValidLifetime 86400;
    AdvPreferredLifetime 86400;
    Base6to4Interface vlan2;
  };
};


Firewall:
Same as vprasad1's above
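An added example, not from either poster's script, that generalizes the one-line printf used to build V6PREFIX in vprasad1's 6rd startup above and in disstopic's 6to4 version: the 6rd derivation from RFC 5969, where the delegated prefix is the ISP's 6rd prefix followed by the WAN IPv4 address with its first IPv4MaskLen bits removed. Comcast's trial (2001:55c::/32, mask 0) and 6to4 (2002::/16, mask 0) are the two cases on this page; an ISP that owns its customers' IPv4 block can set a non-zero mask and hand out a shorter prefix, which the printf trick cannot express. The function names, the argument order and the requirement that the 6rd prefix be written as its leading groups (e.g. "2001:55c::") are this example's own conventions; it needs 64-bit shell arithmetic, which bash, dash and the usual busybox ash builds provide.

```shell
#!/bin/sh
# Added example, not from either poster's script: the prefix derivation that
# the hard-coded printf lines above perform, as a general 6rd function.
# RFC 5969: delegated prefix = 6rd prefix followed by the WAN IPv4 address
# with its first IPv4MaskLen bits removed (the ISP already knows those).
# 6to4 is the special case 2002::/16 with mask 0.  Needs 64-bit shell
# arithmetic (bash, dash, busybox ash with 64-bit math); delegated prefixes
# longer than /64 are rejected because only the top 64 bits are computed.
# The 6rd prefix is passed as its leading groups, e.g. "2001:55c::".

ip4_to_int() {   # "73.2.3.4" -> 1224868612
    oldifs=$IFS; IFS=.
    set -- $1
    IFS=$oldifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

pfx_to_int() {   # leading 64 bits of "2001:55c::" as an integer
    v=0; n=0
    for g in $(echo "$1" | tr ':' ' '); do
        v=$(( (v << 16) | 0x$g )); n=$(( n + 1 ))
    done
    [ "$n" -le 4 ] || return 1
    echo $(( v << (16 * (4 - n)) ))
}

# usage: sixrd_prefix 6RD_PREFIX 6RD_PREFIX_LEN IPV4_MASK_LEN WAN_IPV4
# prints the delegated prefix as "h:h:h:h/len", e.g. "2001:55c:4902:304/64",
# in the same compact form the startup scripts above build for V6PREFIX.
sixrd_prefix() {
    plen=$2; mask=$3
    if [ "$mask" -lt 0 ] || [ "$mask" -gt 32 ]; then
        echo "IPv4 mask length must be 0..32" >&2; return 1
    fi
    keep=$(( 32 - mask ))          # IPv4 bits that end up in the prefix
    dlen=$(( plen + keep ))        # delegated prefix length
    if [ "$dlen" -gt 64 ]; then
        echo "delegated prefix /$dlen is longer than /64" >&2; return 1
    fi
    base=$(pfx_to_int "$1") || return 1
    ip4=$(ip4_to_int "$4")
    suffix=$(( ip4 & ((1 << keep) - 1) ))      # drop the masked-out leading bits
    v=$(( base | (suffix << (64 - dlen)) ))    # place the rest right after the 6rd prefix
    printf '%x:%x:%x:%x/%d\n' $(( (v >> 48) & 0xffff )) $(( (v >> 32) & 0xffff )) \
        $(( (v >> 16) & 0xffff )) $(( v & 0xffff )) "$dlen"
}
```

In the Comcast startup script `V6PREFIX=$(sixrd_prefix 2001:55c:: 32 0 "$WANIP" | cut -d/ -f1)` yields exactly what the printf line produces, and `sixrd_prefix 2002:: 16 0 "$WANIP"` reproduces the 6to4 case with its /48; the relay is still reached through the IPv4-compatible address `::A.B.C.D` as in both scripts.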

matt3D (DD-WRT Novice; Joined: 12 Jan 2011; Posts: 3)
PostPosted: Wed Jan 12, 2011 9:43
Hello vprasad1, I am stuck at step 6 and I also have a rt-n16. I am having issues installing iptables. Everything else is fine, I believe. I attached a screen shot of my putty window. Thanks for your help and all of your great information, I have comcast and I would like to try ipv6 with iptables.

fnord42 (DD-WRT Novice; Joined: 12 Jan 2011; Posts: 12)
PostPosted: Wed Jan 12, 2011 18:40
matt3D: I'm in a similar position currently with the same hardware. What I can tell you so far is this:
a) The old kmod package from OpenWRT won't work because of the magic version encoded in the modules. You need to build them yourself or pick a tarball from another thread.
http://www.dd-wrt.com/phpBB2/download.php?id=16285


b) Running into the "ip6tables v1.4.0: Couldn't load target `standard':File not found" is where I'm currently at. After installing strace I'm sure it's because of a missing "libip6t_standard.so". I still try to find out in which openwrt package this one is included. If someone has a hint that would be great.
edit: Too easy - it's in the iptables package, bah my fault. Now just some proto matching support is missing ...

matt3D (DD-WRT Novice; Joined: 12 Jan 2011; Posts: 3)
PostPosted: Thu Jan 13, 2011 7:39
fnord42 wrote:
matt3D: I'm in a similar position currently with the same hardware. What I can tell you so far is this:
a) The old kmod package from OpenWRT won't work because of the magic version encoded in the modules. You need to build them yourself or pick a tarball from another thread.
http://www.dd-wrt.com/phpBB2/download.php?id=16285


b) Running into the "ip6tables v1.4.0: Couldn't load target `standard':File not found" is where I'm currently at. After installing strace I'm sure it's because of a missing "libip6t_standard.so". I still try to find out in which openwrt package this one is included. If someone has a hint that would be great.
edit: Too easy - it's in the iptables package, bah my fault. Now just some proto matching support is missing ...

Hi Fnord42,
Thanks for your help, but could you explain to me how to build the package? I do not have a lot of experience with the linux operating system.
Have a great day.
-Matt

fnord42 (DD-WRT Novice; Joined: 12 Jan 2011; Posts: 12)
PostPosted: Thu Jan 13, 2011 10:49
Hi,
let's see if I can explain it step by step for non-unix people. Though I'm not convinced that people should run slightly hackish systems on the internet without understanding what they do. Especially the IPv6 internet is still very calm and easy going. Would be a pity if it changed soon. Though in the name of IPv6 adoption - let's go and try it ...

On your usual workstation:
a) Download the file from the link posted above. You should end up with ipv6_2.6.24.111_mipsel_kernel_modules.tgz

b) Unpack it. You should end up with a bunch of .ko files. Those are the kernel modules you need.


On your router/DD-WRT box:
c) Create a semi standard directory for your kernel modules:
mkdir -p /jffs/lib/modules/2.6.24.111

On your workstation:
d) scp the files over to the created directory, if you use windows I guess you will use filezilla or something like that.

Back on your router:
e) Now you should be able to load the kernel modules with the insmod command. E.g.
cd /jffs/lib/modules/2.6.24.111
insmod ip6_tables.ko
insmod ip6table_filter.ko
insmod nf_conntrack_ipv6.ko


f) Now run lsmod to see if they're listed in the output. If not something is wrong. Though hard to tell what as long as you don't get an error message. ;)

That's the kernel space. Now for the user space.
At least the currently recommended build 149xx is very close to OpenWRT's kamikaze release so that's what I'm currently using for userspace packages.

You can find the packages here:
http://downloads.openwrt.org/kamikaze/8.09.2/brcm47xx/packages/

To the best of my current knowledge you've to install the following:
ip6tables
iptables-mod-conntrack
iptables-mod-filter
iptables

a) Download all the corresponding .ipk packages to your router. If you have enough space (on an RT-N16 you have a lot), wget them directly to e.g. /jffs/tmp.

b) Install them (from the directory where you downloaded them) with ipkg -d root install *.ipk. That will take a while.

c) ip6tables -vxL should now give you the empty default tables INPUT FORWARD and OUTPUT.

Now, face it, the userspace layout on OpenWRT is a bit different, so we have to use some environment variables to get it fixed.

d) export IP6TABLES_LIB_DIR=/jffs/usr/lib/iptables
Now ip6tables should be able to locate the needed shared objects and you should be able to use it just like normal on a full system. Note that this setting is of course not persistent. I, and a lot of other people, make it persistent from the ipv6.startup script with something like

echo "export IP6TABLES_LIB_DIR=/jffs/usr/lib/iptables" >> /tmp/root/.profile

at the top of it.

Now read a few other threads on the topic and about the startup files in the wiki.

Hope that helps you to get started.


And for the sake of completeness, here's the first half of my /jffs/etc/config/ipv6.startup:

Code:
#!/bin/sh
#very ugly and short hack for IPv6 startup

# Bring up the internal interface
ip -6 addr add 2001:DB8::/64 dev br0
ip -6 route add 2001:DB8::/64 dev br0

export PATH=$PATH:/jffs/usr/sbin
export IP6TABLES_LIB_DIR=/jffs/usr/lib/iptables

# set bash profile of user root
echo "export IP6TABLES_LIB_DIR=/jffs/usr/lib/iptables" >> /tmp/root/.profile

# load required kernel modules
MODPATH='/jffs/lib/modules/2.6.24.111'
KMODS='ip6_tables.ko ip6table_filter.ko nf_conntrack_ipv6.ko'
for x in $KMODS; do
  insmod $MODPATH/$x
done

# flush tables
ip6tables -F INPUT
ip6tables -F OUTPUT
ip6tables -F FORWARD

# set default policy
ip6tables -P INPUT ACCEPT
ip6tables -P OUTPUT ACCEPT
ip6tables -P FORWARD DROP


### Here will follow some more rules

# Startup radvd
/usr/sbin/radvd -C /jffs/etc/radvd.conf
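An added example, not part of fnord42's post or his ipv6.startup: a pre-flight check for the "Couldn't load match `rt'" and "Couldn't load target `standard'" errors that recur through this thread. ip6tables loads one shared object from IP6TABLES_LIB_DIR for every match (-m), every extension target (-j other than a built-in verdict or a chain) and every protocol given with -p, so a firewall script can be checked against that directory before it is run. The 1.3 and 1.4 packages used here name them libip6t_NAME.so; later builds keep family-independent ones in libxt_NAME.so, and the ICMPv6 protocol plugin has been libip6t_icmpv6.so (1.3) and libip6t_icmp6.so (1.4), so all of those spellings are accepted. The function names and the script-parsing heuristic (a line is a rule if it starts with ip6tables; a jump to a chain the script did not create itself with -N is treated as an extension target) are this example's own; the plugin directory defaults to the /jffs path from the thread.

```shell
#!/bin/sh
# Added example, not from the thread: list the user-space plugins an
# ip6tables script needs and check that they exist in IP6TABLES_LIB_DIR.
# Assumed default directory is the /jffs path used throughout the thread.
plugin_dir="${IP6TABLES_LIB_DIR:-/jffs/usr/lib/iptables}"

# Print the plugin names a script needs, one per line, sorted, no duplicates.
# -m NAME loads libip6t_NAME.so, -p PROTO loads the protocol plugin, every
# rule with a verdict loads libip6t_standard.so, and -j to something that is
# neither a built-in verdict nor a chain created here with -N is a target plugin.
needed_plugins() {   # usage: needed_plugins SCRIPT
    awk '
        /^[[:space:]]*ip6tables[[:space:]]/ {
            need["standard"] = 1
            for (i = 1; i < NF; i++) {
                if ($i == "-N") chain[$(i+1)] = 1
                else if ($i == "-m") need[$(i+1)] = 1
                else if ($i == "-j") target[$(i+1)] = 1
                else if ($i == "-p") {
                    p = $(i+1)
                    if (p == "icmpv6" || p == "ipv6-icmp") p = "icmp6"
                    if (p != "all") need[p] = 1
                }
            }
        }
        END {
            for (t in target)
                if (!(t in chain) && t !~ /^(ACCEPT|DROP|RETURN|QUEUE)$/) need[t] = 1
            for (n in need) print n
        }
    ' "$1" | LC_ALL=C sort
}

# Return 0 when every needed plugin is present, otherwise list the missing ones.
check_plugins() {   # usage: check_plugins SCRIPT [PLUGIN_DIR]
    dir="${2:-$plugin_dir}"; missing=0
    for n in $(needed_plugins "$1"); do
        found=0
        for f in "libip6t_$n.so" "libxt_$n.so"; do
            [ -f "$dir/$f" ] && found=1
        done
        # the ICMPv6 protocol plugin was libip6t_icmpv6.so in iptables 1.3, libip6t_icmp6.so in 1.4
        [ "$n" = icmp6 ] && [ -f "$dir/libip6t_icmpv6.so" ] && found=1
        if [ "$found" -eq 0 ]; then
            echo "missing: $n (no libip6t_$n.so or libxt_$n.so in $dir)"
            missing=$(( missing + 1 ))
        fi
    done
    [ "$missing" -eq 0 ]
}
```

On the router, `check_plugins /tmp/.rc_firewall` (the file DD-WRT writes from the Administration / Commands / Firewall box) tells you before the next WAN event which match or target will fail to load; an empty result and exit status 0 means the install under /jffs is complete for that script, and a listing that still says "UNKNOWN match" afterwards is the login shell missing the export, not the rules.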

matt3D (DD-WRT Novice; Joined: 12 Jan 2011; Posts: 3)
PostPosted: Fri Jan 14, 2011 12:27
Hi fnord42. I was able to get iptables running, but I am still not able to view or ping any ipv6 sites, I think it might be something to do with radvd. Should there be something in the radvd config under administration/management/IPv6 Support/radvd config?
startup script:
#!/bin/sh
#very ugly and short hack for IPv6 startup

# Bring up the internal interface
ip -6 addr add 2001:DB8::/64 dev br0
ip -6 route add 2001:DB8::/64 dev br0

export PATH=$PATH:/jffs/usr/sbin
export IP6TABLES_LIB_DIR=/jffs/usr/lib/iptables

# set bash profile of user root
echo "export IP6TABLES_LIB_DIR=/jffs/usr/lib/iptables" >> /tmp/root/.profile

# load required kernel modules
MODPATH='/jffs/lib/modules/2.6.24.111'
KMODS='ip6_tables.ko ip6table_filter.ko nf_conntrack_ipv6.ko'
for x in $KMODS; do
insmod $MODPATH/$x
done
sleep 5
HOST6RD=$(nslookup 6rd.comcast.net |grep "Address"|awk '{ print $3 }'|grep -v 192.168.1.1 -m1)
WANIP=$(ip -4 addr show dev vlan2 | grep 'inet ' | awk '{print $2}' | cut -d/ -f1)
if [ -n "$WANIP" ]
then
V6PREFIX=$(printf ' 2001:55c:%02x%02x:%02x%02x' $(echo $WANIP | tr . ' '))
ip tunnel add tun6rd mode sit ttl 255 remote any local $WANIP
ip link set tun6rd mtu 1280
ip link set tun6rd up
ip addr add $V6PREFIX:0::1/32 dev tun6rd
ip addr add $V6PREFIX:1::1/64 dev br0
ip -6 route add 2000::/3 via ::$HOST6RD dev tun6rd
kill -HUP $(cat /var/run/radvd.pid)
fi
echo "interface br0 { \
MinRtrAdvInterval 3; MaxRtrAdvInterval 10; AdvLinkMTU 1280; AdvSendAdvert on; \
prefix $V6PREFIX::/64 { AdvOnLink on; AdvAutonomous on; AdvValidLifetime 86400; \
AdvPreferredLifetime 86400; }; };" \
> /tmp/radvd.conf
radvd -C /tmp/radvd.conf start

Firewall:
# flush tables
ip6tables -F INPUT
ip6tables -F OUTPUT
ip6tables -F FORWARD

# set default policy
ip6tables -P INPUT ACCEPT
ip6tables -P OUTPUT ACCEPT
ip6tables -P FORWARD DROP

# Prevent being a rh0 (routing header type 0) host (DROP before we could accept these buggy ones)
ip6tables -I INPUT -m rt --rt-type 0 -j DROP
ip6tables -I OUTPUT -m rt --rt-type 0 -j DROP
ip6tables -I FORWARD -m rt --rt-type 0 -j DROP

# Allow traffic on loopback interface
ip6tables -A INPUT -i lo -j ACCEPT
ip6tables -A OUTPUT -o lo -j ACCEPT

# Allow traffic from local host to the IPv6-tunnel
ip6tables -A OUTPUT -o tun6rd -s 2001::/16 -j ACCEPT
ip6tables -A INPUT -i tun6rd -d 2001::/16 -m state --state RELATED,ESTABLISHED -j ACCEPT

# Allow traffic from local network to local host
ip6tables -A OUTPUT -o br0 -j ACCEPT
ip6tables -A INPUT -i br0 -j ACCEPT

# Allow traffic from local network to tunnel (IPv6 world)
ip6tables -A FORWARD -i br0 -s 2001::/16 -j ACCEPT
ip6tables -A FORWARD -i tun6rd -d 2001::/16 -m state --state RELATED,ESTABLISHED -j ACCEPT

# Allow some special ICMPv6 packettypes, do this in an extra chain because we need it everywhere
ip6tables -N AllowICMPs
# Destination unreachable
ip6tables -A AllowICMPs -p icmpv6 --icmpv6-type 1 -j ACCEPT
# Packet too big
ip6tables -A AllowICMPs -p icmpv6 --icmpv6-type 2 -j ACCEPT
# Time exceeded
ip6tables -A AllowICMPs -p icmpv6 --icmpv6-type 3 -j ACCEPT
# Parameter problem
ip6tables -A AllowICMPs -p icmpv6 --icmpv6-type 4 -j ACCEPT
# Echo Request (protect against flood)
ip6tables -A AllowICMPs -p icmpv6 --icmpv6-type 128 -m limit --limit 5/sec --limit-burst 10 -j ACCEPT
# Echo Reply
ip6tables -A AllowICMPs -p icmpv6 --icmpv6-type 129 -j ACCEPT
# Link in tables INPUT and FORWARD (in Output we allow everything anyway)
ip6tables -A INPUT -p icmpv6 -j AllowICMPs
ip6tables -A FORWARD -p icmpv6 -j AllowICMPs

Thanks for all your help!

fnord42 (DD-WRT Novice; Joined: 12 Jan 2011; Posts: 12)
PostPosted: Fri Jan 14, 2011 15:20
matt3D wrote:
Hi fnord42. I was able to get iptables running,


Ok, that's good to hear.

matt3D wrote:

but I am still not able to view or ping any ipv6 sites, I think it might be something to do with radvd. Should there be something in the radvd config under administration/management/IPv6 Support/radvd config?


For me the radvd administration mask didn't work but I've to admit that I didn't waste much time with it. I just placed my radvd.conf into /jffs/etc and now start radvd with this file by hand at the end of my ipv6.startup script.
You can place your configuration in the admin frontend and later on check via ssh if radvd is running.

Besides that, and only to be sure you don't try to use the v4 icmp ping included, you installed ping6 from OpenWRT kamikaze and used the ping6 command, right?

Regarding the radvd usage in your script you should understand that it tries to dynamically determine your /64 and configure radvd on the fly to announce that. I'm not familiar with the odds of ISPs in regard of native IPv6 access. I'm still using a SixXS aiccu tunnel.

matt3D wrote:

startup script:
# Bring up the internal interface
ip -6 addr add 2001:DB8::/64 dev br0
ip -6 route add 2001:DB8::/64 dev br0


This is obviously wrong; I guess from the rest of your script that you can delete it. That's just my example illustrating, with the IPv6 range reserved for documentation, how to bring up the interface for a static /64. Whenever you see an address starting with 2001:DB8: you should replace that with your address space. http://packetlife.net/library/cheat-sheets/ has a nice IPv6 cheat sheet, and the Bieringer Linux IPv6 howto should be near your shelf too.

I can't comment much on the rest ad hoc, but I would suggest you first try to set up everything by hand and script it afterwards. That makes debugging a lot easier. So just bring up the interface, flush all firewall tables and see if that works.


Edit: And restarting radvd (kill -HUP ...) before writing the configuration won't work either. And starting radvd again afterwards will fail (good guess ...), so you should sort that part out a bit.
docbill
DD-WRT Novice


Joined: 22 Aug 2008
Posts: 24

PostPosted: Wed Feb 02, 2011 22:08    Post subject:
The following is what I ended up using for my firewall. I have no idea what icmpv6-type 133, 134, 135, and 136 are for, but they seem essential to bring up a webpage like http://ipv6.google.com

#set path variables
export IP6TABLES_LIB_DIR=/jffs/usr/lib/iptables
PATH="$PATH":/jffs/usr/sbin

# Flush the three built-in chains (the original flushed a non-existent "DROP" chain and left FORWARD untouched)
ip6tables -F INPUT
ip6tables -F OUTPUT
ip6tables -F FORWARD

# Default rule DROP for all chains
ip6tables -P INPUT DROP
ip6tables -P OUTPUT DROP
ip6tables -P FORWARD DROP

# Prevent being a rh0 (routing header type 0) host (DROP before we could accept these buggy ones)
ip6tables -I INPUT -m rt --rt-type 0 -j DROP
ip6tables -I OUTPUT -m rt --rt-type 0 -j DROP
ip6tables -I FORWARD -m rt --rt-type 0 -j DROP

# Allow traffic on loopback interface
ip6tables -A INPUT -i lo -j ACCEPT
ip6tables -A OUTPUT -o lo -j ACCEPT

# Allow traffic from local host to the IPv6-tunnel
ip6tables -A OUTPUT -o he-ipv6 -s 2001::/16 -j ACCEPT
ip6tables -A INPUT -i he-ipv6 -d 2001::/16 -m state --state RELATED,ESTABLISHED -j ACCEPT
ip6tables -A OUTPUT -o tun6to4 -s 2001::/16 -j ACCEPT
ip6tables -A INPUT -i tun6to4 -d 2001::/16 -m state --state RELATED,ESTABLISHED -j ACCEPT

# Allow traffic from local network to local host
ip6tables -A OUTPUT -o br0 -j ACCEPT
ip6tables -A INPUT -i br0 -j ACCEPT

# Allow traffic from local network to tunnel (IPv6 world)
ip6tables -A FORWARD -i br0 -s 2001::/16 -j ACCEPT
ip6tables -A FORWARD -i he-ipv6 -d 2001::/16 -m state --state RELATED,ESTABLISHED -j ACCEPT
ip6tables -A FORWARD -i tun6to4 -d 2001::/16 -m state --state RELATED,ESTABLISHED -j ACCEPT

# Allow some special ICMPv6 packettypes, do this in an extra chain because we need it everywhere
ip6tables -N ipv6cfg
# Destination unreachable
ip6tables -A ipv6cfg -p icmpv6 --icmpv6-type 1 -j ACCEPT
# Packet too big
ip6tables -A ipv6cfg -p icmpv6 --icmpv6-type 2 -j ACCEPT
# Time exceeded
ip6tables -A ipv6cfg -p icmpv6 --icmpv6-type 3 -j ACCEPT
# Parameter problem
ip6tables -A ipv6cfg -p icmpv6 --icmpv6-type 4 -j ACCEPT
# Echo Request (protect against flood)
ip6tables -A ipv6cfg -p icmpv6 --icmpv6-type 128 -m limit --limit 5/sec --limit-burst 10 -j ACCEPT
# Echo Reply
ip6tables -A ipv6cfg -p icmpv6 --icmpv6-type 129 -j ACCEPT
# Neighbour Discovery: 133 Router Solicitation, 134 Router Advertisement, 135 Neighbor Solicitation, 136 Neighbor Advertisement
ip6tables -A ipv6cfg -p icmpv6 --icmpv6-type 133 -j ACCEPT
ip6tables -A ipv6cfg -p icmpv6 --icmpv6-type 134 -j ACCEPT
ip6tables -A ipv6cfg -p icmpv6 --icmpv6-type 135 -j ACCEPT
ip6tables -A ipv6cfg -p icmpv6 --icmpv6-type 136 -j ACCEPT
# Link the chain into INPUT and FORWARD (OUTPUT is covered by the per-interface rules above)
ip6tables -A INPUT -p icmpv6 -j ipv6cfg
ip6tables -A FORWARD -p icmpv6 -j ipv6cfg
fnord42
DD-WRT Novice


Joined: 12 Jan 2011
Posts: 12

PostPosted: Thu Feb 03, 2011 14:12    Post subject:
docbill wrote:
The following is what I ended up using for my firewall. I have no idea what icmpv6-type 133, 134, 135, and 136 are for, but they seem essential to bring up a webpage like http://ipv6.google.com


Oh dear, stop using the internet now!
That's RS, RA, NS, NA. (Router Solicitation, Router Advertisement, Neighbor Sol, Neighbor Adv).
IMO nearly everybody should stop filtering ICMPv6. It's an essential part of IPv6 for several other things as well, and in most cases you'll do more harm than anything else with filtering.
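An added example, not code from docbill's or fnord42's posts: the same ICMPv6 chain as the scripts above, but the four Neighbour Discovery types (133 RS, 134 RA, 135 NS, 136 NA) are accepted only when the hop limit is 255, which is what an on-link neighbour sends and what no forwarded packet can still carry; all other ICMPv6 is logged (rate-limited) and dropped rather than silently falling through. It assumes the standard netfilter hl match and LOG target are present in the ip6tables build; set DRY_RUN=1 to print the commands instead of applying them.

```shell
#!/bin/sh
# Added example for the thread above (not the posters' own scripts).
# Assumes ip6tables with the hl match and LOG target; DRY_RUN=1 only prints.

run() {
  if [ "${DRY_RUN:-0}" = 1 ]; then
    echo "ip6tables $*"
  else
    ip6tables "$@"
  fi
}

build_icmpv6_chain() {
  chain=${1:-AllowICMPs}
  run -N "$chain"
  # Error messages: destination unreachable, packet too big, time exceeded,
  # parameter problem. Dropping these breaks path MTU discovery (RFC 4890).
  for t in 1 2 3 4; do
    run -A "$chain" -p icmpv6 --icmpv6-type "$t" -j ACCEPT
  done
  # Echo request rate-limited against floods, echo reply accepted
  run -A "$chain" -p icmpv6 --icmpv6-type 128 -m limit --limit 5/sec --limit-burst 10 -j ACCEPT
  run -A "$chain" -p icmpv6 --icmpv6-type 129 -j ACCEPT
  # Neighbour Discovery (RS 133, RA 134, NS 135, NA 136) is link-local only:
  # senders use hop limit 255 and a router decrements it, so hl 255 proves the
  # packet was not routed in from outside the link.
  for t in 133 134 135 136; do
    run -A "$chain" -p icmpv6 --icmpv6-type "$t" -m hl --hl-eq 255 -j ACCEPT
  done
  # Everything else ICMPv6: log a sample, then drop
  run -A "$chain" -m limit --limit 1/min -j LOG --log-prefix "icmpv6-drop:"
  run -A "$chain" -j DROP
}

link_chain() {
  chain=${1:-AllowICMPs}
  run -A INPUT -p icmpv6 -j "$chain"
  run -A FORWARD -p icmpv6 -j "$chain"
}

# Number of ACCEPT rules the chain carries; compare with ip6tables -L after applying
count_accepts() {
  ( DRY_RUN=1; build_icmpv6_chain "$1" ) | grep -c -- '-j ACCEPT'
}
```

Run `build_icmpv6_chain AllowICMPs && link_chain AllowICMPs` from the ipv6.startup script after the default policies are set.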