Posted: Sun Nov 14, 2010 7:02 Post subject: Securing a DD-WRT v24-14896 NEWD-2 k2.6 IPv6 Asus RT-N16 Net
Still learning about ipv6 and was thinking going live would be a great way to get some hands-on experience... until I heard that, unlike with ipv4's NAT, setting up ipv6 on a home router is basically opening a direct connection to the ipv6 world with nothing in the way of protection-- so I disabled it for now.
I managed to set up ipv6 using 6RD tunneling as described on http://www.dd-wrt.com/wiki/index.php/IPv6#6rd -- the only thing I had to adjust was my WAN vlan to reflect my particular router's WAN vlan. As far as I could tell, it worked pretty well-- I was able to get to ipv6 sites just fine (until I disabled it due to the previously mentioned concerns), dancing Kame, etc.
I'm running one of the dd-wrt.v24-14896_NEWD-2_K2.6 builds. The directions provided here: http://www.dd-wrt.com/wiki/index.php/IPv6_on_v24 seem to provide links for ip6tables builds for Kernel versions 2.4.3x. In the dd-wrt router database, I don't see any dd-wrt Kernel 2.4 builds available for my model.
So my questions:
What can I do to either my dd-wrt router or to my individual ipv6 hosts (varying operating systems: Ubuntu 10, Fedora 14, Mac OSX, Windows 7, Windows XP) to protect my network's hosts? Any dd-wrt builds with ipv6 firewalling (ip6tables) and SPI preinstalled? There's plenty of space on the RT-N16.
GUI: administration/management
-enable ipv6
-enable jffs; first-time users need to enable "clean" to format it for mounting
Verify Kernel:
SSH to the router and perform
uname -a
I'm using kernel 2.6.24.111; it already includes the ipv6 and sit modules in /lib/modules/2.6.24.111/kernel/net/ipv6/, so no action was needed there for me.
Figure out appropriate modules:
-I've seen many different posts from people indicating that 2.6.24.111 DD-WRT kernel should be ok to use 2.6.25 OpenWRT modules.
If I've got the overview right, then it's a matter of getting past my sticking point with being unable to find ip6_rt.ko, as it is missing from /jffs/lib/modules/2.6.25.20/; there is a libip6t_rt.so in /jffs/usr/lib/iptables/
Or can I try the backfire compiled packages (http://downloads.openwrt.org/backfire/10.03/brcm47xx/packages/) which do indeed have the ip6_rt.ko module?
5) I grabbed the relevant startup script for me from the ipv6 tutorial page-- I'm on Comcast, using 6rd, and added the insertion of the nf_conntrack_ipv6 and ip6t_rt modules-- and then entered it into my GUI's Administration / Commands / Startup
Code:
# load the ip6tables kernel modules that were copied to /jffs
insmod /jffs/lib/modules/2.6.24.111/ip6_tables.ko
insmod /jffs/lib/modules/2.6.24.111/ip6table_filter.ko
insmod /jffs/lib/modules/2.6.24.111/ip6t_multiport.ko
insmod /jffs/lib/modules/2.6.24.111/nf_conntrack_ipv6.ko
insmod /jffs/lib/modules/2.6.24.111/ip6t_rt.ko
sleep 5
# IPv4 address of Comcast's 6rd border relay (skip the line naming our own resolver)
HOST6RD=$(nslookup 6rd.comcast.net | grep "Address" | awk '{ print $3 }' | grep -v 192.168.1.1 -m1)
# current WAN address; vlan2 is the WAN vlan on this router
WANIP=$(ip -4 addr show dev vlan2 | grep 'inet ' | awk '{print $2}' | cut -d/ -f1)
if [ -n "$WANIP" ]
then
  # 6rd prefix: Comcast's 2001:55c::/32 with the 32-bit WAN address embedded, one /64 per site
  V6PREFIX=$(printf '2001:55c:%02x%02x:%02x%02x' $(echo $WANIP | tr . ' '))
  ip tunnel add tun6rd mode sit ttl 255 remote any local $WANIP
  ip link set tun6rd mtu 1280
  ip link set tun6rd up
  ip addr add $V6PREFIX:0::1/32 dev tun6rd
  ip addr add $V6PREFIX:1::1/64 dev br0
  ip -6 route add 2000::/3 via ::$HOST6RD dev tun6rd
  # write the radvd config before (re)starting radvd; the announced /64 is the one on br0
  echo "interface br0 { \
  MinRtrAdvInterval 3; MaxRtrAdvInterval 10; AdvLinkMTU 1280; AdvSendAdvert on; \
  prefix $V6PREFIX::/64 { AdvOnLink on; AdvAutonomous on; AdvValidLifetime 86400; \
  AdvPreferredLifetime 86400; }; };" \
  > /tmp/radvd.conf
  # reload a running radvd, otherwise start it
  if [ -f /var/run/radvd.pid ]; then
    kill -HUP $(cat /var/run/radvd.pid)
  else
    radvd -C /tmp/radvd.conf start
  fi
fi
6) I entered lv426's rules and the follow-up edit into my GUI's Administration / Commands / Firewall, making the following modifications
a) to the prefix to reflect Comcast's use of 2001:: instead of 2002::
b) to the tunnel name to reflect Comcast's tun6rd instead of the tun6to4
c) to the beginning to set the ip6tables path
# The OpenWrt ip6tables keeps its extension libraries under /jffs; tell it where they are
export IP6TABLES_LIB_DIR=/jffs/usr/lib/iptables
# Start from empty tables so re-running this script does not append duplicate rules
ip6tables -F
ip6tables -X
# Default rule DROP for all chains
ip6tables -P INPUT DROP
ip6tables -P OUTPUT DROP
ip6tables -P FORWARD DROP
# Prevent being a rh0 (routing header type 0) host (DROP before we could accept these buggy ones)
ip6tables -I INPUT -m rt --rt-type 0 -j DROP
ip6tables -I OUTPUT -m rt --rt-type 0 -j DROP
ip6tables -I FORWARD -m rt --rt-type 0 -j DROP
# Allow traffic on loopback interface
ip6tables -A INPUT -i lo -j ACCEPT
ip6tables -A OUTPUT -o lo -j ACCEPT
# Allow traffic from local host to the IPv6-tunnel (2001::/16 covers Comcast's 2001:55c::/32 6rd space)
ip6tables -A OUTPUT -o tun6rd -s 2001::/16 -j ACCEPT
ip6tables -A INPUT -i tun6rd -d 2001::/16 -m state --state RELATED,ESTABLISHED -j ACCEPT
# Allow traffic from local network to local host
ip6tables -A OUTPUT -o br0 -j ACCEPT
ip6tables -A INPUT -i br0 -j ACCEPT
# Allow traffic from local network to tunnel (IPv6 world)
ip6tables -A FORWARD -i br0 -s 2001::/16 -j ACCEPT
ip6tables -A FORWARD -i tun6rd -d 2001::/16 -m state --state RELATED,ESTABLISHED -j ACCEPT
# Allow some special ICMPv6 packettypes, do this in an extra chain because we need it everywhere
ip6tables -N AllowICMPs
# Destination unreachable
ip6tables -A AllowICMPs -p icmpv6 --icmpv6-type 1 -j ACCEPT
# Packet too big
ip6tables -A AllowICMPs -p icmpv6 --icmpv6-type 2 -j ACCEPT
# Time exceeded
ip6tables -A AllowICMPs -p icmpv6 --icmpv6-type 3 -j ACCEPT
# Parameter problem
ip6tables -A AllowICMPs -p icmpv6 --icmpv6-type 4 -j ACCEPT
# Echo Request (protect against flood)
ip6tables -A AllowICMPs -p icmpv6 --icmpv6-type 128 -m limit --limit 5/sec --limit-burst 10 -j ACCEPT
# Echo Reply
ip6tables -A AllowICMPs -p icmpv6 --icmpv6-type 129 -j ACCEPT
# Link in tables INPUT and FORWARD (in Output we allow everything anyway)
ip6tables -A INPUT -p icmpv6 -j AllowICMPs
ip6tables -A FORWARD -p icmpv6 -j AllowICMPs
My only issue now is when I log in and do an ip6tables -L, I see the following:
Code:
root@myrouter:~# ip6tables -L
Chain INPUT (policy DROP)
target prot opt source destination
DROP all anywhere anywhere UNKNOWN match `rt' [8 bytes of unknown target data]
DROP all anywhere anywhere UNKNOWN match `rt' [8 bytes of unknown target data]
DROP all anywhere anywhere UNKNOWN match `rt' [8 bytes of unknown target data]
DROP all anywhere anywhere UNKNOWN match `rt' [8 bytes of unknown target data]
ACCEPT all anywhere anywhere [8 bytes of unknown target data]
ACCEPT all anywhere anywhere [8 bytes of unknown target data]
ACCEPT all anywhere anywhere [8 bytes of unknown target data]
ACCEPT all anywhere 2001::/16 UNKNOWN match `state' [8 bytes of unknown target data]
ACCEPT all anywhere anywhere [8 bytes of unknown target data]
ip6tables v1.3.7: Couldn't load target `standard':File not found
Try `ip6tables -h' or 'ip6tables --help' for more information.
Which is odd given that I've already specified the path at the beginning of the firewall settings. So, I go ahead and re-enter the IP6TABLES_LIB_DIR variable and now I can see how the rules are being applied:
Code:
root@myrouter:~# export IP6TABLES_LIB_DIR=/jffs/usr/lib/iptables
root@myrouter:~# ip6tables -L
Chain INPUT (policy DROP)
target prot opt source destination
DROP all anywhere anywhere rt type:0
DROP all anywhere anywhere rt type:0
DROP all anywhere anywhere rt type:0
DROP all anywhere anywhere rt type:0
ACCEPT all anywhere anywhere
ACCEPT all anywhere anywhere
ACCEPT all anywhere anywhere
ACCEPT all anywhere 2001::/16 state RELATED,ESTABLISHED
ACCEPT all anywhere anywhere
AllowICMPs ipv6-icmp anywhere anywhere
AllowICMPs ipv6-icmp anywhere anywhere
ACCEPT all anywhere anywhere
ACCEPT all anywhere 2001::/16 state RELATED,ESTABLISHED
ACCEPT all anywhere anywhere
AllowICMPs ipv6-icmp anywhere anywhere
ACCEPT all anywhere anywhere
ACCEPT all anywhere 2001::/16 state RELATED,ESTABLISHED
ACCEPT all anywhere anywhere
AllowICMPs ipv6-icmp anywhere anywhere
Chain FORWARD (policy DROP)
target prot opt source destination
DROP all anywhere anywhere rt type:0
DROP all anywhere anywhere rt type:0
DROP all anywhere anywhere rt type:0
DROP all anywhere anywhere rt type:0
ACCEPT all 2001::/16 anywhere
ACCEPT all anywhere 2001::/16 state RELATED,ESTABLISHED
ACCEPT all 2001::/16 anywhere
ACCEPT all anywhere 2001::/16 state RELATED,ESTABLISHED
AllowICMPs ipv6-icmp anywhere anywhere
ACCEPT all 2001::/16 anywhere
ACCEPT all anywhere 2001::/16 state RELATED,ESTABLISHED
AllowICMPs ipv6-icmp anywhere anywhere
ACCEPT all 2001::/16 anywhere
ACCEPT all anywhere 2001::/16 state RELATED,ESTABLISHED
AllowICMPs ipv6-icmp anywhere anywhere
Chain OUTPUT (policy DROP)
target prot opt source destination
DROP all anywhere anywhere rt type:0
DROP all anywhere anywhere rt type:0
DROP all anywhere anywhere rt type:0
DROP all anywhere anywhere rt type:0
ACCEPT all anywhere anywhere
ACCEPT all 2001::/16 anywhere
ACCEPT all anywhere anywhere
ACCEPT all anywhere anywhere
ACCEPT all 2001::/16 anywhere
ACCEPT all anywhere anywhere
ACCEPT all anywhere anywhere
ACCEPT all 2001::/16 anywhere
ACCEPT all anywhere anywhere
ACCEPT all anywhere anywhere
ACCEPT all 2001::/16 anywhere
ACCEPT all anywhere anywhere
Running wrt610nv2, brainslayer mega build 15747, kernel 2.6.24.111
Do you know if ip6tables can be installed on /mnt or /opt, instead of JFFS? I have a USB stick attached for optware, but have not enabled JFFS.
I've been following a mangled version of your instructions. I got as far as step 6; however, ipkg would not install the ip6tables package, stating "read-only file system". So I extracted the files from the ipk and scp'ed them into the appropriate directories under /opt.
I also copied LazyTom's kernel modules to a directory on /mnt, and made the appropriate changes to the script.
What I've found is that upon reboot, the kernel modules don't seem to load. However if I manually run those insmod commands from the command line, they all work and load with the exception of ip6t_multiport.ko, which isn't a part of LazyTom's package, and I don't know where to get it from.
Continuing on, ip6tables runs, ip6tables -L shows an empty rule table, and it blocks all access to ipv6 sites. But running the script to set up the firewall (again slightly modified as I'm using 6to4) I'm getting:
ip6tables v1.3.7: Couldn't load match `rt':File not found
Thanks for your advice. I have come a long way since my previous post.
Indeed, for this to work, my USB key had to be mounted on /jffs. Optware can be installed as well, under /jffs/opt, and it works fine.
My guess is that it's the way or the order in which things are mounted when using the Optware The Right Way approach. Perhaps /mnt and /opt are not mounted prior to the startup commands being executed.
Having the USB key mounted on /jffs allowed step 6, the installation of the ip6tables package, to work perfectly, and resolved all of the missing dependencies and rt errors.
I am not sure either why the export of IP6TABLES_LIB_DIR is not sticking for subsequent SSH sessions, although it certainly sticks during the execution of the firewall commands. I found that if I simply executed the export as the first command in an SSH session, ip6tables -L would give the correct output.
IPv6 all working now. As I'm using 6to4, the scripts are as follows:
Startup Command:
Code:
# IPv6 and the sit tunnel driver ship with the DD-WRT kernel
insmod /lib/modules/`uname -r`/kernel/net/ipv6/ipv6.ko
insmod /lib/modules/`uname -r`/kernel/net/ipv6/sit.ko
# ip6tables modules copied to /jffs (LazyTom's package)
insmod /jffs/lib/modules/2.6.24.111/ip6_tables.ko
insmod /jffs/lib/modules/2.6.24.111/ip6table_filter.ko
insmod /jffs/lib/modules/2.6.24.111/ip6t_multiport.ko
insmod /jffs/lib/modules/2.6.24.111/nf_conntrack_ipv6.ko
insmod /jffs/lib/modules/2.6.24.111/ip6t_rt.ko
sleep 5
WANIP=$(ip -4 addr show dev vlan2 | grep 'inet ' | awk '{print $2}' | cut -d/ -f1)
if [ -n "$WANIP" ]
then
  # 6to4 prefix (RFC 3056): 2002: followed by the public WAN address in hex, a /48
  V6PREFIX=$(printf '2002:%02x%02x:%02x%02x' $(echo $WANIP | tr . ' '))
  ip tunnel add tun6to4 mode sit ttl 255 remote any local $WANIP
  ip link set tun6to4 mtu 1480
  ip link set tun6to4 up
  ip addr add $V6PREFIX:0::1/16 dev tun6to4
  ip addr add $V6PREFIX:1::1/64 dev br0
  # 192.88.99.1 is the 6to4 anycast relay (RFC 3068)
  ip -6 route add 2000::/3 via ::192.88.99.1 dev tun6to4
fi
# (re)start radvd once br0 has its address. /tmp/radvd.conf is not written by this
# script and should announce the same /64 that is on br0, i.e. $V6PREFIX:1::/64
sleep 10
if [ -f /var/run/radvd.pid ]; then
  kill -HUP $(cat /var/run/radvd.pid)
else
  radvd -C /tmp/radvd.conf start
fi
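Both startup scripts above derive the site's IPv6 prefix from the WAN IPv4 address with a printf over the four octets, then hand-write the br0 address and the radvd prefix separately. The following POSIX sh functions are an added example (not from the thread or the DD-WRT wiki): they do the same derivation for 6rd and 6to4 with input validation, and produce the LAN /64 and the radvd.conf from a single value so the announced prefix cannot drift from the address on br0. The Comcast 6rd domain prefix 2001:55c::/32 is taken from the thread; the function names, the RFC 1918 check and the sample addresses are my own.

```shell
#!/bin/sh
# Added example, not from the thread: derive the 6rd / 6to4 prefix from the
# WAN IPv4 address the way the startup scripts above do (printf + tr), but
# validate the input first and derive the LAN /64 and the radvd prefix from
# one value so they cannot disagree. Assumed: Comcast's 6rd domain prefix
# 2001:55c::/32 (per the thread); 6to4 per RFC 3056. POSIX sh, busybox-safe.

# valid_ipv4 A.B.C.D -> 0 for a well-formed dotted quad: digits and exactly
# three dots, no empty octets, each octet 0..255. Zero-padded octets are
# rejected because printf would read "010" as octal.
valid_ipv4() {
    case "$1" in
        *[!0-9.]*|"") return 1 ;;      # only digits and dots allowed
        *.*.*.*.*)    return 1 ;;      # more than three dots
        *.*.*.*)      ;;               # exactly three dots
        *)            return 1 ;;
    esac
    set -- $(printf '%s' "$1" | tr . ' ')
    [ $# -eq 4 ] || return 1           # catches empty octets such as 1..2.3
    for o in "$@"; do
        case "$o" in 0?*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
}

# private_ipv4 A.B.C.D -> 0 if inside an RFC 1918 block. 6to4 embeds the WAN
# address in the prefix and needs the 192.88.99.1 relay to reach it, so it
# cannot work from behind NAT.
private_ipv4() {
    case "$1" in
        10.*|192.168.*|172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
    esac
    return 1
}

# ipv4_hex A.B.C.D -> ABAB:CDCD, e.g. 192.0.2.1 -> c000:0201
ipv4_hex() {
    printf '%02x%02x:%02x%02x' $(printf '%s' "$1" | tr . ' ')
}

# 6to4 (RFC 3056): 2002:<wan>::/48; requires a public WAN address.
v6prefix_6to4() {
    valid_ipv4 "$1" || return 1
    private_ipv4 "$1" && return 1
    printf '2002:%s' "$(ipv4_hex "$1")"
}

# 6rd: the ISP's domain prefix with the WAN address embedded. With Comcast's
# 2001:55c::/32 and all 32 IPv4 bits embedded, each site gets exactly one /64.
v6prefix_6rd() {
    valid_ipv4 "$1" || return 1
    printf '2001:55c:%s' "$(ipv4_hex "$1")"
}

# lan_prefix64 6to4|6rd A.B.C.D -> the /64 for br0, written with a trailing
# "::" so that "<value>1" is the router address and "<value>/64" the radvd
# prefix. A 6to4 site owns a /48, so subnet 1 is used (the :1::1/64 address
# in the scripts above); a 6rd site here owns just the one /64.
lan_prefix64() {
    case "$1" in
        6to4) p=$(v6prefix_6to4 "$2") || return 1; printf '%s:1::' "$p" ;;
        6rd)  p=$(v6prefix_6rd  "$2") || return 1; printf '%s::'   "$p" ;;
        *)    return 1 ;;
    esac
}

# radvd_conf LAN64 MTU -> radvd.conf text for br0 announcing exactly LAN64.
# MTU 1280 for 6rd and 1480 for 6to4, matching the tunnel MTUs used above.
radvd_conf() {
    cat <<EOF
interface br0 {
    AdvSendAdvert on;
    MinRtrAdvInterval 3;
    MaxRtrAdvInterval 10;
    AdvLinkMTU $2;
    prefix $1/64 {
        AdvOnLink on;
        AdvAutonomous on;
        AdvValidLifetime 86400;
        AdvPreferredLifetime 86400;
    };
};
EOF
}

# Typical use in the startup script, after WANIP has been read from vlan2:
#   LAN64=$(lan_prefix64 6rd "$WANIP") || exit 1
#   ip addr add "${LAN64}1/64" dev br0
#   radvd_conf "$LAN64" 1280 > /tmp/radvd.conf
```

With the prefix and the radvd text coming from one function, a 6to4 setup that puts `$V6PREFIX:1::1/64` on br0 can no longer announce `$V6PREFIX::/64`, which is a different /64 from the one the router itself sits in.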
Hello vprasadl, I am stuck at step 6 and I also have an RT-N16. I am having issues installing iptables. Everything else is fine, I believe. I attached a screenshot of my putty window. Thanks for your help and all of your great information. I have Comcast and I would like to try ipv6 with iptables.
matt3D: I'm in a similar position currently with the same hardware. What I can tell you so far is this:
a) The old kmod package from OpenWRT won't work because of the magic version encoded in the modules. You need to build them yourself or pick a tarball from another thread.
http://www.dd-wrt.com/phpBB2/download.php?id=16285
b) Running into the "ip6tables v1.4.0: Couldn't load target `standard':File not found" is where I'm currently at. After installing strace I'm sure it's because of a missing "libip6t_standard.so". I still try to find out in which openwrt package this one is included. If someone has a hint that would be great.
edit: Too easy - it's in the iptables package, bah my fault. Now just some proto matching support is missing ...
Hi Fnord42,
Thanks for your help, but could you explain to me how to build the package? I do not have a lot of experience with the linux operating system.
Have a great day.
-Matt
Hi,
Let's see if I can explain it step by step for non-Unix people. Though I'm not convinced that people should run slightly hackish systems on the internet without understanding what they do. Especially the IPv6 internet is still very calm and easy going. It would be a pity if that changed soon. Though in the name of IPv6 adoption - let's go and try it ...
On your usual workstation:
a) Download the file from the link posted above. You should end up with ipv6_2.6.24.111_mipsel_kernel_modules.tgz
b) Unpack it. You should end up with a bunch of .ko files. Those are the kernel modules you need.
On your router/DD-WRT box:
c) Create a semi standard directory for your kernel modules:
mkdir -p /jffs/lib/modules/2.6.24.111
On your workstation:
d) scp the files over to the created directory, if you use windows I guess you will use filezilla or something like that.
Back on your router:
e) Now you should be able to load the kernel modules with the insmod command. E.g.
cd /jffs/lib/modules/2.6.24.111
insmod ip6_tables.ko
insmod ip6table_filter.ko
insmod nf_conntrack_ipv6.ko
f) Now run lsmod to see if they're listed in the output. If not something is wrong. Though hard to tell what as long as you don't get an error message. ;)
That's the kernel space. Now for the user space.
At least the currently recommended build 149xx is very close to OpenWRT's Kamikaze release, so that's what I'm currently using for userspace packages.
To the best of my current knowledge you've to install the following:
ip6tables
iptables-mod-conntrack
iptables-mod-filter
iptables
a) Download all the corresponding .ipkg packages to your router. If you've enough space (on a RT-N16 you've a lot) directly wget them to e.g. /jffs/tmp.
b) Install them (from the directory where you downloaded them) with ipkg -d root install *.ipkg. That will take a while.
c) ip6tables -vxL should now give you the empty default tables INPUT FORWARD and OUTPUT.
Now, face it: the userspace layout on OpenWRT is a bit different, so we have to use some environment variables to get it fixed.
d) export IP6TABLES_LIB_DIR=/jffs/usr/lib/iptables
Now ip6tables should be able to locate the needed shared objects and you should be able to use it just like normal on a full system. Note that this setting is of course not persistent. I, and a lot of other people, make it persistent from the ipv6.startup script with something like
# set bash profile of user root
echo "export IP6TABLES_LIB_DIR=/jffs/usr/lib/iptables" >> /tmp/root/.profile
# load required kernel modules
MODPATH='/jffs/lib/modules/2.6.24.111'
KMODS='ip6_tables.ko ip6table_filter.ko nf_conntrack_ipv6.ko'
for x in $KMODS; do
insmod $MODPATH/$x
done
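The steps above (load the kernel modules, install the userspace packages, point ip6tables at /jffs/usr/lib/iptables) fail in two ways that show up in this thread: a module that did not load, so a match has no kernel side, and a libip6t_*.so that is not where IP6TABLES_LIB_DIR points, which produces "Couldn't load match `rt': File not found" or "Couldn't load target `standard'". The following is an added example, not code from the thread or from DD-WRT/OpenWRT: a small pre-flight check meant to run at the top of the startup or firewall script. The required-module and required-extension lists are my assumptions based on the rules posted in this thread (rt, state, icmp6, limit); the module directory is the one used above.

```shell
#!/bin/sh
# Added example, not from the thread: pre-flight checks for the ip6tables
# setup described above, meant to run from the DD-WRT startup script before
# the first ip6tables command. It lists the kernel modules still missing from
# lsmod and the ip6tables extension libraries missing from IP6TABLES_LIB_DIR.
# Paths are the thread's (/jffs/...); the required lists are assumptions that
# match the rule sets posted here and must be extended for extra matches
# (ip6t_multiport / libip6t_multiport.so if "-m multiport" is used).

MODDIR=${MODDIR:-/jffs/lib/modules/2.6.24.111}
LIBDIR=${IP6TABLES_LIB_DIR:-/jffs/usr/lib/iptables}

# Kernel side: "-m rt" needs ip6t_rt, "-m state" needs nf_conntrack_ipv6.
# List order is insmod order: ip6_tables before the table and the matches.
REQUIRED_KMODS="ip6_tables ip6table_filter nf_conntrack_ipv6 ip6t_rt"

# User side: one libip6t_<name>.so per match or target. "standard" backs
# ACCEPT/DROP and is needed before ip6tables -L will even list a chain.
REQUIRED_EXTS="standard rt state icmp6 limit"

# missing_kmods LSMOD_TEXT -> names from REQUIRED_KMODS absent from the
# listing. The text is passed in rather than read, so it can be tested
# offline; the "Module" header line that some lsmod builds print is skipped.
missing_kmods() {
    loaded=$(printf '%s\n' "$1" | awk '$1 != "Module" { print $1 }')
    for m in $REQUIRED_KMODS; do
        printf '%s\n' "$loaded" | grep -qx "$m" || printf '%s\n' "$m"
    done
}

# missing_exts DIR -> names from REQUIRED_EXTS with no libip6t_<name>.so in
# DIR. ip6tables only searches IP6TABLES_LIB_DIR (or its compiled-in default),
# so a library in the wrong directory is as good as absent.
missing_exts() {
    for e in $REQUIRED_EXTS; do
        [ -f "$1/libip6t_$e.so" ] || printf '%s\n' "$e"
    done
}

# load_missing_kmods -> insmod whatever lsmod does not show yet, in list order.
load_missing_kmods() {
    for m in $(missing_kmods "$(lsmod)"); do
        insmod "$MODDIR/$m.ko" || echo "insmod $m failed" >&2
    done
}

# preflight -> 0 when everything is in place, 1 otherwise (gaps on stderr).
# Abort the firewall script on 1: ip6tables skips a rule whose match it
# cannot load, so the rule set that ends up in the kernel is not the one you
# wrote (in this thread, the rt DROPs or the ESTABLISHED ACCEPTs go missing).
preflight() {
    rc=0
    km=$(missing_kmods "$(lsmod)")
    [ -z "$km" ] || { echo "kernel modules not loaded:" $km >&2; rc=1; }
    ex=$(missing_exts "$LIBDIR")
    [ -z "$ex" ] || { echo "extensions missing in $LIBDIR:" $ex >&2; rc=1; }
    return $rc
}

# Typical use at the top of the firewall script:
#   export IP6TABLES_LIB_DIR=/jffs/usr/lib/iptables
#   load_missing_kmods
#   preflight || exit 1
```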
Hi fnord42. I was able to get iptables running, but I am still not able to view or ping any ipv6 sites, I think it might be something to do with radvd. Should there be something in the radvd config under administration/management/IPv6 Support/radvd config?
startup script:
#!/bin/sh
#very ugly and short hack for IPv6 startup
# Bring up the internal interface
ip -6 addr add 2001:DB8::/64 dev br0
ip -6 route add 2001:DB8::/64 dev br0
# set default policy
ip6tables -P INPUT ACCEPT
ip6tables -P OUTPUT ACCEPT
ip6tables -P FORWARD DROP
# Prevent being a rh0 (routing header type 0) host (DROP before we could accept these buggy ones)
ip6tables -I INPUT -m rt --rt-type 0 -j DROP
ip6tables -I OUTPUT -m rt --rt-type 0 -j DROP
ip6tables -I FORWARD -m rt --rt-type 0 -j DROP
# Allow traffic on loopback interface
ip6tables -A INPUT -i lo -j ACCEPT
ip6tables -A OUTPUT -o lo -j ACCEPT
# Allow traffic from local host to the IPv6-tunnel
ip6tables -A OUTPUT -o tun6rd -s 2001::/16 -j ACCEPT
ip6tables -A INPUT -i tun6rd -d 2001::/16 -m state --state RELATED,ESTABLISHED -j ACCEPT
# Allow traffic from local network to local host
ip6tables -A OUTPUT -o br0 -j ACCEPT
ip6tables -A INPUT -i br0 -j ACCEPT
# Allow traffic from local network to tunnel (IPv6 world)
ip6tables -A FORWARD -i br0 -s 2001::/16 -j ACCEPT
ip6tables -A FORWARD -i tun6rd -d 2001::/16 -m state --state RELATED,ESTABLISHED -j ACCEPT
# Allow some special ICMPv6 packettypes, do this in an extra chain because we need it everywhere
ip6tables -N AllowICMPs
# Destination unreachable
ip6tables -A AllowICMPs -p icmpv6 --icmpv6-type 1 -j ACCEPT
# Packet too big
ip6tables -A AllowICMPs -p icmpv6 --icmpv6-type 2 -j ACCEPT
# Time exceeded
ip6tables -A AllowICMPs -p icmpv6 --icmpv6-type 3 -j ACCEPT
# Parameter problem
ip6tables -A AllowICMPs -p icmpv6 --icmpv6-type 4 -j ACCEPT
# Echo Request (protect against flood)
ip6tables -A AllowICMPs -p icmpv6 --icmpv6-type 128 -m limit --limit 5/sec --limit-burst 10 -j ACCEPT
# Echo Reply
ip6tables -A AllowICMPs -p icmpv6 --icmpv6-type 129 -j ACCEPT
# Link in tables INPUT and FORWARD (in Output we allow everything anyway)
ip6tables -A INPUT -p icmpv6 -j AllowICMPs
ip6tables -A FORWARD -p icmpv6 -j AllowICMPs
For me the radvd administration mask didn't work, but I have to admit that I didn't waste much time with it. I just placed my radvd.conf into /jffs/etc and now start radvd with this file by hand at the end of my ipv6.startup script.
You can place your configuration in the admin frontend and later on check via ssh if radvd is running.
Besides that, and only to be sure you don't try to use the included v4 icmp ping, you installed ping6 from OpenWRT Kamikaze and used the ping6 command, right?
Regarding the radvd usage in your script, you should understand that it tries to dynamically determine your /64 and configure radvd on the fly to announce that. I'm not familiar with the odds of ISPs in regard to native IPv6 access. I'm still using a SixXS aiccu tunnel.
matt3D wrote:
startup script:
# Bring up the internal interface
ip -6 addr add 2001:DB8::/64 dev br0
ip -6 route add 2001:DB8::/64 dev br0
This is obviously wrong; I guess from the rest of your script that you can delete it. That's just my example, using the IPv6 range reserved for documentation, illustrating how to bring up the interface for a static /64. Whenever you see an address starting with 2001:DB8: you should replace that with your address space. http://packetlife.net/library/cheat-sheets/ has a nice IPv6 cheat sheet, and the Bieringer Linux IPv6 howto should be near your shelf too.
I can't comment much on the rest ad hoc, but I would suggest you first try to set up everything by hand and afterwards script it. That makes debugging a lot easier. So just bring up the interface, flush all firewall tables and see if that works.
Edit: And restarting radvd (kill -HUP ...) before writing the configuration won't work too. And starting radvd afterwards again will fail (good guess ...) so you should sort that part out a bit.
The following is what I ended up using for my firewall. I have no idea what icmpv6-type 133, 134, 135, and 136 are for, but they seem essential to bring up a webpage like http://ipv6.google.com
# Start from empty tables so re-running this script does not append duplicate rules
ip6tables -F
ip6tables -X
# Default rule DROP for all chains
ip6tables -P INPUT DROP
ip6tables -P OUTPUT DROP
ip6tables -P FORWARD DROP
# Prevent being a rh0 (routing header type 0) host (DROP before we could accept these buggy ones)
ip6tables -I INPUT -m rt --rt-type 0 -j DROP
ip6tables -I OUTPUT -m rt --rt-type 0 -j DROP
ip6tables -I FORWARD -m rt --rt-type 0 -j DROP
# Allow traffic on loopback interface
ip6tables -A INPUT -i lo -j ACCEPT
ip6tables -A OUTPUT -o lo -j ACCEPT
# Allow traffic from local host to the IPv6-tunnel
ip6tables -A OUTPUT -o he-ipv6 -s 2001::/16 -j ACCEPT
ip6tables -A INPUT -i he-ipv6 -d 2001::/16 -m state --state RELATED,ESTABLISHED -j ACCEPT
ip6tables -A OUTPUT -o tun6to4 -s 2001::/16 -j ACCEPT
ip6tables -A INPUT -i tun6to4 -d 2001::/16 -m state --state RELATED,ESTABLISHED -j ACCEPT
# Allow traffic from local network to local host
ip6tables -A OUTPUT -o br0 -j ACCEPT
ip6tables -A INPUT -i br0 -j ACCEPT
# Allow traffic from local network to tunnel (IPv6 world)
ip6tables -A FORWARD -i br0 -s 2001::/16 -j ACCEPT
ip6tables -A FORWARD -i he-ipv6 -d 2001::/16 -m state --state RELATED,ESTABLISHED -j ACCEPT
ip6tables -A FORWARD -i tun6to4 -d 2001::/16 -m state --state RELATED,ESTABLISHED -j ACCEPT
# Allow some special ICMPv6 packettypes, do this in an extra chain because we need it everywhere
ip6tables -N ipv6cfg
# Destination unreachable
ip6tables -A ipv6cfg -p icmpv6 --icmpv6-type 1 -j ACCEPT
# Packet too big
ip6tables -A ipv6cfg -p icmpv6 --icmpv6-type 2 -j ACCEPT
# Time exceeded
ip6tables -A ipv6cfg -p icmpv6 --icmpv6-type 3 -j ACCEPT
# Parameter problem
ip6tables -A ipv6cfg -p icmpv6 --icmpv6-type 4 -j ACCEPT
# Echo Request (protect against flood)
ip6tables -A ipv6cfg -p icmpv6 --icmpv6-type 128 -m limit --limit 5/sec --limit-burst 10 -j ACCEPT
# Echo Reply
ip6tables -A ipv6cfg -p icmpv6 --icmpv6-type 129 -j ACCEPT
# Neighbor discovery: 133 router solicitation, 134 router advertisement, 135 neighbor solicitation, 136 neighbor advertisement
ip6tables -A ipv6cfg -p icmpv6 --icmpv6-type 133 -j ACCEPT
ip6tables -A ipv6cfg -p icmpv6 --icmpv6-type 134 -j ACCEPT
ip6tables -A ipv6cfg -p icmpv6 --icmpv6-type 135 -j ACCEPT
ip6tables -A ipv6cfg -p icmpv6 --icmpv6-type 136 -j ACCEPT
# Link in tables INPUT and FORWARD (in Output we allow everything anyway)
ip6tables -A INPUT -p icmpv6 -j ipv6cfg
ip6tables -A FORWARD -p icmpv6 -j ipv6cfg
The following is what I ended up using for my firewall. I have no idea what icmpv6-type 133, 134, 135, and 136 are for, but they seem essential to bring up a webpage like http://ipv6.google.com
Oh dear stop using the internet now!
That's RS, RA, NS, NA. (Router Solicitation, Router Advertisement, Neighbor Sol, Neighbor Adv).
IMO nearly everybody should stop filtering ICMPv6. It's an essential part of IPv6 for several other things as well, and in most cases you'll do more harm than anything else with filtering.
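Pulling together the rule sets posted in this thread and the points raised against them (rules piling up because nothing flushes first, the 2001::/16 source filter standing in for the site's real prefix, and ICMPv6 being filtered too aggressively), the following is an added example of a firewall script for the same setup. It is not code from the thread, from lv426, or from DD-WRT. It assumes the rt, state, icmp6 and limit extensions are installed as described above, takes the tunnel interface, the LAN bridge and the site's own delegated prefix as parameters, and can be dry-run by setting IP6T=echo so the generated rules can be inspected without touching the router.

```shell
#!/bin/sh
# Added example, not from the thread: a stateful IPv6 firewall for a DD-WRT
# router with one tunnel uplink, built from the rule sets posted above plus
# the replies to them. Assumed: ip6tables with the rt, state, icmp6 and limit
# extensions as installed in this thread. Set IP6T=echo to dry-run.

# All rules go through this wrapper so the whole set can be dry-run.
ip6t() { ${IP6T:-ip6tables} "$@"; }

# icmpv6_chain NAME
#   Build a chain accepting the ICMPv6 types a node cannot work without.
#   Errors (1-4) carry unreachable and Path MTU information; dropping type 2
#   (packet too big) silently kills every flow whose path MTU is below 1500,
#   which on a 1280/1480-byte tunnel is every flow.
icmpv6_chain() {
    ip6t -N "$1"
    for t in 1 2 3 4; do
        ip6t -A "$1" -p icmpv6 --icmpv6-type "$t" -j ACCEPT
    done
    # Echo request, rate limited against floods; echo reply.
    ip6t -A "$1" -p icmpv6 --icmpv6-type 128 -m limit --limit 5/sec --limit-burst 10 -j ACCEPT
    ip6t -A "$1" -p icmpv6 --icmpv6-type 129 -j ACCEPT
    # 133-136: router solicitation/advertisement and neighbour solicitation/
    # advertisement. A node that drops these cannot find its neighbours or
    # its default router. They are link-local by design, so accepting them is
    # harmless on a point-to-point sit tunnel and required on an Ethernet uplink.
    for t in 133 134 135 136; do
        ip6t -A "$1" -p icmpv6 --icmpv6-type "$t" -j ACCEPT
    done
    # Anything else ICMPv6 falls through to the chain policy (DROP).
    ip6t -A "$1" -p icmpv6 -j DROP
}

# ip6fw_apply WAN_IF LAN_IF SITE_PREFIX
#   WAN_IF      tunnel interface (tun6rd, tun6to4, he-ipv6)
#   LAN_IF      the bridge (br0)
#   SITE_PREFIX the prefix delegated to this site, /64 for 6rd, /48 for 6to4
ip6fw_apply() {
    wan=$1; lan=$2; site=$3
    case "$site" in
        */*) ;;
        *)   echo "site prefix needs a length, e.g. 2001:db8:1::/48" >&2; return 1 ;;
    esac

    # Clean slate, so re-running the script does not append a second copy of
    # every rule (the tripled rules in the -L listing above).
    ip6t -F
    ip6t -X
    ip6t -P INPUT DROP
    ip6t -P FORWARD DROP
    ip6t -P OUTPUT DROP

    # Routing header type 0 (deprecated by RFC 5095): drop everywhere, first.
    for c in INPUT FORWARD OUTPUT; do
        ip6t -A $c -m rt --rt-type 0 -j DROP
    done

    # Anti-spoofing: nothing arriving from the tunnel may claim our own prefix.
    ip6t -A INPUT -i "$wan" -s "$site" -j DROP
    ip6t -A FORWARD -i "$wan" -s "$site" -j DROP

    icmpv6_chain ICMPV6_OK

    # Loopback and the LAN side of the router are trusted.
    ip6t -A INPUT -i lo -j ACCEPT
    ip6t -A OUTPUT -o lo -j ACCEPT
    ip6t -A INPUT -i "$lan" -j ACCEPT
    ip6t -A OUTPUT -o "$lan" -j ACCEPT

    # The router itself: anything out, only replies and ICMPv6 back in.
    ip6t -A OUTPUT -o "$wan" -j ACCEPT
    ip6t -A INPUT -i "$wan" -m state --state ESTABLISHED,RELATED -j ACCEPT
    ip6t -A INPUT -i "$wan" -p icmpv6 -j ICMPV6_OK

    # LAN hosts: egress only from our own prefix (no leaked link-local or
    # spoofed sources), ingress only for established flows and ICMPv6.
    ip6t -A FORWARD -i "$lan" -o "$wan" -s "$site" -j ACCEPT
    ip6t -A FORWARD -i "$wan" -o "$lan" -d "$site" -m state --state ESTABLISHED,RELATED -j ACCEPT
    ip6t -A FORWARD -i "$wan" -o "$lan" -d "$site" -p icmpv6 -j ICMPV6_OK
}

# Router use (6rd example with the prefix derived in the startup script):
#   export IP6TABLES_LIB_DIR=/jffs/usr/lib/iptables
#   ip6fw_apply tun6rd br0 "$V6PREFIX::/64"
# Dry run on a workstation:
#   IP6T=echo ip6fw_apply tun6rd br0 2001:db8:1::/64
```

Compared with the posted rule sets, the source and destination filters use the site's own prefix instead of 2001::/16, which both tightens egress (only addresses you actually own leave the tunnel) and adds an explicit anti-spoofing drop for packets arriving from the tunnel with your prefix as source. ICMPv6 is still constrained to a chain, but that chain now carries the neighbour-discovery types the last reply points out, so the router does not depend on the LAN-side blanket ACCEPT to keep ND working.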