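#!/bin/sh
# Example IPv6 startup firewall (ip6tables) for a host or small router.
#
# Shows the minimum rule set IPv6 needs under a DROP policy: without the
# ICMPv6 and neighbour-discovery accepts below, a host cannot even reach
# its own gateway.  Some options may not be available on every OS/kernel.
#
# Interface names and the gateway address are parameters; override them
# in the environment before running (LAN_IF=... WAN_IF=... GW6=<gateway>).
#
# NOTE(review): nothing is flushed here, so re-running the script appends a
# second copy of every rule.  If this script owns the whole filter table,
# flush INPUT/OUTPUT/FORWARD before the policy lines below.

LAN_IF=${LAN_IF:-br-lan}
WAN_IF=${WAN_IF:-eth0.2}
# Gateway address for the neighbour-discovery accepts.  The two rules that
# use it fail to load until the placeholder is replaced.
GW6=${GW6:-your:gateway:ip}

# ICMPv6 statistics chain (optional).  The stats rules at the end are only
# installed when the ICMP6_STATS chain actually exists.
# icmpv6_stats

# Default policy is DROP for anything we do not explicitly accept.
ip6tables -P INPUT DROP
ip6tables -P OUTPUT ACCEPT
ip6tables -P FORWARD DROP

# ---- Invalid / hostile packets.  These DROPs come before every ACCEPT so
# ---- the link-local, multicast and conntrack accepts below cannot let
# ---- them through (in the original order a scan from a link-local source
# ---- was accepted before the flag checks were reached).

# Routing header type 0 was deprecated by RFC 5095 (amplification vector);
# drop it in every direction.
ip6tables -A INPUT   -m rt --rt-type 0 -j DROP
ip6tables -A OUTPUT  -m rt --rt-type 0 -j DROP
ip6tables -A FORWARD -m rt --rt-type 0 -j DROP

# TCP flag combinations that never occur in legitimate traffic (stealth
# scans etc.): drop them.
ip6tables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
ip6tables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
ip6tables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
ip6tables -A INPUT -p tcp --tcp-flags FIN,RST FIN,RST -j DROP
ip6tables -A INPUT -p tcp --tcp-flags ACK,FIN FIN -j DROP
ip6tables -A INPUT -p tcp --tcp-flags ACK,PSH PSH -j DROP
ip6tables -A INPUT -p tcp --tcp-flags ACK,URG URG -j DROP

# ---- Loopback, link-local and multicast (NDP, MLD and router
# ---- advertisements all use link-local sources and multicast targets).
# ---- Each rule appears once; the original listed lo and fe80::/10 twice.
ip6tables -A INPUT  -i lo -j ACCEPT
ip6tables -A OUTPUT -o lo -j ACCEPT
ip6tables -A INPUT  -s fe80::/10 -j ACCEPT
ip6tables -A OUTPUT -s fe80::/10 -j ACCEPT
# Multicast is matched on the destination only.  A multicast address is
# never a valid *source* (RFC 4291), so the old "-s ff00::/8 ACCEPT" rules
# were dropped; such packets now fall to the DROP policy.
ip6tables -A INPUT -d ff00::/8 -j ACCEPT

# ---- Replies to connections we opened.
ip6tables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

# ---- ICMPv6.  You *will* need these under a DROP policy (RFC 4890); in
# ---- particular, without types 135/136 (neighbour discovery) you may not
# ---- be able to connect outbound at all.
ip6tables -A INPUT -p icmpv6 --icmpv6-type 1 -j ACCEPT   # destination unreachable
ip6tables -A INPUT -p icmpv6 --icmpv6-type 2 -j ACCEPT   # packet too big (PMTUD)
ip6tables -A INPUT -p icmpv6 --icmpv6-type 3 -j ACCEPT   # time exceeded
ip6tables -A INPUT -p icmpv6 --icmpv6-type 4 -j ACCEPT   # parameter problem
# Neighbour solicitation/advertisement from the gateway.  On-link hosts
# that use link-local sources are already covered by the fe80::/10 accept
# above; this pair is for a gateway using a global source address.
ip6tables -A INPUT -s "$GW6" -p icmpv6 --icmpv6-type 135 -j ACCEPT
ip6tables -A INPUT -s "$GW6" -p icmpv6 --icmpv6-type 136 -j ACCEPT
# Rate-limited catch-all for the remaining ICMPv6 types (echo, MLD, SLAAC):
#ip6tables -A INPUT -p icmpv6 -m limit --limit 30/min -j ACCEPT

# ---- DNS, restricted to the resolvers in the dns6 ipset (optional; needs
# ---- ipset support).  "create -!" then "flush" yields the same empty set
# ---- as the old flush/destroy/create but does not error on a first run,
# ---- when the set does not exist yet.
if command -v ipset >/dev/null 2>&1; then
  ipset -! create dns6 hash:ip family inet6
  ipset flush dns6
  ipset add dns6 2001:4860:4860::8888
  ipset add dns6 2001:4860:4860::8844
  ipset add dns6 2620:0:ccc::2
  ipset add dns6 2620:0:ccd::2
  # Appended (not inserted at the head) so the rt-type-0 and flag DROPs
  # above still apply to DNS packets.
  ip6tables -A OUTPUT -o "$LAN_IF" -p udp -m set --match-set dns6 dst --dport 53 -j ACCEPT
  ip6tables -A INPUT  -i "$LAN_IF" -p udp -m set --match-set dns6 src --sport 53 -j ACCEPT
  #ip6tables -A INPUT  -i "$LAN_IF" -m set --match-set dns src -j ACCEPT
  #ip6tables -A OUTPUT -o "$LAN_IF" -m set --match-set dns dst -j ACCEPT
fi
# Without ipset: replace you:ipv6:dns:server:address with your resolver
# (e.g. OpenDNS uses 2620:0:ccc::2 and 2620:0:ccd::2).  Replies arrive
# *from* port 53 (the original comment said --dport 25, which is SMTP).
#ip6tables -A INPUT -p udp -s you:ipv6:dns:server:address --sport 53 -j ACCEPT
#ip6tables -A INPUT -p tcp -s you:ipv6:dns:server:address --sport 53 -j ACCEPT

# ---- DHCPv6 (server/relay port 547 -> client port 546).
ip6tables -A INPUT -p udp --sport 547 --dport 546 -j ACCEPT
ip6tables -A FORWARD -s fe80::/10 -p udp --sport 547 --dport 546 -j ACCEPT

# ---- Log new and invalid SSH attempts.  No ACCEPT for port 22 follows, so
# ---- attempts from non-link-local sources fall to the DROP policy.  The
# ---- limit keeps a scan from filling the log (an unlimited LOG rule is a
# ---- disk/CPU DoS vector in its own right).
ip6tables -A INPUT -p tcp -m tcp --dport 22 -m conntrack --ctstate INVALID,NEW \
  -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "ip6tables ssh: "

#... insert ACCEPT's for your LAN and whatever other IPv6 addresses need
#    full access here ...

# ---- Forwarding (router only).
ip6tables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
#ip6tables -A FORWARD -m conntrack --ctstate NEW -m physdev ! --physdev-in "$WAN_IF" -j ACCEPT
#ip6tables -A FORWARD -m conntrack --ctstate NEW -p tcp --dport 22 -m physdev --physdev-in "$WAN_IF" -j ACCEPT

# ---- Outbound to the internet.  The OUTPUT policy is already ACCEPT; the
# ---- rule is kept so the set stays correct if that policy is later
# ---- tightened to DROP.
ip6tables -A OUTPUT -o "$WAN_IF" -j ACCEPT

# Optional DSCP marking of DNS traffic (mangle table):
#ip6tables -t mangle -A PREROUTING -p udp -m udp --sport 53 -j DSCP --set-dscp-class ef
#ip6tables -t mangle -A PREROUTING -p udp -m udp --dport 53 -j DSCP --set-dscp-class ef
# NOTE(review): the DROP_LOG chain definition is truncated in the source;
# only the tail of a --log-prefix '... DROP]:' line survived.  The chain
# must be created (ip6tables -N DROP_LOG plus a rate-limited LOG rule)
# before the rule below can be used.
#ip6tables -A DROP_LOG -j REJECT --reject-with icmp6-port-unreachable

# ---- ICMPv6 statistics (optional).  The original jumped to ICMP6_STATS
# ---- unconditionally and failed when the chain had not been created.
if ip6tables -n -L ICMP6_STATS >/dev/null 2>&1; then
  ip6tables -A OUTPUT  -p 58 -j ICMP6_STATS
  ip6tables -A FORWARD -p 58 -j ICMP6_STATS
fi

# Block facebook.com by payload string match.  Only catches plaintext
# occurrences of the exact string; it does nothing for TLS traffic and is
# an exact byte match, so treat it as a demo rather than a control.
#ip6tables -A INPUT   -i "$WAN_IF" -m string --algo bm --string "facebook.com" -j DROP
#ip6tables -A OUTPUT  -m string --algo bm --string "facebook.com" -j DROP
#ip6tables -A FORWARD -i "$WAN_IF" -m string --algo bm --string "facebook.com" -j DROP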