
@peterwillcn
Forked from CHEF-KOCH/ipv6startupfix
Created May 4, 2016 14:32

Revisions

  1. @CHEF-KOCH CHEF-KOCH revised this gist Mar 29, 2015. 1 changed file with 7 additions and 2 deletions.
    9 changes: 7 additions & 2 deletions ipv6startupfix
    @@ -1,7 +1,7 @@
    # This is an startup script example, how IPv6 should
    # looks like, if not you will get some seriously
    # problems.
    #
    # Some options may not work on your OS.

    # ICMPv6 Stastics (optional)
    # icmpv6_stats
    @@ -97,4 +97,9 @@ ip6tables -A INPUT -s ff00::/8 -j ACCEPT
    ip6tables -A OUTPUT -s ff00::/8 -j ACCEPT

    # Allow ICMP (such as SLAAC, etc)
    #ip6tables -A INPUT -p icmpv6 -m limit --limit 30/min -j ACCEPT
    #ip6tables -A INPUT -p icmpv6 -m limit --limit 30/min -j ACCEPT

    # Block facebook.com
    #ip6tables -A INPUT -i eth0 -m string --algo bm --string "facebook.com" -j DROP
    #ip6tables -A OUTPUT -m string --algo bm --string "facebook.com" -j DROP
    #ip6tables -A FORWARD -i eth0 -m string --algo bm --string "facebook.com" -j DROP
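Review bot: The commented-out string-match rules on the last three lines of the second hunk name the interface `eth0`, while the rest of this gist matches on `eth0.2` (forwarding and outbound rules) and `br-lan` (the DNS ipset rules), so if these are ever uncommented they would likely match on the wrong interface; a one-line note such as `# NOTE: interface here must match the WAN name used elsewhere (eth0.2 / br-lan) — confirm` would save the next editor a surprise. Independently, a payload match like `-m string --string "facebook.com"` is a weak control: a DNS query carries the name as length-prefixed labels rather than as the dotted literal, so the rule would not match the lookup it appears to target, and it is easily sidestepped by encrypted transports. The rate-limited ICMPv6 accept above it is also still commented out, so ICMPv6 acceptance rests entirely on the per-type rules earlier in the file, which are outside this hunk.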
  2. @CHEF-KOCH CHEF-KOCH revised this gist Mar 29, 2015. 1 changed file with 68 additions and 3 deletions.
    71 changes: 68 additions & 3 deletions ipv6startupfix
    @@ -3,6 +3,18 @@
    # problems.
    #

    # ICMPv6 Stastics (optional)
    # icmpv6_stats

    # Optional may not work on all systems
    ipset flush dns6
    ipset destroy dns6
    ipset -! create dns6 hash:ip family inet6
    ipset add dns6 2001:4860:4860::8888
    ipset add dns6 2001:4860:4860::8844
    ipset add dns6 2620:0:ccc::2
    ipset add dns6 2620:0:ccd::2

    # Default should be DROP (always)
    ip6tables -P INPUT DROP
    ip6tables -P OUTPUT ACCEPT
    @@ -18,8 +30,24 @@ ip6tables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    #... insert ACCEPT's for your lan and whatever other ipv6 addresses you need with full access here...
    # replace -> you:ipv6:dns:server with your DNS sever e.g. OpenDNS uses 2620:0:ccc::2 and 2620:0:ccd::2
    # to allow DNS
    ip6tables -A INPUT -p udp -d you:ipv6:dns:server:address --dport 25 -j ACCEPT
    ip6tables -A INPUT -p tcp -d you:ipv6:dns:server:address --dport 25 -j ACCEPT
    #ip6tables -A INPUT -p udp -d you:ipv6:dns:server:address --dport 25 -j ACCEPT
    #ip6tables -A INPUT -p tcp -d you:ipv6:dns:server:address --dport 25 -j ACCEPT
    ip6tables -I OUTPUT -o br-lan -p udp -m set --match-set dns6 dst --dport 53 -j ACCEPT
    ip6tables -I INPUT -i br-lan -p udp -m set --match-set dns6 src --sport 53 -j ACCEPT
    #ip6tables -I INPUT -i br-lan -m set --match-set dns src -j ACCEPT
    #ip6tables -I OUTPUT -o br-lan -m set --match-set dns dst -j ACCEPT

    # Allow DHCPv6 configuration
    ip6tables -A INPUT -p udp --sport 547 --dport 546 -j ACCEPT
    ip6tables -A FORWARD -s fe80::/10 -p udp --sport 547 --dport 546 -j ACCEPT

    # Allow forwarding
    #ip6tables -A FORWARD -m state --state NEW -m physdev ! --physdev-in eth0.2 -j ACCEPT
    #ip6tables -A FORWARD -m state --state NEW -p tcp --dport 22 -m physdev --physdev-in eth0.2 -j ACCEPT
    ip6tables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    #ip6tables -t mangle -A PREROUTING -p udp -m udp --sport 53 -j DSCP --set-dscp-class ef
    #ip6tables -t mangle -A PREROUTING -p udp -m udp --dport 53 -j DSCP --set-dscp-class eftables DROP]:'
    #ip6tables -A DROP_LOG -j REJECT --reject-with icmp6-port-unreachable

    # And.. importantly..
    # replace your:gateway:ip with your gateway (of wanted - but important for icmpv6)
    @@ -32,4 +60,41 @@ ip6tables -A INPUT -s your:gateway:ip -p icmpv6 --icmpv6-type 136 -j ACCEPT

    # You *will* need the above accepts regardless since your default policy
    # is DROP, if not, you may find ipv6 reachable problems, in fact, you may
    # not even be able to connect outbound without types 135/136 (neighbour discovery)!
    # not even be able to connect outbound without types 135/136 (neighbour discovery)!

    # Doing statistics on icmp6 (optional)
    ip6tables -A OUTPUT -p 58 -j ICMP6_STATS
    ip6tables -A FORWARD -p 58 -j ICMP6_STATS

    # Stealth Scans etc. DROPen
    ip6tables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
    ip6tables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
    ip6tables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
    ip6tables -A INPUT -p tcp --tcp-flags FIN,RST FIN,RST -j DROP
    ip6tables -A INPUT -p tcp --tcp-flags ACK,FIN FIN -j DROP
    ip6tables -A INPUT -p tcp --tcp-flags ACK,PSH PSH -j DROP
    ip6tables -A INPUT -p tcp --tcp-flags ACK,URG URG -j DROP

    # Drop packets with routing header type 0 and any remaining segments (more than 0)
    # deprecating RFC: http://www.ietf.org/rfc/rfc5095.txt
    ip6tables -A INPUT -m rt --rt-type 0 -j DROP
    ip6tables -A OUTPUT -m rt --rt-type 0 -j DROP
    ip6tables -A FORWARD -m rt --rt-type 0 -j DROP

    # Allow anything on the local link
    ip6tables -A INPUT -i lo -j ACCEPT
    ip6tables -A OUTPUT -o lo -j ACCEPT

    # Allow anything out on the internet
    ip6tables -A OUTPUT -o eth0.2 -j ACCEPT

    # Allow Link-Local addresses
    ip6tables -A INPUT -s fe80::/10 -j ACCEPT
    ip6tables -A OUTPUT -s fe80::/10 -j ACCEPT

    # Allow multicast
    ip6tables -A INPUT -s ff00::/8 -j ACCEPT
    ip6tables -A OUTPUT -s ff00::/8 -j ACCEPT

    # Allow ICMP (such as SLAAC, etc)
    #ip6tables -A INPUT -p icmpv6 -m limit --limit 30/min -j ACCEPT
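Review bot: The DNS allow rules in the second hunk (`ip6tables -A INPUT -p udp -d you:ipv6:dns:server:address --dport 25 -j ACCEPT` and its tcp twin, carried over from the original revision's lines for the same purpose) match `--dport 25`, which is SMTP, so the "to allow DNS" comment does not describe them; with INPUT policy DROP it is the new ipset rules (`--match-set dns6 src --sport 53`) that actually admit DNS replies, and the port-25 lines should be corrected to `--dport 53` or removed rather than left active beside their commented copies. In the fourth hunk the multicast rules match `-s ff00::/8`, but multicast addresses are never valid source addresses, so those two rules can never match; the original revision's `-d ff00::/8` form is the one that works. The same hunk jumps to `ICMP6_STATS`, and the third hunk to `DROP_LOG`, yet neither user chain is created anywhere visible in the gist; unless they are defined elsewhere, ip6tables will reject those lines and, with no `set -e` or per-command error check, the script continues with a partial ruleset. Nothing visible flushes the ip6tables chains before rules are appended (the ipset block does flush and destroy `dns6`), so re-running the script appends a second copy of every rule. The line ending `--set-dscp-class eftables DROP]:'` in the third hunk is a garbled comment left over from an edit and should be cleaned up.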
  3. @CHEF-KOCH CHEF-KOCH created this gist Mar 29, 2015.
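--- a/ipv6startupfix
+++ b/ipv6startupfix
@@ -0,0 +1,35 @@
+# This is an startup script example, how IPv6 should
+# looks like, if not you will get some seriously
+# problems.
+#
+
+# Default should be DROP (always)
+ip6tables -P INPUT DROP
+ip6tables -P OUTPUT ACCEPT
+ip6tables -P FORWARD DROP
+
+# Accept only stuff that is necassary
+ip6tables -A INPUT -i lo -j ACCEPT
+ip6tables -A INPUT -s fe80::/10 -j ACCEPT
+ip6tables -A INPUT -d ff00::/8 -j ACCEPT
+ip6tables -A INPUT -p tcp -m tcp --dport 22 -m state --state INVALID,NEW -j LOG
+ip6tables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
+
+#... insert ACCEPT's for your lan and whatever other ipv6 addresses you need with full access here...
+# replace -> you:ipv6:dns:server with your DNS sever e.g. OpenDNS uses 2620:0:ccc::2 and 2620:0:ccd::2
+# to allow DNS
+ip6tables -A INPUT -p udp -d you:ipv6:dns:server:address --dport 25 -j ACCEPT
+ip6tables -A INPUT -p tcp -d you:ipv6:dns:server:address --dport 25 -j ACCEPT
+
+# And.. importantly..
+# replace your:gateway:ip with your gateway (of wanted - but important for icmpv6)
+ip6tables -A INPUT -p icmpv6 --icmpv6-type 1 -j ACCEPT # Destination unreachable
+ip6tables -A INPUT -p icmpv6 --icmpv6-type 2 -j ACCEPT # Packet too big
+ip6tables -A INPUT -p icmpv6 --icmpv6-type 3 -j ACCEPT # Time exceeded
+ip6tables -A INPUT -p icmpv6 --icmpv6-type 4 -j ACCEPT # Parameter problem
+ip6tables -A INPUT -s your:gateway:ip -p icmpv6 --icmpv6-type 135 -j ACCEPT
+ip6tables -A INPUT -s your:gateway:ip -p icmpv6 --icmpv6-type 136 -j ACCEPT
+
+# You *will* need the above accepts regardless since your default policy
+# is DROP, if not, you may find ipv6 reachable problems, in fact, you may
+# not even be able to connect outbound without types 135/136 (neighbour discovery)!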
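Review bot: The SSH rule `ip6tables -A INPUT -p tcp -m tcp --dport 22 -m state --state INVALID,NEW -j LOG` has no rate limit, so any sweep of port 22 can flood the kernel log; a `-m limit --limit 5/min --limit-burst 10` clause before `-j LOG` bounds that, and since LOG is non-terminating the packet then falls through to the DROP policy, which is probably intended but deserves a comment such as `# log new SSH attempts; they are dropped by the INPUT policy`. The three `-P ... DROP` policies are applied before any ACCEPT rule exists, so on a live host reached over SSH there is a window where the ESTABLISHED,RELATED rule further down is not yet loaded; appending the accept rules first and setting the policies last, or loading the whole set atomically with `ip6tables-restore`, avoids that. Neighbour discovery types 135/136 are accepted only from `your:gateway:ip`, but the earlier `-s fe80::/10 -j ACCEPT` already admits link-local sources, so it is worth a comment stating which of the two rules is meant to carry NDP so a later tightening of the link-local rule does not silently break it.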