IPv6 firewall on Linux router
I have an IPv6 tunnel (he.net) on my NAT router. I also have a simple firewall and routing setup to allow hosts behind the router to use IPv6 address space. Unfortunately only outgoing connectivity and incoming icmp works for these hosts.
#!/bin/bash
PUBIF="he-ipv6"   # tunnel interface towards he.net
LOCIF="vmbr0"     # LAN-side bridge
echo "Starting IPv6 firewall..."
# flush all rules and user-defined chains in the filter and mangle tables
ip6tables -F
ip6tables -X
ip6tables -t mangle -F
ip6tables -t mangle -X
# loopback is always allowed
ip6tables -A INPUT -i lo -j ACCEPT
ip6tables -A OUTPUT -o lo -j ACCEPT
# default deny on all three chains
ip6tables -P INPUT DROP
ip6tables -P OUTPUT DROP
ip6tables -P FORWARD DROP
# stateful rules for the router's own traffic on the tunnel
ip6tables -A INPUT -i $PUBIF -m state --state ESTABLISHED,RELATED -j ACCEPT
ip6tables -A OUTPUT -o $PUBIF -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
# drop packets carrying a type 0 routing header
ip6tables -A INPUT -m rt --rt-type 0 -j DROP
ip6tables -A FORWARD -m rt --rt-type 0 -j DROP
ip6tables -A OUTPUT -m rt --rt-type 0 -j DROP
# link-local and multicast traffic to/from the router itself
ip6tables -A INPUT -s fe80::/10 -j ACCEPT
ip6tables -A OUTPUT -s fe80::/10 -j ACCEPT
ip6tables -A INPUT -d ff00::/8 -j ACCEPT
ip6tables -A OUTPUT -d ff00::/8 -j ACCEPT
# the LAN may talk to the router freely
ip6tables -A INPUT -i $LOCIF -j ACCEPT
ip6tables -A OUTPUT -o $LOCIF -j ACCEPT
# forwarding: LAN to tunnel unrestricted, tunnel to LAN only icmpv6, plus replies
ip6tables -A FORWARD -i $LOCIF -o $PUBIF -j ACCEPT
ip6tables -A FORWARD -i $PUBIF -o $LOCIF -p icmpv6 -j ACCEPT
ip6tables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# ICMPv6 to/from the router over the tunnel
ip6tables -A INPUT -i $PUBIF -p ipv6-icmp -j ACCEPT
ip6tables -A OUTPUT -o $PUBIF -p ipv6-icmp -j ACCEPT
# one service on the router reachable from the tunnel; log and drop the rest
ip6tables -A INPUT -i $PUBIF -p tcp --destination-port 65000 -j ACCEPT
ip6tables -A INPUT -i $PUBIF -j LOG
ip6tables -A INPUT -i $PUBIF -j DROP
What did I miss here?
iptables firewall routing nat ipv6
asked 6 hours ago by Syn Romana
1 Answer
You're only allowing ICMP inward!
ip6tables -A FORWARD -i $PUBIF -o $LOCIF -p icmpv6 -j ACCEPT
Compare it to the previous rule where you allow all traffic outward.
ip6tables -A FORWARD -i $LOCIF -o $PUBIF -j ACCEPT
BTW, these rules are redundant; the Linux kernel has automatically dropped this traffic since about 2.6.25 (2007-ish). You can safely remove them. And you should reevaluate whatever tutorial you found them in, as it is probably very far out of date.
ip6tables -A INPUT -m rt --rt-type 0 -j DROP
ip6tables -A FORWARD -m rt --rt-type 0 -j DROP
ip6tables -A OUTPUT -m rt --rt-type 0 -j DROP
answered 6 hours ago by Michael Hampton ♦
Yes, the incoming traffic rule was an issue. Thanks for pointing that out. – Syn Romana, 4 hours ago
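The change the answer points at, written out as an added example (not the poster's script and not the answerer's code): a FORWARD chain that admits only chosen inbound services to LAN hosts instead of icmpv6 alone, leaves out the redundant rt-type 0 rules, and logs what it drops. The internal addresses and ports in INBOUND_SERVICES are constructed placeholders, and IP6T defaults to echo so the rules print as a dry run; set IP6T=ip6tables to apply them.

```shell
#!/bin/sh
# Added example: FORWARD chain for a router with a tunnel (PUBIF) and a LAN (LOCIF).
# IP6T defaults to "echo" (dry run); IP6T=ip6tables applies the rules for real.
IP6T="${IP6T:-echo}"
PUBIF="he-ipv6"
LOCIF="vmbr0"
# Constructed placeholders: "address/port" pairs reachable from the tunnel.
INBOUND_SERVICES="2001:db8:1::10/443 2001:db8:1::20/22"

forward_rules() {
    # First argument overrides the command used (e.g. "echo" to preview).
    ip6t="${1:-$IP6T}"
    # Replies and related packets in either direction come first.
    $ip6t -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # Anything originating on the LAN may leave through the tunnel.
    $ip6t -A FORWARD -i "$LOCIF" -o "$PUBIF" -j ACCEPT
    # ICMPv6 must pass inbound for path MTU discovery to keep working.
    $ip6t -A FORWARD -i "$PUBIF" -o "$LOCIF" -p icmpv6 -j ACCEPT
    # Only these NEW inbound TCP connections reach LAN hosts.
    for svc in $INBOUND_SERVICES; do
        $ip6t -A FORWARD -i "$PUBIF" -o "$LOCIF" -d "${svc%/*}" \
            -p tcp --dport "${svc#*/}" -m conntrack --ctstate NEW -j ACCEPT
    done
    # Rate-limited log of everything else inbound, then drop it explicitly.
    # (No rt-type 0 rules: the kernel already drops type 0 routing headers.)
    $ip6t -A FORWARD -i "$PUBIF" -o "$LOCIF" -m limit --limit 5/min \
        -j LOG --log-prefix "ip6fw-fwd-drop: "
    $ip6t -A FORWARD -i "$PUBIF" -o "$LOCIF" -j DROP
}

# Stand-alone run: prints the rules with the default IP6T=echo.
forward_rules
```

The FORWARD policy is expected to be DROP as in the poster's script; the final explicit DROP exists so the preceding LOG rule has a clear end and counters are visible in ip6tables -L -v.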