I have the new build and it works great :)
is it just me or is that portscanner from he.net quite slow? :p
Quote:
I'm proudly running:
1.9.2.7-d-r815
maybe I'll make a c# ipv6 portscanner, you need a mono version theMIROn?
what for?
he.net uses nmap 5.00, you could use the same from optware.
btw, http://wpte.crabdance.com/ isn't accessible via ipv6, but themiron.ru is =)
Thoughts 'bout ip6tables defaults:
1. filter6_ruses should be grouped by chain, not by match/target, following changes should be applied to rc internally
2. OUTPUT chain should always have default ACCEPT policy, and only REJECT/DROP targets (for ex. -m rt --rt-type - -j DROP/REJECT)
coz output ifs could be br0/vlan1/sixtun/lo - too much to enum them all
3. ipv6-icmp proto used for ipv6 advert (radvd), auto conf, etc, so it shouldn't depend on firewall coz it'll break the overall netability
4. did I miss smth?
Sounds reasonable. No problem, we're still on the way :)
Unfortunately, I don't know yet. Maybe kamil or someone else can help us and answer these questions?
Quote:
2. OUTPUT chain should always have default ACCEPT policy, and only REJECT/DROP targets (for ex. -m rt --rt-type - -j DROP/REJECT)
coz output ifs could be br0/vlan1/sixtun/lo - too much to enum them all
3. ipv6-icmp proto used for ipv6 advert (radvd), auto conf, etc, so it shouldn't depend on firewall coz it'll break the overall netability
I know it's not accessible, though I opened up the port :p
after I added the line
Quote:
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
everything goes open :confused:
Quote:
-A INPUT -d 2001:470:1f14:31e::2/128 -i sixtun -p tcp -m tcp --dport 80 -j ACCEPT
what do you use to open up ports then?
r821 introduced new ipv6 rules in a more flexible way.
Some of the rules are auto generated depending on connection type (in my case lanif=br0, manif=vlan1, wanif=ppp0) and services enabled (ssh port, ftp port).
The SECURITY chain isn't used yet; the logaccept/logdrop chains will be used after turning packet logging on.
Code:
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:SECURITY - [0:0]
:logaccept - [0:0]
:logdrop - [0:0]
-A INPUT -m rt --rt-type 0 -j DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -i <lanif> -j ACCEPT
-A INPUT -p ipv6-icmp -j ACCEPT
-A INPUT -s fe80::/10 -j ACCEPT
-A INPUT -s ff00::/8 -j ACCEPT
-A INPUT -p tcp -m tcp --dport <ssh port> -j ACCEPT
-A INPUT -p tcp -m tcp --dport <ftp port> -j ACCEPT
-A INPUT -j DROP
-A FORWARD -m rt --rt-type 0 -j DROP
-A FORWARD -i <lanif> -o <lanif> -j ACCEPT
-A FORWARD -p ipv6-icmp -j ACCEPT
-A FORWARD -s fe80::/10 -j ACCEPT
-A FORWARD -s ff00::/8 -j ACCEPT
-A FORWARD -i ! br0 -o sixtun -j DROP
-A FORWARD -i ! br0 -o <wanif> -j DROP
-A FORWARD -i ! br0 -o <manif> -j DROP
-A OUTPUT -m rt --rt-type 0 -j DROP
-A SECURITY -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -m limit --limit 1/sec -j RETURN
-A SECURITY -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK RST -m limit --limit 1/sec -j RETURN
-A SECURITY -p udp -m limit --limit 5/sec -j RETURN
-A SECURITY -p icmp -m limit --limit 5/sec -j RETURN
-A SECURITY -j DROP
-A logaccept -j LOG --log-prefix "ACCEPT " --log-tcp-sequence --log-tcp-options --log-ip-options
-A logaccept -j ACCEPT
-A logdrop -j LOG --log-prefix "DROP " --log-tcp-sequence --log-tcp-options --log-ip-options
-A logdrop -j DROP
COMMIT
good stuff... compiling it now
I had about the same script as that, only it was working half :p
can't seem to open up port 80 anymore with both
ftp seems to be open tho... :p
Quote:
ip6tables -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
ip6tables -A INPUT -d 2001:470:1f14:31e::2/128 -i sixtun -p tcp -m tcp --dport 80 -j ACCEPT
Code:
# Generated by ip6tables-save v1.3.8 on Wed Nov 18 00:09:58 2009
*mangle
:PREROUTING ACCEPT [5823:1448054]
:INPUT ACCEPT [4022:326204]
:FORWARD ACCEPT [1276:988388]
:OUTPUT ACCEPT [165:20009]
:POSTROUTING ACCEPT [1443:1008589]
COMMIT
# Completed on Wed Nov 18 00:09:58 2009
# Generated by ip6tables-save v1.3.8 on Wed Nov 18 00:09:58 2009
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [1276:988388]
:OUTPUT ACCEPT [154:19053]
:SECURITY - [0:0]
:logaccept - [0:0]
:logdrop - [0:0]
-A INPUT -m rt --rt-type 0 -j DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -i br0 -j ACCEPT
-A INPUT -p ipv6-icmp -j ACCEPT
-A INPUT -s fe80::/10 -j ACCEPT
-A INPUT -s ff00::/8 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 21 -j ACCEPT
-A INPUT -j DROP
-A INPUT -d 2001:470:1f14:31e::2/128 -i sixtun -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A FORWARD -m rt --rt-type 0 -j DROP
-A FORWARD -i br0 -o br0 -j ACCEPT
-A FORWARD -p ipv6-icmp -j ACCEPT
-A FORWARD -s fe80::/10 -j ACCEPT
-A FORWARD -s ff00::/8 -j ACCEPT
-A FORWARD -i ! br0 -o sixtun -j DROP
-A FORWARD -i ! br0 -o eth1 -j DROP
-A OUTPUT -m rt --rt-type 0 -j DROP
-A SECURITY -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -m limit --limit 1/sec -j RETURN
-A SECURITY -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK RST -m limit --limit 1/sec -j RETURN
-A SECURITY -p udp -m limit --limit 5/sec -j RETURN
-A SECURITY -p icmp -m limit --limit 5/sec -j RETURN
-A SECURITY -j DROP
-A logaccept -j LOG --log-prefix "ACCEPT " --log-tcp-sequence --log-tcp-options --log-ip-options
-A logaccept -j ACCEPT
-A logdrop -j LOG --log-prefix "DROP " --log-tcp-sequence --log-tcp-options --log-ip-options
-A logdrop -j DROP
COMMIT
# Completed on Wed Nov 18 00:09:58 2009
take a closer look at the ruleset.
Code:
-A INPUT -j DROP
-A INPUT -d 2001:470:1f14:31e::2/128 -i sixtun -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
everything in the input chain will be dropped, like it goes with the ipv4 filter table.
the main reason - to implement the logdrop action, coz a chain policy doesn't support anything besides accept and drop.
so you need post-firewall stuff like the following
Code:
# set default input rule
iptables -P INPUT DROP
ip6tables -P INPUT DROP
# remove last default rule (i don't use logdrop)
iptables -D INPUT -j DROP
ip6tables -D INPUT -j DROP
# allow http access
iptables -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
ip6tables -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
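The problem in the posted ip6tables-save dump is ordering: a chain is evaluated top to bottom and stops at the first terminating target, so the unconditional "-A INPUT -j DROP" shadows the two port-80 ACCEPT rules appended after it, which is exactly why the post-firewall snippet switches to a DROP policy, deletes the catch-all and only then appends the ACCEPT rules. The following added example (not code from the thread or the firmware) is a small linter over ip6tables-save text that reports shadowed rules and applies that same fix offline; the SAMPLE ruleset is constructed from the INPUT chain shown earlier in the thread, and parse_rules, shadowed_rules, fix_catch_all and render are names chosen here.

```python
"""Lint an ip6tables-save dump for rules that can never match.

ip6tables walks a chain top to bottom and stops at the first terminating
target (ACCEPT, DROP, REJECT), so a rule without any match expression,
such as "-A INPUT -j DROP", shadows every rule appended after it in the
same chain.  This script finds such shadowed rules and applies the fix
used in the thread: make DROP the chain policy, delete the catch-all rule,
and the ACCEPT rules behind it become reachable again.
"""
import shlex

TERMINATING = {"ACCEPT", "DROP", "REJECT"}

# Constructed sample (assumption: mirrors the INPUT chain from the thread,
# with the two port-80 rules appended after the catch-all DROP).
SAMPLE = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m rt --rt-type 0 -j DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -i br0 -j ACCEPT
-A INPUT -p ipv6-icmp -j ACCEPT
-A INPUT -s fe80::/10 -j ACCEPT
-A INPUT -s ff00::/8 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 21 -j ACCEPT
-A INPUT -j DROP
-A INPUT -d 2001:470:1f14:31e::2/128 -i sixtun -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A FORWARD -m rt --rt-type 0 -j DROP
COMMIT
"""


def parse_rules(dump):
    """Return (policies, rules) for the *filter table of an ip6tables-save dump.

    policies maps chain -> policy; rules is a list of (chain, matches, target)
    where matches is the token list between "-A <chain>" and "-j".
    """
    policies, rules = {}, []
    for line in dump.splitlines():
        line = line.strip()
        if not line or line[0] in "#*" or line == "COMMIT":
            continue
        if line.startswith(":"):
            chain, policy = line[1:].split()[:2]
            policies[chain] = policy
            continue
        tokens = shlex.split(line)  # shlex keeps quoted --log-prefix values intact
        if tokens[:1] != ["-A"] or "-j" not in tokens:
            continue
        j = tokens.index("-j")
        rules.append((tokens[1], tokens[2:j], tokens[j + 1]))
    return policies, rules


def shadowed_rules(rules):
    """Rules that sit after an unconditional terminating rule in the same chain."""
    closed, shadowed = set(), []
    for chain, matches, target in rules:
        if chain in closed:
            shadowed.append((chain, matches, target))
        elif not matches and target in TERMINATING:
            closed.add(chain)  # nothing after this point in the chain is reachable
    return shadowed


def fix_catch_all(policies, rules, chain="INPUT"):
    """Apply the thread's post-firewall fix: policy DROP, no catch-all DROP rule.

    Returns new (policies, rules); the unconditional "-j DROP" is removed from
    the chain so the rules appended after it are evaluated again.
    """
    new_policies = dict(policies, **{chain: "DROP"})
    new_rules = [r for r in rules
                 if not (r[0] == chain and not r[1] and r[2] == "DROP")]
    return new_policies, new_rules


def render(policies, rules):
    """Render back to ip6tables-restore syntax for the *filter table."""
    out = ["*filter"]
    out += [f":{c} {p} [0:0]" for c, p in policies.items()]
    out += [" ".join(["-A", c] + m + ["-j", t]) for c, m, t in rules]
    out.append("COMMIT")
    return "\n".join(out)


if __name__ == "__main__":
    pol, rul = parse_rules(SAMPLE)
    for chain, matches, target in shadowed_rules(rul):
        print(f"unreachable: -A {chain} {' '.join(matches)} -j {target}")
    pol, rul = fix_catch_all(pol, rul)
    print(render(pol, rul))
```

Run it against the output of ip6tables-save on the router (copy the text into SAMPLE or read it from a file); the two port-80 rules are reported as unreachable, and the rendered result has ":INPUT DROP" as policy with no trailing catch-all. If packet logging is turned on, the catch-all is "-j logdrop" rather than "-j DROP", so extend TERMINATING and the filter in fix_catch_all accordingly before trusting the report.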
that does kill your ipv6 tunnel you know...:rolleyes:
Good evening. I'm lucky to have a native IPv6 address provided on the physical vlan1 interface by my provider, 2001.x.x.x/64 (while ipv4 goes through PPTP). I've set a static ipv6 address on vlan1 and set up a default route, so from the router I can reach ipv6 hosts w/o any problem. Also I've set another ipv6 address from the /64 prefix on my br0 interface + set up radvd with the /64 prefix (can't use /80, cause it gives an error). After that I flushed all ip6tables rules and made iptable -A INPUT -p ipv6 -i vlan1 -j accept (just in case). Now I have global addresses provided in my wireless network, and I can ping computers in the network and the router with ping6. But still I can't traceroute6 from my local network to ipv6 hosts (it only does 1 step to the br0 ipv6 address I've assigned for the router and then stops) and I also can't traceroute6 from my router to the local network (strange, it just doesn't jump at all). Would you please give me a hand setting up this configuration. Thank you