- cd src/gateway
- vi .config
- make oldconfig
- make install
Update 2, 13:26: More problems discovered:
- ip6tables-save/ip6tables-restore missing - fixed in r802
- "state" match missing in kernel for ipv6 - I need extra time to fix this
I'm going to hardcode the following ipv6 firewall rules into rc:
kamil - is it OK for the first step?
Code:
# Disable processing of any RH0 packet
ip6tables -A INPUT -m rt --rt-type 0 -j DROP
ip6tables -A OUTPUT -m rt --rt-type 0 -j DROP
ip6tables -A FORWARD -m rt --rt-type 0 -j DROP
ip6tables -A INPUT -t filter -i lo -j ACCEPT
ip6tables -A OUTPUT -t filter -o lo -j ACCEPT
ip6tables -A FORWARD -t filter -o lo -j ACCEPT
ip6tables -A OUTPUT -o sixtun -j ACCEPT
ip6tables -A OUTPUT -o br0 -j ACCEPT
ip6tables -A INPUT -i br0 -j ACCEPT
# Allow ICMP (conditional?)
ip6tables -A INPUT -p icmpv6 -j ACCEPT
ip6tables -A OUTPUT -p icmpv6 -j ACCEPT
ip6tables -A FORWARD -p icmpv6 -j ACCEPT
# Allow Link-Local addresses
ip6tables -A INPUT -s fe80::/10 -j ACCEPT
ip6tables -A OUTPUT -s fe80::/10 -j ACCEPT
# Allow multicast
ip6tables -A INPUT -s ff00::/8 -j ACCEPT
ip6tables -A OUTPUT -s ff00::/8 -j ACCEPT
Last edited by lly; 14-11-2009 at 11:09.
PS: I tested the scripts in VirtualBox and the ISO rescuecd - http://rescuecd.pld-linux.org/downlo...RCDx86_297.iso
Bad news - kernel 2.4.X doesn't support ipv6 connection tracking (ip6_conntrack) at all. And nobody has done a backport from the 2.6 line.
Also, I can't find an ipv6 TCPMSS module for 2.4 ...
About radvd - many software developers increase versions too rapidly, without any real change in core functionality, especially in commercial software. So, I don't want to repair new bugs in a new version caused by incompatibility with our obsolete 2.4 kernel.
Last edited by lly; 14-11-2009 at 13:17.
or lly can add something like this into the beginning:
I'm not sure how drop will work out, I always had bad luck with it, meaning that the tunnel was blocked
POLICY="DROP"
ip6tables -P OUTPUT $POLICY
ip6tables -P INPUT $POLICY
ip6tables -P FORWARD $POLICY
maybe when there is more time we can give it a shot?
But ip6_conntrack is highly independent, so I think it isn't difficult to port it to Linux 2.4. Please try below.
Last edited by lly; 14-11-2009 at 13:56.
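A stateless, default-DROP variant of the two rule sets above (lly's rules plus theMIROn's DROP policy), written here as an added example; it is not lly's rc script and not part of Oleg's firmware. It assumes the interface names sixtun (tunnel) and br0 (LAN) from the thread and that the ip6tables tcp match accepts `! --syn`; since 2.4 has no ip6_conntrack, returning TCP traffic is admitted by flag rather than by state.

```shell
#!/bin/sh
# Added example: stateless ip6tables ruleset for a 2.4 kernel without ip6_conntrack.
# IP6T defaults to the real binary; set IP6T=echo to print the rules instead of applying them.
IP6T="${IP6T:-ip6tables}"
LAN="${LAN:-br0}"       # LAN bridge, as named in the thread
TUN="${TUN:-sixtun}"    # IPv6 tunnel interface, as named in the thread

ip6fw_rules() {
    # Clean slate with default DROP policies (theMIROn's suggestion)
    $IP6T -F
    $IP6T -P INPUT DROP
    $IP6T -P OUTPUT DROP
    $IP6T -P FORWARD DROP
    # Drop Type 0 routing headers in every chain (lly's RH0 rules)
    for chain in INPUT OUTPUT FORWARD; do
        $IP6T -A $chain -m rt --rt-type 0 -j DROP
    done
    # Loopback
    $IP6T -A INPUT -i lo -j ACCEPT
    $IP6T -A OUTPUT -o lo -j ACCEPT
    # ICMPv6 carries neighbour discovery and PMTU; keep it in every chain
    for chain in INPUT OUTPUT FORWARD; do
        $IP6T -A $chain -p icmpv6 -j ACCEPT
    done
    # LAN side is trusted: br0 may reach the router and be forwarded out the tunnel
    $IP6T -A INPUT -i $LAN -j ACCEPT
    $IP6T -A OUTPUT -o $LAN -j ACCEPT
    $IP6T -A FORWARD -i $LAN -o $TUN -j ACCEPT
    # Router-originated traffic may leave through the tunnel
    $IP6T -A OUTPUT -o $TUN -j ACCEPT
    # No conntrack: admit returning traffic by shape instead of state.
    # Replies to connections we opened never carry a bare SYN (assumes '! --syn' support).
    $IP6T -A INPUT -i $TUN -p tcp ! --syn -j ACCEPT
    $IP6T -A FORWARD -i $TUN -o $LAN -p tcp ! --syn -j ACCEPT
    # UDP has no handshake; without conntrack, admit only DNS replies by source port
    $IP6T -A INPUT -i $TUN -p udp --sport 53 -j ACCEPT
    $IP6T -A FORWARD -i $TUN -o $LAN -p udp --sport 53 -j ACCEPT
    # Anything else arriving from the tunnel (unsolicited SYN, other UDP) hits the DROP policy
}

# Number of -A rules the script emits, computed from a dry run (IP6T=echo)
ip6fw_rule_count() {
    (IP6T=echo; ip6fw_rules) | grep -c '^-A '
}
```

Run with `IP6T=echo sh script.sh` first to review the generated rules before applying them on the router.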
Just set up an ipv6 tunnel via http://tunnelbroker.net, works fine
btw, do we need the following (for the first approach without detailed interface names)?
iptables -I FORWARD -p ipv6 (-i/o sixtun/br0) -j ACCEPT
iptables -t nat -I POSTROUTING -p ! ipv6 ... -j MASQUERADE
Last edited by theMIROn; 15-11-2009 at 21:16.
My scripts are written for other routers where the base system is Linux with kernel 2.6.x
Oleg's software has poor ipv6 support (no mtr6, traceroute6, ip6tables)... but basic support is there (ping6, firmware 184.108.40.206-10 compiled with ipv6)... - I can't create scripts where the base system doesn't fully support ipv6 (Oleg's firmware)
Last edited by kamil; 14-11-2009 at 18:22.