what for?
he.net uses nmap 5.00, you could use the same from optware.
btw, http://wpte.crabdance.com/ isn't accessible via ipv6, but themiron.ru is =)
I have the new build and it works great
is it just me or is that portscanner from he.net quite slow?
I'm proudly running:
1.9.2.7-d-r815
maybe I'll make a c# ipv6 portscanner, you need a mono version theMIROn?
ASUS WL5xx: FW 1.9.2.7-d-rXXXX / firmware discussion [RU] / firmware discussion [EN] | bip irc proxy
ASUS RT-N1x: FW 1.9.2.7-rtn-rXXXX / firmware discussion [RU] / firmware discussion [EN] | fake ident daemon
Thoughts 'bout ip6tables defaults:
1. filter6_ruses should be grouped by chain, not by match/target, following changes should be applied to rc internally
2. OUTPUT chain should always have default ACCEPT policy, and only REJECT/DROP targets (for ex. -m rt --rt-type - -j DROP/REJECT)
coz output ifs could be br0/vlan1/sixtun/lo - too much to enum them all
3. ipv6-icmp proto used for ipv6 advert (radvd), auto conf, etc, so it shouldn't depend on firewall coz it'll break the overall netability
4. did I miss smth?
Sounds reasonable. No problem, we're still on the way.
Quote:
2. OUTPUT chain should always have default ACCEPT policy, and only REJECT/DROP targets (for ex. -m rt --rt-type - -j DROP/REJECT)
coz output ifs could be br0/vlan1/sixtun/lo - too much to enum them all
3. ipv6-icmp proto used for ipv6 advert (radvd), auto conf, etc, so it shouldn't depend on firewall coz it'll break the overall netability
Unfortunately, I don't know yet. Maybe kamil or someone else can help us and answer these questions?
With r821 new ipv6 rules are introduced in a more flexible way.
Some of the rules are auto generated depending on connection type (in my case lanif=br0, manif=vlan1, wanif=ppp0) and services enabled (ssh port, ftp port).
The SECURITY chain isn't used yet; the logaccept/logdrop chains will be used after turning packet logging on.
Code:
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:SECURITY - [0:0]
:logaccept - [0:0]
:logdrop - [0:0]
-A INPUT -m rt --rt-type 0 -j DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -i <lanif> -j ACCEPT
-A INPUT -p ipv6-icmp -j ACCEPT
-A INPUT -s fe80::/10 -j ACCEPT
-A INPUT -s ff00::/8 -j ACCEPT
-A INPUT -p tcp -m tcp --dport <ssh port> -j ACCEPT
-A INPUT -p tcp -m tcp --dport <ftp port> -j ACCEPT
-A INPUT -j DROP
-A FORWARD -m rt --rt-type 0 -j DROP
-A FORWARD -i <lanif> -o <lanif> -j ACCEPT
-A FORWARD -p ipv6-icmp -j ACCEPT
-A FORWARD -s fe80::/10 -j ACCEPT
-A FORWARD -s ff00::/8 -j ACCEPT
-A FORWARD -i ! br0 -o sixtun -j DROP
-A FORWARD -i ! br0 -o <wanif> -j DROP
-A FORWARD -i ! br0 -o <manif> -j DROP
-A OUTPUT -m rt --rt-type 0 -j DROP
-A SECURITY -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -m limit --limit 1/sec -j RETURN
-A SECURITY -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK RST -m limit --limit 1/sec -j RETURN
-A SECURITY -p udp -m limit --limit 5/sec -j RETURN
-A SECURITY -p icmp -m limit --limit 5/sec -j RETURN
-A SECURITY -j DROP
-A logaccept -j LOG --log-prefix "ACCEPT " --log-tcp-sequence --log-tcp-options --log-ip-options
-A logaccept -j ACCEPT
-A logdrop -j LOG --log-prefix "DROP " --log-tcp-sequence --log-tcp-options --log-ip-options
-A logdrop -j DROP
COMMIT
good stuff... compiling it now
I had about the same script as that, only it was half working.
can't seem to open up port 80 anymore with both
ftp seems to be open tho...
Code:
ip6tables -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
ip6tables -A INPUT -d 2001:470:1f14:31e::2/128 -i sixtun -p tcp -m tcp --dport 80 -j ACCEPT
Code:
# Generated by ip6tables-save v1.3.8 on Wed Nov 18 00:09:58 2009
*mangle
:PREROUTING ACCEPT [5823:1448054]
:INPUT ACCEPT [4022:326204]
:FORWARD ACCEPT [1276:988388]
:OUTPUT ACCEPT [165:20009]
:POSTROUTING ACCEPT [1443:1008589]
COMMIT
# Completed on Wed Nov 18 00:09:58 2009
# Generated by ip6tables-save v1.3.8 on Wed Nov 18 00:09:58 2009
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [1276:988388]
:OUTPUT ACCEPT [154:19053]
:SECURITY - [0:0]
:logaccept - [0:0]
:logdrop - [0:0]
-A INPUT -m rt --rt-type 0 -j DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -i br0 -j ACCEPT
-A INPUT -p ipv6-icmp -j ACCEPT
-A INPUT -s fe80::/10 -j ACCEPT
-A INPUT -s ff00::/8 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 21 -j ACCEPT
-A INPUT -j DROP
-A INPUT -d 2001:470:1f14:31e::2/128 -i sixtun -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A FORWARD -m rt --rt-type 0 -j DROP
-A FORWARD -i br0 -o br0 -j ACCEPT
-A FORWARD -p ipv6-icmp -j ACCEPT
-A FORWARD -s fe80::/10 -j ACCEPT
-A FORWARD -s ff00::/8 -j ACCEPT
-A FORWARD -i ! br0 -o sixtun -j DROP
-A FORWARD -i ! br0 -o eth1 -j DROP
-A OUTPUT -m rt --rt-type 0 -j DROP
-A SECURITY -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -m limit --limit 1/sec -j RETURN
-A SECURITY -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK RST -m limit --limit 1/sec -j RETURN
-A SECURITY -p udp -m limit --limit 5/sec -j RETURN
-A SECURITY -p icmp -m limit --limit 5/sec -j RETURN
-A SECURITY -j DROP
-A logaccept -j LOG --log-prefix "ACCEPT " --log-tcp-sequence --log-tcp-options --log-ip-options
-A logaccept -j ACCEPT
-A logdrop -j LOG --log-prefix "DROP " --log-tcp-sequence --log-tcp-options --log-ip-options
-A logdrop -j DROP
COMMIT
# Completed on Wed Nov 18 00:09:58 2009
Take a closer look at the ruleset.
Code:
-A INPUT -j DROP
-A INPUT -d 2001:470:1f14:31e::2/128 -i sixtun -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
Everything in the input chain will drop, like it goes with the ipv4 filter table.
The main reason - to implement the logdrop action, coz a chain policy doesn't support anything besides accept and drop only.
So you need post-firewall stuff like the following:
Code:
# set default input rule
iptables -P INPUT DROP
ip6tables -P INPUT DROP
# remove last default rule (i don't use logdrop)
iptables -D INPUT -j DROP
ip6tables -D INPUT -j DROP
# allow http access
iptables -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
ip6tables -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
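The ordering mistake theMIROn points at above (ACCEPT rules appended behind the catch-all "-A INPUT -j DROP") is easy to catch mechanically before a ruleset goes live. The following is an added example, not code from the firmware or from any poster in this thread: it parses ip6tables-save / iptables-save text, reports every rule that sits behind an unconditional terminating rule in the same chain, and prints the commands that move those rules in front of the terminating rule instead of deleting it (so the logdrop semantics of the chain survive). The sample dump and the 2001:db8::2 address in it are constructed for the example.

```python
"""Flag ip6tables rules that can never match because an unconditional
terminating rule precedes them in the same chain.

Added example for this thread; it is not code from the firmware or from
any poster. It reads ip6tables-save / iptables-save text and, for every
chain, reports rules appended after a rule with no match criteria whose
target is ACCEPT, DROP, REJECT or RETURN, then builds commands that move
the shadowed rules in front of the terminating one instead of deleting it.
"""
import shlex

TERMINAL_TARGETS = {"ACCEPT", "DROP", "REJECT", "RETURN"}

# Constructed sample (not a real dump): a trimmed copy of the filter table
# shape from the thread, with the port-80 rules appended after the catch-all
# "-A INPUT -j DROP".  The address is a documentation prefix, not a real host.
SAMPLE_DUMP = """\
# Generated by ip6tables-save (constructed sample)
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:logdrop - [0:0]
-A INPUT -m rt --rt-type 0 -j DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -i br0 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 21 -j ACCEPT
-A INPUT -j DROP
-A INPUT -d 2001:db8::2/128 -i sixtun -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A FORWARD -m rt --rt-type 0 -j DROP
-A FORWARD -i ! br0 -o sixtun -j DROP
-A logdrop -j LOG --log-prefix "DROP "
-A logdrop -j DROP
COMMIT
"""


def parse_dump(dump):
    """Return {table: {chain: [rule_tokens, ...]}} from *-save output.

    Handles -A (append) and -I (insert, optionally with a 1-based index);
    comments, chain declarations and COMMIT are consumed as structure only.
    """
    tables = {}
    table = None
    for raw in dump.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line == "COMMIT":
            continue
        if line.startswith("*"):
            table = line[1:]
            tables.setdefault(table, {})
            continue
        if line.startswith(":"):
            tables[table].setdefault(line[1:].split()[0], [])
            continue
        tokens = shlex.split(line)
        chain_rules = tables[table].setdefault(tokens[1], [])
        if tokens[0] == "-A":
            chain_rules.append(tokens[2:])
        elif tokens[0] == "-I":
            if len(tokens) > 2 and tokens[2].isdigit():
                chain_rules.insert(int(tokens[2]) - 1, tokens[3:])
            else:
                chain_rules.insert(0, tokens[2:])
    return tables


def is_unconditional_terminal(rule):
    """True when the rule has no match criteria before -j and a target that
    ends traversal of the chain (LOG and jumps to user chains do not)."""
    return len(rule) >= 2 and rule[0] == "-j" and rule[1] in TERMINAL_TARGETS


def find_unreachable(dump, cmd="ip6tables"):
    """Return one finding per chain that has rules after an unconditional
    terminating rule, with the commands needed to reorder them."""
    findings = []
    for table, chains in parse_dump(dump).items():
        for chain, rules in chains.items():
            for idx, rule in enumerate(rules, start=1):
                if not is_unconditional_terminal(rule):
                    continue
                shadowed = [(n, " ".join(map(shlex.quote, r)))
                            for n, r in enumerate(rules[idx:], start=idx + 1)]
                if not shadowed:
                    break
                # Delete the shadowed copies from the bottom up so the earlier
                # indices stay valid, then insert them in their original order
                # in front of the terminating rule (which shifts down each time).
                fix = [f"{cmd} -t {table} -D {chain} {n}"
                       for n, _ in reversed(shadowed)]
                fix += [f"{cmd} -t {table} -I {chain} {idx + k} {text}"
                        for k, (_, text) in enumerate(shadowed)]
                findings.append({
                    "table": table, "chain": chain,
                    "terminal_index": idx, "terminal": " ".join(rule),
                    "shadowed": shadowed, "fix": fix,
                })
                break
    return findings


if __name__ == "__main__":
    for f in find_unreachable(SAMPLE_DUMP):
        print(f"{f['table']}/{f['chain']}: rule {f['terminal_index']} "
              f"'{f['terminal']}' shadows {len(f['shadowed'])} later rule(s)")
        for n, text in f["shadowed"]:
            print(f"  unreachable rule {n}: {text}")
        print("  suggested fix:")
        for c in f["fix"]:
            print("    " + c)
```

Feed it `ip6tables-save` output (or `iptables-save` with `cmd="iptables"`) from the router; on the sample it reports INPUT rules 6 and 7 as shadowed by rule 5 and suggests re-inserting them at positions 5 and 6. It deliberately treats only rules with no match criteria as terminating, so "-m rt --rt-type 0 -j DROP" and jumps into logdrop are left alone.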
that does kill your ipv6 tunnel you know...
Good evening. I'm lucky to have a native IPv6 address provided on the physical vlan1 interface by my provider, 2001.x.x.x/64 (while ipv4 goes through PPTP). I've set a static ipv6 address on vlan1 and set up the default route, so from the router I can reach ipv6 hosts w/o any problem. Also I've set another ipv6 address from the /64 prefix on my br0 interface + set up radvd with the /64 prefix (can't use /80, cause it gives an error). After that I flushed all ip6tables rules and made iptable -A INPUT -p ipv6 -i vlan1 -j accept (just in case). Now I have global addresses provided in my wireless network, and I can ping computers in the network and the router with ping6. But still I can't traceroute6 from my local network to ipv6 hosts (it only does 1 step to the br0 ipv6 address I've assigned to the router and then stops), and I also can't traceroute6 from my router to the local network (strange, it just doesn't jump at all). Would you please give me a hand setting up this configuration? Thank you.