Originally Posted by
wpte
I tried your file lly, but there isn't any sixtun coming up
Updated: seems to be my mistake - too hard week. Right sequence for compile should be:
- cd src/gateway
- vi .config
- make oldconfig
- make
- make install
Updated2 13:26: More problems discovered:
- ip6tables-save/ip6tables-restore missing - fixed in r802
- "state" match missing in kernel for ipv6 - I need extra time to fix this
I'm going to hardcode the following ipv6 firewall rules into rc:
Code:
# Disable processing of any RH0 packet
ip6tables -A INPUT -m rt --rt-type 0 -j DROP
ip6tables -A OUTPUT -m rt --rt-type 0 -j DROP
ip6tables -A FORWARD -m rt --rt-type 0 -j DROP
ip6tables -A INPUT -t filter -i lo -j ACCEPT
ip6tables -A OUTPUT -t filter -o lo -j ACCEPT
ip6tables -A FORWARD -t filter -o lo -j ACCEPT
ip6tables -A OUTPUT -o sixtun -j ACCEPT
ip6tables -A OUTPUT -o br0 -j ACCEPT
ip6tables -A INPUT -i br0 -j ACCEPT
# Allow ICMP (conditional?)
ip6tables -A INPUT -p icmpv6 -j ACCEPT
ip6tables -A OUTPUT -p icmpv6 -j ACCEPT
ip6tables -A FORWARD -p icmpv6 -j ACCEPT
# Allow Link-Local addresses
ip6tables -A INPUT -s fe80::/10 -j ACCEPT
ip6tables -A OUTPUT -s fe80::/10 -j ACCEPT
# Allow multicast
ip6tables -A INPUT -s ff00::/8 -j ACCEPT
ip6tables -A OUTPUT -s ff00::/8 -j ACCEPT
kamil - is it OK for the first step?