Page 6 of 13 FirstFirst ... 45678 ... LastLast
Results 76 to 90 of 187

Thread: IPv6 Support

  1. #76
    Join Date
    Dec 2007
    Location
    The Netherlands - Eindhoven
    Posts
    1,767
    I have the new build and it works great
    I'm proudly running:
    1.9.2.7-d-r815
    is it just me or is that portscanner from he.net quite slow?
    maybe I'll make a c# ipv6 portscanner, you need a mono version theMIROn?

  2. #77
    Quote Originally Posted by wpte View Post
    I have the new build and it works great
    is it just me or is that portscanner from he.net quite slow?
    maybe I'll make a c# ipv6 portscanner, you need a mono version theMIROn?
    what for?
    he.net uses nmap 5.00, you could use the same from optware.

    btw, http://wpte.crabdance.com/ isn't accessible via ipv6, but themiron.ru is =)

  3. #78
    Thoughts about ip6tables defaults:
    1. filter6_rules should be grouped by chain, not by match/target; the following changes should be applied in rc internally
    2. the OUTPUT chain should always have the default ACCEPT policy, and only REJECT/DROP targets (for ex. -m rt --rt-type 0 -j DROP/REJECT)
    because the output ifs could be br0/vlan1/sixtun/lo - too many to enumerate them all
    3. the ipv6-icmp proto is used for ipv6 advertisements (radvd), autoconf, etc, so it shouldn't depend on the firewall because it'll break overall network reachability
    4. did I miss something?

  4. #79
    Join Date
    Nov 2006
    Location
    Russia, Moscow
    Posts
    3,640
    Quote Originally Posted by theMIROn View Post
    Thoughts about ip6tables defaults:
    1. filter6_rules should be grouped by chain, not by match/target; the following changes should be applied in rc internally
    Sounds reasonable. No problem, we're still on the way.
    2. the OUTPUT chain should always have the default ACCEPT policy, and only REJECT/DROP targets (for ex. -m rt --rt-type 0 -j DROP/REJECT)
    because the output ifs could be br0/vlan1/sixtun/lo - too many to enumerate them all

    3. the ipv6-icmp proto is used for ipv6 advertisements (radvd), autoconf, etc, so it shouldn't depend on the firewall because it'll break overall network reachability
    Unfortunately, I don't know yet. Maybe kamil or someone else can help us and answer these questions?

  5. #80
    Join Date
    Dec 2007
    Location
    The Netherlands - Eindhoven
    Posts
    1,767
    Quote Originally Posted by theMIROn View Post
    what for?
    he.net uses nmap 5.00, you could use the same from optware.

    btw, http://wpte.crabdance.com/ isn't accessible via ipv6, but themiron.ru is =)
    I know it's not accessible, though I opened up the port
    -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
    after I added the line
    -A INPUT -d 2001:470:1f14:31e::2/128 -i sixtun -p tcp -m tcp --dport 80 -j ACCEPT
    everything goes open
    what do you use to open up ports then?

  6. #81
    Quote Originally Posted by wpte View Post
    after I added the line
    Code:
    -A INPUT -d 2001:470:1f14:31e::2/128 -i sixtun -p tcp -m tcp --dport 80 -j ACCEPT
    everything goes open
    what do you use to open up ports then?
    you should open it with
    Code:
    ip6tables -A INPUT -d 2001:470:1f14:31e::2/128 -i sixtun -p tcp -m tcp --dport 80 -j ACCEPT
    and not to forget about (in case of lighttpd)
    Code:
    server.use-ipv6 = "enable"

  7. #82
    Join Date
    Dec 2007
    Location
    The Netherlands - Eindhoven
    Posts
    1,767
    Quote Originally Posted by theMIROn View Post
    and not to forget about (in case of lighttpd)
    Code:
    server.use-ipv6 = "enable"
    yes I enabled that
    hmmm, still odd with the mixed results from the he.net portscanner.. it's the only working online ipv6 portscanner as far as I can see

  8. #83
    Quote Originally Posted by wpte View Post
    yes I enabled that
    hmmm, still odd with the mixed results from the he.net portscanner.. it's the only working online ipv6 portscanner as far as I can see
    I'm able to ping you, and your http is working for now. Test completed.

  9. #84
    Join Date
    Dec 2007
    Location
    The Netherlands - Eindhoven
    Posts
    1,767
    Quote Originally Posted by theMIROn View Post
    I'm able to ping you, and your http is working for now. Test completed.
    yes but the rest is open as well

  10. #85
    r821 introduces the new ipv6 rules in a more flexible way.
    Some of the rules are auto-generated depending on the connection type (in my case lanif=br0, manif=vlan1, wanif=ppp0) and the services enabled (ssh port, ftp port).
    The SECURITY chain isn't used yet; the logaccept/logdrop chains will be used after turning packet logging on.

    Code:
    *filter
    :INPUT ACCEPT [0:0]
    :FORWARD ACCEPT [0:0]
    :OUTPUT ACCEPT [0:0]
    :SECURITY - [0:0]
    :logaccept - [0:0]
    :logdrop - [0:0]
    -A INPUT -m rt --rt-type 0 -j DROP
    -A INPUT -i lo -j ACCEPT
    -A INPUT -i <lanif> -j ACCEPT
    -A INPUT -p ipv6-icmp -j ACCEPT
    -A INPUT -s fe80::/10 -j ACCEPT
    -A INPUT -s ff00::/8 -j ACCEPT
    -A INPUT -p tcp -m tcp --dport <ssh port> -j ACCEPT
    -A INPUT -p tcp -m tcp --dport <ftp port> -j ACCEPT
    -A INPUT -j DROP
    -A FORWARD -m rt --rt-type 0 -j DROP
    -A FORWARD -i <lanif> -o <lanif> -j ACCEPT
    -A FORWARD -p ipv6-icmp -j ACCEPT
    -A FORWARD -s fe80::/10 -j ACCEPT
    -A FORWARD -s ff00::/8 -j ACCEPT
    -A FORWARD -i ! br0 -o sixtun -j DROP
    -A FORWARD -i ! br0 -o <wanif> -j DROP
    -A FORWARD -i ! br0 -o <manif> -j DROP
    -A OUTPUT -m rt --rt-type 0 -j DROP
    -A SECURITY -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -m limit --limit 1/sec -j RETURN
    -A SECURITY -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK RST -m limit --limit 1/sec -j RETURN
    -A SECURITY -p udp -m limit --limit 5/sec -j RETURN
    -A SECURITY -p icmp -m limit --limit 5/sec -j RETURN
    -A SECURITY -j DROP
    -A logaccept -j LOG --log-prefix "ACCEPT " --log-tcp-sequence --log-tcp-options --log-ip-options
    -A logaccept -j ACCEPT
    -A logdrop -j LOG --log-prefix "DROP " --log-tcp-sequence --log-tcp-options --log-ip-options
    -A logdrop -j DROP
    COMMIT

  11. #86
    Join Date
    Dec 2007
    Location
    The Netherlands - Eindhoven
    Posts
    1,767
    good stuff... compiling it now

    I had about the same script as that, only it was half working

  12. #87
    Join Date
    Dec 2007
    Location
    The Netherlands - Eindhoven
    Posts
    1,767
    Quote Originally Posted by wpte View Post
    good stuff... compiling it now

    I had about the same script as that, only it was half working
    can't seem to open up port 80 anymore with either of
    ip6tables -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
    ip6tables -A INPUT -d 2001:470:1f14:31e::2/128 -i sixtun -p tcp -m tcp --dport 80 -j ACCEPT
    ftp seems to be open though...
    Code:
    # Generated by ip6tables-save v1.3.8 on Wed Nov 18 00:09:58 2009
    *mangle
    :PREROUTING ACCEPT [5823:1448054]
    :INPUT ACCEPT [4022:326204]
    :FORWARD ACCEPT [1276:988388]
    :OUTPUT ACCEPT [165:20009]
    :POSTROUTING ACCEPT [1443:1008589]
    COMMIT
    # Completed on Wed Nov 18 00:09:58 2009
    # Generated by ip6tables-save v1.3.8 on Wed Nov 18 00:09:58 2009
    *filter
    :INPUT ACCEPT [0:0]
    :FORWARD ACCEPT [1276:988388]
    :OUTPUT ACCEPT [154:19053]
    :SECURITY - [0:0]
    :logaccept - [0:0]
    :logdrop - [0:0]
    -A INPUT -m rt --rt-type 0 -j DROP
    -A INPUT -i lo -j ACCEPT
    -A INPUT -i br0 -j ACCEPT
    -A INPUT -p ipv6-icmp -j ACCEPT
    -A INPUT -s fe80::/10 -j ACCEPT
    -A INPUT -s ff00::/8 -j ACCEPT
    -A INPUT -p tcp -m tcp --dport 21 -j ACCEPT
    -A INPUT -j DROP
    -A INPUT -d 2001:470:1f14:31e::2/128 -i sixtun -p tcp -m tcp --dport 80 -j ACCEPT
    -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
    -A FORWARD -m rt --rt-type 0 -j DROP
    -A FORWARD -i br0 -o br0 -j ACCEPT
    -A FORWARD -p ipv6-icmp -j ACCEPT
    -A FORWARD -s fe80::/10 -j ACCEPT
    -A FORWARD -s ff00::/8 -j ACCEPT
    -A FORWARD -i ! br0 -o sixtun -j DROP
    -A FORWARD -i ! br0 -o eth1 -j DROP
    -A OUTPUT -m rt --rt-type 0 -j DROP
    -A SECURITY -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -m limit --limit 1/sec -j RETURN
    -A SECURITY -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK RST -m limit --limit 1/sec -j RETURN
    -A SECURITY -p udp -m limit --limit 5/sec -j RETURN
    -A SECURITY -p icmp -m limit --limit 5/sec -j RETURN
    -A SECURITY -j DROP
    -A logaccept -j LOG --log-prefix "ACCEPT " --log-tcp-sequence --log-tcp-options --log-ip-options
    -A logaccept -j ACCEPT
    -A logdrop -j LOG --log-prefix "DROP " --log-tcp-sequence --log-tcp-options --log-ip-options
    -A logdrop -j DROP
    COMMIT
    # Completed on Wed Nov 18 00:09:58 2009

  13. #88
    Code:
    -A INPUT -j DROP 
    -A INPUT -d 2001:470:1f14:31e::2/128 -i sixtun -p tcp -m tcp --dport 80 -j ACCEPT 
    -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
    Take a closer look at the ruleset.
    Everything left in the INPUT chain will be dropped, just like it goes with the ipv4 filter table.
    The main reason is to implement the logdrop action, because a chain policy doesn't support anything besides ACCEPT and DROP.
    So you need post-firewall stuff like the following
    Code:
    # set default input rule
    iptables -P INPUT DROP
    ip6tables -P INPUT DROP
    # remove last default rule (i don't use logdrop)
    iptables -D INPUT -j DROP
    ip6tables -D INPUT -j DROP
    # allow http access
    iptables -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
    ip6tables -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
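
    The ordering problem behind posts #85 and #88, as an added example that is not part of the thread or the firmware: a first-match reachability check over an ip6tables-save ruleset. Because the generated INPUT chain ends in an unconditional "-A INPUT -j DROP" (so that logdrop can stand in for a chain policy), anything appended afterwards with -A is dead. The script finds such rules and produces the reordered ruleset you would get by inserting with "ip6tables -I INPUT <n>" before the catch-all, or by the -P DROP / -D "-j DROP" dance from post #88. The sample ruleset is a constructed, abridged copy of wpte's INPUT chain from post #87; it needs only sh and awk, and never touches a live firewall.

```shell
#!/bin/sh
# Added example (not from the thread): first-match reachability check for an
# ip6tables-save ruleset. Rules appended behind the catch-all "-A INPUT -j DROP"
# can never match; find them, then show the ruleset with the catch-all last.

# Constructed sample: wpte's INPUT chain from post #87 (abridged), with the two
# port-80 ACCEPT rules appended after the catch-all DROP.
SAMPLE_RULES='*filter
:INPUT ACCEPT [0:0]
-A INPUT -m rt --rt-type 0 -j DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -i br0 -j ACCEPT
-A INPUT -p ipv6-icmp -j ACCEPT
-A INPUT -s fe80::/10 -j ACCEPT
-A INPUT -s ff00::/8 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 21 -j ACCEPT
-A INPUT -j DROP
-A INPUT -d 2001:470:1f14:31e::2/128 -i sixtun -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
COMMIT'

# find_dead_rules: read ip6tables-save text on stdin and print every -A rule
# that follows an unconditional terminal rule in the same chain. A catch-all is
# exactly "-A <chain> -j DROP|ACCEPT|REJECT" with no match options (NF == 4).
find_dead_rules() {
    awk '
    $1 == "-A" && ($2 in sealed) { print "unreachable: " $0; next }
    $1 == "-A" && NF == 4 && $3 == "-j" && ($4 == "DROP" || $4 == "ACCEPT" || $4 == "REJECT") { sealed[$2] = 1 }
    '
}

# move_catchall_last: hold back the first catch-all of each chain and emit it
# just before COMMIT, so later-appended rules sit in front of it. Assumes one
# catch-all per chain, as in the r821 template; other rules keep their order.
move_catchall_last() {
    awk '
    $1 == "-A" && NF == 4 && $3 == "-j" && ($4 == "DROP" || $4 == "ACCEPT" || $4 == "REJECT") && !($2 in held) { held[$2] = $0; next }
    /^COMMIT$/ { for (c in held) print held[c]; split("", held) }
    { print }
    '
}

# count_dead RULESET: number of unreachable rules in the given save text.
count_dead() {
    printf '%s\n' "$1" | find_dead_rules | awk 'END { print NR }'
}

echo "== unreachable rules in the sample =="
printf '%s\n' "$SAMPLE_RULES" | find_dead_rules
echo "== same ruleset with the catch-all moved last =="
printf '%s\n' "$SAMPLE_RULES" | move_catchall_last
```

    Run it against your own `ip6tables-save` output to see which of your port openings are dead before you go looking at the web server or the tunnel. Unrelated to ordering, but worth fixing while you are in there: the SECURITY chain's `-p icmp` rule names IPv4's protocol 1, which an ip6tables rule will never see; ICMPv6 is `-p ipv6-icmp` (58), as the INPUT and FORWARD rules already use.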

  14. #89
    Join Date
    Dec 2007
    Location
    The Netherlands - Eindhoven
    Posts
    1,767
    that does kill your ipv6 tunnel you know...

  15. #90

    Routing /64 prefix

    Good evening. I'm lucky to have a native IPv6 address provided on the physical vlan1 interface by my provider, 2001.x.x.x/64 (while IPv4 goes through PPTP). I've set a static IPv6 address on vlan1 and set up the default route, so from the router I can reach IPv6 hosts without any problem. I've also set another IPv6 address from the /64 prefix on my br0 interface and set up radvd with the /64 prefix (can't use /80, because it gives an error). After that I flushed all ip6tables rules and ran iptable -A INPUT -p ipv6 -i vlan1 -j accept (just in case). Now I have global addresses provided in my wireless network, and I can ping computers in the network and the router with ping6. But I still can't traceroute6 from my local network to IPv6 hosts (it only does 1 step, to the br0 IPv6 address I've assigned to the router, and then stops), and I also can't traceroute6 from my router to the local network (strange, it just doesn't jump at all). Would you please give me a hand setting up this configuration. Thank you
