Since my WL-500W is back up and running again, I tried to use IPv6 in r1000.
ping6 works properly on the router,
but all the computers inside my network can't browse the internet, although they do receive an IPv6 address from the router.
I think the range for the local IPs is not set properly yet.
I have the basic firewall now:
Code:
Chain INPUT (policy ACCEPT)
target prot opt source destination
DROP all anywhere anywhere rt type:0
ACCEPT all anywhere anywhere
ACCEPT all anywhere anywhere
ACCEPT ipv6-icmp anywhere anywhere
ACCEPT all fe80::/10 anywhere
ACCEPT all ff00::/8 anywhere
ACCEPT tcp anywhere anywhere tcp dpt:ftp
DROP all anywhere anywhere
Chain FORWARD (policy ACCEPT)
target prot opt source destination
DROP all anywhere anywhere rt type:0
ACCEPT all anywhere anywhere
ACCEPT ipv6-icmp anywhere anywhere
ACCEPT all fe80::/10 anywhere
ACCEPT all ff00::/8 anywhere
DROP all anywhere anywhere
DROP all anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
DROP all anywhere anywhere rt type:0
Chain SECURITY (0 references)
target prot opt source destination
RETURN tcp anywhere anywhere tcp flags:SYN,RST,ACK/SYN limit: avg 1/sec burst 5
RETURN tcp anywhere anywhere tcp flags:FIN,SYN,RST,ACK/RST limit: avg 1/sec burst 5
RETURN udp anywhere anywhere limit: avg 5/sec burst 5
RETURN icmp anywhere anywhere limit: avg 5/sec burst 5
DROP all anywhere anywhere
Chain logaccept (0 references)
target prot opt source destination
LOG all anywhere anywhere LOG level warning tcp-sequence tcp-options ip-options prefix `ACCEPT '
ACCEPT all anywhere anywhere
Chain logdrop (0 references)
target prot opt source destination
LOG all anywhere anywhere LOG level warning tcp-sequence tcp-options ip-options prefix `DROP '
DROP all anywhere anywhere
So I've used some tables from my old homemade script:
Code:
#!/bin/sh
# Runs on the router; "sixtun" is the 6in4 tunnel interface.
# Get global, link and WAN addresses
GLOBALSCOPE=`ifconfig sixtun | grep 'Scope:Global' | awk '{print $3}'`
LINKSCOPE=`ifconfig sixtun | grep 'Scope:Link' | awk '{print $3}'`
# Strip the prefix length to get the bare WAN address
WANIF=`echo $GLOBALSCOPE | cut -f1 -d/`
# Allow local traffic
# includes loopback and local addresses
ip6tables -A INPUT -i lo -j ACCEPT
ip6tables -A OUTPUT -o lo -j ACCEPT
# link-local (LINKSCOPE still carries its /64 prefix length, hence fe80::/64 in the listing)
ip6tables -A INPUT -s $LINKSCOPE -j ACCEPT
ip6tables -A OUTPUT -s $LINKSCOPE -j ACCEPT
And now I'm able to browse IPv6 sites on my clients.
The changes in the list (lines marked -- are added):
Code:
Chain INPUT (policy ACCEPT)
target prot opt source destination
DROP all anywhere anywhere rt type:0
ACCEPT all anywhere anywhere
ACCEPT all anywhere anywhere
ACCEPT ipv6-icmp anywhere anywhere
ACCEPT all fe80::/10 anywhere
ACCEPT all ff00::/8 anywhere
ACCEPT tcp anywhere anywhere tcp dpt:ftp
DROP all anywhere anywhere
--ACCEPT all anywhere anywhere
--ACCEPT all fe80::/64 anywhere
Chain FORWARD (policy ACCEPT)
target prot opt source destination
DROP all anywhere anywhere rt type:0
ACCEPT all anywhere anywhere
ACCEPT ipv6-icmp anywhere anywhere
ACCEPT all fe80::/10 anywhere
ACCEPT all ff00::/8 anywhere
DROP all anywhere anywhere
DROP all anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
DROP all anywhere anywhere rt type:0
--ACCEPT all anywhere anywhere
--ACCEPT all fe80::/64 anywhere
Chain SECURITY (0 references)
target prot opt source destination
RETURN tcp anywhere anywhere tcp flags:SYN,RST,ACK/SYN limit: avg 1/sec burst 5
RETURN tcp anywhere anywhere tcp flags:FIN,SYN,RST,ACK/RST limit: avg 1/sec burst 5
RETURN udp anywhere anywhere limit: avg 5/sec burst 5
RETURN icmp anywhere anywhere limit: avg 5/sec burst 5
DROP all anywhere anywhere
Chain logaccept (0 references)
target prot opt source destination
LOG all anywhere anywhere LOG level warning tcp-sequence tcp-options ip-options prefix `ACCEPT '
ACCEPT all anywhere anywhere
Chain logdrop (0 references)
target prot opt source destination
LOG all anywhere anywhere LOG level warning tcp-sequence tcp-options ip-options prefix `DROP '
DROP all anywhere anywhere
So it added code to accept anything from anywhere... (not secure).
But it also added fe80::/64, which Kamil considers unsafe, but it was the final step to make IPv6 browsable again.
In the end, the current firewall is not complete, IMO.
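A stateful ruleset of the kind this firewall is missing, added here as an example and not the poster's script or the firmware's own code. It assumes (placeholders) that the 6in4 tunnel interface is sixtun, the LAN bridge is br0, and that the kernel has IPv6 connection tracking, which older firmware builds may lack; the point is that LAN clients can browse because replies are matched by conntrack, not because "anywhere" is accepted.

```sh
#!/bin/sh
# Added example, not the poster's script. Assumed interface names (placeholders):
# 6in4 tunnel "sixtun" toward the ISP, LAN bridge "br0". Override via environment.
WAN_IF="${WAN_IF:-sixtun}"
LAN_IF="${LAN_IF:-br0}"

# gen_rules prints a complete ip6tables-restore ruleset. Instead of
# "ACCEPT all anywhere anywhere", it lets the router and LAN hosts open
# connections outward and admits only the replies (conntrack), ICMPv6 and
# LAN-side link-local traffic. Default policies are DROP so nothing slips past.
gen_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Type-0 routing headers are deprecated (RFC 5095): drop them in every chain.
-A INPUT -m rt --rt-type 0 -j DROP
-A FORWARD -m rt --rt-type 0 -j DROP
-A OUTPUT -m rt --rt-type 0 -j DROP
-A INPUT -i lo -j ACCEPT
# Replies to flows the router itself started.
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# ICMPv6 carries neighbour discovery, router advertisements and PMTU; do not block it.
-A INPUT -p ipv6-icmp -j ACCEPT
# Link-local sources and multicast destinations only from the LAN side.
-A INPUT -i $LAN_IF -s fe80::/10 -j ACCEPT
-A INPUT -i $LAN_IF -d ff00::/8 -j ACCEPT
# LAN hosts may reach the router (DNS, DHCPv6, admin UI); WAN hosts may not.
-A INPUT -i $LAN_IF -j ACCEPT
# Forwarding: LAN may initiate toward the tunnel; the Internet gets replies only.
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -p ipv6-icmp -j ACCEPT
-A FORWARD -i $LAN_IF -o $WAN_IF -j ACCEPT
COMMIT
EOF
}

# apply_rules loads the ruleset atomically; needs root and ip6tables-restore on the router.
apply_rules() {
    gen_rules | ip6tables-restore
}

case "${1:-show}" in
    apply) apply_rules ;;
    *)     gen_rules ;;
esac
```

Run it without arguments to review the generated ruleset; `apply` loads it in one shot so there is no window with a half-built chain.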