Page 3 of 13 FirstFirst 12345 ... LastLast
Results 31 to 45 of 187

Thread: IPv6 Support

  1. #31
    Join Date
    Nov 2006
    Location
    Russia, Moscow
    Posts
    3,640
    Quote Originally Posted by wpte View Post
    and I have it working
    Can you write summary of manual actions that should be done automatically in rc?

    just comment out the ifeq in the dnsmasq makefile located in /broadcom/src/gateway/dnsmasq

    PHP Code:
    #ifeq ($(CONFIG_IPV6),y)
    COPTS += -DUSE_IPV6
    #endif
    export COPTS 
    and done
    Please provide output of
    Code:
    grep "CONFIG_IPV6" /broadcom/src/gateway/.config

  2. #32
    Join Date
    Dec 2007
    Location
    The Netherlands - Eindhoven
    Posts
    1,767
    Quote Originally Posted by lly View Post
    Can you write summary of manual actions that should be done automatically in rc?


    Please provide output of
    Code:
    grep "CONFIG_IPV6" /broadcom/src/gateway/.config
    grep "CONFIG_IPV6" ./Bureaublad/broadcom/src/gateway/.config
    CONFIG_IPV6=y
    I didn't change anything apart from adding that line as described by you in issue 50.

    ofcourse I executed make koldconf.

    Basically the only thing that is need to be set manually is the dnsmasq makefile.
    the lines:
    PHP Code:
    ifeq ($(CONFIG_IPV6),y)
     
    COPTS += -DUSE_IPV6
    endif
    export COPTS 
    it's testing if CONFIG_IPV6 is yes... but that value is not yes apparently
    so I just commented the if out of it and now it works.
    that's all I did.

    speeds are the same as with ipv4 so I think it works great...
    I'm not sure if the firewall is activated on ipv6, since port scanning reveals every service is open that supports ipv6
    nothing dangerous for me at the moment tho
    Last edited by wpte; 09-11-2009 at 17:20.

  3. #33
    Join Date
    Nov 2006
    Location
    Russia, Moscow
    Posts
    3,640
    Quote Originally Posted by wpte View Post
    Basically the only thing that is need to be set manually is the dnsmasq makefile.
    Fixed in r769.
    I'm not sure if the firewall is activated on ipv6, since port scanning reveals every service is open that supports ipv6
    nothing dangerous for me at the moment tho
    This is a BIG problem, since netfilter in kernel 2.4 has limited IPv6 support. Can you perform some deeper investigation?

  4. #34
    Join Date
    Dec 2007
    Location
    The Netherlands - Eindhoven
    Posts
    1,767
    Quote Originally Posted by lly View Post
    Fixed in r769.

    This is a BIG problem, since netfilter in kernel 2.4 has limited IPv6 support. Can you perform some deeper investigation?
    yes, it's not very handy

    I read some stuff on internet about the iptables for ipv6. (http://linuxreviews.org/features/ipv6/iptables/)
    So far I only did some plain tests and it seems that the just-as-easy command ip6tables seem to have some effect!

    before I did
    ip6tables -A INPUT -p tcp --dport 23 -j DROP
    port 23 was open, afterwards the port was "filtered" according to the ipv6 portscan http://tunnelbroker.net/ipv6_portscan.php

    I guess I just need to make a ip6tables chain after the iptables chain

  5. #35
    Join Date
    Dec 2007
    Location
    The Netherlands - Eindhoven
    Posts
    1,767
    I have it working bits by bits now...
    the firewall is a bit difficult to configure since you have to allow computers on the inside.

    ipv6 tables:
    Code:
    #!/bin/sh
    
    # Flush & default
    ip6tables -F INPUT
    ip6tables -F OUTPUT
    ip6tables -F FORWARD
    ip6tables -F
    
    # Allow anything on the local link
    ip6tables -A INPUT -i lo -j ACCEPT
    ip6tables -A OUTPUT -o lo -j ACCEPT
    
    # Allow Link-Local addresses
    ip6tables -A INPUT -s fe80::c0a8:201/64 -j ACCEPT
    ip6tables -A OUTPUT -s fe80::c0a8:201/64 -j ACCEPT
    
    # Allow multicast
    ip6tables -A INPUT -s 2001:470:1f14:31e::2/64 -j ACCEPT
    ip6tables -A OUTPUT -s 2001:470:1f14:31e::2/64 -j ACCEPT
    
    # Allow ICMP
    ip6tables -A INPUT -p icmpv6 -j ACCEPT
    ip6tables -A OUTPUT -p icmpv6 -j ACCEPT
    
    # Allow certain ports
    ip6tables -A INPUT -p tcp --dport 1:79 -j REJECT
    ip6tables -A INPUT -p udp --dport 1:79 -j REJECT
    ip6tables -A INPUT -p tcp --dport 81:65535 -j REJECT
    ip6tables -A INPUT -p udp --dport 81:65535 -j REJECT
    it's not written very clean... but so far I managed to block every port except 80, allow icmp multicast and the local pc's
    as I said before, I'm not an iptables pro, so if anyone has good knowledge of it, he/she is welcome

    original script from https://www.sixxs.net/wiki/IPv6_Firewalling
    Last edited by wpte; 09-11-2009 at 21:45.

  6. #36
    Join Date
    Nov 2006
    Location
    Russia, Moscow
    Posts
    3,640
    Quote Originally Posted by wpte View Post
    I have it working bits by bits now...
    the firewall is a bit difficult to configure since you have to allow computers on the inside.
    You are the first! Excellent job!
    it's not written very clean... but so far I managed to block every port except 80, allow icmp multicast and the local pc's
    As I understand you right, 2001:470:1f14:31e::2/64 is your WAN IP6?
    as I said before, I'm not an iptables pro, so if anyone has good knowledge of it, he/she is welcome
    At least, you do tests! Where is IPv6 guru's?

  7. #37
    Join Date
    Nov 2009
    Location
    Poland - Trjmiasto
    Posts
    17
    Quote Originally Posted by lly View Post

    ...

    At least, you do tests! Where is IPv6 guru's?
    Here:




    :P

  8. #38
    Join Date
    Dec 2007
    Location
    The Netherlands - Eindhoven
    Posts
    1,767
    Quote Originally Posted by kamil View Post
    Here:




    :P
    showoff
    Only because I don't have any mailserver installed I can't get any further with my score
    anyway, do you know anything about ip6tables?

    As I understand you right, 2001:470:1f14:31e::2/64 is your WAN IP6?
    yes that is my wan ip + all the ip's that will exist in my LAN ip.
    they can be found when doing an ifconfig:
    PHP Code:
    sixtun    Link encap:IPv6-in-IPv4
              inet6 addr
    2001:470:1f14:31e::2/64 Scope:Global
              
    inet6 addrfe80::c0a8:201/64 Scope:Link
              UP POINTOPOINT RUNNING NOARP  MTU
    :1280  Metric:1
              RX packets
    :22222 errors:0 dropped:0 overruns:0 frame:0
              TX packets
    :15203 errors:0 dropped:0 overruns:0 carrier:0
              collisions
    :0 txqueuelen:0
              RX bytes
    :27342673 (26.0 MiB)  TX bytes:4889045 (4.6 MiB
    these ip ranges are given by the tunnel broker. I guess you can get them out with "sed".

  9. #39
    Join Date
    Nov 2009
    Location
    Poland - Trjmiasto
    Posts
    17
    Quote Originally Posted by wpte View Post
    showoff
    Only because I don't have any mailserver installed I can't get any further with my score
    anyway, do you know anything about ip6tables?
    ...
    yes

    what is problem?

  10. #40
    Join Date
    Dec 2007
    Location
    The Netherlands - Eindhoven
    Posts
    1,767
    Quote Originally Posted by kamil View Post
    yes

    what is problem?
    we need a proper standard ip6tables script, basicly

    like blocking all ports from the outside standard, but allowing traffic from the inside, and then just open up ports by doing something like:
    ip6tables -A INPUT -p tcp --dport 80 -j ACCEPT
    the script in my post earlier does that already quite a bit, but is there a "cleaner" way to do it?

  11. #41
    Quote Originally Posted by wpte View Post
    we need a proper standard ip6tables script, basicly
    suggest executing iptables-save to get ipv4 rules, and make corresponding ipv6 changes

  12. #42
    Join Date
    Dec 2007
    Location
    The Netherlands - Eindhoven
    Posts
    1,767
    Quote Originally Posted by theMIROn View Post
    suggest executing iptables-save to get ipv4 rules, and make corresponding ipv6 changes
    hmm... yeh well, they don't seem to fit entirely
    ipv6 works different than ipv4 like you don't have NAT anymore etc.
    I can probably rip out a few lines tho

    edit: got it:
    ifconfig sixtun | grep 'Scope:Global' | awk '{print $3}'
    ifconfig sixtun | grep 'Scope:Link' | awk '{print $3}'
    any chance you know how to get
    "2001:470:1f14:31e::2/64" and "fe80::c0a8:201/64" out of
    Code:
    ifconfig sixtun
    sixtun    Link encap:IPv6-in-IPv4
              inet6 addr: 2001:470:1f14:31e::2/64 Scope:Global
              inet6 addr: fe80::c0a8:201/64 Scope:Link
              UP POINTOPOINT RUNNING NOARP  MTU:1280  Metric:1
              RX packets:58 errors:0 dropped:0 overruns:0 frame:0
              TX packets:96 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:0
              RX bytes:28655 (27.9 KiB)  TX bytes:15705 (15.3 KiB)
    that way I can make the scipt unified
    Last edited by wpte; 11-11-2009 at 17:39.

  13. #43
    Join Date
    Nov 2009
    Location
    Poland - Trjmiasto
    Posts
    17
    Quote Originally Posted by wpte View Post
    we need a proper standard ip6tables script, basicly

    like blocking all ports from the outside standard, but allowing traffic from the inside, and then just open up ports by doing something like:

    the script in my post earlier does that already quite a bit, but is there a "cleaner" way to do it?
    My example script ip6tables: http://pld.pastebin.com/m14831f76

  14. #44
    Join Date
    Nov 2006
    Location
    Russia, Moscow
    Posts
    3,640
    Quote Originally Posted by kamil View Post
    My example script ip6tables:
    Since you are IPv6 guru, please explain some moments:

    Why you use /10 instead of /64 in following rules?
    Code:
      ip6tables -A INPUT -s fe80::/10 -j ACCEPT
      ip6tables -A OUTPUT -s fe80::/10 -j ACCEPT

  15. #45
    Join Date
    Dec 2007
    Location
    The Netherlands - Eindhoven
    Posts
    1,767
    Quote Originally Posted by lly View Post
    Since you are IPv6 guru, please explain some moments:

    Why you use /10 instead of /64 in following rules?
    Code:
      ip6tables -A INPUT -s fe80::/10 -j ACCEPT
      ip6tables -A OUTPUT -s fe80::/10 -j ACCEPT
    yes indeed, the code is quite explaining but I don't get those ip's where are they from?
    PHP Code:
      ip6tables -A INPUT -s fe80::/10 -j ACCEPT
      ip6tables 
    -A OUTPUT -s fe80::/10 -j ACCEPT
     
      ip6tables 
    -A INPUT -s ff00::/-j ACCEPT
      ip6tables 
    -A OUTPUT -s ff00::/-j ACCEPT 
    the script is quite nice, and maybe we can merge it with the iptables I'm converting at the moment, from the standard firewall
    together they would cover pretty much anything I guess

Page 3 of 13 FirstFirst 12345 ... LastLast

Similar Threads

  1. New oleg firmware version
    By Lesiuk in forum WL-500gP Firmware Discussion
    Replies: 713
    Last Post: 13-05-2016, 05:55
  2. Broadcom 63xx SOCs support in linux-mips and OpenWrt
    By goundoulf in forum WL-600g Firmware Discussion
    Replies: 0
    Last Post: 22-10-2008, 18:48
  3. About to remove IPv6 support from the firmware
    By Oleg in forum WL-500g Firmware Releases
    Replies: 7
    Last Post: 25-04-2008, 19:51
  4. HOWTO use your WL-500g as IPv6 router
    By phedny in forum WL-500g/WL-500gx Tutorials
    Replies: 8
    Last Post: 17-02-2008, 08:19

Tags for this Thread

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •