I tried your file lly, but there isn't any sixtun coming up
maybe I should try make menuconf...
ASUS WL5xx: FW 1.9.2.7-d-rXXXX / firmware discussion [RU] / firmware discussion [EN] | bip irc proxy
ASUS RT-N1x: FW 1.9.2.7-rtn-rXXXX / firmware discussion [RU] / firmware discussion [EN] | fake ident daemon
Updated: seems to be my mistake - too hard a week. The right sequence for compiling should be:
- cd src/gateway
- vi .config
- make oldconfig
- make
- make install
Updated2 13:26: More problems discovered:
- ip6tables-save/ip6tables-restore missing - fixed in r802
- "state" match missing in the kernel for ipv6 - I need extra time to fix this
I'm going to hardcode the following ipv6 firewall rules into rc:
kamil - is it OK for the first step?
Code:
# Disable processing of any RH0 packet
ip6tables -A INPUT -m rt --rt-type 0 -j DROP
ip6tables -A OUTPUT -m rt --rt-type 0 -j DROP
ip6tables -A FORWARD -m rt --rt-type 0 -j DROP
ip6tables -A INPUT -t filter -i lo -j ACCEPT
ip6tables -A OUTPUT -t filter -o lo -j ACCEPT
ip6tables -A FORWARD -t filter -o lo -j ACCEPT
ip6tables -A OUTPUT -o sixtun -j ACCEPT
ip6tables -A OUTPUT -o br0 -j ACCEPT
ip6tables -A INPUT -i br0 -j ACCEPT
# Allow ICMP (conditional?)
ip6tables -A INPUT -p icmpv6 -j ACCEPT
ip6tables -A OUTPUT -p icmpv6 -j ACCEPT
ip6tables -A FORWARD -p icmpv6 -j ACCEPT
# Allow Link-Local addresses
ip6tables -A INPUT -s fe80::/10 -j ACCEPT
ip6tables -A OUTPUT -s fe80::/10 -j ACCEPT
# Allow multicast
ip6tables -A INPUT -s ff00::/8 -j ACCEPT
ip6tables -A OUTPUT -s ff00::/8 -j ACCEPT
Last edited by lly; 14-11-2009 at 11:09.
yes, but I don't see a default policy
PS: scripts I tested in VirtualBox and the rescuecd iso - http://rescuecd.pld-linux.org/downlo...RCDx86_297.iso
http://kamilm.net/
irc: kamil@IRCNet kamil@LinuxStorm
jid: kamil@pld-users.org
WL-500gpv1-1.9.2.7-10
WL-500gpv2-1.9.2.7-10
default policy will be ACCEPT, for the test period at least. As I understand it, your sample firewall script is not from Oleg's 1.9.2.7-10 (which is based on a 2.4 kernel too), is it?
Bad news - kernel 2.4.X doesn't support ipv6 connection tracking (ip6_conntrack) at all. And nobody has done a backport from the 2.6 line
Also, I can't find an ipv6 TCPMSS module for 2.4 ...
About radvd - many software developers increase versions too rapidly, without real core functionality changes, especially commercial software. So, I don't want to repair new bugs in a new version due to incompatibility with our obsolete 2.4 kernel.
Last edited by lly; 14-11-2009 at 13:17.
default policy is always accept
or lly can add something like this into the beginning:
POLICY="DROP"
ip6tables -P OUTPUT $POLICY
ip6tables -P INPUT $POLICY
ip6tables -P FORWARD $POLICY
I'm not sure how drop will work out, I always had bad luck with it, meaning that the tunnel was blocked
http://www.linux-ipv6.org/ml/usagi-users/msg02587.html
But ip6_conntrack is highly independent, so I think it isn't difficult to port it to Linux 2.4. Please try below.
maybe when there is more time we can give it a shot?
Last edited by lly; 14-11-2009 at 13:56.
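Since the thread ends up with "state" match missing, no ip6_conntrack on 2.4, and a DROP default that keeps blocking the tunnel, here is an added example (my own script, not from lly, kamil or Oleg's firmware) of how a stateless IPv6 ruleset can still use DROP defaults. It keeps lly's rules (RH0, loopback, ICMPv6, link-local, multicast, trusted br0) and adds kamil's DROP policies in front. The interface names sixtun and br0 come from the thread; the non-SYN TCP trick and the UDP source-port-53 exception are my assumptions for a kernel without connection tracking. By default the script only prints the ip6tables commands (dry run); set IP6T=ip6tables to apply them.

```sh
#!/bin/sh
# Added example (not from the thread): a stateless IPv6 ruleset with DROP
# default policies, for a 2.4 kernel that has no ip6_conntrack / "state" match.
# IP6T defaults to a dry run that prints the commands; run with
# IP6T=ip6tables to apply them on the router.
IP6T="${IP6T:-echo ip6tables}"
WAN6="${WAN6:-sixtun}"   # tunnel interface name, as used in the thread
LAN6="${LAN6:-br0}"      # LAN bridge name, as used in the thread

ip6fw_apply() {
    # Flush, then set DROP before adding any ACCEPT so nothing slips through
    $IP6T -F
    $IP6T -P INPUT DROP
    $IP6T -P OUTPUT DROP
    $IP6T -P FORWARD DROP

    # Type 0 routing header (RH0) dropped in every chain, as in lly's rules
    for chain in INPUT OUTPUT FORWARD; do
        $IP6T -A "$chain" -m rt --rt-type 0 -j DROP
    done

    # Loopback
    $IP6T -A INPUT -i lo -j ACCEPT
    $IP6T -A OUTPUT -o lo -j ACCEPT

    # ICMPv6 carries neighbor discovery, router advertisements and PMTUD;
    # blocking it breaks IPv6, so it stays open in all chains
    for chain in INPUT OUTPUT FORWARD; do
        $IP6T -A "$chain" -p icmpv6 -j ACCEPT
    done

    # Link-local and multicast sources (neighbor discovery, RA)
    $IP6T -A INPUT -s fe80::/10 -j ACCEPT
    $IP6T -A OUTPUT -s fe80::/10 -j ACCEPT
    $IP6T -A INPUT -s ff00::/8 -j ACCEPT
    $IP6T -A OUTPUT -s ff00::/8 -j ACCEPT

    # LAN side is trusted; the router may originate anything to LAN or tunnel
    $IP6T -A INPUT -i "$LAN6" -j ACCEPT
    $IP6T -A OUTPUT -o "$LAN6" -j ACCEPT
    $IP6T -A OUTPUT -o "$WAN6" -j ACCEPT
    $IP6T -A FORWARD -i "$LAN6" -o "$WAN6" -j ACCEPT

    # Without conntrack there is no ESTABLISHED state. The classic stateless
    # approximation (assumption, not from the thread): accept TCP segments
    # from the tunnel that are not a bare SYN, i.e. replies to connections
    # opened from inside. New inbound connections still hit the DROP default.
    $IP6T -A INPUT -i "$WAN6" -p tcp ! --syn -j ACCEPT
    $IP6T -A FORWARD -i "$WAN6" -o "$LAN6" -p tcp ! --syn -j ACCEPT

    # UDP has no handshake, so replies cannot be told from new traffic.
    # Open only the reply ports really needed; sport 53 lets DNS answers back
    # in but also anything sent from source port 53, so keep this list short.
    $IP6T -A INPUT -i "$WAN6" -p udp --sport 53 -j ACCEPT
    $IP6T -A FORWARD -i "$WAN6" -o "$LAN6" -p udp --sport 53 -j ACCEPT
}

# Number of ip6tables invocations the ruleset produces (handy in dry-run mode)
ip6fw_count() {
    ip6fw_apply | wc -l | tr -d ' '
}

# Dry-run self-check: DROP default present, and no accept-all rule bound
# to the tunnel interface
ip6fw_check() {
    ip6fw_apply | grep -q '^ip6tables -P INPUT DROP$' || return 1
    ip6fw_apply | grep -q "^ip6tables -A INPUT -i $WAN6 -j ACCEPT$" && return 1
    return 0
}

case "${1:-}" in
    run) ip6fw_apply ;;
esac
```

Run it as `sh ip6fw.sh run` to see the commands, or `IP6T=ip6tables sh ip6fw.sh run` on the router. One thing worth keeping in mind when the tunnel "gets blocked": the 6in4 tunnel itself is IPv4 protocol 41 traffic and is filtered by iptables, not ip6tables, so a DROP policy here only affects the decapsulated IPv6 packets; the later question in the thread about `iptables -I FORWARD -p ipv6` is about that IPv4 side.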
Just set up an ipv6 tunnel via http://tunnelbroker.net, works fine
btw, do we need the following (for the first approach, without detailed interface names)?
iptables -I FORWARD -p ipv6 (-i/o sixtun/br0) -j ACCEPT
iptables -t nat -I POSTROUTING -p ! ipv6 ... -j MASQUERADE
Last edited by theMIROn; 15-11-2009 at 21:16.
Oleg's 1.9.2.7-10 doesn't have ip6tables
My scripts were written for other routers where the base system is linux with kernel 2.6.x
Oleg's soft has poor ipv6 support (no mtr6, traceroute6, ip6tables)... but basic support is there (ping6, firmware 1.9.2.7-10 compiled with ipv6)... - I can't create scripts where the base system doesn't fully support ipv6 (Oleg's firmware)
Last edited by kamil; 14-11-2009 at 18:22.