since my wl-500w is back up running again I tried to use ipv6 in r1000
ping6 works properly on the router
but all the computers inside my network can't browse the internet however they do receive an ipv6 adress from the router.
I think the range from the local ip's are not set properly yet
I have the basic firewall now:
so I've used some tables from my old home made scriptCode:Chain INPUT (policy ACCEPT) target prot opt source destination DROP all anywhere anywhere rt type:0 ACCEPT all anywhere anywhere ACCEPT all anywhere anywhere ACCEPT ipv6-icmp anywhere anywhere ACCEPT all fe80::/10 anywhere ACCEPT all ff00::/8 anywhere ACCEPT tcp anywhere anywhere tcp dpt:ftp DROP all anywhere anywhere Chain FORWARD (policy ACCEPT) target prot opt source destination DROP all anywhere anywhere rt type:0 ACCEPT all anywhere anywhere ACCEPT ipv6-icmp anywhere anywhere ACCEPT all fe80::/10 anywhere ACCEPT all ff00::/8 anywhere DROP all anywhere anywhere DROP all anywhere anywhere Chain OUTPUT (policy ACCEPT) target prot opt source destination DROP all anywhere anywhere rt type:0 Chain SECURITY (0 references) target prot opt source destination RETURN tcp anywhere anywhere tcp flags:SYN,RST,ACK/SYN limit: avg 1/sec burst 5 RETURN tcp anywhere anywhere tcp flags:FIN,SYN,RST,ACK/RST limit: avg 1/sec burst 5 RETURN udp anywhere anywhere limit: avg 5/sec burst 5 RETURN icmp anywhere anywhere limit: avg 5/sec burst 5 DROP all anywhere anywhere Chain logaccept (0 references) target prot opt source destination LOG all anywhere anywhere LOG level warning tcp-sequence tcp-options ip-options prefix `ACCEPT ' ACCEPT all anywhere anywhere Chain logdrop (0 references) target prot opt source destination LOG all anywhere anywhere LOG level warning tcp-sequence tcp-options ip-options prefix `DROP ' DROP all anywhere anywhere
and now I'm able to browse ipv6 sites on my clientsPHP Code:# Get global, link and wan adresses
GLOBALSCOPE=`ifconfig sixtun | grep 'Scope:Global' | awk '{print $3}'`
LINKSCOPE=`ifconfig sixtun | grep 'Scope:Link' | awk '{print $3}'`
WANIF=`echo $GLOBALSCOPE | cut -f1 -d/`
#Allow local traffic
#includes loopback and local adresses
ip6tables -A INPUT -i lo -j ACCEPT
ip6tables -A OUTPUT -o lo -j ACCEPT
#link-local
ip6tables -A INPUT -s $LINKSCOPE -j ACCEPT
ip6tables -A OUTPUT -s $LINKSCOPE -j ACCEPT
The changes in the list: (-- is added)
so it added code to accept anything from anywhere... (not secure)Code:Chain INPUT (policy ACCEPT) target prot opt source destination DROP all anywhere anywhere rt type:0 ACCEPT all anywhere anywhere ACCEPT all anywhere anywhere ACCEPT ipv6-icmp anywhere anywhere ACCEPT all fe80::/10 anywhere ACCEPT all ff00::/8 anywhere ACCEPT tcp anywhere anywhere tcp dpt:ftp DROP all anywhere anywhere --ACCEPT all anywhere anywhere --ACCEPT all fe80::/64 anywhere Chain FORWARD (policy ACCEPT) target prot opt source destination DROP all anywhere anywhere rt type:0 ACCEPT all anywhere anywhere ACCEPT ipv6-icmp anywhere anywhere ACCEPT all fe80::/10 anywhere ACCEPT all ff00::/8 anywhere DROP all anywhere anywhere DROP all anywhere anywhere Chain OUTPUT (policy ACCEPT) target prot opt source destination DROP all anywhere anywhere rt type:0 --ACCEPT all anywhere anywhere --ACCEPT all fe80::/64 anywhere Chain SECURITY (0 references) target prot opt source destination RETURN tcp anywhere anywhere tcp flags:SYN,RST,ACK/SYN limit: avg 1/sec burst 5 RETURN tcp anywhere anywhere tcp flags:FIN,SYN,RST,ACK/RST limit: avg 1/sec burst 5 RETURN udp anywhere anywhere limit: avg 5/sec burst 5 RETURN icmp anywhere anywhere limit: avg 5/sec burst 5 DROP all anywhere anywhere Chain logaccept (0 references) target prot opt source destination LOG all anywhere anywhere LOG level warning tcp-sequence tcp-options ip-options prefix `ACCEPT ' ACCEPT all anywhere anywhere Chain logdrop (0 references) target prot opt source destination LOG all anywhere anywhere LOG level warning tcp-sequence tcp-options ip-options prefix `DROP ' DROP all anywhere anywhere
but it also added fe80::/64 considered unsafe according to kamil, but it was the final step to make ipv6 browsable again
in the end the current firewall is not complete imo






Reply With Quote
