IPv6 firewall on Linux router


I have an IPv6 tunnel (he.net) on my NAT router. I also have a simple firewall and routing setup to allow hosts behind the router to use IPv6 address space. Unfortunately only outgoing connectivity and incoming ICMP work for these hosts.



#!/bin/bash
PUBIF="he-ipv6"   # tunnel interface towards he.net (untrusted side)
LOCIF="vmbr0"     # LAN bridge (trusted side)
echo "Starting IPv6 firewall..."
# Flush all rules and delete user chains in the filter and mangle tables
ip6tables -F
ip6tables -X
ip6tables -t mangle -F
ip6tables -t mangle -X

# Loopback is always allowed
ip6tables -A INPUT -i lo -j ACCEPT
ip6tables -A OUTPUT -o lo -j ACCEPT

# Default deny on every chain
ip6tables -P INPUT DROP
ip6tables -P OUTPUT DROP
ip6tables -P FORWARD DROP

# Router itself: tracked replies in over the tunnel, anything out over the tunnel
ip6tables -A INPUT -i $PUBIF -m state --state ESTABLISHED,RELATED -j ACCEPT
ip6tables -A OUTPUT -o $PUBIF -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

# Drop packets carrying a type 0 routing header
ip6tables -A INPUT -m rt --rt-type 0 -j DROP
ip6tables -A FORWARD -m rt --rt-type 0 -j DROP
ip6tables -A OUTPUT -m rt --rt-type 0 -j DROP

# Link-local sources and multicast destinations, on any interface
ip6tables -A INPUT -s fe80::/10 -j ACCEPT
ip6tables -A OUTPUT -s fe80::/10 -j ACCEPT

ip6tables -A INPUT -d ff00::/8 -j ACCEPT
ip6tables -A OUTPUT -d ff00::/8 -j ACCEPT

# LAN hosts may talk to the router freely
ip6tables -A INPUT -i $LOCIF -j ACCEPT
ip6tables -A OUTPUT -o $LOCIF -j ACCEPT

# Forwarding: everything LAN -> tunnel, only ICMPv6 tunnel -> LAN, plus tracked replies
ip6tables -A FORWARD -i $LOCIF -o $PUBIF -j ACCEPT
ip6tables -A FORWARD -i $PUBIF -o $LOCIF -p icmpv6 -j ACCEPT
ip6tables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

# ICMPv6 to and from the router over the tunnel
ip6tables -A INPUT -i $PUBIF -p ipv6-icmp -j ACCEPT
ip6tables -A OUTPUT -o $PUBIF -p ipv6-icmp -j ACCEPT

# One TCP service on the router reachable from the tunnel
ip6tables -A INPUT -i $PUBIF -p tcp --destination-port 65000 -j ACCEPT

# Log and drop whatever else arrives over the tunnel
ip6tables -A INPUT -i $PUBIF -j LOG
ip6tables -A INPUT -i $PUBIF -j DROP


What did I miss here?










Tags: iptables firewall routing nat ipv6






asked 11 hours ago by Syn Romana




      132




          1 Answer
You're only allowing ICMP inward!

    ip6tables -A FORWARD -i $PUBIF -o $LOCIF -p icmpv6 -j ACCEPT

Compare it to the previous rule where you allow all traffic outward.

    ip6tables -A FORWARD -i $LOCIF -o $PUBIF -j ACCEPT

BTW, these rules are redundant; the Linux kernel has automatically dropped this traffic since about 2.6.25 (2007-ish). You can safely remove them. And you should reevaluate whatever tutorial you found them in, as it is probably very far out of date.

    ip6tables -A INPUT -m rt --rt-type 0 -j DROP
    ip6tables -A FORWARD -m rt --rt-type 0 -j DROP
    ip6tables -A OUTPUT -m rt --rt-type 0 -j DROP





answered 11 hours ago by Michael Hampton

Yes, the incoming traffic rule was an issue. Thanks for pointing that out.

– Syn Romana, 10 hours ago
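The asymmetry the answer points at has a security side that is easy to miss when coming from IPv4. A host behind this router has a globally routable address and no NAT to hide behind, so the FORWARD chain is the only thing between the tunnel and every host on vmbr0. The quick fix of mirroring the outbound rule (`-i $PUBIF -o $LOCIF -j ACCEPT`) therefore exposes every service on every LAN host to the internet. The script below is an added example, not the poster's script or the answerer's code: the same policy rebuilt in ip6tables-restore format, with the FORWARD chain accepting tracked replies, the ICMPv6 types hosts actually need (packet-too-big in particular, since a 6in4 tunnel has a smaller MTU than the LAN and path MTU discovery breaks without it), and new inbound connections only to explicitly listed services. It drops the type 0 routing header rules as the answer suggests and uses the conntrack match rather than the older state match. The interface names and port 65000 come from the question; the LAN prefix 2001:db8::/64, the exposed host 2001:db8::80 and the file name ip6fw.sh are placeholders.

```shell
#!/bin/sh
# Added example, not the original poster's script: the corrected IPv6 policy
# for a Linux router with a tunnel uplink, emitted in ip6tables-restore format
# so the whole filter table is swapped atomically (no window in which the
# chains are flushed but the policy is not yet loaded, as with a rule-by-rule
# script).
#
# Interface names he-ipv6 / vmbr0 and the router's TCP port 65000 are taken
# from the question. The LAN prefix 2001:db8::/64 (RFC 3849 documentation
# prefix) and the exposed host 2001:db8::80 are placeholders; replace them.

# gen_ip6_rules PUBIF LOCIF LAN6 -> prints the ruleset on stdout, applies nothing
gen_ip6_rules() {
    pubif="$1"; locif="$2"; lan6="$3"
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# --- router itself (INPUT) ---
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# ICMPv6 the router must accept (RFC 4890): errors, rate-limited ping, and
# neighbour/router discovery, which is only valid with hop limit 255
-A INPUT -p ipv6-icmp --icmpv6-type destination-unreachable -j ACCEPT
-A INPUT -p ipv6-icmp --icmpv6-type packet-too-big -j ACCEPT
-A INPUT -p ipv6-icmp --icmpv6-type time-exceeded -j ACCEPT
-A INPUT -p ipv6-icmp --icmpv6-type parameter-problem -j ACCEPT
-A INPUT -p ipv6-icmp --icmpv6-type echo-request -m limit --limit 10/s -j ACCEPT
-A INPUT -p ipv6-icmp --icmpv6-type neighbour-solicitation -m hl --hl-eq 255 -j ACCEPT
-A INPUT -p ipv6-icmp --icmpv6-type neighbour-advertisement -m hl --hl-eq 255 -j ACCEPT
-A INPUT -i $locif -p ipv6-icmp --icmpv6-type router-solicitation -m hl --hl-eq 255 -j ACCEPT
# LAN hosts may reach the router; the tunnel side only reaches one TCP service
-A INPUT -i $locif -j ACCEPT
-A INPUT -i $pubif -p tcp --dport 65000 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -i $pubif -j LOG --log-prefix "ip6-in-drop: " --log-level 6
# --- router's own traffic (OUTPUT) ---
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -p ipv6-icmp -j ACCEPT
-A OUTPUT -o $locif -j ACCEPT
-A OUTPUT -o $pubif -m conntrack --ctstate NEW -j ACCEPT
# --- transit traffic (FORWARD): the chain the original script got wrong ---
# Replies to LAN-initiated flows return as ESTABLISHED/RELATED. With global
# addresses and no NAT this chain is all that stands between the tunnel and
# every LAN host, so new inbound flows are accepted only per listed service.
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m conntrack --ctstate INVALID -j DROP
-A FORWARD -i $locif -o $pubif -s $lan6 -j ACCEPT
-A FORWARD -i $pubif -o $locif -d $lan6 -p ipv6-icmp --icmpv6-type destination-unreachable -j ACCEPT
-A FORWARD -i $pubif -o $locif -d $lan6 -p ipv6-icmp --icmpv6-type packet-too-big -j ACCEPT
-A FORWARD -i $pubif -o $locif -d $lan6 -p ipv6-icmp --icmpv6-type time-exceeded -j ACCEPT
-A FORWARD -i $pubif -o $locif -d $lan6 -p ipv6-icmp --icmpv6-type parameter-problem -j ACCEPT
-A FORWARD -i $pubif -o $locif -d $lan6 -p ipv6-icmp --icmpv6-type echo-request -m limit --limit 10/s -j ACCEPT
# Placeholder exposed service: HTTPS on one LAN host
-A FORWARD -i $pubif -o $locif -d 2001:db8::80 -p tcp --dport 443 -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -i $pubif -o $locif -j LOG --log-prefix "ip6-fwd-drop: " --log-level 6
COMMIT
EOF
}

# Guardrail against the tempting "mirror the outbound rule" fix: reads a
# ruleset on stdin and fails if any FORWARD rule accepts arbitrary new traffic
# from the uplink into the LAN (no protocol and no conntrack state restriction).
assert_no_open_inbound_forward() {
    pubif="$1"; locif="$2"
    if grep -- "^-A FORWARD -i $pubif -o $locif " \
        | grep -- '-j ACCEPT' \
        | grep -v -e ' -p ' -e '--ctstate' \
        | grep -q .; then
        echo "refusing ruleset: unrestricted forward $pubif -> $locif" >&2
        return 1
    fi
    return 0
}

# Usage: sh ip6fw.sh check   (parse only)   or   sh ip6fw.sh apply   (load atomically)
PUBIF="he-ipv6"; LOCIF="vmbr0"; LAN6="2001:db8::/64"
case "${1:-}" in
    check) gen_ip6_rules "$PUBIF" "$LOCIF" "$LAN6" | assert_no_open_inbound_forward "$PUBIF" "$LOCIF" \
           && gen_ip6_rules "$PUBIF" "$LOCIF" "$LAN6" | ip6tables-restore --test ;;
    apply) gen_ip6_rules "$PUBIF" "$LOCIF" "$LAN6" | assert_no_open_inbound_forward "$PUBIF" "$LOCIF" \
           && gen_ip6_rules "$PUBIF" "$LOCIF" "$LAN6" | ip6tables-restore ;;
esac
```

Run `sh ip6fw.sh check` first: the guardrail refuses any ruleset containing an unrestricted uplink-to-LAN ACCEPT, and `ip6tables-restore --test` parses the ruleset without loading it. `apply` then replaces the whole filter table in one step. After loading, `ip6tables -L FORWARD -v -n --line-numbers` shows per-rule counters, so a connection attempt from outside to a LAN host should increment the LOG rule rather than an ACCEPT unless the destination is on the service list, while a download started from a LAN host should only ever hit the ESTABLISHED,RELATED rule on the way back in.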





          Yes, incoming traffic rule was an issue. Thanks for pointing that.

          – Syn Romana
          10 hours ago









