Home / server / Questions / 267078
Accepted
nixnotwin
Asked: 2011-05-07 09:28:52 +0800 CST

Ip6tables script for a ipv6 router

  • 772

I am using gogoc tunnel broker on my ubuntu pc for enabling ipv6. I want to use my Ubuntu pc as ipv6 router. I have enabled router mode in the gogoc client. I am using radvd for advertizing the router on the local LAN. tun is the tunnel (WAN) interface. br0 is the LAN interface (wan0 and eth0 have been bridged to make the laptop a wireless accesspoint). What firewall rules can I use to enable packet forwarding and to have a fairly good security for the router and the LAN devises.

firewall ipv6 forwarding

2 Answers

  1. For Linux-based routers, I find that shorewall6---a firewall tool based on ip6tables---works quite well. By using a front end tool like shorewall6 instead of raw ip6tables, you can dispense with certain important but fiddly details, like wondering about the vaguaries of ICMPv6 (which types do I need to accept? which to drop/reject?), as they've already been competently dealt with.

    To configure shorewall6, you edit a small number of well-documented config files in /etc/shorewall6. At the very least, you would modify these files:

    • zones, where you give names to your networks;
    • interfaces, where you list your network interfaces and the zones they are attached to;
    • policy, where you define your default policies for forwarding between zones (ACCEPT, DROP, etc);
    • and rules, where you can create specific exceptions to your policies.

    (There are a few other files as well, but for most situations, the defaults are fine.)

    In your case, you could define two zones, say lan and wan. Your default wan-to-lan policy would be DROP, while your default lan-to-wan policy would be ACCEPT. Then, if, for example, you wanted to allow ssh connections to particular hosts in your lan zone from the wan zone, you would add those exceptions to the rules file.

    In summary, using a front end tool like shorewall6 makes it very easy to create a robust and secure router/firewall---certainly easier than using raw ip6tables---because it creates some easily understandable abstractions for you to configure (zones, policies, rules), and then it takes care of the underlying details.

    • 2
  2. Best Answer

    I can't say that I'm familiar with that specific tunnel broker, I'm assuming that you received a /64 for your hosts. There are some tunnel brokers which provide a /48 in which case you'll need to adjust the rules a bit. These are in iptables-save format:

    *filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]

# Allow established connections
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT

# Allow ICMPv6 traffic (required for IPv6) This could be tightened up but it must
# be done very carefully unless you know what you're doing. It could block all
# routing
-A INPUT -p ipv6-icmp -j ACCEPT
-A FORWARD -p ipv6-icmp -j ACCEPT

# Allow traffic from your internal hosts to the outside world
-A FORWARD -s <your address block>::/64 -j ACCEPT

COMMIT

    You'll need to replace "<your address block>::/64" with whatever address range you're assigned.

    This firewall will prevent all outside connections to your local IPv6 addresses while allowing them access to everything. If you need to provide services on your internal IPv6 hosts you'll need to add allow rules in the FORWARD chain at the end (but before the COMMIT).

    • 1