IPv6 firewall on Linux router
I have an IPv6 tunnel (he.net) on my NAT router. I also have a simple firewall and routing setup to allow hosts behind the router to use IPv6 address space. Unfortunately, only outgoing connectivity and incoming ICMP work for these hosts.
#!/bin/bash
PUBIF="he-ipv6"   # tunnel interface towards the Internet
LOCIF="vmbr0"     # bridge towards the LAN hosts
echo "Starting IPv6 firewall..."
# Flush all rules and delete user-defined chains in the filter and mangle tables
ip6tables -F
ip6tables -X
ip6tables -t mangle -F
ip6tables -t mangle -X
# Loopback is always allowed
ip6tables -A INPUT -i lo -j ACCEPT
ip6tables -A OUTPUT -o lo -j ACCEPT
# Default deny in every chain
ip6tables -P INPUT DROP
ip6tables -P OUTPUT DROP
ip6tables -P FORWARD DROP
# The router's own connections towards the Internet and their replies
ip6tables -A INPUT -i $PUBIF -m state --state ESTABLISHED,RELATED -j ACCEPT
ip6tables -A OUTPUT -o $PUBIF -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
# Drop packets carrying a type 0 routing header
ip6tables -A INPUT -m rt --rt-type 0 -j DROP
ip6tables -A FORWARD -m rt --rt-type 0 -j DROP
ip6tables -A OUTPUT -m rt --rt-type 0 -j DROP
# Link-local and multicast traffic (neighbour discovery, router advertisements)
ip6tables -A INPUT -s fe80::/10 -j ACCEPT
ip6tables -A OUTPUT -s fe80::/10 -j ACCEPT
ip6tables -A INPUT -d ff00::/8 -j ACCEPT
ip6tables -A OUTPUT -d ff00::/8 -j ACCEPT
# Anything between the router itself and the LAN side
ip6tables -A INPUT -i $LOCIF -j ACCEPT
ip6tables -A OUTPUT -o $LOCIF -j ACCEPT
# Forwarding: LAN to Internet unrestricted, Internet to LAN ICMPv6 only, plus replies
ip6tables -A FORWARD -i $LOCIF -o $PUBIF -j ACCEPT
ip6tables -A FORWARD -i $PUBIF -o $LOCIF -p icmpv6 -j ACCEPT
ip6tables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# ICMPv6 to and from the router itself on the tunnel
ip6tables -A INPUT -i $PUBIF -p ipv6-icmp -j ACCEPT
ip6tables -A OUTPUT -o $PUBIF -p ipv6-icmp -j ACCEPT
# One service on the router reachable from the Internet
ip6tables -A INPUT -i $PUBIF -p tcp --destination-port 65000 -j ACCEPT
# Log and drop everything else arriving on the tunnel
ip6tables -A INPUT -i $PUBIF -j LOG
ip6tables -A INPUT -i $PUBIF -j DROP
What did I miss here?
iptables firewall routing nat ipv6
asked 6 hours ago
Syn Romana
1 Answer
You're only allowing ICMP inward!
ip6tables -A FORWARD -i $PUBIF -o $LOCIF -p icmpv6 -j ACCEPT
Compare it to the previous rule where you allow all traffic outward.
ip6tables -A FORWARD -i $LOCIF -o $PUBIF -j ACCEPT
BTW, these rules are redundant; the Linux kernel has automatically dropped this traffic since about 2.6.25 (2007-ish). You can safely remove them. And you should reevaluate whatever tutorial you found them in, as it is probably very far out of date.
ip6tables -A INPUT -m rt --rt-type 0 -j DROP
ip6tables -A FORWARD -m rt --rt-type 0 -j DROP
ip6tables -A OUTPUT -m rt --rt-type 0 -j DROP
answered 6 hours ago
Michael Hampton♦
Yes, the incoming traffic rule was an issue. Thanks for pointing that out.
– Syn Romana
4 hours ago
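One way to act on the answer without mirroring the outbound "allow everything" rule for inbound traffic, as an added example that is neither the asker's script nor the answerer's code: the FORWARD chain below keeps ICMPv6 and return traffic flowing inward but admits new inbound connections only to listed LAN hosts and ports. Interface names come from the question; the service list (documentation-prefix addresses) and the IP6T dry-run switch are assumptions.

```bash
#!/bin/bash
# Added example, not the asker's script or the answerer's: a FORWARD chain
# that follows the answer's point without copying the outbound "allow all"
# rule for inbound traffic. Interface names are from the question; the
# service list and the IP6T dry-run switch are assumptions.
set -eu
PUBIF="he-ipv6"
LOCIF="vmbr0"
# Set IP6T=echo to print the rules instead of loading them.
IP6T="${IP6T:-ip6tables}"
# Assumed LAN services to expose, one "address/protocol/port" per entry
# (documentation-prefix addresses, not real hosts).
INBOUND_SERVICES="2001:db8::10/tcp/443 2001:db8::20/tcp/22"

forward_rules() {
    $IP6T -P FORWARD DROP
    $IP6T -F FORWARD
    # Replies to connections opened in either direction.
    $IP6T -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # Packets conntrack cannot classify are dropped before any ACCEPT.
    $IP6T -A FORWARD -m conntrack --ctstate INVALID -j DROP
    # LAN hosts may open anything outward.
    $IP6T -A FORWARD -i "$LOCIF" -o "$PUBIF" -j ACCEPT
    # ICMPv6 must pass inward (Packet Too Big, echo, ...) or IPv6 breaks.
    $IP6T -A FORWARD -i "$PUBIF" -o "$LOCIF" -p ipv6-icmp -j ACCEPT
    # New inbound connections only to the listed host/port pairs.
    local svc addr rest proto port
    for svc in $INBOUND_SERVICES; do
        addr=${svc%%/*}; rest=${svc#*/}
        proto=${rest%%/*}; port=${rest#*/}
        $IP6T -A FORWARD -i "$PUBIF" -o "$LOCIF" -p "$proto" -d "$addr" \
            --dport "$port" -m conntrack --ctstate NEW -j ACCEPT
    done
    # Log (rate limited) what the DROP policy is about to discard.
    $IP6T -A FORWARD -i "$PUBIF" -o "$LOCIF" -m limit --limit 5/min \
        -j LOG --log-prefix "ip6 fwd drop: "
}

# Number of inbound NEW rules the service list produces (dry run).
count_inbound_rules() {
    ( IP6T=echo; forward_rules ) | grep -c -- "--ctstate NEW"
}

# Without --apply this only prints the rules; run as root with --apply to load.
[ "${1:-}" = "--apply" ] || IP6T=echo
forward_rules
```

Run it without arguments first and read the printed rules; only when they match what you intend, run it as root with --apply.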