ipv6 network fail (newbie alert)

Noel Butler noel.butler at ausics.net
Thu Mar 21 08:21:24 CET 2013


On Thu, 2013-03-21 at 15:54 +1000, Nick Edwards wrote:

> I must have missed something here, because with icmp, that FreeBSD
> link shows what I'm doing now, and people here are saying not to
> 
> 
> O

Darren pretty much answered your question earlier on in the thread.
This should work for you, it might be nasty, but it does work :)

ip6tables -F
ip6tables -P INPUT ACCEPT                # (or DROP)
ip6tables -P OUTPUT ACCEPT
ip6tables -P FORWARD DROP

ip6tables -A INPUT -i lo -j ACCEPT
ip6tables -A INPUT -s fe80::/10 -j ACCEPT
ip6tables -A INPUT -d ff00::/8 -j ACCEPT

ip6tables -A INPUT -s y:o:u:r:assigned:range/mask -j ACCEPT

ip6tables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

# if you are forwarding
ip6tables -A FORWARD -s y:o:u:r:assigned:range/mask -j ACCEPT
ip6tables -A FORWARD -d y:o:u:r:assigned:range/mask -j ACCEPT

# --- input accepts for any ports like 25, 80, etc. here ---

ip6tables -A INPUT -p tcp --dport 1:1023 -j DROP
ip6tables -A INPUT -p udp -j DROP

ip6tables -A INPUT -p icmpv6 --icmpv6-type 1 -j ACCEPT  
ip6tables -A INPUT -p icmpv6 --icmpv6-type 2 -j ACCEPT  
ip6tables -A INPUT -p icmpv6 --icmpv6-type 3 -j ACCEPT  
ip6tables -A INPUT -p icmpv6 --icmpv6-type 4 -j ACCEPT  
ip6tables -A INPUT -p icmpv6 -j DROP


Since you said earlier that you statically assign IPs, I see no point in
allowing NDP (but I too am no IPv6 expert)
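
Added example, not part of the original message: a small Python model of first-match evaluation over the INPUT rules above, showing which rule decides a few constructed packets, NDP included. The prefix 2001:db8:1::/48 stands in for the assigned range, that rule is assumed to end in -j ACCEPT, the per-port accepts are left out, and conntrack state is supplied by hand.

```python
import ipaddress as ip

ASSIGNED = "2001:db8:1::/48"   # constructed stand-in for y:o:u:r:assigned:range/mask

def in_net(addr, net):
    return ip.ip_address(addr) in ip.ip_network(net)

# INPUT chain in the order posted: (label, match predicate, target)
RULES = [
    ("-i lo", lambda p: p.get("iif") == "lo", "ACCEPT"),
    ("-s fe80::/10", lambda p: in_net(p["src"], "fe80::/10"), "ACCEPT"),
    ("-d ff00::/8", lambda p: in_net(p["dst"], "ff00::/8"), "ACCEPT"),
    ("-s assigned", lambda p: in_net(p["src"], ASSIGNED), "ACCEPT"),  # assumed target
    ("conntrack", lambda p: p.get("ct") in ("ESTABLISHED", "RELATED"), "ACCEPT"),
    ("tcp 1:1023", lambda p: p["proto"] == "tcp" and 1 <= p["dport"] <= 1023, "DROP"),
    ("udp", lambda p: p["proto"] == "udp", "DROP"),
    ("icmpv6 1-4", lambda p: p["proto"] == "icmpv6" and p["type"] in (1, 2, 3, 4), "ACCEPT"),
    ("icmpv6 any", lambda p: p["proto"] == "icmpv6", "DROP"),
]

def verdict(pkt, policy="ACCEPT"):
    """Return (target, deciding rule); the chain policy applies if nothing matches."""
    for label, match, target in RULES:
        if match(pkt):
            return target, label
    return policy, "policy"

HOST, REMOTE = "2001:db8:1::10", "2001:db8:ffff::1"   # REMOTE is outside ASSIGNED

# Constructed sample packets (not captured traffic)
SAMPLES = {
    "NS, link-local src": dict(proto="icmpv6", type=135, src="fe80::1", dst="ff02::1:ff00:10"),
    "RA to all-nodes": dict(proto="icmpv6", type=134, src="fe80::1", dst="ff02::1"),
    "unicast NS, global src": dict(proto="icmpv6", type=135, src=REMOTE, dst=HOST),
    "echo request": dict(proto="icmpv6", type=128, src=REMOTE, dst=HOST),
    "packet too big": dict(proto="icmpv6", type=2, src=REMOTE, dst=HOST),
    "tcp/22 new": dict(proto="tcp", dport=22, src=REMOTE, dst=HOST),
    "tcp/8080 new": dict(proto="tcp", dport=8080, src=REMOTE, dst=HOST),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        target, rule = verdict(pkt)
        print(f"{name:24} {target:6} by {rule}")
```

In this model NDP from link-local sources is accepted by the fe80::/10 rule before the ICMPv6 rules are reached, and new TCP connections to ports above 1023 fall through to the chain policy.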
