ipv6 network fail (newbie alert)
Romain Boissat
rboissat at lv0.in
Wed Mar 20 19:48:05 CET 2013
Hi,
On Wed, Mar 20, 2013 at 10:34:36AM -0700, Darren Pilgrim wrote:
> On 2013-03-20 00:48, Nick Edwards wrote:
> >ok, so, it would be best to simply remove all icmp/icmp6 options,
> >clear them all out, but then use :
> >/usr/local/sbin/ip6tables -A INPUT -p icmpv6 --icmpv6-type echo-request -j DROP
> >blocking nothing else?
>
> Really it comes down to reading RFC 4890 and doing your homework.
> Debate about the entrance bar to IPv6 adminship aside, if you can't
> be bothered, there are blogs which publish ip6tables rulesets built
> directly from the RFC.
I tend to use these rules for a GNU/Linux router:
IP6T=$(which ip6tables)
ICMP6="-p icmpv6"
$IP6T -N ICMPv6_IN
$IP6T -N ICMPv6_FW
################# INPUT
# ICMPv6 is a bit more complex than ICMPv4
# Maintenance of communication
$IP6T -A ICMPv6_IN $ICMP6 --icmpv6-type 1 -j ACCEPT # Destination Unreachable
$IP6T -A ICMPv6_IN $ICMP6 --icmpv6-type 2 -j ACCEPT # Packet too big
$IP6T -A ICMPv6_IN $ICMP6 --icmpv6-type 3 -j ACCEPT # Time Exceeded
$IP6T -A ICMPv6_IN $ICMP6 --icmpv6-type 4 -j ACCEPT # Parameter problem
# Connectivity checking
$IP6T -A ICMPv6_IN $ICMP6 --icmpv6-type 128 -j ACCEPT # Echo Request
$IP6T -A ICMPv6_IN $ICMP6 --icmpv6-type 129 -j ACCEPT # Echo Response
# Address configuration and router selection: allow in link-local only
$IP6T -A ICMPv6_IN $ICMP6 --icmpv6-type 133 -m hl --hl-eq 255 -j LOG --log-level warning --log-prefix "RS6 " # RS
$IP6T -A ICMPv6_IN $ICMP6 --icmpv6-type 133 -m hl --hl-eq 255 -j ACCEPT # RS
$IP6T -A ICMPv6_IN $ICMP6 --icmpv6-type 134 -m hl --hl-eq 255 -j ACCEPT # RA
$IP6T -A ICMPv6_IN $ICMP6 --icmpv6-type 135 -m hl --hl-eq 255 -j ACCEPT # NS
$IP6T -A ICMPv6_IN $ICMP6 --icmpv6-type 136 -m hl --hl-eq 255 -j LOG --log-level warning --log-prefix "NA6 " # NA
$IP6T -A ICMPv6_IN $ICMP6 --icmpv6-type 136 -m hl --hl-eq 255 -j ACCEPT # NA
$IP6T -A ICMPv6_IN $ICMP6 --icmpv6-type 141 -m hl --hl-eq 255 -j ACCEPT # Inverse NDS
$IP6T -A ICMPv6_IN $ICMP6 --icmpv6-type 142 -m hl --hl-eq 255 -j ACCEPT # Inverse NDA
# Link-local Multicast receiver: allow in link-local only
# MLD messages are sent with hop limit 1 (RFC 2710 / RFC 3810), so match on 1, not 255
$IP6T -A ICMPv6_IN $ICMP6 --icmpv6-type 130 -m hl --hl-eq 1 -j ACCEPT # Listener Query
$IP6T -A ICMPv6_IN $ICMP6 --icmpv6-type 131 -m hl --hl-eq 1 -j ACCEPT # Listener Report
$IP6T -A ICMPv6_IN $ICMP6 --icmpv6-type 132 -m hl --hl-eq 1 -j ACCEPT # Listener Done
$IP6T -A ICMPv6_IN $ICMP6 --icmpv6-type 143 -m hl --hl-eq 1 -j ACCEPT # Listener Report v2
# SEND Certification Path Notification: allow in link-local traffic only
$IP6T -A ICMPv6_IN $ICMP6 --icmpv6-type 148 -m hl --hl-eq 255 -j ACCEPT # CPS
$IP6T -A ICMPv6_IN $ICMP6 --icmpv6-type 149 -m hl --hl-eq 255 -j ACCEPT # CPA
# Multicast Router messages: Advertisement, Solicitation, Termination
# MRD messages are sent with hop limit 1 (RFC 4286), so match on 1, not 255
$IP6T -A ICMPv6_IN $ICMP6 --icmpv6-type 151 -m hl --hl-eq 1 -j ACCEPT # MRA
$IP6T -A ICMPv6_IN $ICMP6 --icmpv6-type 152 -m hl --hl-eq 1 -j ACCEPT # MRS
$IP6T -A ICMPv6_IN $ICMP6 --icmpv6-type 153 -m hl --hl-eq 1 -j ACCEPT # MRT
# Mobile IPv6
$IP6T -A ICMPv6_IN $ICMP6 --icmpv6-type 144 -j ACCEPT # Home Agent Address Discovery Request
$IP6T -A ICMPv6_IN $ICMP6 --icmpv6-type 145 -j ACCEPT # Home Agent Address Discovery Reply
$IP6T -A ICMPv6_IN $ICMP6 --icmpv6-type 146 -j ACCEPT # Mobile Prefix Solicitation
$IP6T -A ICMPv6_IN $ICMP6 --icmpv6-type 147 -j ACCEPT # Mobile Prefix Advertisement
# Handling fragmentation
$IP6T -A ICMPv6_IN -m ipv6header --soft --header frag -j ACCEPT
# applying ICMPv6_IN rules to general icmpv6 input
$IP6T -A INPUT $ICMP6 -j ICMPv6_IN
################# FORWARD
# ICMPv6 is a bit more complex
# Maintenance of communication
$IP6T -A ICMPv6_FW $ICMP6 --icmpv6-type 1 -j ACCEPT # Destination Unreachable
$IP6T -A ICMPv6_FW $ICMP6 --icmpv6-type 2 -j ACCEPT # Packet too big
$IP6T -A ICMPv6_FW $ICMP6 --icmpv6-type 3 -j ACCEPT # Time Exceeded
$IP6T -A ICMPv6_FW $ICMP6 --icmpv6-type 4 -j ACCEPT # Parameter problem
# Connectivity checking, for now let the IPv6 world in
$IP6T -A ICMPv6_FW $ICMP6 --icmpv6-type 128 -j ACCEPT # Echo Request
$IP6T -A ICMPv6_FW $ICMP6 --icmpv6-type 129 -j ACCEPT # Echo Response
# Handling fragmentation
$IP6T -A ICMPv6_FW -m ipv6header --soft --header frag -j ACCEPT
# Applying rules
$IP6T -A FORWARD $ICMP6 -j ICMPv6_FW
Any feedback is welcome!
Regards,
--
Romain Boissat
chroot-me.in
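As an added example (not from the post or its author): an offline Python model of the ICMPv6_IN chain above, so the rule order, the non-terminating LOG targets and the hop-limit matches can be checked without loading anything into a kernel. The MLD and Multicast Router Discovery rules are modelled with hop limit 1, the value those protocols send (RFC 2710/3810/4286); a rule matching 255 on those types would never fire. Packets are constructed here, and "FALLTHROUGH" stands for the INPUT chain's default policy, which the post does not set.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class Rule:
    """One rule: '-p icmpv6 [--icmpv6-type T] [-m hl --hl-eq H] [frag header] -j TARGET'."""
    icmp_type: Optional[int]   # None: no --icmpv6-type match (used by the frag rule)
    hl_eq: Optional[int]       # None: no '-m hl --hl-eq' match
    target: str                # "ACCEPT" terminates the walk, "LOG" does not
    frag: bool = False         # '-m ipv6header --soft --header frag'

@dataclass(frozen=True)
class Packet:
    """Constructed ICMPv6 packet, reduced to the fields the chain inspects."""
    icmp_type: int
    hop_limit: int
    has_frag_header: bool = False

# Hop limits are protocol constants: ND, Inverse ND and SEND messages arrive with
# 255 (RFC 4861/3122/3971), MLD and Multicast Router Discovery with 1 (RFC 2710/3810/4286).
ICMPV6_IN: List[Rule] = (
    [Rule(t, None, "ACCEPT") for t in (1, 2, 3, 4, 128, 129)]      # errors, echo
    + [Rule(133, 255, "LOG"), Rule(133, 255, "ACCEPT"),             # RS (logged first)
       Rule(134, 255, "ACCEPT"), Rule(135, 255, "ACCEPT"),          # RA, NS
       Rule(136, 255, "LOG"), Rule(136, 255, "ACCEPT"),             # NA (logged first)
       Rule(141, 255, "ACCEPT"), Rule(142, 255, "ACCEPT")]          # Inverse ND
    + [Rule(t, 1, "ACCEPT") for t in (130, 131, 132, 143)]         # MLD
    + [Rule(t, 255, "ACCEPT") for t in (148, 149)]                 # SEND CPS/CPA
    + [Rule(t, 1, "ACCEPT") for t in (151, 152, 153)]              # MRD
    + [Rule(t, None, "ACCEPT") for t in (144, 145, 146, 147)]      # Mobile IPv6
    + [Rule(None, None, "ACCEPT", frag=True)]                      # any type with frag header
)

def evaluate(chain: List[Rule], pkt: Packet) -> Tuple[str, List[int]]:
    """iptables semantics: rules are tried in order, LOG records and continues,
    the first terminating target wins; with no match the packet falls through to
    the INPUT chain's default policy, which the post does not set."""
    logged: List[int] = []
    for rule in chain:
        if rule.icmp_type is not None and rule.icmp_type != pkt.icmp_type:
            continue
        if rule.hl_eq is not None and rule.hl_eq != pkt.hop_limit:
            continue
        if rule.frag and not pkt.has_frag_header:
            continue
        if rule.target == "LOG":
            logged.append(rule.icmp_type)
            continue
        return rule.target, logged
    return "FALLTHROUGH", logged
```

Note that the final fragment-header rule accepts any ICMPv6 type that carries a fragment header, regardless of hop limit, which is worth knowing when deciding the INPUT chain's default policy.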