- As there is no NAT in IPv6, the IPv4 port forwarding rules are replaced by simple 'accept' rules in the FORWARD chain for the needed ports. This example allows incoming traffic to port 113 (identd), which is useful if you use IRC. Delete that line if you have no need for it; other ports can be opened the same way if necessary.
#!/bin/sh
# start with a clean slate
ip6tables -F
ip6tables -X
# allow icmpv6 (neighbour discovery, path MTU discovery and error messages need it)
ip6tables -I INPUT -p ipv6-icmp -j ACCEPT
ip6tables -I OUTPUT -p ipv6-icmp -j ACCEPT
ip6tables -I FORWARD -p ipv6-icmp -j ACCEPT
# allow loopback
ip6tables -A INPUT -i lo -j ACCEPT
ip6tables -A OUTPUT -o lo -j ACCEPT
# allow anything out of the tunnel
ip6tables -A OUTPUT -o 6in4-henet -j ACCEPT
# allow LAN
ip6tables -A INPUT -i br-lan -j ACCEPT
ip6tables -A OUTPUT -o br-lan -j ACCEPT
# drop packets with a type 0 routing header (deprecated by RFC 5095, usable for traffic amplification)
ip6tables -A INPUT -m rt --rt-type 0 -j DROP
ip6tables -A OUTPUT -m rt --rt-type 0 -j DROP
ip6tables -A FORWARD -m rt --rt-type 0 -j DROP
# allow link-local (the original listing repeated the INPUT line; the second one is meant for OUTPUT)
ip6tables -A INPUT -s fe80::/10 -j ACCEPT
ip6tables -A OUTPUT -s fe80::/10 -j ACCEPT
# allow multicast; ff00::/8 only ever appears as a destination, so match on -d (a -s match never fires)
ip6tables -A INPUT -d ff00::/8 -j ACCEPT
ip6tables -A OUTPUT -d ff00::/8 -j ACCEPT
# allow forwarding from the LAN, plus replies to it
ip6tables -A FORWARD -i br-lan -j ACCEPT
ip6tables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# forward ident requests (port 113) to the LAN
ip6tables -A FORWARD -p tcp --dport 113 -j ACCEPT
# default policy: drop everything not explicitly accepted above
ip6tables -P INPUT DROP
ip6tables -P FORWARD DROP
ip6tables -P OUTPUT DROP
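A small offline lint for a script of this shape, added here as an example (it is not part of the OpenWrt wiki and does not run ip6tables). It parses the text of a constructed sample ruleset and reports the properties the script relies on when they are missing or cannot work: DROP policies, the routing-header-0 drops, duplicated lines, a multicast address used with -s, and a missing ESTABLISHED,RELATED rule on INPUT. The function names (parse, audit) and the sample are assumptions of this example.

```python
"""Offline lint for an ip6tables script (added example, not from the OpenWrt wiki): it parses text only."""
import shlex
from collections import Counter
# Constructed sample in the page's style; it deliberately has a duplicated link-local line and a multicast rule with -s.
SAMPLE = """
ip6tables -A INPUT -m rt --rt-type 0 -j DROP
ip6tables -A OUTPUT -m rt --rt-type 0 -j DROP
ip6tables -A FORWARD -m rt --rt-type 0 -j DROP
ip6tables -A INPUT -s fe80::/10 -j ACCEPT
ip6tables -A INPUT -s fe80::/10 -j ACCEPT
ip6tables -A INPUT -s ff00::/8 -j ACCEPT
ip6tables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
ip6tables -A FORWARD -p tcp --dport 113 -j ACCEPT
ip6tables -P INPUT DROP
ip6tables -P FORWARD DROP
ip6tables -P OUTPUT DROP
"""

def parse(script):
    # Returns ({chain: policy}, [(chain, rule tokens), ...]) from -P / -A / -I lines; other lines are ignored.
    policies, rules = {}, []
    for line in script.splitlines():
        argv = shlex.split(line.split("#", 1)[0])
        if len(argv) < 4 or argv[0] != "ip6tables":
            continue
        if argv[1] == "-P":
            policies[argv[2]] = argv[3]
        elif argv[1] in ("-A", "-I"):
            rules.append((argv[2], tuple(argv[3:])))
    return policies, rules

def audit(script):
    # Each finding is a property the page's ruleset depends on that is missing or cannot work.
    policies, rules = parse(script)
    has = lambda chain, *tok: any(c == chain and all(t in r for t in tok) for c, r in rules)
    findings = []
    for chain in ("INPUT", "FORWARD", "OUTPUT"):
        if policies.get(chain) != "DROP":
            findings.append(f"{chain}: default policy is not DROP")
        if not has(chain, "--rt-type", "0", "DROP"):
            findings.append(f"{chain}: no DROP for routing header type 0")
    for (chain, r), n in Counter(rules).items():
        if n > 1:
            findings.append(f"{chain}: duplicate rule {' '.join(r)}")
    for chain, r in rules:
        # RFC 4291: ff00::/8 is never a source address, so "-s ff..." can never match; -d is meant.
        if "-s" in r and r[r.index("-s") + 1].lower().startswith("ff"):
            findings.append(f"{chain}: multicast source never matches, use -d {r[r.index('-s') + 1]}")
    if not has("INPUT", "ESTABLISHED,RELATED"):
        findings.append("INPUT: no ESTABLISHED,RELATED rule, so replies to the router's own connections are dropped")
    return findings
```

Running audit on the sample lists the duplicated link-local rule, the unmatchable multicast rule and the missing INPUT state rule; a ruleset with those three points corrected produces no findings.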
doc/howto/netfilter/netfilter.ip6tables.example1.txt · Last modified: 2011/02/24 08:57 by orca
This text is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.
