OpenWRT 8.09.2 and ipv6

After spending quite some time with the firewall rules inside the openwrt kamikaze 8.09.2 installed on my Linksys WRT54GL, I thought that posting the end result might be handy for others.

  • step 1, install the following packages: ip6tables, kmod-ipv6, radvd, 6scripts.
  • step 2, change the following line in /etc/init.d/6tunnel
    ip tunnel add $tnlifname mode sit remote $remoteip4 local $localip4 ttl $ttl

    into
    ip tunnel add $tnlifname mode sit remote any local $localip4 ttl $ttl

    because if you don’t the outgoing packets are to remoteip4 (192.88.99.1), but the incoming packets are from 192.88.99.2. That’s not handled properly somewhere inside the kernel/firewall/ip6tunnel config. You can see this is happening by the “ICMP protocol 41 unreachable” messages back to 192.88.99.2.

So, what goes into /etc/config/6tunnel:

config 6tunnel
option tnlifname ‘6tunnel’
option remoteip4        '192.88.99.1'
option localip4                <insert your ipv4 address>
# convert your external ipv4 address into 8 4-nibble hex digits
#
option prefix                ‘2002:<hex variant of ipv4>:1::1/64’
option localip6                “2002:<hex variant of ipv4>::1/16”
option ttl                64

And the last step is adding a rule admitting ipv6 packets in (/etc/config/firewall)

config rule
option '_name'                ‘6tunnel’
option src                wan
option proto                41                # ipv6
option target                ACCEPT

And just to have everything documented, this is a sample firewall script for protection of your ipv6 stuff:

#!/bin/sh
# Copyright (C) 2006 OpenWrt.org
PUBIF=‘6tunnel’
ip6tables        -F
ip6tables        -X
ip6tables        -t mangle -F
ip6tables        -t mangle -X
# Allow everything on loopback.
ip6tables        -A INPUT -i lo -j ACCEPT
ip6tables        -A OUTPUT -o lo -j ACCEPT
ip6tables        -P INPUT DROP
ip6tables        -P OUTPUT DROP
ip6tables        -P FORWARD ACCEPT
# Accept only stuff incoming if there's a SYN in there.
# We really want ESTABLISHED, RELATED, but unfortunately that's not supported (yet) in ip6tables
ip6tables        -A INPUT -i $PUBIF -p tcp ! --syn -j ACCEPT
ip6tables        -A INPUT -i $PUBIF -p ipv6-icmp -j ACCEPT
ip6tables        -A OUTPUT -o $PUBIF -p ipv6-icmp -j ACCEPT
ip6tables         -A INPUT -i $PUBIF -p tcp --dport 80 -j ACCEPT # accept HTTP
ip6tables         -A INPUT -i $PUBIF -p tcp --dport 22 -j ACCEPT # accept SSH
ip6tables         -A INPUT -i $PUBIF -p tcp --dport 25 -j ACCEPT # accept SMTP
ip6tables        -A INPUT -i br-lan -j ACCEPT
ip6tables        -A OUTPUT -o br-lan -j ACCEPT
ip6tables        -A INPUT -i $PUBIF -j LOG
ip6tables        -A INPUT -i $PUBIF -j DROP

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s