
I thought I would set up a simple IPv6 firewall, but it turned out to be hell. Somehow I really can't connect to anything over IPv6 from my machine unless I set the INPUT policy to ACCEPT. Below is my current ip6tables:

ip6tables -L

Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all      anywhere             anywhere           state RELATED,ESTABLISHED
ACCEPT     ipv6-icmp    anywhere             anywhere
ACCEPT     tcp      anywhere             anywhere           tcp dpt:http
ACCEPT     tcp      anywhere             anywhere           tcp dpt:https

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

If I try to connect to any IPv6 address it doesn't work:

telnet gdata.youtube.com 80
Trying 2a00:1450:4013:c00::76...

OR

telnet gdata.youtube.com 443
Trying 2a00:1450:4013:c00::76...

When I set:

ip6tables -P INPUT ACCEPT

It works... but then everything is open? What is going on? Help?

klaas

1 Answer


You're probably missing the critical "stateful" rule:

-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

You are also missing a rule to accept ICMPv6. Without ICMPv6, IPv6 simply does not function.

-A INPUT -p ipv6-icmp -j ACCEPT

For performance reasons, this should be among the earliest rules in your chain.

Michael Hampton
  • Nope, that did not work. I flushed the INPUT rules and first added your rule:
    -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    -A INPUT -i eth0 -p tcp --dport 80 -j ACCEPT
    -A INPUT -i eth0 -p tcp --dport 443 -j ACCEPT
    – klaas Aug 31 '12 at 08:57
  • Oops, I forgot something. See the updated answer. – Michael Hampton Aug 31 '12 at 09:16
  • I updated my post at the top, but no result. I did both the things you mention; you can see the ip6tables -L at the top. – klaas Aug 31 '12 at 09:29
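The ruleset the answer describes, written out in full as an added example (this is not code from the question or the answer): a stateful IPv6 INPUT chain in ip6tables-restore format, generated by a shell function so it can be reviewed before it is loaded, plus a check that the stateful and ICMPv6 accepts sit ahead of the service rules. It uses the modern `-m conntrack --ctstate` match, which is equivalent to the `-m state --state` form in the thread. The interface name eth0, the FORWARD policy of DROP (assuming the host is not routing), and the LOG prefix are assumptions; the loopback accept, INVALID drop and rate-limited LOG rule are additions a practitioner would normally want so that a hung connection can be traced to the rule that dropped it.

```shell
#!/bin/sh
# Added example, not from the original post. Generates a minimal stateful
# IPv6 firewall in ip6tables-restore format. Assumptions: services live on
# eth0, the host does not forward traffic, LOG prefix is arbitrary.
set -eu

# Emit the ruleset to stdout. Load it with: gen_ruleset | ip6tables-restore
gen_ruleset() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Loopback first: local services talk to each other over ::1.
-A INPUT -i lo -j ACCEPT
# Stateful rule: replies to connections this host opened (OUTPUT is
# ACCEPT) come back through INPUT. Without it every outbound TCP
# connection hangs exactly as in the question.
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Packets conntrack cannot classify (stray ACKs, bad sequence numbers).
-A INPUT -m conntrack --ctstate INVALID -j DROP
# ICMPv6 is mandatory: neighbor discovery, router advertisements and
# path MTU discovery all ride on it.
-A INPUT -p ipv6-icmp -j ACCEPT
# Services exposed on eth0 (assumed interface name).
-A INPUT -i eth0 -p tcp --dport 80 -j ACCEPT
-A INPUT -i eth0 -p tcp --dport 443 -j ACCEPT
# Log whatever falls through to the DROP policy, rate limited, so the
# kernel log shows which packets are being killed and why.
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "ip6tables-drop: "
COMMIT
EOF
}

# Sanity check: the stateful and ICMPv6 accepts must come before the
# first service rule; rule order is what usually goes wrong here.
check_order() {
    ruleset=$(gen_ruleset)
    state_line=$(printf '%s\n' "$ruleset" | grep -n 'ESTABLISHED,RELATED' | cut -d: -f1)
    icmp_line=$(printf '%s\n' "$ruleset" | grep -n 'ipv6-icmp' | cut -d: -f1)
    svc_line=$(printf '%s\n' "$ruleset" | grep -n -- '--dport' | head -n1 | cut -d: -f1)
    [ "$state_line" -lt "$svc_line" ] && [ "$icmp_line" -lt "$svc_line" ]
}

# Only touch the live firewall when asked explicitly and running as root;
# otherwise just print the ruleset for review.
if [ "${1:-}" = "apply" ]; then
    [ "$(id -u)" -eq 0 ] || { echo "apply needs root" >&2; exit 1; }
    check_order || { echo "rule order check failed" >&2; exit 1; }
    gen_ruleset | ip6tables-restore
else
    gen_ruleset
fi
```

After loading, `ip6tables -L INPUT -v -n --line-numbers` shows a packet counter per rule: if the ESTABLISHED,RELATED counter stays at zero while an outbound telnet hangs and the LOG line fires in the kernel log, conntrack is not matching the return traffic, and on older kernels it is worth confirming that the nf_conntrack_ipv6 module is actually loaded (`lsmod | grep nf_conntrack_ipv6`) rather than adding more accept rules.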