[TriLUG] Late night IPv6
Bill Farrow
bill at arrowsreach.com
Thu May 16 13:25:23 EDT 2013
On Thu, May 16, 2013 at 12:42 PM, Igor Partola <igor at igorpartola.com> wrote:
> it's hard to see why it's happening without seeing the actual rules. Could
> you send those on and we could figure this out? This might be good to
> outline for posterity as well, since I am sure you won't be the last person
> to try to get ip6tables to run on OpenWRT.
Here is my OpenWRT IPv6 default firewall table:
ip6tables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
DROP all anywhere anywhere state INVALID
ACCEPT all anywhere anywhere state RELATED,ESTABLISHED
ACCEPT all anywhere anywhere
syn_flood tcp anywhere anywhere tcp flags:FIN,SYN,RST,ACK/SYN
input_rule all anywhere anywhere
input all anywhere anywhere
Chain FORWARD (policy DROP)
target prot opt source destination
DROP all anywhere anywhere state INVALID
ACCEPT all anywhere anywhere state RELATED,ESTABLISHED
forwarding_rule all anywhere anywhere
forward all anywhere anywhere
reject all anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
DROP all anywhere anywhere state INVALID
ACCEPT all anywhere anywhere state RELATED,ESTABLISHED
ACCEPT all anywhere anywhere
output_rule all anywhere anywhere
output all anywhere anywhere
Chain forward (1 references)
target prot opt source destination
zone_lan_forward all anywhere anywhere
zone_wan_forward all anywhere anywhere
zone_DMZ_forward all anywhere anywhere
zone_wan_forward all anywhere anywhere
Chain forwarding_DMZ (1 references)
target prot opt source destination
Chain forwarding_lan (1 references)
target prot opt source destination
Chain forwarding_rule (1 references)
target prot opt source destination
Chain forwarding_wan (1 references)
target prot opt source destination
Chain input (1 references)
target prot opt source destination
ACCEPT tcp anywhere anywhere
ACCEPT udp anywhere anywhere
ACCEPT tcp anywhere anywhere
ACCEPT udp anywhere anywhere
ACCEPT tcp anywhere anywhere
ACCEPT udp anywhere anywhere
zone_lan all anywhere anywhere
zone_wan all anywhere anywhere
zone_DMZ all anywhere anywhere
zone_wan all anywhere anywhere
Chain input_DMZ (1 references)
target prot opt source destination
Chain input_lan (1 references)
target prot opt source destination
Chain input_rule (1 references)
target prot opt source destination
Chain input_wan (1 references)
target prot opt source destination
Chain output (1 references)
target prot opt source destination
zone_lan_ACCEPT all anywhere anywhere
zone_wan_ACCEPT all anywhere anywhere
zone_DMZ_ACCEPT all anywhere anywhere
Chain output_rule (1 references)
target prot opt source destination
Chain reject (9 references)
target prot opt source destination
REJECT tcp anywhere anywhere reject-with tcp-reset
REJECT all anywhere anywhere reject-with icmp6-port-unreachable
Chain syn_flood (1 references)
target prot opt source destination
RETURN tcp anywhere anywhere tcp flags:FIN,SYN,RST,ACK/SYN limit: avg 25/sec burst 50
DROP all anywhere anywhere
Chain zone_DMZ (1 references)
target prot opt source destination
input_DMZ all anywhere anywhere
zone_DMZ_ACCEPT all anywhere anywhere
Chain zone_DMZ_ACCEPT (3 references)
target prot opt source destination
ACCEPT all anywhere anywhere
ACCEPT all anywhere anywhere
Chain zone_DMZ_DROP (0 references)
target prot opt source destination
DROP all anywhere anywhere
DROP all anywhere anywhere
Chain zone_DMZ_REJECT (1 references)
target prot opt source destination
reject all anywhere anywhere
reject all anywhere anywhere
Chain zone_DMZ_forward (1 references)
target prot opt source destination
zone_wan_ACCEPT all anywhere anywhere
forwarding_DMZ all anywhere anywhere
zone_DMZ_REJECT all anywhere anywhere
Chain zone_lan (1 references)
target prot opt source destination
input_lan all anywhere anywhere
zone_lan_ACCEPT all anywhere anywhere
Chain zone_lan_ACCEPT (2 references)
target prot opt source destination
ACCEPT all anywhere anywhere
ACCEPT all anywhere anywhere
Chain zone_lan_DROP (0 references)
target prot opt source destination
DROP all anywhere anywhere
DROP all anywhere anywhere
Chain zone_lan_REJECT (1 references)
target prot opt source destination
reject all anywhere anywhere
reject all anywhere anywhere
Chain zone_lan_forward (1 references)
target prot opt source destination
zone_wan_ACCEPT all anywhere anywhere
zone_DMZ_ACCEPT all anywhere anywhere
forwarding_lan all anywhere anywhere
zone_lan_REJECT all anywhere anywhere
Chain zone_wan (2 references)
target prot opt source destination
ACCEPT ipv6 anywhere anywhere
ACCEPT udp fe80::/10 fe80::/10 udp spt:dhcpv6-server dpt:dhcpv6-client
ACCEPT ipv6-icmp anywhere anywhere ipv6-icmp echo-request limit: avg 1000/sec burst 5
ACCEPT ipv6-icmp anywhere anywhere ipv6-icmp destination-unreachable limit: avg 1000/sec burst 5
ACCEPT ipv6-icmp anywhere anywhere ipv6-icmp packet-too-big limit: avg 1000/sec burst 5
ACCEPT ipv6-icmp anywhere anywhere ipv6-icmp time-exceeded limit: avg 1000/sec burst 5
ACCEPT ipv6-icmp anywhere anywhere ipv6-icmp bad-header limit: avg 1000/sec burst 5
ACCEPT ipv6-icmp anywhere anywhere ipv6-icmp unknown-header-type limit: avg 1000/sec burst 5
ACCEPT ipv6-icmp anywhere anywhere ipv6-icmp router-solicitation limit: avg 1000/sec burst 5
ACCEPT ipv6-icmp anywhere anywhere ipv6-icmp neighbour-solicitation limit: avg 1000/sec burst 5
ACCEPT tcp anywhere anywhere tcp dpt:ssh
input_wan all anywhere anywhere
zone_wan_REJECT all anywhere anywhere
Chain zone_wan_ACCEPT (3 references)
target prot opt source destination
ACCEPT all anywhere anywhere
ACCEPT all anywhere anywhere
ACCEPT all anywhere anywhere
ACCEPT all anywhere anywhere
Chain zone_wan_DROP (0 references)
target prot opt source destination
DROP all anywhere anywhere
DROP all anywhere anywhere
DROP all anywhere anywhere
DROP all anywhere anywhere
Chain zone_wan_REJECT (2 references)
target prot opt source destination
reject all anywhere anywhere
reject all anywhere anywhere
reject all anywhere anywhere
reject all anywhere anywhere
Chain zone_wan_forward (2 references)
target prot opt source destination
ACCEPT ipv6-icmp anywhere anywhere ipv6-icmp echo-request limit: avg 1000/sec burst 5
ACCEPT ipv6-icmp anywhere anywhere ipv6-icmp destination-unreachable limit: avg 1000/sec burst 5
ACCEPT ipv6-icmp anywhere anywhere ipv6-icmp packet-too-big limit: avg 1000/sec burst 5
ACCEPT ipv6-icmp anywhere anywhere ipv6-icmp time-exceeded limit: avg 1000/sec burst 5
ACCEPT ipv6-icmp anywhere anywhere ipv6-icmp bad-header limit: avg 1000/sec burst 5
ACCEPT ipv6-icmp anywhere anywhere ipv6-icmp unknown-header-type limit: avg 1000/sec burst 5
forwarding_wan all anywhere anywhere
zone_wan_REJECT all anywhere anywhere