IPv6 Firewall Rules

I setup a Hurricane Electric tunnel to get my house on IPv6 (Verizon fails to deliver!) and was given a /64 allocation. I then setup a Router Advertisement daemon to get every computer online. Yippee!

But, there’s a problem…now every computer in my house is exposed to the wrath of the Internet. While the Network Discovery (ND) addresses are “random”, you can still intercept a client’s address through a variety of means. So I setup some basic IPv6 firewall rules to protect my clients.

Here is my script:


# Default policy, this happens in the end
ip6tables -P FORWARD DROP

# Accept SSH
ip6tables -A FORWARD -p tcp --dport 22 -j ACCEPT

# Accept everything locally
ip6tables -A FORWARD -i eth0 -o he-ipv6 -j ACCEPT

# Accept all ICMPv6, kinda necessary 
ip6tables -A FORWARD -i he-ipv6 -o eth0 -p icmpv6 -j ACCEPT

# Accept all stateful connections, that we didn't initiate
ip6tables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

Here is an explanation:

  1. The default FORWARD policy is to drop all packets
  2. I accept all forwarded packets on port 22 (SSH) – This is because I frequently ssh into my personal machine while on the road.
  3. I accept all ICMPv6 packets: First because I want to be able to test pingings and such, but also because its required by IPv6
  4. I accept all packets for a connection that my clients initiated. This means I can arbitrarily connect out, but others cannot arbitrarily connect in.

I tested this out and it worked! There, now my personal home printer is not online 🙂

Giving credit where credit is due, borrowed a lot from Fabio Firmware.