I set up a Hurricane Electric tunnel to get my house on IPv6 (Verizon fails to deliver!) and was given a /64 allocation. I then set up a Router Advertisement daemon to get every computer online. Yippee!
But there's a problem: now every computer in my house is exposed to the wrath of the Internet. While the auto-configured Neighbor Discovery (ND) addresses are "random", an attacker can still learn a client's address through a variety of means. So I set up some basic IPv6 firewall rules to protect my clients.
Here is my script:
```bash
#!/bin/bash
# Default policy: applied to any forwarded packet that no rule below accepts
ip6tables -P FORWARD DROP
# Accept SSH (TCP port 22) forwarded in either direction
ip6tables -A FORWARD -p tcp --dport 22 -j ACCEPT
# Accept everything from the LAN (eth0) out through the tunnel (he-ipv6)
ip6tables -A FORWARD -i eth0 -o he-ipv6 -j ACCEPT
# Accept all ICMPv6 coming in from the tunnel; IPv6 needs it to function
ip6tables -A FORWARD -i he-ipv6 -o eth0 -p icmpv6 -j ACCEPT
# Accept packets belonging to connections that our side already initiated
ip6tables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
```
Here is an explanation:
- The default FORWARD policy is to drop all packets
- I accept all forwarded packets on port 22 (SSH) – This is because I frequently ssh into my personal machine while on the road.
- I accept all ICMPv6 packets: first because I want to be able to test with ping and such, but also because it's required by IPv6
- I accept all packets for a connection that my clients initiated. This means I can arbitrarily connect out, but others cannot arbitrarily connect in.
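To make the chain's behaviour concrete, here is an added example (not code from the original post) that models the FORWARD chain above as an ordered list of rules with first-match-wins semantics and the DROP policy as the fallback, then runs a few constructed packets through it. Interface names are the post's; the hosts, ports and conntrack states are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Packet:
    in_if: str            # interface the packet arrived on
    out_if: str           # interface it would be forwarded out of
    proto: str            # "tcp", "udp" or "icmpv6"
    dport: Optional[int] = None
    state: str = "NEW"    # conntrack state: NEW, ESTABLISHED or RELATED

# The post's chain, in order. A missing field matches anything; a set means "any of".
FORWARD_RULES = [
    ({"proto": "tcp", "dport": 22}, "ACCEPT"),                               # SSH, any direction
    ({"in_if": "eth0", "out_if": "he-ipv6"}, "ACCEPT"),                        # LAN -> tunnel
    ({"in_if": "he-ipv6", "out_if": "eth0", "proto": "icmpv6"}, "ACCEPT"),     # ICMPv6 in
    ({"state": {"ESTABLISHED", "RELATED"}}, "ACCEPT"),                          # replies
]
FORWARD_POLICY = "DROP"  # ip6tables -P FORWARD DROP

def rule_matches(criteria: dict, pkt: Packet) -> bool:
    for field, want in criteria.items():
        have = getattr(pkt, field)
        if isinstance(want, set):
            if have not in want:
                return False
        elif have != want:
            return False
    return True

def forward_verdict(pkt: Packet) -> str:
    """First matching rule decides; otherwise the chain policy applies."""
    for criteria, target in FORWARD_RULES:
        if rule_matches(criteria, pkt):
            return target
    return FORWARD_POLICY

# Constructed traffic: the printer is a LAN host behind eth0, reached via the tunnel.
SAMPLE_TRAFFIC = {
    "inbound ssh to printer":        Packet("he-ipv6", "eth0", "tcp", 22),
    "inbound raw-print to printer":  Packet("he-ipv6", "eth0", "tcp", 9100),
    "inbound ping to printer":       Packet("he-ipv6", "eth0", "icmpv6"),
    "inbound dns query to printer":  Packet("he-ipv6", "eth0", "udp", 53),
    "outbound https from laptop":    Packet("eth0", "he-ipv6", "tcp", 443),
    "https reply to laptop":         Packet("he-ipv6", "eth0", "tcp", 51234, "ESTABLISHED"),
}

def audit() -> dict:
    """Return the verdict for every sample packet."""
    return {name: forward_verdict(pkt) for name, pkt in SAMPLE_TRAFFIC.items()}

if __name__ == "__main__":
    for name, verdict in audit().items():
        print(f"{verdict:6} {name}")
```

Note that the port-22 rule has no `-i`/`-o` restriction, so it admits new inbound SSH to every LAN host, the printer included; restricting it to the one machine you actually log into would narrow that exposure.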
I tested this out and it worked! There, now my personal home printer is not online 🙂
Giving credit where credit is due, borrowed a lot from Fabio Firmware.