After reading Doug’s “IPv6 for everyone” blog post my urge to setup IPv6 on my LAN was reignited.
Like Doug, my providers (Comcast and CTI|Networks) do not provide IPv6 connectivity just yet. Luckily there is a good guide for my router on OpenWRT's wiki titled "IPv6 howto". I started by installing the required software and then headed over to SixXS to obtain an account for an IPv4-to-IPv6 tunnel. However, I ran into some issues with SixXS (which I will go into in detail in another post), so I wandered over to go6. There I obtained an account and downloaded the ipkg for the additional software they required on my OpenWRT router, which I installed. After the installation I used OpenWRT's webif web interface to provide it with my go6 username and password, and the next page that came up said that the tunnel was connected!
Next I wanted to get a firewall set up for IPv6, so I started to read the man page for ip6tables. The most important part was the section that goes over the major changes in ip6tables; it reads:
This ip6tables is very similar to ipchains by Rusty Russell. The main difference is that the chains INPUT and OUTPUT are only traversed for packets coming into the local host and originating from the local host respectively. Hence every packet only passes through one of the three chains; previously a forwarded packet would pass through all three.
The other main difference is that -i refers to the input interface; -o refers to the output interface, and both are available for packets entering the FORWARD chain. There are several other changes in ip6tables.
With that information in mind I created my firewall script and attempted to run it. It bombed on the line ip6tables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT with the message ip6tables v1.3.3: Couldn't load match `state':File not found. After some googling I found there was a bug filed for this titled "Package kmod-ip6tables in brcm-2.4 lacks ip6t_state". I toyed with the idea of trying the latest beta version of OpenWRT (since it is based on the 2.6 kernel), but decided against it because it might have caused the go6 software to stop functioning. Instead I decided to make the firewall rules on my router as strict as possible without IPv6 state rules, and also to ensure that all IPv6 computers on the LAN have firewalls running to take care of the IPv6 state rules.
Below is the IPv6 firewall script I came up with:
#!/bin/sh
GO6=sit1                        # go6 tunnel interface
WAN=$(nvram get wan_ifname)
LAN=$(nvram get lan_ifname)
# IPv6
# Clear old rules
ip6tables -F INPUT
ip6tables -F OUTPUT
ip6tables -F FORWARD
# Default policies
ip6tables -P INPUT DROP
ip6tables -P OUTPUT ACCEPT
ip6tables -P FORWARD DROP
# localhost rules (traffic for the router itself arriving over the tunnel)
ip6tables -A INPUT -i $GO6 -p tcp --dport 22 -j ACCEPT #ssh
ip6tables -A INPUT -i $GO6 -p tcp --dport 0:1023 -j DROP
ip6tables -A INPUT -i $GO6 -p udp --dport 0:1023 -j DROP
# Allow access to certain ports and deny the rest (traffic for hosts behind the router)
ip6tables -A FORWARD -i $GO6 -p tcp --dport 22 -j ACCEPT #ssh
ip6tables -A FORWARD -i $GO6 -p tcp --dport 0:1023 -j DROP
ip6tables -A FORWARD -i $GO6 -p udp --dport 0:1023 -j DROP
# Allow all traffic > 1023 (order matters: the DROP rules above must come first)
ip6tables -A INPUT -i $GO6 -p tcp -j ACCEPT
ip6tables -A INPUT -i $GO6 -p udp -j ACCEPT
ip6tables -A FORWARD -i $GO6 -p tcp -j ACCEPT
ip6tables -A FORWARD -i $GO6 -p udp -j ACCEPT
# Allow all ICMPv6 traffic (neighbour discovery and path MTU discovery need it)
ip6tables -A INPUT -p ipv6-icmp -j ACCEPT
ip6tables -A FORWARD -p ipv6-icmp -j ACCEPT
# Allow outbound traffic (anything not arriving from the tunnel, i.e. the LAN)
ip6tables -A FORWARD -i ! $GO6 -j ACCEPT
I am not entirely happy with it, since it allows any traffic to port 1024 or above, but what can you do when the kernel module doesn't support stateful matching.
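As an added example (my own, not the post's script), here is a variant of the tunnel rules that goes a step beyond the page: it approximates stateful filtering for TCP with the tcp match's --syn flag, which the same kernel tcp match behind the post's --dport rules already provides, and it adds the loopback rule the script above lacks. It assumes sit1 as the tunnel interface and that IP6T can be overridden with `echo ip6tables` to preview the rules without root.

```shell
#!/bin/sh
# Added example, not the post's script. Approximates stateful filtering for
# TCP on a kernel whose ip6tables lacks the state match, using the tcp
# match's --syn flag (the same tcp match the post's --dport rules load).
# A TCP packet with SYN set and ACK clear opens a connection; anything else
# belongs to a connection one side already opened. Accepting "! --syn" thus
# admits replies to outbound connections without admitting new inbound ones.
# UDP has no handshake, so the trick does not apply to it.
# Assumptions: tunnel interface sit1 as in the post; IP6T may be overridden
# with "echo ip6tables" to preview the generated rules without root.
GO6=${GO6:-sit1}
IP6T=${IP6T:-ip6tables}

tcp_tunnel_rules() {
  # $1 = chain to populate: INPUT for the router itself, FORWARD for the LAN
  chain=$1
  # new connections to ssh are the only inbound TCP sessions permitted
  $IP6T -A "$chain" -i "$GO6" -p tcp --dport 22 --syn -j ACCEPT
  # non-openers: replies to sessions opened from inside the LAN
  $IP6T -A "$chain" -i "$GO6" -p tcp ! --syn -j ACCEPT
  # every other connection opener, whatever the port, is dropped explicitly
  $IP6T -A "$chain" -i "$GO6" -p tcp --syn -j DROP
}

apply_rules() {
  $IP6T -F INPUT;      $IP6T -F OUTPUT;       $IP6T -F FORWARD
  $IP6T -P INPUT DROP; $IP6T -P OUTPUT ACCEPT; $IP6T -P FORWARD DROP
  # the post's script omits a loopback rule; with INPUT DROP, ::1 is blocked too
  $IP6T -A INPUT -i lo -j ACCEPT
  tcp_tunnel_rules INPUT
  tcp_tunnel_rules FORWARD
  # UDP cannot be tracked without conntrack: keep the post's approach of
  # blocking privileged ports and leaving the rest to the hosts' firewalls
  for c in INPUT FORWARD; do
    $IP6T -A "$c" -i "$GO6" -p udp --dport 0:1023 -j DROP
    $IP6T -A "$c" -i "$GO6" -p udp -j ACCEPT
  done
  # ICMPv6 carries neighbour discovery and path MTU; blocking it breaks IPv6
  $IP6T -A INPUT -p ipv6-icmp -j ACCEPT
  $IP6T -A FORWARD -p ipv6-icmp -j ACCEPT
  # anything arriving from other than the tunnel (the LAN) may go out;
  # newer ip6tables versions prefer the "! -i" spelling of this negation
  $IP6T -A FORWARD -i ! "$GO6" -j ACCEPT
}

# dry-run helper: number of rules tcp_tunnel_rules would add to a chain
rule_count() { ( IP6T="echo ip6tables"; tcp_tunnel_rules "$1" ) | wc -l | tr -d ' '; }
```

Run `IP6T="echo ip6tables" sh -c '. ./rules.sh; apply_rules'` to see the full rule list before loading it on the router.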
Next I started radvd (the router advertisement daemon for stateless address autoconfiguration), which magically enabled all my IPv6 devices to obtain internet-routable addresses! With these new addresses I headed over to my zone files and added AAAA records.
Now I can RDP or ssh into any of my boxes from an IPv6 network without any port forwarding rules!
P.S. "Everything you need to know about IPv6" is a really good read as an introduction to IPv6.
One Comment
Wow, that’s pretty nerdy. In a cool way.