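#!/bin/sh
# IPv6 bridge: pass IPv6 frames straight through between eth0 and the LAN
# bridge (br0), then configure the router's own IPv6 stack and INPUT firewall.
#
# NOTE(review): every ip6tables rule below is appended with -A, so running the
# script a second time puts the new copies after the final DROP, where they
# never match. Run it once per boot, or clear the rules it owns first.

# Set to 0 to stop accepting unsolicited inbound connections to the router
# itself (see the NOTE at the NEW rule). The default of 1 keeps the behaviour
# the script has always had.
ACCEPT_NEW_INBOUND="${ACCEPT_NEW_INBOUND:-1}"

# In the broute table, DROP means "route this frame instead of bridging it".
# Everything on eth0 that is not IPv6 is therefore routed as usual, and only
# IPv6 frames are bridged onto br0.
ebtables -t broute -A BROUTING -i eth0 -p ! ipv6 -j DROP
brctl addif br0 eth0

# Enable IPv6 on eth0: duplicate address detection on, router advertisements
# accepted, forwarding off.
echo 0 > /proc/sys/net/ipv6/conf/eth0/disable_ipv6
echo 2 > /proc/sys/net/ipv6/conf/eth0/accept_dad
echo 2 > /proc/sys/net/ipv6/conf/eth0/dad_transmits
echo 1 > /proc/sys/net/ipv6/conf/eth0/accept_ra
echo 0 > /proc/sys/net/ipv6/conf/eth0/forwarding

# Same for br0 and the all/default templates (see lan.c config_ipv6).
echo 0 > /proc/sys/net/ipv6/conf/br0/disable_ipv6
echo 0 > /proc/sys/net/ipv6/conf/all/disable_ipv6
echo 0 > /proc/sys/net/ipv6/conf/default/disable_ipv6
echo 2 > /proc/sys/net/ipv6/conf/br0/accept_dad
echo 2 > /proc/sys/net/ipv6/conf/br0/dad_transmits

# set_default_accept_ra
echo 1 > /proc/sys/net/ipv6/conf/all/accept_ra
echo 1 > /proc/sys/net/ipv6/conf/default/accept_ra
echo 0 > /proc/sys/net/ipv6/conf/all/forwarding

# Let the router itself obtain an IPv6 address.
# When IPv6 is disabled in the UI, the system sets every ip6tables policy to
# DROP. Wait until it has done so, then install our own firewall.
# NOTE(review): a fixed delay is a race; if the system applies its policies
# later than this, they override the rules below.
sleep 10

# Set up the firewall.
ip6tables -P INPUT ACCEPT
ip6tables -P OUTPUT ACCEPT
ip6tables -A OUTPUT -p tcp -j ACCEPT
ip6tables -A OUTPUT -p udp -j ACCEPT

# Input rules: IPsec ESP (ipv6-crypt) and AH (ipv6-auth), then conntrack state.
ip6tables -A INPUT -p ipv6-crypt -j ACCEPT
ip6tables -A INPUT -p ipv6-auth -j ACCEPT
ip6tables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# NOTE(review): accepting state NEW admits every unsolicited inbound
# connection to the router. Tracked packets are always NEW, ESTABLISHED,
# RELATED or INVALID, so with this rule in place the protocol allow-list and
# the final DROP below only ever see untracked traffic. Because eth0 is
# bridged for IPv6, that includes connections arriving from the upstream side.
# Set ACCEPT_NEW_INBOUND=0 to enforce the allow-list; LAN hosts then lose
# IPv6 access to services on the router unless a rule is added for them.
if [ "$ACCEPT_NEW_INBOUND" = "1" ]; then
  ip6tables -A INPUT -m state --state NEW -j ACCEPT
fi
ip6tables -A INPUT -m state --state INVALID -j DROP

# Allow DHCPv6 replies (server port 547 -> client port 546).
ip6tables -A INPUT -p udp --sport 547 --dport 546 -j ACCEPT
# Allow IKE (udp/500) and IPsec NAT traversal (udp/4500).
ip6tables -A INPUT -p udp --sport 500 --dport 500 -j ACCEPT
ip6tables -A INPUT -p udp --sport 4500 --dport 4500 -j ACCEPT

# Allow the ICMPv6 messages IPv6 needs to work: error reports, echo,
# multicast listener discovery (130-132, 143), neighbour discovery (router and
# neighbour solicitation/advertisement, 141-142), SEND certification path
# (148-149) and multicast router discovery (151-153).
# The original listed router-solicitation twice; one rule is enough.
for icmp_type in \
  router-solicitation packet-too-big time-exceeded parameter-problem \
  echo-request echo-reply 130 131 132 \
  router-advertisement neighbour-solicitation neighbour-advertisement \
  141 142 143 148 149 151 152 153
do
  ip6tables -A INPUT -p ipv6-icmp --icmpv6-type "$icmp_type" -j ACCEPT
done

# Everything else addressed to the router is dropped.
ip6tables -A INPUT -j DROP

# Start the DHCPv6 client for the LAN on br0.
# In my environment, IPv6 addresses are handed out by a DHCPv6 server.
# "yordeviceID" is a placeholder for this device's client ID. Read the real
# odhcp6c parameters off the running process with `ps | grep odhcp6c`.
# NOTE(review): odhcp6c runs the script given with -s; make sure /tmp/dhcp6c
# is only writable by root.
odhcp6c -df -R -s /tmp/dhcp6c -N try -c yordeviceID -r23 -r24 -r82 -r83 br0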