Last active
May 31, 2020 20:28
-
-
Save aaronjwood/05ecc1470be6095f4bd99909dc55ce10 to your computer and use it in GitHub Desktop.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Default policy to drop all incoming packets. | |
| ip6tables -P INPUT DROP | |
| ip6tables -P FORWARD DROP | |
| # Accept incoming packets from localhost and LAN. | |
| ip6tables -A INPUT -i lo -j ACCEPT -m comment --comment "Accept incoming loopback" | |
| ip6tables -A INPUT -i $BRIDGE -j ACCEPT -m comment --comment "Accept incoming LAN" | |
| # Accept incoming packets from the WAN if the router initiated the connection. | |
| ip6tables -A INPUT -i $WAN -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT -m comment --comment "Accept incoming established, related WAN" | |
| # Forward LAN packets to the WAN. | |
| ip6tables -A FORWARD -i $BRIDGE -o $WAN -j ACCEPT -m comment --comment "Forward LAN to WAN" | |
| # Forward WAN packets to the LAN if the LAN initiated the connection. | |
| ip6tables -A FORWARD -i $WAN -o $BRIDGE -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT -m comment --comment "Forward established, related WAN to LAN" | |
| # Allow ipv6-icmp. | |
| ip6tables -A FORWARD -p ipv6-icmp -j ACCEPT -m comment --comment "Forward ICMPv6" | |
| ip6tables -A INPUT -p ipv6-icmp -j ACCEPT -m comment --comment "Accept incoming ICMPv6" | |
| # Allow DHCPv6. | |
| ip6tables -A INPUT -m conntrack --ctstate NEW -m udp -p udp --dport 546 -d fe80::/64 -j ACCEPT -m comment --comment "Accept incoming DHCPv6" |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment