Firewall Rules for IPv6 on OpenWrt via Tunnels

etc_firewall.ipv6net.sh

#!/bin/ash

# Found on https://forum.openwrt.org/viewtopic.php?pid=135197

#
# Some important definitions used by this script.
# Only edit these in case something has changed and if you know
# what you are doing.
#
# IPT6:   path to the ip6tables binary
# IF:     name of the LAN interface (or bridge) where all the machines that need
#         IPv6 connectivity are connected
# SIXXS:  the name of the interface identifying the sixxs-tunnel
# PREFIX: The IPv6-Prefix of your network
IPT6="/usr/sbin/ip6tables"
IF="br-lan"
SIXXS="ipv6net"
PREFIX="2001:fb17:4d0d::/48"


#
# Host IP address definitions
#
# Here you can define all the ip addresses of hosts that need
# some kind of special configuration, like port forwarding.
# The default configuration is to allow all outgoing traffic
# and to disallow all incoming traffic including ICMP as such.
host_micron="2001:1234:5678:fefe:1234:5678:9abc:def0"


#
# All your custom rules should be placed inside the custom_rules() function
# below. This ensures that they are executed after all the default rules
# have been properly set.
#
custom_rules() {

  # Allow SSH access via port 22
  $IPT6 -A INPUT -i $SIXXS -p tcp --dport 22 -j ACCEPT

  # Allow OSPFv3
  $IPT6 -A INPUT -i $SIXXS -p ospf -j ACCEPT

  # Allow Access to port 80 and 22 on micron
  #$IPT6 -A FORWARD -i $SIXXS -o $IF -p tcp --dport 80 -d $host_micron -j ACCEPT
  #$IPT6 -A FORWARD -i $SIXXS -o $IF -p tcp --dport 22 -d $host_micron -j ACCEPT
}

#######################################################################
### DO NOT EDIT BELOW THIS LINE UNLESS YOU KNOW WHAT YOU ARE DOING! ###
#######################################################################
# Clean old firewall rules
$IPT6 -F
$IPT6 -X
# Clean old iptables v6 tables
for chain in mangle filter; do
$IPT6 -t $chain -F
$IPT6 -t $chain -X
done
# Set IPv6 default chains (drop everything)
$IPT6 -P INPUT DROP
$IPT6 -P OUTPUT DROP
$IPT6 -P FORWARD DROP
# Allow already established transactions to pass without further checking
#$IPT6 -A INPUT -i $IF -m state --state RELATED,ESTABLISHED -j ACCEPT
#$IPT6 -A OUTPUT -o $IF -m state --state RELATED,ESTABLISHED -j ACCEPT
#$IPT6 -A FORWARD -i $IF -m state --state RELATED,ESTABLISHED -j ACCEPT
#$IPT6 -A FORWARD -o $IF -m state --state RELATED,ESTABLISHED -j ACCEPT
# Allow everything on the local link
$IPT6 -A INPUT -i lo -j ACCEPT
$IPT6 -A OUTPUT -o lo -j ACCEPT
# Allow the localnet to access the router
$IPT6 -A INPUT -i $IF -j ACCEPT
$IPT6 -A OUTPUT -o $IF -j ACCEPT
# Allow anything out on the internet
$IPT6 -A OUTPUT -o $SIXXS -j ACCEPT
# Filter all packets that have RH0 headers
#$IPT6 -A INPUT -m rt --rt-type 0 -j DROP
#$IPT6 -A OUTPUT -m rt --rt-type 0 -j DROP
#$IPT6 -A FORWARD -m rt --rt-type 0 -j DROP
# Allow ICMP from everywhere to router and hosts
# This still needs tweaking to disallow certain icmpv6 types (like ping)
# to reach hosts inside the subnet
$IPT6 -A INPUT -p icmpv6 -j ACCEPT
$IPT6 -A OUTPUT -p icmpv6 -j ACCEPT
$IPT6 -A FORWARD -p icmpv6 -j ACCEPT

# Allow forwarding (outgoing)
$IPT6 -A FORWARD -m state --state NEW -i $IF -o $SIXXS -s $PREFIX -j ACCEPT
$IPT6 -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# Run custom rules defined above
custom_rules