Firewalling LAN with Autoconfigured Addresses
Carmen Sandiego on Friday, 19 March 2010 09:10:46
Hi there.
I have a LAN on which I'm running dual stack IPv4/IPv6. For IPv6 addressing I'm using stateless autoconfiguration via radvd.
My question is, what is the most painless way to prevent uninhibited access to my machines on my LAN through my router (Debian GNU/Linux). Essentially what I'm attempting to achieve is the same functionality as I get from IPv4 NAT where unsolicited connections are denied but responses to requests are still able to return.
Suggestions? I've googled and have really come up empty handed in terms of the scenario I'm in.
Thanks.
Firewalling LAN with Autoconfigured Addresses
Shadow Hawkins on Friday, 19 March 2010 22:42:03
I have also a debian based "border router". It connects to my ISP
(IPv4 only) with PPP/dynamic address and also terminates the sixxs
tunnel and uses radvd for the internal IPv6 addresses, dhcp for
the internal IPv4 addresses.
Please see my slightly edited iptables script. Of course,
you will have to adjust the specific addresses of your local
network (IPv4 and IPv6), your specific sixxs pop etc.
And ymmv!
#!/bin/bash
#########################################################
# 1 clear all rules
# 2 set the defaults for all rules
# 3 drop unwanted packets
# 4 allow ICMP
# 5 all local addresses
# 6 all 6over4 tunnel rules
# dns, ntp, tic, heartbeat, tunnel protocol (41)
# 7 all locally originated communications
# ssh, http (for updates)
# 8 all locally offered services
# dhcp, ssh
# 9 all outbound routing
# NAT for IPv4
# stateful for IPv6
# 10 inbound routing
# port forwarding for internal boxes for IPv4
echo "Configuring IP Filter..."
IPTABLES=/sbin/iptables
IP6TABLES=/sbin/ip6tables
INSIDE=192.168.1.0/24
INSIDE6=2001:0db8:85a3:0::/64
INSIDE_IF=eth0
OUTSIDE_IF=ppp0
OUTSIDE_IF6=sixxs
# from "dig tic.sixxs.net" all "A"-records
TIC_SERVERS="213.204.193.2 193.109.122.244"
# from "dig chzrh01.sixxs.net", A record
SIX_POP=194.1.163.40
########################################
# enable routing
########################################
echo 1 > /proc/sys/net/ipv4/ip_forward
for f in /proc/sys/net/ipv4/conf/*/rp_filter; do echo 1 > "$f"; done
echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
########################################
# 1 clear all rules
########################################
$IPTABLES -t filter -F
$IPTABLES -t nat -F
$IPTABLES -t mangle -F
# delete all user chains
$IPTABLES -X
# flush every built-in chain and delete user chains for IPv6 as well
$IP6TABLES -F
$IP6TABLES -X
########################################
# 2 set the defaults for all rules
# action for packets falling off the end of the chain
########################################
# table: filter
$IPTABLES -t filter -P INPUT DROP
$IPTABLES -t filter -P FORWARD DROP
$IPTABLES -t filter -P OUTPUT DROP
$IP6TABLES -P INPUT DROP
$IP6TABLES -P OUTPUT DROP
$IP6TABLES -P FORWARD DROP
# table: nat
$IPTABLES -t nat -P PREROUTING ACCEPT
$IPTABLES -t nat -P POSTROUTING ACCEPT
$IPTABLES -t nat -P OUTPUT ACCEPT
# table: mangle
$IPTABLES -t mangle -P PREROUTING ACCEPT
$IPTABLES -t mangle -P INPUT ACCEPT
$IPTABLES -t mangle -P FORWARD ACCEPT
$IPTABLES -t mangle -P OUTPUT ACCEPT
$IPTABLES -t mangle -P POSTROUTING ACCEPT
########################################
# 3 drop unwanted packets
########################################
# drop source routed packets (IPv6 routing header type 0)
# probably disabled already by /proc/sys/net/ipv6/conf/all/accept_source_route
$IP6TABLES -A INPUT -m rt --rt-type 0 -j DROP
$IP6TABLES -A FORWARD -m rt --rt-type 0 -j DROP
$IP6TABLES -A OUTPUT -m rt --rt-type 0 -j DROP
########################################
# 4 allow ICMP
########################################
# for IPv4, the FORWARD chain rule is only needed when more than one internal
# network is in use
$IPTABLES -t filter -A INPUT -p icmp -j ACCEPT
$IPTABLES -t filter -A OUTPUT -p icmp -j ACCEPT
$IPTABLES -t filter -A FORWARD -p icmp -j ACCEPT
$IP6TABLES -A INPUT -p icmpv6 -j ACCEPT
$IP6TABLES -A OUTPUT -p icmpv6 -j ACCEPT
$IP6TABLES -A FORWARD -p icmpv6 -j ACCEPT
########################################
# 5 all local addresses
########################################
# loopback
$IPTABLES -t filter -A INPUT -d 127.0.0.1 -j ACCEPT
$IPTABLES -t filter -A OUTPUT -d 127.0.0.1 -j ACCEPT
# loopback
$IP6TABLES -A INPUT -d ::1/128 -j ACCEPT
$IP6TABLES -A OUTPUT -d ::1/128 -j ACCEPT
# Link-Local addresses
$IP6TABLES -A INPUT -s fe80::/10 -j ACCEPT
$IP6TABLES -A OUTPUT -s fe80::/10 -j ACCEPT
# multicast: a multicast address only ever appears as destination, so match on -d
# (a -s ff00::/8 match would never fire)
$IP6TABLES -A INPUT -d ff00::/8 -j ACCEPT
$IP6TABLES -A OUTPUT -d ff00::/8 -j ACCEPT
########################################
# 6 all 6over4 tunnel rules
# dns, ntp, tic, heartbeat, tunnel protocol (41)
########################################
# locally originated dns-packets
$IPTABLES -t filter -A OUTPUT -p tcp --dport 53 -j ACCEPT
$IPTABLES -t filter -A OUTPUT -p udp --dport 53 -j ACCEPT
$IPTABLES -t filter -A INPUT -p tcp --sport 53 -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -t filter -A INPUT -p udp --sport 53 -m state --state ESTABLISHED,RELATED -j ACCEPT
# stateless ntp-packets with identical source and dest port
$IPTABLES -t filter -A OUTPUT -p udp --sport 123 --dport 123 -j ACCEPT
$IPTABLES -t filter -A INPUT -p udp --sport 123 --dport 123 -j ACCEPT
# allow ntp-packets with only fixed dest port from localhost
$IPTABLES -t filter -A OUTPUT -p udp --dport 123 -j ACCEPT
$IPTABLES -t filter -A INPUT -p udp --sport 123 -m state --state ESTABLISHED,RELATED -j ACCEPT
# TIC (tunnel information & control) packets, from/to tic.sixxs.net
for SERVER in $TIC_SERVERS
do
    $IPTABLES -t filter -A OUTPUT -p tcp --destination $SERVER --dport 3874 -j ACCEPT
    $IPTABLES -t filter -A INPUT -p tcp --source $SERVER --sport 3874 -m state --state ESTABLISHED,RELATED -j ACCEPT
done
# heartbeat packets (outgoing only)
$IPTABLES -t filter -A OUTPUT -p udp --destination $SIX_POP --dport 3740 -j ACCEPT
# 6over4 tunnel packets
$IPTABLES -t filter -A OUTPUT -p 41 --destination $SIX_POP -j ACCEPT
$IPTABLES -t filter -A INPUT -p 41 --source $SIX_POP -j ACCEPT
########################################
# 7 all locally originated communications
# ssh, http (for updates)
########################################
# ssh
$IPTABLES -t filter -A OUTPUT -p tcp --dport 22 -j ACCEPT
$IPTABLES -t filter -A INPUT -p tcp --sport 22 -m state --state ESTABLISHED,RELATED -j ACCEPT
$IP6TABLES -A OUTPUT -p tcp --dport 22 -j ACCEPT
$IP6TABLES -A INPUT -p tcp --sport 22 -m state --state ESTABLISHED,RELATED -j ACCEPT
# http
$IPTABLES -t filter -A OUTPUT -p tcp --dport 80 -j ACCEPT
$IPTABLES -t filter -A INPUT -p tcp --sport 80 -m state --state ESTABLISHED,RELATED -j ACCEPT
$IP6TABLES -A OUTPUT -p tcp --dport 80 -j ACCEPT
$IP6TABLES -A INPUT -p tcp --sport 80 -m state --state ESTABLISHED,RELATED -j ACCEPT
########################################
# 8 all locally offered services
# dhcp, ssh
########################################
# dhcp: queries from 68 to 67, answers from 67 to 68
$IPTABLES -t filter -A INPUT -i $INSIDE_IF -p udp --sport 68 --dport 67 -j ACCEPT
$IPTABLES -t filter -A OUTPUT -o $INSIDE_IF -p udp --sport 67 --dport 68 -j ACCEPT
# local ssh on port 2222
$IPTABLES -t filter -A INPUT -p tcp --dport 2222 -j ACCEPT
$IPTABLES -t filter -A OUTPUT -p tcp --sport 2222 -m state --state ESTABLISHED,RELATED -j ACCEPT
$IP6TABLES -t filter -A INPUT -p tcp --dport 2222 -j ACCEPT
$IP6TABLES -t filter -A OUTPUT -p tcp --sport 2222 -m state --state ESTABLISHED,RELATED -j ACCEPT
########################################
# 9 all outbound routing
# NAT for IPv4
# stateful for IPv6
########################################
$IPTABLES -t nat -A POSTROUTING -s $INSIDE -o $OUTSIDE_IF -j MASQUERADE
$IPTABLES -t filter -A FORWARD -s $INSIDE -j ACCEPT
$IPTABLES -t filter -A FORWARD -d $INSIDE -m state --state ESTABLISHED,RELATED -j ACCEPT
$IP6TABLES -A FORWARD --source $INSIDE6 -j ACCEPT
$IP6TABLES -A FORWARD --destination $INSIDE6 -m state --state ESTABLISHED,RELATED -j ACCEPT
########################################
# 10 inbound routing
# port forwarding for internal boxes for IPv4
########################################
# portmap outside 55555 to myhost:22
$IPTABLES -t nat -A PREROUTING -i $OUTSIDE_IF -p tcp --dport 55555 -j DNAT --to 192.168.1.11:22
$IPTABLES -t filter -A FORWARD -i $OUTSIDE_IF -p tcp -d 192.168.1.11 --dport 22 -j ACCEPT
# These rules must be the last rules; they log just before packets are dropped by the default policy
$IPTABLES -t filter -A INPUT -j LOG --log-prefix "INPUT "
$IPTABLES -t filter -A OUTPUT -j LOG --log-prefix "OUTPUT "
$IPTABLES -t filter -A FORWARD -j LOG --log-prefix "FORWARD "
$IP6TABLES -A INPUT -j LOG --log-prefix "INPUT6 "
$IP6TABLES -A OUTPUT -j LOG --log-prefix "OUTPUT6 "
$IP6TABLES -A FORWARD -j LOG --log-prefix "FORWARD6 "
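As an added check that is not part of either post: a small Python audit of `ip6tables -S FORWARD` output that verifies the property the question asks for, namely that nothing unsolicited reaches the LAN prefix except ICMPv6 while replies (ESTABLISHED/RELATED) still get back in and the chain policy is DROP. It assumes the prefix from the script above and the `-S` listing format; both listings are constructed, the second reproducing the common mistake of forgetting the state match and the DROP policy.

```python
"""Audit `ip6tables -S FORWARD` output for the NAT-like behaviour asked about above: only
replies (ESTABLISHED/RELATED) and ICMPv6 may reach the LAN prefix, and the policy is DROP."""
import ipaddress
import shlex

INSIDE6 = ipaddress.ip_network("2001:db8:85a3::/64")  # LAN prefix from the posted script
ICMP6 = {"icmpv6", "ipv6-icmp", "58"}                 # spellings ip6tables uses for ICMPv6
OPTS = {"-s": "src", "--source": "src", "-d": "dst", "--destination": "dst",
        "--state": "states", "--ctstate": "states", "-p": "proto", "-j": "target"}

def parse_rule(line):
    """Reduce one `-A FORWARD ...` line to the options the audit needs."""
    rule = {"line": line, "src": None, "dst": None, "states": set(), "proto": None, "target": None}
    toks = shlex.split(line)
    for tok, val in zip(toks, toks[1:]):
        key = OPTS.get(tok)
        if key in ("src", "dst"):
            rule[key] = ipaddress.ip_network(val, strict=False)
        elif key == "states":                     # covers both -m state and -m conntrack
            rule[key] = set(val.split(","))
        elif key:
            rule[key] = val
    return rule

def audit_forward(text):
    """Return a list of findings; an empty list means the chain behaves like IPv4 NAT."""
    lines = [l for l in text.splitlines() if l.startswith(("-P FORWARD ", "-A FORWARD "))]
    policy = next((l.split()[2] for l in lines if l.startswith("-P")), None)
    rules = [parse_rule(l) for l in lines if l.startswith("-A")]
    findings = [] if policy == "DROP" else [f"FORWARD policy is {policy}, expected DROP"]
    has_reply_rule = False
    for r in (r for r in rules if r["target"] == "ACCEPT"):
        reaches_lan = r["dst"] is None or r["dst"].overlaps(INSIDE6)
        from_outside = r["src"] is None or not r["src"].subnet_of(INSIDE6)
        reply_only = bool(r["states"]) and r["states"] <= {"ESTABLISHED", "RELATED"}
        if reaches_lan and reply_only:
            has_reply_rule = True                 # replies are let back in
        elif reaches_lan and from_outside and r["proto"] not in ICMP6:
            findings.append("unsolicited inbound traffic accepted: " + r["line"])
    if not has_reply_rule:
        findings.append("no ESTABLISHED,RELATED rule lets replies back into the LAN")
    return findings

# Constructed listings: the posted ruleset as `-S FORWARD` shows it, and a broken variant.
GOOD = """-P FORWARD DROP
-A FORWARD -p ipv6-icmp -j ACCEPT
-A FORWARD -s 2001:db8:85a3::/64 -j ACCEPT
-A FORWARD -d 2001:db8:85a3::/64 -m state --state RELATED,ESTABLISHED -j ACCEPT
"""
BROKEN = GOOD.replace("-P FORWARD DROP", "-P FORWARD ACCEPT").replace(" -m state --state RELATED,ESTABLISHED", "")
```

On the router itself, `ip6tables -S FORWARD` piped into `audit_forward` gives the same verdict for the live ruleset.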