ip6tables on OpenWRT
Shadow Hawkins on Monday, 13 December 2010 16:29:50
Hi,
Does anybody have an IPv6 firewall on OpenWRT Kamikaze up and running?
I have a WRT54GL with OpenWRT Kamikaze 8.09.1 (Linux 2.6.25.20) set up as Router/Firewall.
As far as I can tell, neither the state module nor the frag module is included (or I am unable to find/set it up).
With the state module I can easily allow answer packets. Without it, I simulate it like this, which is actually not the best:
ip6tables -N answers
ip6tables -A answers -p udp --dport 32768:60999 -j ACCEPT
ip6tables -A answers -p tcp ! --syn -j ACCEPT
ip6tables -A INPUT -j answers
ip6tables -A OUTPUT -j answers
ip6tables -A FORWARD -j answers
However, how do I allow fragments? As far as I discovered I need something like:
ip6tables -A FORWARD -m frag --fragmore -j ACCEPT
However, the frag module does not seem to be available on OpenWRT.
Is there any way to set up an IPv6 firewall though?
Regards,
Niki
ip6tables on OpenWRT
Shadow Hawkins on Wednesday, 15 December 2010 19:00:10
Why are you using such an old version of OpenWrt?
Current release is Backfire 10.03, and there are also already rc-builds of its forthcoming interim release 10.03.1.
I installed 10.03.1-rc4 two weeks ago, and it has pretty good IPv6 support. And even built-in support for 6in4 tunnels (since rc3).
And ip6tables in 10.03.1-rc4 has at least "state" support, as my OpenWrt/SixXS config example shows: https://www.sixxs.net/forum/?msg=setup-3135937
You might update to 10.03.1-rc4 and see if the functionality matches your needs better.
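Putting the first post's stateless workaround and the "state" match mentioned in the reply above side by side, as an added example that is code from neither post nor from OpenWrt: a POSIX sh script that prints (or, with IP6T=ip6tables, applies) a minimal IPv6 router ruleset. The interface names 6in4-wan and br-lan, the IP6T/WAN/LAN/MODE variables and the chain name answers (borrowed from the first post) are assumptions for the example. It goes beyond the posts in two ways: it adds the ICMPv6 rules an IPv6 router cannot work without, and in stateless mode it drops unsolicited first fragments before passing the remaining fragments, so a fragmented inbound SYN does not slip past the `! --syn` check.

```shell
#!/bin/sh
# Added example (not from the thread): build a minimal IPv6 router firewall for
# ip6tables, either stateless (no "state" match, as on the Kamikaze build in the
# first post) or stateful (conntrack available, as in the Backfire build).
# Assumptions: WAN is the upstream/tunnel interface, LAN the inside bridge; both
# names are placeholders. By default the rules are printed for review; run with
# IP6T=ip6tables to apply them directly, or pipe the output to sh.
IP6T="${IP6T:-echo ip6tables}"
WAN="${WAN:-6in4-wan}"   # placeholder name for the upstream (6in4 tunnel) interface
LAN="${LAN:-br-lan}"     # placeholder name for the LAN bridge

base_rules() {
    $IP6T -F
    $IP6T -X
    $IP6T -P INPUT DROP
    $IP6T -P FORWARD DROP
    $IP6T -P OUTPUT ACCEPT
    $IP6T -A INPUT -i lo -j ACCEPT
    $IP6T -A INPUT -i "$LAN" -j ACCEPT
    # ICMPv6 carries neighbour discovery and path-MTU discovery; an IPv6
    # router that drops it stops working, so it is allowed from either side.
    $IP6T -A INPUT -p icmpv6 -j ACCEPT
    $IP6T -A FORWARD -p icmpv6 -j ACCEPT
    # Connections started from the LAN may leave.
    $IP6T -A FORWARD -i "$LAN" -o "$WAN" -j ACCEPT
}

# Without conntrack, guess "reply" packets from the packet alone.
stateless_rules() {
    $IP6T -N answers
    # A TCP segment without SYN cannot open a connection (a SYN+ACK does not
    # match --syn, so replies to our own SYNs pass); inbound SYNs fall
    # through to the DROP policy.
    $IP6T -A answers -p tcp ! --syn -j ACCEPT
    # UDP replies come back to the Linux ephemeral source-port range.
    $IP6T -A answers -p udp --dport 32768:60999 -j ACCEPT
    # Non-first fragments carry no transport header, so neither rule above can
    # match them and they would hit the DROP policy. The frag match has no
    # "not first" option, so: drop any first fragment that was not accepted
    # above (an unsolicited SYN or UDP packet), then pass the middle (MF set)
    # and last (MF clear) fragments. A datagram whose first fragment was
    # dropped is discarded by the receiver when reassembly times out.
    $IP6T -A answers -m frag --fragfirst -j DROP
    $IP6T -A answers -m frag --fragmore -j ACCEPT
    $IP6T -A answers -m frag --fraglast -j ACCEPT
    $IP6T -A INPUT -i "$WAN" -j answers
    $IP6T -A FORWARD -i "$WAN" -o "$LAN" -j answers
}

# With conntrack, the kernel tracks each flow and reassembles fragments for its
# own lookup, so every fragment of an established flow matches the state rule
# and no port heuristics or fragment rules are needed.
stateful_rules() {
    $IP6T -A INPUT -i "$WAN" -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IP6T -A FORWARD -i "$WAN" -o "$LAN" -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# build_firewall stateless|stateful: emit the complete ruleset for one mode.
build_firewall() {
    case "$1" in
        stateless|stateful) ;;
        *) echo "usage: MODE=stateless|stateful $0" >&2; return 2 ;;
    esac
    base_rules
    case "$1" in
        stateless) stateless_rules ;;
        stateful)  stateful_rules ;;
    esac
}

build_firewall "${MODE:-stateless}"
```

The frag match still needs the ip6t_frag kernel module, which the first post could not find on Kamikaze, and the stateful mode needs IPv6 connection tracking behind the state match; the script generates the rules either way and leaves it to ip6tables to complain. In stateless mode the fragment rules are a stopgap: middle and last fragments are passed without being tied to their first fragment, so the stateful rules should replace them as soon as the modules fit on the flash.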
ip6tables on OpenWRT
Shadow Hawkins on Tuesday, 21 December 2010 18:18:44
Thank you very much, this is a great tutorial!
However I am unable to set it up on my WRT54GL because of limited space:
root@gate:~# opkg install kmod-ipv6 radvd ip kmod-ip6tables ip6tables 6in4
Installing kmod-ipv6 (2.6.32.10-1) to root...
Installing radvd (1.6-1) to root...
Downloading http://downloads.openwrt.org/backfire/10.03/brcm47xx/packages/radvd_1.6-1_brcm47xx.ipk.
Installing kmod-ipv6 (2.6.32.10-1) to root...
Package ip (2.6.29-1-2) installed in root is up to date.
Installing kmod-ip6tables (2.6.32.10-1) to root...
Downloading http://downloads.openwrt.org/backfire/10.03/brcm47xx/packages/kmod-ip6tables_2.6.32.10-1_brcm47xx.ipk.
Installing kmod-ipv6 (2.6.32.10-1) to root...
Installing ip6tables (1.4.6-2) to root...
Downloading http://downloads.openwrt.org/backfire/10.03/brcm47xx/packages/ip6tables_1.4.6-2_brcm47xx.ipk.
Installing kmod-ip6tables (2.6.32.10-1) to root...
Configuring kmod-ip6tables.
Configuring ip6tables.
Collected errors:
* verify_pkg_installable: Only have 392kb available on filesystem /overlay, pkg kmod-ipv6 needs 472
* opkg_install_cmd: Cannot install package kmod-ipv6.
* verify_pkg_installable: Only have 392kb available on filesystem /overlay, pkg kmod-ipv6 needs 472
* opkg_install_cmd: Cannot install package radvd.
* verify_pkg_installable: Only have 392kb available on filesystem /overlay, pkg kmod-ipv6 needs 472
* opkg_install_cmd: Cannot install package kmod-ip6tables.
* opkg_install_cmd: Cannot install package 6in4.
It seems as if Backfire needs much more space than Kamikaze :-(
Regards,
Niki
ip6tables on OpenWRT
Shadow Hawkins on Tuesday, 21 December 2010 18:35:45
I think it is not old Kamikaze vs. Backfire, but the size of those modules in general. I saw some discussion about difficulties in getting the IPv6 modules to fit into routers with the smallest flash memory sizes.
That was one of the reasons why I upgraded last month from a D-Link DIR-615 to the current Netgear WNDR3700, which has enough memory to package in many more modules, including the IPv6 support.
I built and compiled myself a ready-packaged OpenWrt Backfire SVN version with all the needed modules built in, and the size of that package is 4.6 MB. I also compiled a version from the even more feature-rich "development trunk", and that version has a size of 5.1 MB.
If you only have 4 MB flash RAM, I think that you are looking for trouble trying to get the modules to fit it.