[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

[libvirt] dhcp6, radvd, ip6tables, etc. (update)



On Tue, 30 Oct 2012, Gene Czarcinski wrote:

1. dhcpv6 solicit:  from=fe80::client:546  to=ff02::1:2:547
2. dhcpv6 advertise:  from=fe80::server:547  to=fe80::client:546
3. dhcpv6 request:  from=fe80::client:546  to=ff02::1:2:547
4. dhcpv6 reply:  from=fe80::server:547  to=fe80::client:546

I think the rules you want are these (we use the symbolic names for the packet sub-type as it makes things clearer)

# /etc/sysconfig/ip6tables
# ... -A INPUT -p ipv6-icmp --icmpv6-type router-advertisement
	-s $IP6SERVER -j ACCEPT
-A INPUT -p ipv6-icmp --icmpv6-type router-advertisement
	-j DROP
-A INPUT -p ipv6-icmp -j ACCEPT
-A INPUT -j REJECT --reject-with icmp6-adm-prohibited
# ...

I do not know that you need to filter or attempt to direct 'router-solicitation' as your comments mentioned. We have not had a 'real world' need to do so. We run a variation of these rules at pmman

from: man 8 ip6tables

   icmp6
       This extension can be used  if  ‘--protocol  ipv6-icmp’  or
       ‘--protocol icmpv6’ is specified. It provides the following
       option:

       [!] --icmpv6-type type[/code]|typename
              This allows specification of the ICMPv6 type,  which
              can  be a numeric ICMPv6 type, type and code, or one
              of the ICMPv6 type names shown by the command
               ip6tables -p ipv6-icmp -h

-- Russ herrold


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]