-p icmp ! -f --icmp-type echo-reply \
-m mark --mark $from_untrusted/$MASK_FROM \
-m state --state ESTABLISHED
+run ip6tables -A FORWARD -j ACCEPT \
+ -p ipv6-icmp --icmpv6-type echo-request \
+ -m ipv6header --soft ! --header frag \
+ -m mark --mark $to_untrusted/$MASK_TO
+run ip6tables -A FORWARD -j ACCEPT \
+ -p ipv6-icmp --icmpv6-type echo-reply \
+ -m ipv6header --soft ! --header frag \
+ -m mark --mark $from_untrusted/$MASK_FROM \
+ -m state --state ESTABLISHED
## Allow SSH from safe/noloop to untrusted networks.
run iptables -A FORWARD -j ACCEPT \
-p tcp ! -f --source-port $port_ssh \
-m mark --mark $from_untrusted/$MASK_FROM \
-m state --state ESTABLISHED
+run ip6tables -A FORWARD -j ACCEPT \
+ -p tcp --destination-port $port_ssh \
+ -m ipv6header --soft ! --header frag \
+ -m mark --mark $to_untrusted/$MASK_TO
+run ip6tables -A FORWARD -j ACCEPT \
+ -p tcp --source-port $port_ssh \
+ -m ipv6header --soft ! --header frag \
+ -m mark --mark $from_untrusted/$MASK_FROM \
+ -m state --state ESTABLISHED
m4_divert(80)m4_dnl
###--------------------------------------------------------------------------
-p udp --source-port $port_bootpc --destination-port $port_bootps
## Allow incoming ping. This is the only ICMP left.
-run iptables -A inbound -j ACCEPT -p icmp
+run ip46tables -A inbound -j ACCEPT -p icmp
m4_divert(88)m4_dnl
## Allow unusual things.
openports inbound
## Inspect inbound packets from untrusted sources.
-run iptables -A inbound -j forbidden
-run iptables -A INPUT -m mark --mark $from_untrusted/$MASK_FROM -g inbound
+run ip46tables -A inbound -j forbidden
+run ip46tables -A INPUT -m mark --mark $from_untrusted/$MASK_FROM -g inbound
## Otherwise process as indicated by the mark.
for i in INPUT FORWARD; do
- run iptables -A $i -m mark ! --mark 0/$MASK_MASK -j ACCEPT
+ run ip46tables -A $i -m mark ! --mark 0/$MASK_MASK -j ACCEPT
done
m4_divert(-1)
~mdw / firewall / blobdiff