Well, along with the whole new world that IPv6 provides comes one change: the NAT-based firewall you got for free with IPv4 no longer applies, since every host is now directly reachable.

As my friend put it .. “upside down and inside out”.

So I had opted to write custom ip6tables rules to at least allow only certain
service ports over IPv6 (imagine being able to mount an NFS share from somewhere via Android.. 8-) ).

#!/bin/sh
# Block all IPv6 traffic except ping (ICMPv6) and a few chosen ports.
# Device settings
INT=eth0        # internal (LAN) interface
IV6=sit+        # IPv6 tunnel interface(s)
# Service ports
SSH=22
HTTP=80
# Toggles: 1 = open, 0 = closed
OPEN_ICMP=1
OPEN_TCP=1
OPEN_SSH=0
OPEN_HTTP=1
# Path to the ip6tables binary
ipt=/sbin/ip6tables

echo "Starting IPv6 Firewall.."
# Flush old rules and delete user-defined chains
echo ".. Flushing old tables"
$ipt -F
$ipt -X
# Default policy: drop everything on IPv6
$ipt -P INPUT DROP
$ipt -P OUTPUT DROP
$ipt -P FORWARD DROP
# Loopback traffic (::1) must stay open or local IPv6 services break
$ipt -A INPUT -i lo -j ACCEPT
$ipt -A OUTPUT -o lo -j ACCEPT
# Allow forwarding from the internal interface to the outside world.
# NOTE: the second rule also forwards everything arriving from the tunnel
# towards the LAN; add -m state --state ESTABLISHED,RELATED to it if
# internal hosts should not be reachable from outside.
$ipt -A FORWARD -i $INT -j ACCEPT
$ipt -A FORWARD -i $IV6 -j ACCEPT
# or open forwarding completely if the above does not suit you
#$ipt -A FORWARD -j ACCEPT
# Full outgoing, no unsolicited incoming: rely on connection tracking.
# The OUTPUT chain matches on the outgoing interface (-o); ip6tables
# rejects -i there. Outgoing IPv6 on $INT is still caught by the OUTPUT
# DROP policy; drop the -o $IV6 match if this host talks IPv6 to the LAN.
$ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$ipt -A OUTPUT -o $IV6 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
# Allow ping (ICMPv6). ICMPv6 also carries Neighbour Discovery, so
# turning this off breaks IPv6 connectivity on the LAN side.
if [ "$OPEN_ICMP" -eq 1 ]; then
 echo ".. Allowing PING request"
 $ipt -A INPUT -p ipv6-icmp -j ACCEPT
 $ipt -A OUTPUT -p ipv6-icmp -j ACCEPT
fi
# Open selected TCP ports
if [ "$OPEN_TCP" -eq 1 ]; then
 echo ".. Allowing TCP request"
 # SSH
 if [ "$OPEN_SSH" -eq 1 ]; then
  echo "...  SSH"
  $ipt -A INPUT -p tcp --dport $SSH -j ACCEPT
  $ipt -A OUTPUT -p tcp --sport $SSH ! --syn -j ACCEPT
 fi
 # HTTP
 if [ "$OPEN_HTTP" -eq 1 ]; then
  echo "...  HTTP"
  $ipt -A INPUT -p tcp --dport $HTTP -j ACCEPT
  $ipt -A OUTPUT -p tcp --sport $HTTP ! --syn -j ACCEPT
 fi
fi
# Block incoming TCP connection requests explicitly.
# Left disabled: -I inserts at the top of the chain, so it would also drop
# the SYNs for the ports opened above, and the DROP policy covers this anyway.
#$ipt -I INPUT -p tcp --syn -j DROP
#$ipt -I FORWARD -p tcp --syn -j DROP
echo "Started IPv6 Firewall.."

The above can be added to /etc/arno-iptables-firewall/customs if you already have
arno-iptables-firewall installed on the system.

I think it could possibly be improved later…
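As an added example (not part of the original post and not the author's script), the following variant of the same ruleset tightens the two places where a script like the one above is coarse: ICMPv6 is accepted per type instead of wholesale (the error and Neighbour Discovery messages IPv6 relies on, plus rate-limited echo requests), and new inbound TCP connections are accepted only on the tunnel interface for the listed ports. `IP6T` defaults to a recorder function so the rule list can be inspected without root; the interface name `sit+` follows the post, while `OPEN_PORTS`, the helper names and the 10/s rate limit are assumptions.

```shell
#!/bin/sh
# Added example, not the original post's script. Builds a per-type ICMPv6
# aware ip6tables ruleset. With IP6T unset the rules are only recorded in
# $RULES (dry run); set IP6T=/sbin/ip6tables to apply them for real.
WAN_IF="${WAN_IF:-sit+}"          # tunnel interface, as in the post
OPEN_PORTS="${OPEN_PORTS:-80}"    # assumed: TCP ports to expose, space separated

RULES=""
record() {
    # Dry-run stand-in for ip6tables: append the rule text to $RULES
    RULES="$RULES$*
"
}
: "${IP6T:=record}"

build_rules() {
    RULES=""
    $IP6T -F
    $IP6T -X
    # Default deny in every direction; specific accepts follow
    $IP6T -P INPUT DROP
    $IP6T -P FORWARD DROP
    $IP6T -P OUTPUT DROP
    # Loopback (::1) must work for local services
    $IP6T -A INPUT -i lo -j ACCEPT
    $IP6T -A OUTPUT -o lo -j ACCEPT
    # Replies to connections this host opened; packets in no valid state are dropped
    $IP6T -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IP6T -A INPUT -m conntrack --ctstate INVALID -j DROP
    # ICMPv6 types IPv6 relies on: Destination Unreachable (1), Packet Too Big (2),
    # Time Exceeded (3), Parameter Problem (4) and Neighbour Discovery (133-136)
    for t in 1 2 3 4 133 134 135 136; do
        $IP6T -A INPUT -p ipv6-icmp --icmpv6-type "$t" -j ACCEPT
    done
    # Echo requests (128) are fine, but rate limited (10/s is an assumed value)
    $IP6T -A INPUT -p ipv6-icmp --icmpv6-type 128 -m limit --limit 10/s -j ACCEPT
    # Exposed services: new connections accepted only on the tunnel interface
    for p in $OPEN_PORTS; do
        $IP6T -A INPUT -i "$WAN_IF" -p tcp --dport "$p" -m conntrack --ctstate NEW -j ACCEPT
    done
    # Outbound: the OUTPUT chain matches on -o, never -i
    $IP6T -A OUTPUT -p ipv6-icmp -j ACCEPT
    $IP6T -A OUTPUT -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
}

# True when the recorded ruleset contains a rule matching the given pattern
has_rule() {
    printf '%s' "$RULES" | grep -q -e "$1"
}

# Number of recorded -A rules (dry-run mode only)
rule_count() {
    printf '%s' "$RULES" | grep -c -e '^-A '
}

# Dry run: build and print the rules that would be applied
build_rules
printf '%s' "$RULES"
```

Run it as root with `IP6T=/sbin/ip6tables sh ip6fw.sh` to apply the rules; without `IP6T` set it only prints what it would do, which is the form to review before touching a remote box.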
