This example shows how to set up a three-way firewall using a tunnel to HE, two /64 subnets and a /48 address allocation from HE.
The private network is for client PCs. The DMZ network is for servers, and the tunnel interface is for the tunnel to the HE tunnel broker.
The rules allow hosts on the private network to reach the IPv6 Internet and the server DMZ. Hosts on the server DMZ
can reach the IPv6 Internet, but not the private network. Incoming connections from HE are only accepted when they are established or related to an existing connection.
Note: make sure your kernel is newer than 2.6.20, or the stateful (connection-tracking) rules will not work correctly.
Script follows:
#!/bin/bash
# Tunnel interface (tunnel to the HE tunnel broker)
TUNIF=he-ipv6
# DMZ interface (where the servers live)
DMZIF=eth1
# Private interface (where the PCs in the house live)
PRIVIF=eth0

# Clean start: flush all chains of the filter table
ip6tables -F

# Default policies: drop anything not explicitly allowed into or through the router
ip6tables -P INPUT DROP
ip6tables -P FORWARD DROP
ip6tables -P OUTPUT ACCEPT

# Input to the router
# Allow all loopback traffic
ip6tables -A INPUT -i lo -j ACCEPT
# Allow unrestricted access from the private network
ip6tables -A INPUT -i $PRIVIF -j ACCEPT
# From the tunnel, only allow traffic belonging to connections the router started
ip6tables -A INPUT -i $TUNIF -m state --state RELATED,ESTABLISHED -j ACCEPT
# Allow ICMPv6 from any interface, but throttle it
ip6tables -A INPUT -j ACCEPT -p ipv6-icmp --match limit --limit 50/minute
# Allow SSH on port x (disabled in this example)
#ip6tables -A INPUT -i $TUNIF -p tcp --dport x -j ACCEPT

# IPv6 forwarding rules
# Private network -> Internet: anything
ip6tables -A FORWARD -i $PRIVIF -o $TUNIF -j ACCEPT
# Internet -> private network: throttled ICMPv6, plus traffic of established connections
ip6tables -A FORWARD -i $TUNIF -o $PRIVIF -p ipv6-icmp --match limit --limit 50/minute -j ACCEPT
ip6tables -A FORWARD -i $TUNIF -o $PRIVIF -m state --state RELATED,ESTABLISHED -j ACCEPT
# DMZ -> private network: throttled ICMPv6, plus traffic of established connections only
ip6tables -A FORWARD -i $DMZIF -o $PRIVIF -p ipv6-icmp --match limit --limit 50/minute -j ACCEPT
ip6tables -A FORWARD -i $DMZIF -o $PRIVIF -m state --state RELATED,ESTABLISHED -j ACCEPT
# Private network -> DMZ: anything
ip6tables -A FORWARD -i $PRIVIF -o $DMZIF -j ACCEPT
# Internet -> DMZ: traffic of established connections only
ip6tables -A FORWARD -i $TUNIF -o $DMZIF -m state --state RELATED,ESTABLISHED -j ACCEPT
# DMZ -> Internet: anything
ip6tables -A FORWARD -i $DMZIF -o $TUNIF -j ACCEPT
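The policy stated above can be checked offline with this added Python model (an example written for this page, not part of the original script): it parses the script's -P and -A lines, substitutes the interface variables, and walks each chain first-match to return the verdict for a given flow. The limit match is assumed to be within its 50/minute budget and is treated as always matching.

```python
import shlex
VARS = {"TUNIF": "he-ipv6", "DMZIF": "eth1", "PRIVIF": "eth0"}  # as in the page's script

# Constructed copy of the page's rule lines (comments and the disabled SSH line left out).
RULESET = """
ip6tables -P INPUT DROP
ip6tables -P FORWARD DROP
ip6tables -P OUTPUT ACCEPT
ip6tables -A INPUT -i lo -j ACCEPT
ip6tables -A INPUT -i $PRIVIF -j ACCEPT
ip6tables -A INPUT -i $TUNIF -m state --state RELATED,ESTABLISHED -j ACCEPT
ip6tables -A INPUT -j ACCEPT -p ipv6-icmp --match limit --limit 50/minute
ip6tables -A FORWARD -i $PRIVIF -o $TUNIF -j ACCEPT
ip6tables -A FORWARD -i $TUNIF -o $PRIVIF -p ipv6-icmp --match limit --limit 50/minute -j ACCEPT
ip6tables -A FORWARD -i $TUNIF -o $PRIVIF -m state --state RELATED,ESTABLISHED -j ACCEPT
ip6tables -A FORWARD -i $DMZIF -o $PRIVIF -p ipv6-icmp --match limit --limit 50/minute -j ACCEPT
ip6tables -A FORWARD -i $DMZIF -o $PRIVIF -m state --state RELATED,ESTABLISHED -j ACCEPT
ip6tables -A FORWARD -i $PRIVIF -o $DMZIF -j ACCEPT
ip6tables -A FORWARD -i $TUNIF -o $DMZIF -m state --state RELATED,ESTABLISHED -j ACCEPT
ip6tables -A FORWARD -i $DMZIF -o $TUNIF -j ACCEPT
"""
def load(text):
    """Parse -P policies and -A rules (order kept); every option used here takes one value."""
    policies, rules = {}, []
    for line in text.strip().splitlines():
        for name, dev in VARS.items():
            line = line.replace("$" + name, dev)
        argv = shlex.split(line)[1:]                 # drop the leading 'ip6tables'
        opts = dict(zip(argv[::2], argv[1::2]))      # option order on the line does not matter
        if "-P" in opts:
            policies[opts["-P"]] = argv[2]
            continue
        rules.append({"chain": opts["-A"], "iif": opts.get("-i"), "oif": opts.get("-o"),
                      "proto": opts.get("-p"), "target": opts["-j"],
                      "states": set(opts["--state"].split(",")) if "--state" in opts else None})
    return policies, rules

def verdict(fw, chain, iif=None, oif=None, proto="tcp", state="NEW"):
    """First-match walk of one chain; the 'limit' match is treated as always matching
    (the packet is assumed to be within the 50/minute budget)."""
    policies, rules = fw
    for r in rules:
        if r["chain"] != chain or (r["iif"] and r["iif"] != iif) or (r["oif"] and r["oif"] != oif):
            continue
        if (r["proto"] and r["proto"] != proto) or (r["states"] and state not in r["states"]):
            continue
        return r["target"]
    return policies[chain]                            # no rule matched: the chain policy applies
FW = load(RULESET)
```

verdict(FW, "INPUT", "eth1") returns DROP, which makes visible that DMZ hosts cannot open connections to the router itself; only their rate-limited ICMPv6 is accepted.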