
Enabling 6to4 with FireHOL

I use FireHOL as my iptables helper. FireHOL has proven very effective in managing complex sets of rules, including multiple interfaces and protocols, “strong” protection against several types of attacks, and other things that would take me a huge amount of time to take care of by hand. And, when it comes to security, analysis time is paralysis time.

However, FireHOL isn’t particularly aware of IPv6, let alone tunneling techniques such as Teredo or 6to4. 6to4 encapsulates IPv6 traffic on top of IPv4 traffic, sent (in most scenarios) to an anycast address, and iptables does support filtering by IP protocol number: protocol 41 is the ‘ipv6’ entry, i.e. IPv6 encapsulated in IPv4.

A solution: define a new FireHOL interface whose rules match protocol 41, and then set your restrictions on it accordingly:

    interface eth0 6tunnel proto 41
        # Example policy
        policy accept
        server all accept
        client all accept

If you’re not using FireHOL but some homebrew iptables script instead, you can match the same encapsulated traffic with -p 41.
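To make clear what a proto 41 match does and does not cover, here is an added example (not code from the post, FireHOL or iptables) that builds a constructed 6to4 packet with Python’s standard library, parses it the way the two firewall layers see it, and applies the decapsulation check RFC 3964 recommends. The addresses are RFC 5737 documentation addresses, the TCP header is a zeroed stub, and the checksums are not computed; all of that is an assumption of the example. The IPv4 rule (FireHOL’s proto 41, or iptables -p 41) only ever sees the outer header; the inner IPv6 source and destination are invisible to it, so any IPv6 policy still has to be enforced by ip6tables once the packet is decapsulated.

```python
"""Constructed-packet walkthrough of what a proto-41 iptables match covers."""
import ipaddress
import struct

IPPROTO_IPV6 = 41        # "ipv6" in /etc/protocols: IPv6 carried inside IPv4 (6to4, 6in4)
IPPROTO_TCP = 6
SIX_TO_FOUR = ipaddress.IPv6Network("2002::/16")   # RFC 3056 6to4 prefix


def build_ipv4(src, dst, proto, payload):
    """Minimal 20-byte IPv4 header (no options; checksum left zero, constructed sample)."""
    hdr = struct.pack("!BBHHHBBH4s4s", (4 << 4) | 5, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr + payload


def build_ipv6(src, dst, next_header, payload):
    """Minimal 40-byte IPv6 header."""
    hdr = struct.pack("!IHBB16s16s", 6 << 28, len(payload), next_header, 64,
                      ipaddress.IPv6Address(src).packed, ipaddress.IPv6Address(dst).packed)
    return hdr + payload


def parse_ipv4(pkt):
    """The fields an IPv4 firewall rule (iptables -p 41) can match on."""
    ver_ihl, _, total_len, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    return {"proto": proto, "src": str(ipaddress.IPv4Address(src)),
            "dst": str(ipaddress.IPv4Address(dst)), "payload": pkt[ihl:total_len]}


def parse_ipv6(pkt):
    """The inner header, visible only after decapsulation (ip6tables territory)."""
    _, payload_len, next_header, _, src, dst = struct.unpack("!IHBB16s16s", pkt[:40])
    return {"next_header": next_header, "src": str(ipaddress.IPv6Address(src)),
            "dst": str(ipaddress.IPv6Address(dst)), "payload": pkt[40:40 + payload_len]}


def six_to_four_prefix(ipv4):
    """2002:VVVV:VVVV::/48, the 6to4 prefix owned by an IPv4 address (RFC 3056)."""
    v4 = int(ipaddress.IPv4Address(ipv4))
    return ipaddress.IPv6Network("2002:%04x:%04x::/48" % (v4 >> 16, v4 & 0xFFFF))


def inspect(pkt):
    """Return what the IPv4 layer matches on and, for proto 41, what the tunnel carries.

    Applies the RFC 3964 decapsulation check: an inner 2002:: source must embed the
    outer IPv4 source address, otherwise the packet is flagged as spoofed.
    """
    outer = parse_ipv4(pkt)
    result = {"outer_proto": outer["proto"], "outer_src": outer["src"],
              "inner": None, "spoofed": False}
    if outer["proto"] != IPPROTO_IPV6:
        return result                # plain IPv4: ordinary port-based rules apply
    inner = parse_ipv6(outer["payload"])
    result["inner"] = inner
    inner_src = ipaddress.IPv6Address(inner["src"])
    if inner_src in SIX_TO_FOUR and inner_src not in six_to_four_prefix(outer["src"]):
        result["spoofed"] = True
    return result


# Constructed samples: RFC 5737 documentation IPv4 addresses and their 6to4 prefixes.
TCP_STUB = bytes(20)      # zeroed TCP header; its contents are irrelevant here
LEGIT = build_ipv4("192.0.2.10", "198.51.100.7", IPPROTO_IPV6,
                   build_ipv6("2002:c000:20a::1", "2002:c633:6407::1", IPPROTO_TCP, TCP_STUB))
SPOOFED = build_ipv4("192.0.2.10", "198.51.100.7", IPPROTO_IPV6,   # inner source embeds 10.0.0.1
                     build_ipv6("2002:a00:1::1", "2002:c633:6407::1", IPPROTO_TCP, TCP_STUB))
NATIVE_V4 = build_ipv4("192.0.2.10", "198.51.100.7", IPPROTO_TCP, TCP_STUB)

if __name__ == "__main__":
    for name, pkt in (("legit", LEGIT), ("spoofed", SPOOFED), ("plain v4", NATIVE_V4)):
        r = inspect(pkt)
        inner_src = r["inner"]["src"] if r["inner"] else "-"
        print("%-8s outer proto %2d  inner src %-18s spoofed=%s"
              % (name, r["outer_proto"], inner_src, r["spoofed"]))
```

Running it shows the first two packets are indistinguishable to a proto 41 rule (same outer protocol, same outer source) even though one of them carries a 6to4 source that does not belong to the sending IPv4 address; that consistency check, and everything else about the inner traffic, has to live on the decapsulated side.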

6to4 is a very effective way to start using IPv6 if you have a static, globally routable IPv4 address. ifupdown provides a very elegant way of managing it, which is documented in Debian’s wiki.
