own3mall DD-WRT Novice
Joined: 26 Jul 2014 Posts: 31
|
Posted: Sun Dec 31, 2023 6:34 Post subject: |
|
Here's what I have currently. IPv6 works on the router itself, but not a LAN client. Any idea what's missing from this firewall script?
Code: |
#!/bin/sh
WANIP=$(nvram get wan_ipaddr)
if [ -n "$WANIP" ]
then
insmod /lib/modules/`uname -r`/ipv6.ko
insmod /lib/modules/`uname -r`/tunnel4.ko
insmod /lib/modules/`uname -r`/ip_tunnel.ko
insmod /lib/modules/`uname -r`/sit.ko
sleep 3
HOST6RD=205.171.2.64
V6PREFIX=$(printf ' 2602:%02x:%02x%02x:%02x00' $(echo $WANIP | tr . ' '))
ip tunnel add tun6rd mode sit ttl 255 remote any local $WANIP
ip link set tun6rd mtu 1280
ip link set tun6rd up
ip addr add $V6PREFIX:0::1/24 dev tun6rd
ip addr add $V6PREFIX:1::1/64 dev br0
ip -6 route add 2000::/3 via ::$HOST6RD dev tun6rd
kill -15 $(cat /var/run/radvd.pid)
echo "interface br0 { \
MinRtrAdvInterval 3; MaxRtrAdvInterval 10; AdvLinkMTU 1280; AdvSendAdvert on; \
prefix $V6PREFIX::/64 { AdvOnLink on; AdvAutonomous on; AdvValidLifetime 86400; \
AdvPreferredLifetime 86400; }; };" \
> /tmp/radvd.conf
radvd -C /tmp/radvd.conf start
###Firewall###
insmod /lib/modules/`uname -r`/ip6_tables.ko
insmod /lib/modules/`uname -r`/ip6table_filter.ko
insmod /lib/modules/`uname -r`/nf_defrag_ipv6.ko
insmod /lib/modules/`uname -r`/nf_conntrack_ipv6.ko
# flush tables
ip6tables -F INPUT
ip6tables -F OUTPUT
ip6tables -F FORWARD
ip6tables -X
# Default rule DROP for all chains
ip6tables -P INPUT DROP
ip6tables -P OUTPUT DROP
ip6tables -P FORWARD DROP
# Allow traffic on loopback interface
ip6tables -A INPUT -i lo -j ACCEPT
ip6tables -A OUTPUT -o lo -j ACCEPT
# Allow Link-Local addresses
ip6tables -A INPUT -s fe80::/10 -j ACCEPT
ip6tables -A OUTPUT -s fe80::/10 -j ACCEPT
# Allow multicast
ip6tables -A INPUT -d ff00::/8 -j ACCEPT
ip6tables -A OUTPUT -d ff00::/8 -j ACCEPT
ip6tables -A OUTPUT -o tun6rd -s 2602::/24 -j ACCEPT
ip6tables -A INPUT -i tun6rd -d 2602::/24 -m state --state RELATED,ESTABLISHED -j ACCEPT
# Allow traffic from local network to local host
ip6tables -A OUTPUT -o br0 -j ACCEPT
ip6tables -A INPUT -i br0 -j ACCEPT
# Allow traffic from local network to tunnel (IPv6 world)
ip6tables -A FORWARD -i br0 -s 2602::/24 -j ACCEPT
ip6tables -A FORWARD -i tun6rd -d 2602::/24 -m state --state RELATED,ESTABLISHED -j ACCEPT
# Allow ICMP
ip6tables -A INPUT -p icmpv6 -j ACCEPT
ip6tables -A OUTPUT -p icmpv6 -j ACCEPT
ip6tables -A FORWARD -p icmpv6 -j ACCEPT
echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
fi
|
I'm running DD-WRT v3.0-r51043 std (12/19/22) fyi |
|
own3mall DD-WRT Novice
Joined: 26 Jul 2014 Posts: 31
|
Posted: Sun Dec 31, 2023 7:44 Post subject: |
|
For some reason, vlan2 isn't getting an IPv6 address / assignment. Is my firewall script missing something?
Code: |
ifconfig
aux0 Link encap:Ethernet HWaddr D8:EB:97:AF:95:55
inet6 addr: fe80::daeb:97ff:feaf:9555/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:10 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 B) TX bytes:908 (908.0 B)
Interrupt:179 Base address:0x4000
br0 Link encap:Ethernet HWaddr D8:EB:97:AF:95:57
inet addr:192.168.40.23 Bcast:192.168.40.255 Mask:255.255.255.0
inet6 addr: fe80::daeb:97ff:feaf:9557/64 Scope:Link
inet6 addr: 2602:4b:a38e:a00:1::1/64 Scope:Global
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:5057 errors:0 dropped:4 overruns:0 frame:0
TX packets:1782 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:562886 (549.6 KiB) TX bytes:798700 (779.9 KiB)
br1 Link encap:Ethernet HWaddr D8:EB:97:AF:95:57
inet addr:192.168.16.30 Bcast:192.168.16.255 Mask:255.255.255.0
inet6 addr: fe80::1c58:e1ff:fee5:47f1/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:49 errors:0 dropped:4 overruns:0 frame:0
TX packets:44 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:4768 (4.6 KiB) TX bytes:9223 (9.0 KiB)
br2 Link encap:Ethernet HWaddr D8:EB:97:AF:95:57
inet addr:192.168.14.30 Bcast:192.168.14.255 Mask:255.255.255.0
inet6 addr: fe80::107c:e0ff:fe09:36a8/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:396 errors:0 dropped:8 overruns:0 frame:0
TX packets:268 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:47788 (46.6 KiB) TX bytes:32481 (31.7 KiB)
br3 Link encap:Ethernet HWaddr D8:EB:97:AF:95:57
inet addr:192.168.2.45 Bcast:192.168.2.255 Mask:255.255.255.0
inet6 addr: fe80::c0fe:cbff:fe79:b9d/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:3196 errors:0 dropped:6 overruns:0 frame:0
TX packets:5991 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:395637 (386.3 KiB) TX bytes:1635426 (1.5 MiB)
eth0 Link encap:Ethernet HWaddr D8:EB:97:AF:95:55
inet6 addr: fe80::daeb:97ff:feaf:9555/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:16098 errors:0 dropped:0 overruns:0 frame:0
TX packets:15445 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:4705187 (4.4 MiB) TX bytes:3606818 (3.4 MiB)
Interrupt:181 Base address:0x6000
eth1 Link encap:Ethernet HWaddr D8:EB:97:AF:95:57
inet6 addr: fe80::daeb:97ff:feaf:9557/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:1463 errors:0 dropped:0 overruns:0 frame:1944
TX packets:1673 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:335393 (327.5 KiB) TX bytes:276344 (269.8 KiB)
Interrupt:163
eth2 Link encap:Ethernet HWaddr D8:EB:97:AF:95:6A
inet6 addr: fe80::daeb:97ff:feaf:956a/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:452
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
Interrupt:169
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MULTICAST MTU:65536 Metric:1
RX packets:39 errors:0 dropped:0 overruns:0 frame:0
TX packets:39 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1
RX bytes:3260 (3.1 KiB) TX bytes:3260 (3.1 KiB)
tun6rd Link encap:IPv6-in-IPv4
inet6 addr: ::4ba3:8e0a/96 Scope:Compat
inet6 addr: 2602:4b:a38e:a00::1/24 Scope:Global
inet6 addr: 2602:4b:a38e:a00::1/24 Scope:Global
UP RUNNING NOARP MTU:1280 Metric:1
RX packets:151 errors:0 dropped:0 overruns:0 frame:0
TX packets:251 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1
RX bytes:17674 (17.2 KiB) TX bytes:27141 (26.5 KiB)
vlan1 Link encap:Ethernet HWaddr D8:EB:97:AF:95:55
inet6 addr: fe80::daeb:97ff:feaf:9555/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:3137 errors:0 dropped:0 overruns:0 frame:0
TX packets:2638 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:334214 (326.3 KiB) TX bytes:839865 (820.1 KiB)
vlan2 Link encap:Ethernet HWaddr 00:A7:4F:52:6B:43
inet addr:{REMOVED} Bcast:75.163.159.255 Mask:255.255.224.0
inet6 addr: fe80::2a7:4fff:fe52:6b43/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:9207 errors:0 dropped:0 overruns:0 frame:0
TX packets:6655 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:3530498 (3.3 MiB) TX bytes:1059126 (1.0 MiB)
vlan3 Link encap:Ethernet HWaddr D8:EB:97:AF:95:55
inet6 addr: fe80::daeb:97ff:feaf:9555/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:3754 errors:0 dropped:0 overruns:0 frame:0
TX packets:6142 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:536977 (524.3 KiB) TX bytes:1648923 (1.5 MiB)
wl0.1 Link encap:Ethernet HWaddr DA:EB:97:AF:95:58
inet6 addr: fe80::d8eb:97ff:feaf:9558/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:186 errors:0 dropped:0 overruns:0 frame:1944
TX packets:199 errors:5 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:14990 (14.6 KiB) TX bytes:19837 (19.3 KiB)
wl0.2 Link encap:Ethernet HWaddr DA:EB:97:AF:95:59
inet6 addr: fe80::d8eb:97ff:feaf:9559/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:874 errors:0 dropped:1 overruns:0 frame:1944
TX packets:738 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:116862 (114.1 KiB) TX bytes:159218 (155.4 KiB)
wl0.3 Link encap:Ethernet HWaddr DA:EB:97:AF:95:5A
inet6 addr: fe80::d8eb:97ff:feaf:955a/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:795 errors:0 dropped:0 overruns:0 frame:1944
TX packets:1849 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:69314 (67.6 KiB) TX bytes:1651802 (1.5 MiB)
wl1.1 Link encap:Ethernet HWaddr DA:EB:97:AF:95:6B
inet6 addr: fe80::d8eb:97ff:feaf:956b/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:452
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
wl1.2 Link encap:Ethernet HWaddr DA:EB:97:AF:95:6C
inet6 addr: fe80::d8eb:97ff:feaf:956c/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:452
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
wl1.3 Link encap:Ethernet HWaddr DA:EB:97:AF:95:6D
inet6 addr: fe80::d8eb:97ff:feaf:956d/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:452
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
|
My Windows client does get an IPv6 address, but it is unable to ping -6 anything...
Code: |
Ethernet adapter Local Area Connection 10:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Intel(R) I211 Gigabit Network Connection
Physical Address. . . . . . . . . : 70-55-C2-71-44-A8
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IPv6 Address. . . . . . . . . . . : 2602::748e:6bdb:4553:d402(Preferred)
IPv6 Address. . . . . . . . . . . : 2602:4b:a382:8800:748e:6bdb:4553:d402(Pre
ferred)
IPv6 Address. . . . . . . . . . . : 2602:4b:a388:3a00:748e:6bdb:4553:d402(Pre
ferred)
IPv6 Address. . . . . . . . . . . : 2602:4b:a388:8100:748e:6bdb:4553:d402(Pre
ferred)
IPv6 Address. . . . . . . . . . . : 2602:4b:a38e:a00:748e:6bdb:4553:d402(Pref
erred)
IPv6 Address. . . . . . . . . . . : 2602:4b:a394:c00:748e:6bdb:4553:d402(Pref
erred)
IPv6 Address. . . . . . . . . . . : 2602:4b:a397:4b00:748e:6bdb:4553:d402(Pre
ferred)
IPv6 Address. . . . . . . . . . . : 2602:4b:a39d:7b00:748e:6bdb:4553:d402(Pre
ferred)
IPv6 Address. . . . . . . . . . . : 2602:4b:a39f:f600:748e:6bdb:4553:d402(Pre
ferred)
IPv6 Address. . . . . . . . . . . : 2602:4b:a3b9:a00:748e:6bdb:4553:d402(Pref
erred)
Temporary IPv6 Address. . . . . . : 2602::a5cd:5250:24dd:299f(Preferred)
Temporary IPv6 Address. . . . . . : 2602:4b:a382:8800:a5cd:5250:24dd:299f(Pre
ferred)
Temporary IPv6 Address. . . . . . : 2602:4b:a388:3a00:a5cd:5250:24dd:299f(Pre
ferred)
Temporary IPv6 Address. . . . . . : 2602:4b:a388:8100:a5cd:5250:24dd:299f(Pre
ferred)
Temporary IPv6 Address. . . . . . : 2602:4b:a38e:a00:a5cd:5250:24dd:299f(Pref
erred)
Temporary IPv6 Address. . . . . . : 2602:4b:a394:c00:a5cd:5250:24dd:299f(Pref
erred)
Temporary IPv6 Address. . . . . . : 2602:4b:a397:4b00:a5cd:5250:24dd:299f(Pre
ferred)
Temporary IPv6 Address. . . . . . : 2602:4b:a39d:7b00:a5cd:5250:24dd:299f(Pre
ferred)
Temporary IPv6 Address. . . . . . : 2602:4b:a39f:f600:a5cd:5250:24dd:299f(Pre
ferred)
Temporary IPv6 Address. . . . . . : 2602:4b:a3b9:a00:a5cd:5250:24dd:299f(Pref
erred)
Link-local IPv6 Address . . . . . : fe80::748e:6bdb:4553:d402%16(Preferred)
|
|
|
own3mall DD-WRT Novice
Joined: 26 Jul 2014 Posts: 31
|
Posted: Sun Dec 31, 2023 19:57 Post subject: |
|
I also modified JAMESMTL script to use grep -E rather than egrep since I don't have the egrep command available in my image of DD-WRT, but this still doesn't work:
Code: |
#!/bin/sh
# Generic 6rd / 6in4 / 6TO4 script by JAMESMTL rev. 2016-04-03A
###############################
# Start user config
###############################
# Type of 6rd service (DHCP=6rd DHCP option 212, MANUAL=Static 6rd, 6IN4=6in4, 6TO4=6to4)
IPV6_TYPE=MANUAL
IPV6_MTU=1280
# Use radvd
USE_RADVD=ON
IPV6_RDNSS="2600:1621:1::c:1 2600:1621:1::c:2 2600:1621:1::c:3"
RADVD_SLAAC=ON
RADVD_RA_EXPIRE=1800
RADVD_DNS_EXPIRE=300
# Use dnsmasq
USE_DNSMASQ=OFF
DNSMASQ_RA_OPTIONS=
DNSMASQ_RA_BCAST=10
DNSMASQ_RA_EXPIRE=1800
DNSMASQ_DNS_EXPIRE=300
DNSMASQ_START=1000
DNSMASQ_END=FFFF
DNSMASQ_HOSTS=
# Set IPv6 prefixes for interfaces (ex.br0,wl1.1,wl1.2 or leave blank for auto)
IPV6_IFS=
# MANUAL 6rd settings
IP6RD_REMOTE=205.171.2.64
IP6RD_PREFIX=2602::
IP6RD_PREFEIX_SIZE=24
IP6RD_MASK_LENGTH=0
# 6in4 settings
IP6IN4_PREFIX=2001:AAAA:AAAA::
IP6IN4_PREFIX_SIZE=48
IP6IN4_REMOTE=209.51.161.14
IP6IN4_CLIENT_IP=2001:BBBB:BBBB:BBBB::2
IP6IN4_CLIENT_IP_PREFIX_SIZE=64
# DDNS
USE_DDNS=OFF
DDNS_USERNAME=
DDNS_PASSWORD=yourpassword
DDNS_DOMAIN=yourdomain.com
DDNS_UPDATE_DAYS=10
DDNS_REQUEST="http://dyn.dns.he.net/nic/update?hostname={DDNS_HOST}&password={DDNS_PASSWORD}&myip={DDNS_IPV6}"
DDNS_CACHE_PATH=/jffs/etc/ddns
DDNS_AGENT=ddwrt-script
###############################
# End user config
###############################
DATEFMT="+%a %b %d %Y %T %Z"
IP6TUN=ip6tun
echo 1 > /proc/sys/net/ipv6/conf/vlan2/accept_ra
lsmod | grep -q ip6table_mangle || insmod ip6table_mangle.ko
hex2bin() {
echo $1 | tr '[a-z]' '[A-Z]' | sed 's/://g' | sed 's/.\B/&\n/g' | {
buf=""
while read char
do
case "$char" in
0) buf="${buf}0000" ;;
1) buf="${buf}0001" ;;
2) buf="${buf}0010" ;;
3) buf="${buf}0011" ;;
4) buf="${buf}0100" ;;
5) buf="${buf}0101" ;;
6) buf="${buf}0110" ;;
7) buf="${buf}0111" ;;
8) buf="${buf}1000" ;;
9) buf="${buf}1001" ;;
A) buf="${buf}1010" ;;
B) buf="${buf}1011" ;;
C) buf="${buf}1100" ;;
D) buf="${buf}1101" ;;
E) buf="${buf}1110" ;;
F) buf="${buf}1111" ;;
esac
done
echo $buf
}
}
bin2hex() {
echo $1 | sed 's/....\B/&\n/g' | {
buf=""
while read char
do
case "$char" in
0000) buf="${buf}0" ;;
0001) buf="${buf}1" ;;
0010) buf="${buf}2" ;;
0011) buf="${buf}3" ;;
0100) buf="${buf}4" ;;
0101) buf="${buf}5" ;;
0110) buf="${buf}6" ;;
0111) buf="${buf}7" ;;
1000) buf="${buf}8" ;;
1001) buf="${buf}9" ;;
1010) buf="${buf}A" ;;
1011) buf="${buf}B" ;;
1100) buf="${buf}C" ;;
1101) buf="${buf}D" ;;
1110) buf="${buf}E" ;;
1111) buf="${buf}F" ;;
esac
done
echo $buf
}
}
expandip () {
ipv6address=$(echo $1 | sed -e :a -e 's/\b[0-9A-F]\{1,3\}\b/0&/gI;ta')
postsegments=$(echo $ipv6address | awk -F'::' '{print $2}' | awk -F ':' '{print NF}')
expandedipv6=$(echo $ipv6address | awk -F'::' '{print $1}' | sed 's/://g')
expandedipv6=$(echo $expandedipv6 | sed -e :a -e 's/^[0-9A-F]\{1,'$(((8 - $postsegments) * 4 - 1))'\}$/&0/gI;ta')
expandedipv6=$expandedipv6$(echo $ipv6address | awk -F'::' '{print $2}' | sed 's/://g')
echo $expandedipv6 | sed 's/....\B/&:/g'
}
makeprefix () {
if [ $(($2 % 4)) -ne 0 ] ; then
prefix=$(echo $1 | cut -c 0-$(($2 / 4 + 1)))
else
prefix=$(echo $1 | cut -c 0-$(($2 / 4)))
fi
if [ $(($2 % 16)) -ne 0 ] ; then
prefix=$(echo $prefix | sed -e :a -e 's/^[0-9A-F]\{1,'$((($2 / 16 + 1) * 16 / 4 - 1))'\}$/&0/gI;ta')
fi
echo $prefix | sed 's/....\B/&:/g' | sed 's/\:0\{1,3\}/:/g'
}
maketunnel () {
if [ -n "$(ifconfig | grep $IP6TUN)" ]; then
ip tunnel del $IP6TUN
fi
ip tunnel add $IP6TUN mode sit ttl 64 local $(nvram get wan_ipaddr) remote $ipv4remote
ip link set $IP6TUN mtu $IPV6_MTU
ip link set $IP6TUN up
if [ $IPV6_TYPE = "6IN4" ]; then
ip -6 addr add ${IP6IN4_CLIENT_IP}/${IP6IN4_CLIENT_IP_PREFIX_SIZE} dev $IP6TUN
else
ip -6 addr add ${tunnel_prefix}::2/${ipv6prefixlen} dev $IP6TUN
fi
if [ $IPV6_TYPE = "6TO4" ]; then
ip -6 route add 2000::/3 via ::192.88.99.1 dev $IP6TUN
else
ip -6 route add 2000::/3 dev $IP6TUN
fi
}
assignprefixes () {
ifconfig | grep -E 'br[0-9] |wl|vlan([2-9]|1[0-5])' | awk '{ print $1 }' | while read IPV6_IF; do
for ipv6 in $(ifconfig $IPV6_IF | grep Global | awk '{ print $3 }'); do
ip addr del $ipv6 dev $IPV6_IF
done
done
loop=0
echo $IPV6_IFS | sed 's/[ |,]/\n/g' | while read IPV6_IF; do
if [ -n "$(ifconfig | grep $IPV6_IF)" ]; then
if [ $client_prefix_length -lt 63 ];then
bin_if=$(echo $(hex2bin $(printf '%x\n' $loop)) | sed 's/^0\{1,4\}//g' | sed -e :a -e 's/^[0-1]\{1,'$((64 - client_prefix_length -1))'\}$/0&/g;ta')
else
bin_if=$(echo $(hex2bin $(printf '%x\n' $loop)) | sed 's/^0\{1,4\}//g')
fi
if [ $IPV6_TYPE = "6IN4" ]; then
bin_if_prefix=$(echo $bin_ipv6prefix$bin_if | sed -e :a -e 's/^[0-1]\{1,127\}$/&0/g;ta')
else
bin_if_prefix=$(echo $bin_ipv6prefix$bin_wanip$bin_if | sed -e :a -e 's/^[0-1]\{1,127\}$/&0/g;ta')
fi
if_prefix=$(makeprefix $(bin2hex $bin_if_prefix) 64)
ip -6 addr add ${if_prefix}::1/64 dev $IPV6_IF
echo $IPV6_MTU > /proc/sys/net/ipv6/conf/$IPV6_IF/mtu
loop=$((loop + 1))
if [ $max_prefixes -eq $loop ]; then
exit
fi
fi
done
}
ipv6firewall () {
if [ $USE_DNSMASQ == "on" ]; then
br0_prefix=$(makeprefix $(echo $(expandip $(ifconfig br0 | grep Global | awk '{ print $3 }' | awk -F '/' '{ print $1 }')) | sed 's/://g') 64)
if [ -f /tmp/ip6tables.ports ]; then
rm /tmp/ip6tables.ports
fi
grep '\[.*\]' $DNSMASQ_HOSTS | grep -i set: | while read line; do
host_ip=$(echo $line | sed 's/^.*\[\(.*\)\].*/\1/')
echo $line | sed 's/,/\n/g' | while read param; do
if [ -n "$(echo $param | awk -F 'set:' '{ print $2 }')" ]; then
proto=$(echo $param | awk -F 'set:' '{ print $2 }' | awk -F '-' '{ print $1 }')
port=$(echo $param | awk -F 'set:' '{ print $2 }' | awk -F '-' '{ print $2 }')
if [ $proto == "tcp" -o $proto == "udp" ]; then
echo ip6tables -A FORWARD -d $(expandip ${br0_prefix}${host_ip}) -p $proto --dport $port -j ACCEPT >> /tmp/ip6tables.ports
fi
fi
done
done
fi
ip6tables -F
ip6tables -X icmpv6-filter
ip6tables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
ip6tables -A INPUT -p icmpv6 -j ACCEPT
ip6tables -A INPUT -s fe80::/64 -j ACCEPT
ip6tables -A INPUT -p udp --dport 546 -j ACCEPT
if ! lsmod | grep -q ip6table_mangle; then
ip6tables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
fi
ip6tables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
ip6tables -A FORWARD -m state --state INVALID -j DROP
ip6tables -N icmpv6-filter
ip6tables -A FORWARD -p icmpv6 -j icmpv6-filter
ip6tables -A FORWARD -o $IP6TUN -j ACCEPT
ip6tables -A INPUT -i lo -j ACCEPT
ip6tables -A INPUT -i br0 -j ACCEPT
# Permit IPv6 acccess to router from OpenVPN tunnel users
ip6tables -A INPUT -i tun+ -j ACCEPT
ifconfig | grep -E 'wl|vlan([2-9]|1[0-5])|br[1-9] ' | awk '{ print $1 }' | while read interfaces; do
if [ -n "$(ifconfig $interfaces | grep Global)" ]; then
ip6tables -A INPUT -i $interfaces -p udp --dport 53 -j ACCEPT
ip6tables -A INPUT -i $interfaces -p udp --dport 547 -j ACCEPT
fi
done
# Remote access rules ex. http, rdp, etc
# ip6tables -A INPUT -p tcp --dport 22 -j ACCEPT
if [ -f /tmp/ip6tables.ports ]; then
sh /tmp/ip6tables.ports
fi
# Permit IPv6 access to LAN from OpenVPN tunnel users
ip6tables -A FORWARD -i tun+ -o br0 -j ACCEPT
ip6tables -A INPUT -j DROP
ip6tables -A FORWARD -j DROP
if lsmod | grep -q ip6table_mangle; then
ip6tables -t mangle -F
ip6tables -t mangle -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
fi
ip6tables -A icmpv6-filter -p icmpv6 --icmpv6-type echo-request -j ACCEPT
ip6tables -A icmpv6-filter -m state -p icmpv6 --state ESTABLISHED,RELATED --icmpv6-type echo-reply -j ACCEPT
ip6tables -A icmpv6-filter -p icmpv6 -d ff00::/8 --icmpv6-type echo-reply -j DROP
ip6tables -A icmpv6-filter -m state -p icmpv6 -i $IP6TUN --state ESTABLISHED,RELATED --icmpv6-type destination-unreachable -j ACCEPT
ip6tables -A icmpv6-filter -p icmpv6 -o $IP6TUN --icmpv6-type destination-unreachable -j ACCEPT
ip6tables -A icmpv6-filter -m state -p icmpv6 -i $IP6TUN --state ESTABLISHED,RELATED --icmpv6-type packet-too-big -j ACCEPT
ip6tables -A icmpv6-filter -p icmpv6 -o $IP6TUN --icmpv6-type packet-too-big -j ACCEPT
ip6tables -A icmpv6-filter -m state -p icmpv6 -i $IP6TUN --state ESTABLISHED,RELATED --icmpv6-type ttl-zero-during-transit -j ACCEPT
ip6tables -A icmpv6-filter -p icmpv6 -i $IP6TUN --icmpv6-type ttl-zero-during-reassembly -j ACCEPT
ip6tables -A icmpv6-filter -p icmpv6 -o $IP6TUN --icmpv6-type ttl-zero-during-transit -j ACCEPT
ip6tables -A icmpv6-filter -p icmpv6 -o $IP6TUN --icmpv6-type ttl-zero-during-reassembly -j ACCEPT
ip6tables -A icmpv6-filter -m state -p icmpv6 -i $IP6TUN --state ESTABLISHED,RELATED --icmpv6-type unknown-header-type -j ACCEPT
ip6tables -A icmpv6-filter -m state -p icmpv6 -i $IP6TUN --state ESTABLISHED,RELATED --icmpv6-type unknown-option -j ACCEPT
ip6tables -A icmpv6-filter -p icmpv6 -o $IP6TUN --icmpv6-type unknown-header-type -j ACCEPT
ip6tables -A icmpv6-filter -p icmpv6 -o $IP6TUN --icmpv6-type unknown-option -j ACCEPT
ip6tables -A icmpv6-filter -p icmpv6 --icmpv6-type bad-header -j ACCEPT
ip6tables -A icmpv6-filter -p icmpv6 -j DROP
}
startradvd () {
if [ -f /tmp/radvd.conf ]; then
rm /tmp/radvd.conf
fi
loop=0
echo $IPV6_IFS | sed 's/[ |,]/\n/g' | while read IPV6_IF; do
if [ -n "$(ifconfig | grep $IPV6_IF)" ]; then
if [ $USE_DNSMASQ == "on" ]; then
IPV6_RDNSS=$(ifconfig $IPV6_IF | grep Scope:Link | awk '{ print $3 }' | awk -F '/' '{ print $1 '})
fi
cat >> /tmp/radvd.conf << EOF
interface $IPV6_IF {
IgnoreIfMissing on;
MinRtrAdvInterval 3;
MaxRtrAdvInterval 10;
AdvLinkMTU $IPV6_MTU;
AdvSendAdvert on;
AdvDefaultLifetime $RADVD_RA_EXPIRE;
AdvOtherConfigFlag $USE_DNSMASQ;
AdvManagedFlag $USE_DNSMASQ;
prefix ::/64 {
AdvOnLink on;
AdvAutonomous $RADVD_SLAAC;
AdvValidLifetime $RADVD_RA_EXPIRE;
AdvPreferredLifetime $RADVD_RA_EXPIRE;
};
RDNSS $IPV6_RDNSS {
AdvRDNSSLifetime $RADVD_DNS_EXPIRE;
};
};
EOF
loop=$((loop + 1))
if [ $max_prefixes -eq $loop ]; then
exit
fi
fi
done
killall radvd
radvd -C /tmp/radvd.conf
}
ddns () {
if [ $USE_DNSMASQ == "on" -a $USE_DDNS == "on" ]; then
if [ -z "$DDNS_CACHE_PATH" ]; then
DDNS_CACHE_PATH=/tmp/ddns/ipv6
fi
if [ ! -d $DDNS_CACHE_PATH ]; then
mkdir -p $DDNS_CACHE_PATH
fi
if [ ! -f "/tmp/cron.d/ipv6-ddnscheck" ]; then
echo "0 * * * * root $0 DDNS" > /tmp/cron.d/ipv6-ddnscheck
fi
br0_prefix=$(makeprefix $(echo $(expandip $(ifconfig br0 | grep Global | awk '{ print $3 }' | awk -F '/' '{ print $1 }')) | sed 's/://g') 64)
grep '\[.*\]' $DNSMASQ_HOSTS | grep -i set: | while read line; do
host_ip=$(echo $line | sed 's/^.*\[\(.*\)\].*/\1/')
echo $line | sed 's/,/\n/g' | while read param; do
if [ -n "$(echo $param | awk -F 'set:' '{ print $2 }')" ]; then
proto=$(echo $param | awk -F 'set:' '{ print $2 }' | awk -F '-' '{ print $1 }')
host_name=$(echo $param | awk -F 'set:' '{ print $2 }' | awk -F '-' '{ print $2 }')
host_pass=$(echo $param | awk -F 'set:' '{ print $2 }' | awk -F '-' '{ print $3 }')
if [ $proto == "ddns" ]; then
host_ip_full=$(expandip ${br0_prefix}${host_ip})
if [ ! -f "${DDNS_CACHE_PATH}/${host_name}.cache" ]; then
ddns_update=true
ddns_log="Send Request: No Cache File"
elif [ $(cat "${DDNS_CACHE_PATH}/${host_name}.cache") != ${host_ip_full} ]; then
ddns_update=true
ddns_log="Send Request: New IP Detected"
elif [ $(($(cat ${DDNS_CACHE_PATH}/${host_name}.date) + (86400 * ${DDNS_UPDATE_DAYS}))) -lt $(date +%s) ]; then
ddns_update=true
ddns_log="Send Request: Forced Update"
else
ddns_update=false
fi
if [ $ddns_update = true ]; then
echo $(TZ=$(cat /tmp/TZ) date "$DATEFMT"): $ddns_log >> ${DDNS_CACHE_PATH}/${host_name}.log
DDNS_REQUEST=$(echo "$DDNS_REQUEST" | sed "s/{DDNS_HOST}/${host_name}$(if [ -n "$host_name" -a -n "$DDNS_DOMAIN" ]; then echo ".";fi)${DDNS_DOMAIN}/g" | sed "s/{DDNS_USERNAME}/${DDNS_USERNAME}/g")
DDNS_REQUEST=$(echo "$DDNS_REQUEST" | sed "s/{DDNS_PASSWORD}/$(if [ -n "$host_pass" ]; then echo ${host_pass}; else echo ${DDNS_PASSWORD};fi)/g" | sed "s/{DDNS_IPV6}/${host_ip_full}/g")
echo $(TZ=$(cat /tmp/TZ) date "$DATEFMT"): curl -s -o ${DDNS_CACHE_PATH}/${host_name}.last $(if [ -n "$DDNS_AGENT " ]; then echo -A "$DDNS_AGENT ";fi)"${DDNS_REQUEST}" >> ${DDNS_CACHE_PATH}/${host_name}.log
curl -s -o ${DDNS_CACHE_PATH}/${host_name}.last $(if [ -n "$DDNS_AGENT " ]; then echo -A "$DDNS_AGENT ";fi)"${DDNS_REQUEST}"
if [ -f ${DDNS_CACHE_PATH}/${host_name}.last ]; then
if grep -E -q '^(nohost|badauth|badagent|abuse|911|notfqdn|numhost|dnserr|!donator)' ${DDNS_CACHE_PATH}/${host_name}.last; then
echo $(TZ=$(cat /tmp/TZ) date "$DATEFMT"): Failed: $(cat ${DDNS_CACHE_PATH}/${host_name}.last | sed -e 's/<[^>]*>/ /g' | tr -s ' ') >> ${DDNS_CACHE_PATH}/${host_name}.log
else
echo -n $host_ip_full > ${DDNS_CACHE_PATH}/${host_name}.cache
echo -n $(date +%s) > ${DDNS_CACHE_PATH}/${host_name}.date
echo $(TZ=$(cat /tmp/TZ) date "$DATEFMT"): Success: $(cat ${DDNS_CACHE_PATH}/${host_name}.last | sed -e 's/<[^>]*>/ /g' | tr -s ' ') >> ${DDNS_CACHE_PATH}/${host_name}.log
fi
rm ${DDNS_CACHE_PATH}/${host_name}.last
else
echo $(TZ=$(cat /tmp/TZ) date "$DATEFMT"): Failed: No Response >> ${DDNS_CACHE_PATH}/${host_name}.log
fi
elif [ -n "$IPV6_TYPE" ]; then
echo $(TZ=$(cat /tmp/TZ) date "$DATEFMT"): No Update Required >> ${DDNS_CACHE_PATH}/${host_name}.log
fi
if [ $(wc -l ${DDNS_CACHE_PATH}/${host_name}.log | awk '{ print $1 }') -gt 50 ]; then
sed -e :a -e '$q;N;51,$D;ba' ${DDNS_CACHE_PATH}/${host_name}.log > ${DDNS_CACHE_PATH}/${host_name}.log.tmp
mv ${DDNS_CACHE_PATH}/${host_name}.log.tmp ${DDNS_CACHE_PATH}/${host_name}.log
fi
fi
fi
done
done
fi
}
startdnsmasq () {
# Remove DNSMASQ listen address & interface from base config
sed -i '/listen-address/d' /tmp/dnsmasq.conf
sed -i '/interface/d' /tmp/dnsmasq.conf
if [ ! -f /tmp/dnsmasq.conf.tmp ]; then
cp /tmp/dnsmasq.conf /tmp/dnsmasq.conf.tmp
elif grep -q enable-ra /tmp/dnsmasq.conf; then
cp /tmp/dnsmasq.conf.tmp /tmp/dnsmasq.conf
else
cp /tmp/dnsmasq.conf /tmp/dnsmasq.conf.tmp
fi
echo >> /tmp/dnsmasq.conf
# DNSMASQ listen all interfaces except WAN
if [ $(nvram get wan_proto) == "pppoe" ]; then
echo "except-interface=$(nvram get pppoe_ifname)" >> /tmp/dnsmasq.conf
else
echo "except-interface=$(nvram get wan_ifname)" >> /tmp/dnsmasq.conf
fi
loop=0
echo $IPV6_IFS | sed 's/[ |,]/\n/g' | while read IPV6_IF; do
if [ -n "$(ifconfig | grep $IPV6_IF)" ]; then
echo dhcp-range=::${DNSMASQ_START}$(if [ -n "$DNSMASQ_END" ];then echo ",::$DNSMASQ_END";fi),constructor:${IPV6_IF}$(if [ -n "$DNSMASQ_RA_OPTIONS" ];then echo ",$DNSMASQ_RA_OPTIONS";fi),$DNSMASQ_DNS_EXPIRE >> /tmp/dnsmasq.conf
loop=$((loop + 1))
if [ $max_prefixes -eq $loop ]; then
exit
fi
fi
done
if [ $USE_RADVD != "on" ]; then
echo ra-param=*,$DNSMASQ_RA_BCAST,$DNSMASQ_RA_EXPIRE >> /tmp/dnsmasq.conf
echo enable-ra >> /tmp/dnsmasq.conf
echo quiet-ra >> /tmp/dnsmasq.conf
fi
echo quiet-dhcp >> /tmp/dnsmasq.conf
echo quiet-dhcp6 >> /tmp/dnsmasq.conf
CALLDNSMASQ=$(ps -w | grep [d]nsmasq | awk '{$1=$2=$3=$4=""; print $0}' | sed 's/^[ \t]*//')
killall dnsmasq
$CALLDNSMASQ
}
USE_RADVD=$(echo $USE_RADVD | tr '[A-Z]' '[a-z]')
USE_DNSMASQ=$(echo $USE_DNSMASQ | tr '[A-Z]' '[a-z]')
USE_DDNS=$(echo $USE_DDNS | tr '[A-Z]' '[a-z]')
RADVD_SLAAC=$(echo $RADVD_SLAAC | tr '[A-Z]' '[a-z]')
if [ $USE_DNSMASQ != "on" ]; then
USE_DNSMASQ=off
fi
if [ $RADVD_SLAAC != "off" ]; then
RADVD_SLAAC=on
fi
if [ -z "$DNSMASQ_HOSTS" ]; then
DNSMASQ_HOSTS=/tmp/dnsmasq.conf
fi
if [ -n "$1" ]; then
if [ $(echo $1 | tr '[a-z]' '[A-Z]') == "DDNS" ]; then
IPV6_TYPE=
ddns
fi
fi
case $(echo $IPV6_TYPE | tr '[a-z]' '[A-Z]') in
DHCP)
if [ -z "$interface" -o -z "$1" ]; then
/sbin/udhcpc -fq -i $(nvram get wan_ifname) -s $0 -O ip6rd
fi
;;
MANUAL)
ip6rd="$IP6RD_MASK_LENGTH $IP6RD_PREFEIX_SIZE $(expandip $IP6RD_PREFIX) $IP6RD_REMOTE"
;;
6IN4)
IPV6_TYPE=6IN4
ip6rd="0 $IP6IN4_PREFIX_SIZE $(expandip $IP6IN4_PREFIX) $IP6IN4_REMOTE"
;;
6TO4)
IPV6_TYPE=6TO4
ip6rd="0 16 $(expandip 2002::) any"
;;
esac
if [ -n "$ip6rd" ]; then
# sleep 5
if [ -z "$IPV6_IFS" ]; then
IPV6_IFS=$(ifconfig | grep -E 'br[0-9] |wl|vlan([2-9]|1[0-5])' | awk '{ print $1 }')
fi
if [ -z "$IPV6_MTU" ]; then
IPV6_MTU=$(($(nvram get wan_mtu) - 20))
fi
ipv4masklen=$(echo $ip6rd | awk '{print $1}')
ipv6prefixlen=$(echo $ip6rd | awk '{print $2}')
ipv6prefix=$(echo $ip6rd | awk '{print $3}')
ipv4remote=$(echo $ip6rd | awk '{print $4}')
if [ $IPV6_TYPE = "6IN4" ]; then
client_prefix_length=$ipv6prefixlen
else
client_prefix_length=$((ipv6prefixlen + 32 - ipv4masklen))
fi
if [ $client_prefix_length -gt 64 ]; then
exit
fi
max_prefixes=$((2 ** (64 - client_prefix_length)))
bin_ipv6prefix=$(echo $(hex2bin $ipv6prefix) | cut -c 1-$((ipv6prefixlen)))
hex_wanip=$(printf '%02x%02x%02x%02x' $(echo $(nvram get wan_ipaddr) | tr . ' '))
bin_wanip=$(echo $(hex2bin $hex_wanip) | cut -c $((ipv4masklen +1))-)
bin_tunnel_prefix=$(echo $bin_ipv6prefix$bin_wanip | sed -e :a -e 's/^[0-1]\{1,127\}$/&0/g;ta')
tunnel_prefix=$(makeprefix $(bin2hex $bin_tunnel_prefix) $client_prefix_length)
maketunnel
assignprefixes
if [ $USE_RADVD == "on" ]; then
startradvd
else
stopservice radvd
fi
if [ $USE_DNSMASQ == "on" ]; then
startdnsmasq
fi
ipv6firewall
ddns
echo -n $(nvram get wan_ipaddr) > /tmp/ipv6-tunnel.local
if [ ! -f "/tmp/ipv6-check.sh" ]; then
echo '#!/bin/sh' > /tmp/ipv6-check.sh
echo 'if ! ifconfig br0 | grep -q Global; then' >> /tmp/ipv6-check.sh
echo " $0" >> /tmp/ipv6-check.sh
if [ $(nvram get wan_proto) == "pppoe" ]; then
echo 'elif ! ifconfig $(nvram get pppoe_ifname) | grep -q addr:$(cat /tmp/ipv6-tunnel.local); then' >> /tmp/ipv6-check.sh
else
echo 'elif ! ifconfig $(nvram get wan_ifname) | grep -q addr:$(cat /tmp/ipv6-tunnel.local); then' >> /tmp/ipv6-check.sh
fi
echo " $0" >> /tmp/ipv6-check.sh
echo 'elif ! ip6tables -vnL FORWARD | grep -q icmpv6-filter; then' >> /tmp/ipv6-check.sh
echo " $0" >> /tmp/ipv6-check.sh
if [ $USE_DNSMASQ == "on" ]; then
echo 'elif ! cat /tmp/dnsmasq.conf | grep -q quiet-dhcp6; then' >> /tmp/ipv6-check.sh
echo " $0" >> /tmp/ipv6-check.sh
fi
echo 'fi' >> /tmp/ipv6-check.sh
fi
echo "* * * * * root sh /tmp/ipv6-check.sh" > /tmp/cron.d/ipv6-check
fi
|
|
|