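# IPv6 firewall for a router: local network on br0, IPv6 uplink on the sixxs
# tunnel interface. ip6tables walks each chain top to bottom and stops at the
# first rule whose target is ACCEPT or DROP, so rule order is significant.

# Fail closed: set the default policies before flushing, so that no chain is
# left with an ACCEPT policy and an empty rule list while the script runs.
ip6tables -P INPUT DROP
ip6tables -P FORWARD DROP
ip6tables -P OUTPUT DROP

# Delete all existing rules and user-defined chains of the filter table.
ip6tables -F
ip6tables -X

# Filter all packets that have RH0 headers (type 0 routing header, deprecated
# by RFC 5095). These DROP rules must stay first in every chain: placed after
# the loopback, br0 or ICMPv6 ACCEPT rules they would never be reached for
# the traffic those rules already accept.
ip6tables -A INPUT -m rt --rt-type 0 -j DROP
ip6tables -A FORWARD -m rt --rt-type 0 -j DROP
ip6tables -A OUTPUT -m rt --rt-type 0 -j DROP

# Allow ICMPv6 everywhere. Appended (-A) rather than inserted (-I) so that it
# stays behind the RH0 drops above.
# NOTE(review): this forwards every ICMPv6 type from the tunnel to the local
# network; RFC 4890 describes a narrower set if that is wanted.
ip6tables -A INPUT -p icmpv6 -j ACCEPT
ip6tables -A OUTPUT -p icmpv6 -j ACCEPT
ip6tables -A FORWARD -p icmpv6 -j ACCEPT

# Allow anything on the loopback interface.
ip6tables -A INPUT -i lo -j ACCEPT
ip6tables -A OUTPUT -o lo -j ACCEPT

# Allow anything out on the internet (traffic originated by this host).
ip6tables -A OUTPUT -o sixxs -j ACCEPT

# Allow the local network to reach this host, and this host to reach it.
ip6tables -A INPUT -i br0 -j ACCEPT
ip6tables -A OUTPUT -o br0 -j ACCEPT

# Forwarding that stays on the local network only. A blanket
# "FORWARD -o br0 -j ACCEPT" would accept every packet routed from the tunnel
# to the local network and bypass the per-port rules below; a blanket
# "FORWARD -i br0 -j ACCEPT" would bypass the source-prefix check on
# outbound traffic.
ip6tables -A FORWARD -i br0 -o br0 -j ACCEPT

# Allow link-local source addresses.
# NOTE(review): not bound to an interface, so it also applies to sixxs.
ip6tables -A INPUT -s fe80::/10 -j ACCEPT
ip6tables -A OUTPUT -s fe80::/10 -j ACCEPT

# Allow multicast.
# NOTE(review): these match on the SOURCE address (-s), but a multicast
# address is only valid as a destination, so legitimate traffic never matches.
# Left unchanged; neighbour discovery is already covered by the ICMPv6 rules.
# If multicast services are needed, use -d scoped to an interface instead.
ip6tables -A INPUT -s ff00::/8 -j ACCEPT
ip6tables -A OUTPUT -s ff00::/8 -j ACCEPT

# Allow forwarding: new connections from the local network to the internet,
# only with a source address inside our own prefix, plus the replies to
# connections that are already tracked.
ip6tables -A FORWARD -m state --state NEW -i br0 -o sixxs -s 2001:6f8:141a::/48 -j ACCEPT
ip6tables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
ip6tables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# SSH in, to any address of the /48 (forwarded hosts and this router).
# NOTE(review): reachable from any source; consider restricting with -s.
ip6tables -A FORWARD -i sixxs -p tcp -d 2001:6f8:141a::/48 --dport 22 -j ACCEPT
ip6tables -A INPUT -i sixxs -p tcp -d 2001:6f8:141a::/48 --dport 22 -j ACCEPT

# HTTP k7vm2.meix.ddpo.be in (single destination address, no prefix length).
ip6tables -A FORWARD -i sixxs -p tcp -d 2001:6f8:141a:: --dport 80 -j ACCEPT
ip6tables -A INPUT -i sixxs -p tcp -d 2001:6f8:141a:: --dport 80 -j ACCEPT

# Test: internal mail server (SMTP).
# NOTE(review): labelled as a test; confirm it is still needed.
ip6tables -A FORWARD -i sixxs -p tcp -d 2001:6f8:141a:: --dport 25 -j ACCEPT
ip6tables -A INPUT -i sixxs -p tcp -d 2001:6f8:141a:: --dport 25 -j ACCEPT

# Bittorrent (disabled)
#ip6tables -A FORWARD -i sixxs -p tcp -d 2001:6f8:141a::5 --dport 33600:33604 -j ACCEPT

# IPv4 only: redirect HTTP arriving from the local network to local port 3128
# (presumably a transparent proxy; confirm). The nat table is not flushed by
# this script, so check for the rule first (-C) to avoid appending a duplicate
# on every run.
iptables -t nat -C PREROUTING -i br0 -p tcp --dport 80 -j REDIRECT --to-port 3128 2>/dev/null ||
    iptables -t nat -A PREROUTING -i br0 -p tcp --dport 80 -j REDIRECT --to-port 3128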