Basic IPv6 firewall rule for RouterOS


Because IPv6 has no NAT, a basic IPv6 firewall rule set on the RouterBoard is necessary; otherwise hosts on the outside can reach internal machines directly over IPv6.
Below is a basic rule set for a PPPoE environment.

/ipv6 firewall filter
add action=accept chain=forward connection-state=established in-interface=pppoe-out1 comment="allow established connections"
add action=accept chain=forward connection-state=related in-interface=pppoe-out1 comment="allow related connections"
add action=accept chain=forward in-interface=pppoe-out1 protocol=icmpv6 comment="allow the outside to ping internal hosts"
add action=accept chain=forward dst-port=22 in-interface=pppoe-out1 protocol=tcp comment="allow the outside to reach port 22 inside; remove if not needed"
add action=accept chain=input in-interface=pppoe-out1 protocol=icmpv6 comment="allow the outside to ping the RouterBoard itself"
add action=accept chain=input comment="DHCPv6 client; required, otherwise no address is obtained" dst-port=546 protocol=udp
add action=drop chain=forward in-interface=pppoe-out1 comment="DROP all other forwarded packets"
add action=drop chain=input in-interface=pppoe-out1 comment="DROP all other packets to the RouterBoard itself arriving via pppoe-out1"
add action=drop chain=input in-interface=ether1 comment="DROP all other packets to the RouterBoard itself arriving via ether1; pppoe-out1 is dialled over ether1, so add this too"

Here chain=forward means packets forwarded through the RouterBoard,
and chain=input means packets addressed to the RouterBoard itself.
With the example above, from the outside only ping (ICMPv6) and port 22 get through to the inside over IPv6; inside to outside is unrestricted.
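To check what the rule set above actually lets through, here is a small Python evaluator of those nine rules (an added example, not the post's own code or anything from RouterOS). It walks each chain top-down with first-match-wins and default-accept, as RouterOS does, and keeps a toy connection table so that reply packets are seen as established. The interface name ether2 for the LAN side, the router address and the 2001:db8::/32 host addresses are constructed assumptions; "related" state is not modelled. The last scenario is the check a practitioner would want: because chain=input has no established/related accept, a reply to a query the router itself sent out over pppoe-out1 (for example DNS) is dropped by the input drop rule.

```python
from dataclasses import dataclass, field

# Rules transcribed from the post, in the order given; RouterOS evaluates a
# chain top-down and the first matching rule decides.
RULES = [
    ("forward", {"connection-state": "established", "in-interface": "pppoe-out1"}, "accept"),
    ("forward", {"connection-state": "related", "in-interface": "pppoe-out1"}, "accept"),
    ("forward", {"in-interface": "pppoe-out1", "protocol": "icmpv6"}, "accept"),
    ("forward", {"in-interface": "pppoe-out1", "protocol": "tcp", "dst-port": 22}, "accept"),
    ("input", {"in-interface": "pppoe-out1", "protocol": "icmpv6"}, "accept"),
    ("input", {"protocol": "udp", "dst-port": 546}, "accept"),
    ("forward", {"in-interface": "pppoe-out1"}, "drop"),
    ("input", {"in-interface": "pppoe-out1"}, "drop"),
    ("input", {"in-interface": "ether1"}, "drop"),
]

# Constructed address from the 2001:db8::/32 documentation prefix (assumption).
ROUTER_ADDRS = {"2001:db8:1::1"}


@dataclass
class Packet:
    in_interface: str          # "" for packets the router itself generates
    protocol: str              # "tcp", "udp" or "icmpv6"
    src: str
    dst: str
    src_port: int = 0
    dst_port: int = 0


@dataclass
class ConnTrack:
    """Minimal stand-in for RouterOS connection tracking: remembers 5-tuples of
    flows that were allowed through. 'related' is not modelled and never matches."""
    flows: set = field(default_factory=set)

    def state(self, p: Packet) -> str:
        fwd = (p.protocol, p.src, p.src_port, p.dst, p.dst_port)
        rev = (p.protocol, p.dst, p.dst_port, p.src, p.src_port)
        return "established" if fwd in self.flows or rev in self.flows else "new"

    def remember(self, p: Packet) -> None:
        self.flows.add((p.protocol, p.src, p.src_port, p.dst, p.dst_port))


def chain_for(p: Packet) -> str:
    """input = addressed to the router, forward = passing through, output = router-generated."""
    if not p.in_interface:
        return "output"
    return "input" if p.dst in ROUTER_ADDRS else "forward"


def matches(rule_match: dict, p: Packet, state: str) -> bool:
    fields = {"connection-state": state, "in-interface": p.in_interface,
              "protocol": p.protocol, "dst-port": p.dst_port}
    return all(fields[k] == v for k, v in rule_match.items())


def evaluate(p: Packet, ct: ConnTrack):
    """Return (chain, action, index of the matching rule). With no matching rule
    RouterOS accepts by default, reported here as index None."""
    chain, state = chain_for(p), ct.state(p)
    action, idx = "accept", None
    for i, (rchain, m, act) in enumerate(RULES):
        if rchain == chain and matches(m, p, state):
            action, idx = act, i
            break
    if action == "accept":
        ct.remember(p)
    return chain, action, idx


def run_scenarios() -> dict:
    """Constructed traffic: lan = internal host, wan = Internet host, rtr = the router."""
    ct = ConnTrack()
    lan, wan, rtr = "2001:db8:1::10", "2001:db8:ffff::5", "2001:db8:1::1"
    out = {}
    # Internet -> internal host: ping, SSH and HTTP arriving on pppoe-out1
    out["wan_ping_lan"] = evaluate(Packet("pppoe-out1", "icmpv6", wan, lan), ct)
    out["wan_ssh_lan"] = evaluate(Packet("pppoe-out1", "tcp", wan, lan, 50000, 22), ct)
    out["wan_http_lan"] = evaluate(Packet("pppoe-out1", "tcp", wan, lan, 50001, 80), ct)
    # Internal host -> Internet HTTPS from the LAN port (assumed ether2): no rule, default accept
    out["lan_https_wan"] = evaluate(Packet("ether2", "tcp", lan, wan, 40000, 443), ct)
    # ... and its reply, now 'established', accepted by the first forward rule
    out["wan_https_reply"] = evaluate(Packet("pppoe-out1", "tcp", wan, lan, 443, 40000), ct)
    # DHCPv6 server reply to the router's client on UDP/546
    out["dhcpv6_reply"] = evaluate(Packet("pppoe-out1", "udp", wan, rtr, 547, 546), ct)
    # The router's own DNS query (output chain, unfiltered) and the reply on the input chain
    out["router_dns_query"] = evaluate(Packet("", "udp", rtr, wan, 30000, 53), ct)
    out["router_dns_reply"] = evaluate(Packet("pppoe-out1", "udp", wan, rtr, 53, 30000), ct)
    return out


if __name__ == "__main__":
    for name, (chain, action, idx) in run_scenarios().items():
        print(f"{name:18} chain={chain:8} {action:6} rule={idx}")
```

The first six scenarios confirm the post's summary (ping and port 22 in, everything else from the outside dropped, internal-initiated flows and their replies fine). The DNS reply scenario shows the one gap: any service the router itself consumes over pppoe-out1 needs an input-chain accept for established/related traffic, placed above the input drop rules.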

About this Entry

This page contains a single entry by Pank published on June 21, 2019 9:46 AM.
