I just set up a 6in4 he.net tunnel on my OpenWRT. Generally I would like to disable IPv6 routing to prevent "IPv6 leaks", but I have 1-2 machines which I'd like to allow explicitly. I realize that as soon as the tunnel device went up, my entire LAN had IPv6 access. Not great, but OK.
Then I went into Network -> Firewall -> Traffic Rules and created a rule:
Forwarded IPv6, From wan to lan: Reject forward
Forwarded IPv6, From lan to wan: Reject forward
To my surprise, whatever I did, my clients kept reaching IPv6 networks.
I debugged and found this:
root@MapleGate:~# ip6tables -L FORWARD -n -v
Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target                 prot opt in          out source destination
  271 21680 forwarding_rule        all      *           *   ::/0   ::/0        /* !fw3: Custom forwarding rule chain */
  271 21680 ACCEPT                 all      *           *   ::/0   ::/0        ctstate RELATED,ESTABLISHED /* !fw3 */
    0     0 zone_lan_forward       all      br-lan      *   ::/0   ::/0        /* !fw3 */
    0     0 zone_wan_forward       all      6in4-henet  *   ::/0   ::/0        /* !fw3 */
    0     0 zone_wan_forward       all      eth1.2      *   ::/0   ::/0        /* !fw3 */
    0     0 zone_wan_forward       all      tun0        *   ::/0   ::/0        /* !fw3 */
    0     0 zone_PRIVAnet_forward  all      tap0        *   ::/0   ::/0        /* !fw3 */
    0     0 reject                 all      *           *   ::/0   ::/0        /* !fw3 */
root@MapleGate:~# ip6tables -L forwarding_rule -n -v
Chain forwarding_rule (1 references)
 pkts bytes target prot opt in out source destination
root@MapleGate:~#
This means that all IPv6 packets are automatically accepted (if they are RELATED or ESTABLISHED). My rules never have any effect.
Why do my ICMP packets fall into RELATED & ESTABLISHED?
How do I properly disable IPv6 forwarding while keeping exceptions for a station based on MAC address?
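As an added example, not part of the original post, here is one fw3 /etc/config/firewall fragment that matches the question's goal: IPv4 keeps forwarding from lan to wan, while IPv6 is only forwarded for a single station selected by MAC address. The zone names lan and wan are taken from the post; the MAC 00:11:22:33:44:55 is a placeholder. The ctstate RELATED,ESTABLISHED accept in FORWARD only matches packets of a flow that conntrack has already seen accepted as NEW, so new IPv6 flows do reach zone_lan_forward and the rule below; flows that were already open when the configuration changed keep working until their conntrack entries time out (or are flushed with `conntrack -F`, if the conntrack userspace tool is installed).

```uci
# Added example (not from the original post): /etc/config/firewall fragment
# for OpenWrt's fw3. Zone names lan/wan come from the post; the MAC address
# below is a placeholder for the one permitted station.

# Inter-zone forwarding is limited to IPv4. With no IPv6 forwarding
# section, IPv6 packets from lan fall through zone_lan_forward and end
# at the final "reject" in FORWARD.
config forwarding
	option src	'lan'
	option dest	'wan'
	option family	'ipv4'

# Exception: new IPv6 flows from this one station are accepted.
# User rules are evaluated in zone_lan_forward before the fall-through
# reject, so this takes precedence for matching packets.
config rule
	option name	'Allow-IPv6-forward-one-host'
	option src	'lan'
	option dest	'wan'
	option family	'ipv6'
	option src_mac	'00:11:22:33:44:55'
	option proto	'all'
	option target	'ACCEPT'
```

After `/etc/init.d/firewall reload`, `ip6tables -L zone_lan_forward -n -v` should show the src_mac ACCEPT rule ahead of the zone's default verdict, and the counters on it should grow only when the permitted station opens new IPv6 connections. MAC matching works only in the direction where the station is the sender (lan to wan); return traffic is accepted by the conntrack state rule, which is the intended behaviour.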