Block all IPv6 traffic from specific device: use iptables?


stoli412

Occasional Visitor
Hi all, I'm hoping you can help with this. I have a Hurricane Electric IPv6 tunnel set up on my router. Unfortunately Netflix sees this as an attempt to circumvent its geoblocking. The simple solution would be to disable IPv6 on my streaming devices, but you can't do this on an Apple TV. So, I would like to block ALL IPv6 traffic from the Apple TV. Can I accomplish this with an ip6tables rule on the router? Something like:

Code:
ip6tables -A FORWARD -i br0 -m mac --mac-source [mac address] -j DROP

Would this work? Is FORWARD the right chain, or maybe PREROUTING? Is br0 the right interface? Which script would I use to make it persistent?


EDIT: I think I've got it:

Code:
ip6tables -t mangle -A PREROUTING -m mac --mac-source [mac address] -j DROP

Could anyone tell me which script to put this in to make it persistent? And/or, if you know of a better way of doing this, I'd love to hear it!

eibgrad

Very Senior Member
I don't use ipv6, and therefore I don't use ip6tables, but given what I know about iptables (ipv4), the mangle table is typically NOT the correct place to drop packets. It won't necessarily produce an error preventing the addition of the rule, but if this was the nat table instead (which people commonly used for DROPs with iptables), the more recent versions of iptables will generate an error. Also, if I recall correctly, using iptables, the mangle table would accept the use of the mac module, but it wouldn't work. It was just ignored. It would only work in the filter table.

So if iptables (ipv4) is any example, I'd say you're more likely to have success using the filter table (the default if no table is specified) rather than the mangle (or nat) table.

Code:
ip6tables -I FORWARD -i br0 -m mac --mac-source 01:02:03:04:05:06 -j DROP

Using ssh, copy/paste it into the window and verify it got added with the following command.

Code:
ip6tables -vnL FORWARD

Then verify it's working before committing it to the firewall-start script, thus making it persistent.

stoli412

Occasional Visitor
Putting the rule in the FORWARD chain of the filter table had no effect, and I think it's because the mac address has already been changed by the time it gets there? I think it needs to go into the PREROUTING chain, but there is no PREROUTING chain in the filter table.

I agree that the nat table would make more sense than mangle, but there is no nat table in ipv6. So I stuck it in the prerouting chain of the mangle table and it's working just fine.

I really don't understand all the ins and outs of iptables, so I appreciate any help and expertise offered. :)

PeterR

Regular Contributor
I'm doing something similar, blocking ipv6 on chromecasts and a Samsung TV, I'm using the firewall rule

Code:
ip6tables -A INPUT -m mac --mac-source <mac address> -j DROP

I'm wondering if the rule proposed by @stoli412 is an improvement?
 

stoli412

Occasional Visitor
@PeterR does putting the rule in the INPUT chain work for you? I could have sworn I tried that and it didn't work for me. I'll need to try again and see what happens.

If it works there, it makes more sense to go in the default filter table than the mangle table like I'm doing.
 

PeterR

Regular Contributor
Working here, I'm using a smart DNS proxy with DNS filtering for the devices. Before applying the firewall rule the devices were circumventing the filtering using ipv6.
 

Frank Monroe

Occasional Visitor
Just an FYI, when you use the block internet setting in the web GUI, the entry is put in the FORWARD chain of iptables and ip6tables. So, I would think ip6tables is the place to do this.
 

eibgrad

Very Senior Member
The INPUT chain is for packets directed at the router itself. The FORWARD chain is for packets directed elsewhere, where the router is just passing them through from one network interface to another (typically LAN (br0) to WAN (vlan2)). So whichever of those chains is appropriate just depends on what you're targeting; the router vs. some other network, like the internet. In the case of the OP, by using the PREROUTING chain, which is hit *first*, regardless whether the packets eventually hit the INPUT or FORWARD chain, he covers both possibilities.
 
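Putting eibgrad's chain explanation into a script (an added example, not code from the thread or from the router firmware): it installs the same MAC-based DROP in both the INPUT chain (packets for the router itself) and the FORWARD chain (packets the router passes on), all in the default filter table, so neither path is missed and the mangle table is not needed. Assumptions: the LAN bridge is br0, the script is run from a firewall-start style hook that may fire more than once, so every insert is first checked with `-C` to keep it idempotent, and the MAC addresses are constructed placeholders from the locally administered range. The `dry_ipt6tables` helper below is mine, for previewing the commands off the router.

```shell
#!/bin/sh
# Added example (not from the thread): block all IPv6 from listed LAN MACs in
# both INPUT and FORWARD of the filter table. Assumes LAN bridge br0 and that
# the script may be re-run, so inserts are guarded with -C. MACs are placeholders.

IP6TABLES="${IP6TABLES:-ip6tables}"   # set to dry_ip6tables to preview commands
LAN_IF="${LAN_IF:-br0}"
# Constructed placeholder MACs (locally administered), not real devices.
BLOCK_MACS="${BLOCK_MACS:-02:00:00:00:00:01 02:00:00:00:00:02}"

# dry_ip6tables: stand-in backend that prints each command instead of running
# it and treats every -C check as "rule absent", so a dry run shows the inserts.
dry_ip6tables() {
    [ "$1" = "-C" ] && return 1
    echo "ip6tables $*"
}

# valid_mac MAC: succeed only for six colon-separated hex octets (aa:bb:cc:dd:ee:ff).
valid_mac() {
    case "$1" in
        ??:??:??:??:??:??) ;;
        *) return 1 ;;
    esac
    [ -z "$(printf '%s' "$1" | tr -d '0-9a-fA-F:')" ]
}

# rule_spec CHAIN MAC: the rule without its -A/-I/-C/-D verb, so the very same
# text is used to check for the rule and to insert it.
rule_spec() {
    printf '%s -i %s -m mac --mac-source %s -j DROP' "$1" "$LAN_IF" "$2"
}

# ensure_block CHAIN MAC: insert the DROP at the top of CHAIN unless -C reports
# it already exists; re-running the script therefore never duplicates rules.
# Word splitting of $spec into separate arguments is intended.
ensure_block() {
    spec=$(rule_spec "$1" "$2")
    $IP6TABLES -C $spec 2>/dev/null && return 0
    $IP6TABLES -I $spec
}

# apply_all: validate each MAC, then block it in both chains. Returns non-zero
# if any MAC is malformed or any insert fails, so a typo in the list is noticed.
apply_all() {
    rc=0
    for mac in $BLOCK_MACS; do
        if ! valid_mac "$mac"; then
            echo "bad MAC: $mac" >&2
            rc=1
            continue
        fi
        ensure_block INPUT "$mac" || rc=1
        ensure_block FORWARD "$mac" || rc=1
    done
    return $rc
}

# "sh block-ipv6.sh apply" on the router, or "sh block-ipv6.sh dry-run" anywhere
# to print the commands. From firewall-start, source this file and call apply_all.
case "${1:-}" in
    apply)   apply_all ;;
    dry-run) IP6TABLES=dry_ip6tables; apply_all ;;
esac
```

After applying on the router, `ip6tables -vnL INPUT` and `ip6tables -vnL FORWARD` should each show the DROP rule at the top with the MAC in the rightmost column, and the packet counters should climb as soon as the device tries IPv6; counters that stay at zero mean the packets are not reaching that chain.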
