Block all IPv6 traffic from specific device: use iptables?

stoli412

Occasional Visitor
Hi all, I'm hoping you can help with this. I have a Hurricane Electric IPv6 tunnel set up on my router. Unfortunately Netflix sees this as an attempt to circumvent its geoblocking. The simple solution would be to disable IPv6 on my streaming devices, but you can't do this on an Apple TV. So, I would like to block ALL IPv6 traffic from the Apple TV. Can I accomplish this with an ip6tables rule on the router? Something like:

Code:
ip6tables -A FORWARD -i br0 -m mac --mac-source [mac address] -j DROP

Would this work? Is FORWARD the right chain, or maybe PREROUTING? Is br0 the right interface? Which script would I use to make it persistent?


EDIT: I think I've got it:

Code:
ip6tables -t mangle -A PREROUTING -m mac --mac-source [mac address] -j DROP

Could anyone tell me which script to put this in to make it persistent? And/or, if you know of a better way of doing this, I'd love to hear it!
 
I don't use IPv6, and therefore I don't use ip6tables, but given what I know about iptables (IPv4), the mangle table is typically NOT the correct place to drop packets. It won't necessarily produce an error preventing the addition of the rule, but if this was the nat table instead (which people commonly used to use for DROPs with iptables), the more recent versions of iptables will generate an error. Also, if I recall correctly, using iptables, the mangle table would accept the use of the mac module, but it wouldn't work. It was just ignored. It would only work in the filter table.

So if iptables (ipv4) is any example, I'd say you're more likely to have success using the filter table (the default if no table is specified) rather than the mangle (or nat) table.

Code:
ip6tables -I FORWARD -i br0 -m mac --mac-source 01:02:03:04:05:06 -j DROP

Using ssh, copy/paste it into the window and verify it got added with the following command.

Code:
ip6tables -vnL FORWARD

Then verify it's working before committing it to the firewall-start script, thus making it persistent.
 
Putting the rule in the FORWARD chain of the filter table had no effect, and I think it's because the MAC address has already been changed by the time it gets there? I think it needs to go into the PREROUTING chain, but there is no PREROUTING chain in the filter table.

I agree that the nat table would make more sense than mangle, but there is no nat table in ipv6. So I stuck it in the prerouting chain of the mangle table and it's working just fine.

I really don't understand all the ins and outs of iptables, so I appreciate any help and expertise offered. :)
 
I'm doing something similar, blocking IPv6 on Chromecasts and a Samsung TV. I'm using the firewall rule

Code:
ip6tables -A INPUT -m mac --mac-source <mac address> -j DROP

I'm wondering if the rule proposed by @stoli412 is an improvement?
 
@PeterR does putting the rule in the INPUT chain work for you? I could have sworn I tried that and it didn't work for me. I'll need to try again and see what happens.

If it works there, it makes more sense to go in the default filter table than the mangle table like I'm doing.
 
Working here. I'm using a smart DNS proxy with DNS filtering for the devices. Before applying the firewall rule the devices were circumventing the filtering using IPv6.
 
Just an FYI, when you use the block internet setting in the web GUI, the entry is put in the FORWARD chain of iptables and ip6tables. So, I would think ip6tables is the place to do this.
 
The INPUT chain is for packets directed at the router itself. The FORWARD chain is for packets directed elsewhere, where the router is just passing them through from one network interface to another (typically LAN (br0) to WAN (vlan2)). So whichever of those chains is appropriate just depends on what you're targeting: the router vs. some other network, like the internet. In the case of the OP, by using the PREROUTING chain, which is hit *first*, regardless of whether the packets eventually hit the INPUT or FORWARD chain, he covers both possibilities.
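The thread's advice adds up to one procedure: put a MAC-matching DROP in the filter table, cover both the INPUT chain (traffic to the router) and the FORWARD chain (traffic the router passes to the WAN), verify with `ip6tables -vnL`, then commit it to the firewall-start script. The script below is an added example written for this page, not code posted by anyone in the thread. It assumes the Asuswrt-Merlin path `/jffs/scripts/firewall-start` (the thread names the script but not its location), the constructed sample MAC `01:02:03:04:05:06`, and `br0` as the LAN bridge. It goes beyond the one-liners above by checking with `ip6tables -C` before inserting, so re-running the script (firewall-start can fire more than once) does not stack duplicate rules, and by refusing a malformed MAC instead of silently installing a rule that never matches. `DRY_RUN=1` prints the commands instead of executing them, which is how the rules can be reviewed on a desktop before copying the file to the router.

```shell
#!/bin/sh
# Added example (not from the thread): drop all IPv6 from one LAN device by
# MAC, in the filter table's INPUT and FORWARD chains. Intended for
# /jffs/scripts/firewall-start (assumed Asuswrt-Merlin path).
# DRY_RUN=1 prints the ip6tables commands instead of running them.

# Constructed sample values; set BLOCK_MAC to the real device address.
BLOCK_MAC="${BLOCK_MAC:-01:02:03:04:05:06}"
LAN_IF="${LAN_IF:-br0}"
DRY_RUN="${DRY_RUN:-0}"

# Return 0 when $1 is six colon-separated hex octets, 1 otherwise.
valid_mac() {
    printf '%s' "$1" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$'
}

# Execute a command, or print it on stdout when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Insert a rule at the top of a chain only if an identical rule is not
# already present (ip6tables -C returns 0 when the rule exists).
ensure_rule() {
    chain="$1"; shift
    if [ "$DRY_RUN" = "1" ] || ! ip6tables -C "$chain" "$@" 2>/dev/null; then
        run ip6tables -I "$chain" "$@"
    fi
}

# Install the two DROP rules for one MAC. Matching on -i "$LAN_IF" as well
# as the MAC keeps the rule scoped to frames that really arrive from the LAN.
block_ipv6_for_mac() {
    mac=$(printf '%s' "$1" | tr 'A-F' 'a-f')
    valid_mac "$mac" || { echo "invalid MAC address: $1" >&2; return 1; }
    # Packets the router forwards on the device's behalf (LAN -> WAN tunnel).
    ensure_rule FORWARD -i "$LAN_IF" -m mac --mac-source "$mac" -j DROP
    # Packets addressed to the router itself (e.g. DNS over IPv6).
    ensure_rule INPUT -i "$LAN_IF" -m mac --mac-source "$mac" -j DROP
}

# Print both chains with packet counters so a hit on the DROP rule is visible.
show_rules() {
    run ip6tables -vnL FORWARD
    run ip6tables -vnL INPUT
}

# Apply for real only where ip6tables exists; a dry run works anywhere.
if [ "$DRY_RUN" = "1" ] || command -v ip6tables >/dev/null 2>&1; then
    block_ipv6_for_mac "$BLOCK_MAC" && show_rules
fi
```

After the script runs on the router, a non-zero `pkts` count on the DROP line of `ip6tables -vnL FORWARD` (or INPUT) is the confirmation that the device's frames are being matched; a count stuck at zero usually means the MAC or the interface name is wrong, which is exactly the case the validation step and the `-i br0` match are there to make obvious.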
 
