IPv6: How to block incoming traffic to specific device?

darwusch

New Around Here
How to block incoming traffic to a specific device with IPv6?
I just enabled IPv6 on my Asus AC86U with merlin 386.3_2.
Some devices on my network are now visible on the internet through their IPv6 addresses, which I only want for my server PC, not for other devices.
For instance, I want my audio receiver to be able to connect to the internet for updating its firmware, but I don't want others to be able to connect to its interface through the internet.

With IPv4 this was easy, because no ports were forwarded to my audio device.
How can I do this now that it has an IPv6 address?
 
I thought the default behaviour of the IPv6 firewall was to block unsolicited incoming connections. At least that's what the GUI page says.

Firewall > General > IPv6 Firewall > Enable IPv6 Firewall = Yes
 
No, the firewall mentions: "All outbound traffic coming from IPv6 hosts on your LAN is allowed, as well as related inbound traffic."
And all devices with a management interface are visible and accessible this way, with IPv6.
So for instance every webcam, etc.
That is the default behaviour of the IPv6 firewall when enabled.
I find it really strange that it is so unclear how to block it, while with IPv4 it is so easy to do.
 
No, the firewall mentions: "All outbound traffic coming from IPv6 hosts on your LAN is allowed, as well as related inbound traffic."
That was my point. "related inbound traffic" (i.e. replies to previous outbound traffic) not unsolicited inbound traffic. However, from what you said this is obviously not working.

What do you get from this command?
Code:
ip6tables-save
 
This is the output of that command.

Code:
/tmp/home/root$ ip6tables-save

# Generated by ip6tables-save v1.4.15 on Fri Dec 10 16:00:52 2021
*mangle
:PREROUTING ACCEPT [94029:23460173]
:INPUT ACCEPT [37758:4672279]
:FORWARD ACCEPT [28470:10212481]
:OUTPUT ACCEPT [40037:4937080]
:POSTROUTING ACCEPT [70038:15367409]
COMMIT
# Completed on Fri Dec 10 16:00:52 2021
# Generated by ip6tables-save v1.4.15 on Fri Dec 10 16:00:52 2021
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [40037:4937080]
:ICMP_V6 - [0:0]
:ICMP_V6_LOCAL - [0:0]
:NSFW - [0:0]
:PControls - [0:0]
:UPNP - [0:0]
:logaccept - [0:0]
:logdrop - [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j logaccept
-A INPUT -i br0 -m state --state NEW -j ACCEPT
-A INPUT -i lo -m state --state NEW -j ACCEPT
-A INPUT -m state --state INVALID -j logdrop
-A INPUT -p ipv6-nonxt -m length --length 40 -j ACCEPT
-A INPUT -i br0 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p udp -m udp --sport 547 --dport 546 -j logaccept
-A INPUT -p ipv6-icmp -j ICMP_V6_LOCAL
-A INPUT -p ipv6-icmp -j ICMP_V6
-A INPUT -j logdrop
-A FORWARD -m state --state RELATED,ESTABLISHED -j logaccept
-A FORWARD -i br0 -o vlan2 -j logaccept
-A FORWARD -i br0 -o br0 -j logaccept
-A FORWARD -m state --state INVALID -j logdrop
-A FORWARD -p ipv6-nonxt -m length --length 40 -j ACCEPT
-A FORWARD -p ipv6-icmp -j ICMP_V6
-A FORWARD -j logdrop
-A ICMP_V6 -p ipv6-icmp -m icmp6 --icmpv6-type 128 -m limit --limit 1/sec -j logaccept
-A ICMP_V6 -p ipv6-icmp -m icmp6 --icmpv6-type 1 -j logaccept
-A ICMP_V6 -p ipv6-icmp -m icmp6 --icmpv6-type 2 -j logaccept
-A ICMP_V6 -p ipv6-icmp -m icmp6 --icmpv6-type 3 -j logaccept
-A ICMP_V6 -p ipv6-icmp -m icmp6 --icmpv6-type 4 -j logaccept
-A ICMP_V6 -p ipv6-icmp -m icmp6 --icmpv6-type 129 -j logaccept
-A ICMP_V6 -j logdrop
-A ICMP_V6_LOCAL -p ipv6-icmp -m icmp6 --icmpv6-type 130 -j logaccept
-A ICMP_V6_LOCAL -p ipv6-icmp -m icmp6 --icmpv6-type 131 -j logaccept
-A ICMP_V6_LOCAL -p ipv6-icmp -m icmp6 --icmpv6-type 132 -j logaccept
-A ICMP_V6_LOCAL -p ipv6-icmp -m icmp6 --icmpv6-type 133 -j logaccept
-A ICMP_V6_LOCAL -p ipv6-icmp -m icmp6 --icmpv6-type 134 -j logaccept
-A ICMP_V6_LOCAL -p ipv6-icmp -m icmp6 --icmpv6-type 135 -j logaccept
-A ICMP_V6_LOCAL -p ipv6-icmp -m icmp6 --icmpv6-type 136 -j logaccept
-A ICMP_V6_LOCAL -p ipv6-icmp -m icmp6 --icmpv6-type 141 -j logaccept
-A ICMP_V6_LOCAL -p ipv6-icmp -m icmp6 --icmpv6-type 142 -j logaccept
-A ICMP_V6_LOCAL -p ipv6-icmp -m icmp6 --icmpv6-type 143 -j logaccept
-A ICMP_V6_LOCAL -p ipv6-icmp -m icmp6 --icmpv6-type 148 -j logaccept
-A ICMP_V6_LOCAL -p ipv6-icmp -m icmp6 --icmpv6-type 149 -j logaccept
-A ICMP_V6_LOCAL -p ipv6-icmp -m icmp6 --icmpv6-type 151 -j logaccept
-A ICMP_V6_LOCAL -p ipv6-icmp -m icmp6 --icmpv6-type 152 -j logaccept
-A ICMP_V6_LOCAL -p ipv6-icmp -m icmp6 --icmpv6-type 153 -j logaccept
-A ICMP_V6_LOCAL -j RETURN
-A NSFW -i br0 -o vlan2 -j RETURN
-A PControls -j logdrop
-A logaccept -m state --state NEW -j LOG --log-prefix "ACCEPT " --log-tcp-sequence --log-tcp-options --log-ip-options
-A logaccept -j ACCEPT
-A logdrop -m state --state NEW -j LOG --log-prefix "DROP " --log-tcp-sequence --log-tcp-options --log-ip-options
-A logdrop -j DROP
COMMIT
# Completed on Fri Dec 10 16:00:52 2021
 
Well, it looks like the firewall rules are correct. Incoming traffic for LAN devices will be hitting the FORWARD chain and we can see that the default rule there is to drop any unrelated (i.e. unsolicited) traffic. So I'm at a loss as to why this isn't working.

You could add your own rules via scripts but I can't think what rule you'd add that isn't already covered by the existing rules.
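An added check that is not part of the thread: a small Python script that parses the FORWARD chain out of an ip6tables-save dump like the one posted above and reports the verdict an unsolicited new TCP/UDP flow gets for a given interface pair. The embedded dump is a constructed excerpt of the posted rules (LAN bridge br0, WAN interface vlan2, logging rules left out); it shows that WAN-to-LAN new flows fall through to logdrop while LAN-to-LAN flows are accepted by the `-i br0 -o br0` rule.

```python
import re

# Constructed excerpt of the ip6tables-save output in this thread (LAN br0, WAN vlan2).
# The LOG lines of logaccept/logdrop are omitted; only the final verdict matters here.
SAMPLE_DUMP = """\
*filter
:FORWARD DROP [0:0]
-A FORWARD -m state --state RELATED,ESTABLISHED -j logaccept
-A FORWARD -i br0 -o vlan2 -j logaccept
-A FORWARD -i br0 -o br0 -j logaccept
-A FORWARD -m state --state INVALID -j logdrop
-A FORWARD -p ipv6-nonxt -m length --length 40 -j ACCEPT
-A FORWARD -p ipv6-icmp -j ICMP_V6
-A FORWARD -j logdrop
-A logaccept -j ACCEPT
-A logdrop -j DROP
COMMIT
"""

def parse_filter_table(dump):
    # Return (chain policies, rules per chain) for the *filter table only.
    policies, rules, in_filter = {}, {}, False
    for line in dump.splitlines():
        if line.startswith("*"):
            in_filter = (line == "*filter")
        elif in_filter and line.startswith(":"):
            chain, policy = line[1:].split()[:2]
            policies[chain] = policy
        elif in_filter and line.startswith("-A "):
            chain, spec = line[3:].split(" ", 1)
            rules.setdefault(chain, []).append(spec)
    return policies, rules

def verdict_for_new_forward(dump, in_if, out_if):
    """Verdict a NEW (unsolicited) TCP/UDP flow from in_if to out_if gets in FORWARD."""
    policies, rules = parse_filter_table(dump)
    for spec in rules.get("FORWARD", []):
        m_in, m_out = re.search(r"-i (\S+)", spec), re.search(r"-o (\S+)", spec)
        if m_in and m_in.group(1) != in_if or m_out and m_out.group(1) != out_if:
            continue                      # interface match fails
        if "--state" in spec and "NEW" not in spec:
            continue                      # RELATED,ESTABLISHED or INVALID only; a NEW flow skips it
        if "-p " in spec:
            continue                      # ICMPv6 / no-next-header rules don't match plain TCP/UDP
        target = re.search(r"-j (\S+)", spec).group(1)
        if target in rules:               # user chain such as logaccept/logdrop: take its last verdict
            target = re.search(r"-j (\S+)$", rules[target][-1]).group(1)
        if target in ("ACCEPT", "DROP", "REJECT"):
            return target
    return policies.get("FORWARD", "ACCEPT")   # nothing matched: the chain policy decides
```

Run it against a real dump (`ip6tables-save` piped into a file) to confirm that `verdict_for_new_forward(dump, "vlan2", "br0")` is `DROP` before relying on the default firewall to shield a LAN device.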
 
Thanks for your help. I'm ashamed to admit the device on which I was testing access was still connected to my network through Wi-Fi.
So it was a local connection.
From an external connection there was no access, like you said it was supposed to work.
Thanks for helping this noob. ;)
 