From 7fba64b5f5569ef5bdc652cffa71a674ed169ba9 Mon Sep 17 00:00:00 2001
From: Matthias Blankertz
Date: Sat, 5 Apr 2014 17:02:38 +0200
Subject: [PATCH] IPv6 support

---
 linux-3.12.16.config | 33 +++++++-
 openvpn-test/client.conf | 3 +-
 overlay/etc/firewall.sh | 89 +++++++++++++++++++++-
 overlay/etc/openvpn/vpn.conf | 2 +-
 overlay/home/matthias/.ssh/authorized_keys | 1 +
 5 files changed, 123 insertions(+), 5 deletions(-)
 create mode 100644 overlay/home/matthias/.ssh/authorized_keys

diff --git a/linux-3.12.16.config b/linux-3.12.16.config
index 627f1b8..270a051 100644
--- a/linux-3.12.16.config
+++ b/linux-3.12.16.config
@@ -1,4 +1,3 @@
-# CONFIG_64BIT is not set
 # CONFIG_LOCALVERSION_AUTO is not set
 CONFIG_DEFAULT_HOSTNAME="panda"
 CONFIG_SYSVIPC=y
@@ -100,7 +99,37 @@ CONFIG_INET6_ESP=y
 CONFIG_NETLABEL=y
 CONFIG_NETWORK_SECMARK=y
 CONFIG_NETFILTER=y
-# CONFIG_NETFILTER_ADVANCED is not set
+CONFIG_NF_CONNTRACK=y
+CONFIG_NF_CONNTRACK_SECMARK=y
+CONFIG_NF_CONNTRACK_FTP=y
+CONFIG_NF_CONNTRACK_IRC=y
+CONFIG_NF_CONNTRACK_SIP=y
+CONFIG_NF_CT_NETLINK=y
+CONFIG_NETFILTER_XT_MARK=y
+CONFIG_NETFILTER_XT_TARGET_CONNSECMARK=y
+CONFIG_NETFILTER_XT_TARGET_LOG=y
+CONFIG_NETFILTER_XT_TARGET_NFLOG=y
+CONFIG_NETFILTER_XT_TARGET_SECMARK=y
+CONFIG_NETFILTER_XT_TARGET_TCPMSS=y
+CONFIG_NETFILTER_XT_MATCH_CONNTRACK=y
+CONFIG_NETFILTER_XT_MATCH_MULTIPORT=y
+CONFIG_NETFILTER_XT_MATCH_POLICY=y
+CONFIG_NETFILTER_XT_MATCH_STATE=y
+CONFIG_NF_CONNTRACK_IPV4=y
+CONFIG_IP_NF_IPTABLES=y
+CONFIG_IP_NF_FILTER=y
+CONFIG_IP_NF_TARGET_REJECT=y
+CONFIG_IP_NF_TARGET_ULOG=y
+CONFIG_NF_NAT_IPV4=y
+CONFIG_IP_NF_TARGET_MASQUERADE=y
+CONFIG_IP_NF_MANGLE=y
+CONFIG_NF_CONNTRACK_IPV6=y
+CONFIG_IP6_NF_IPTABLES=y
+CONFIG_IP6_NF_MATCH_IPV6HEADER=y
+CONFIG_IP6_NF_MATCH_RT=y
+CONFIG_IP6_NF_FILTER=y
+CONFIG_IP6_NF_TARGET_REJECT=y
+CONFIG_IP6_NF_MANGLE=y
 CONFIG_NET_SCHED=y
 CONFIG_NET_EMATCH=y
 CONFIG_NET_CLS_ACT=y
diff --git a/openvpn-test/client.conf b/openvpn-test/client.conf
index 793fe7a..b177a18 100644
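Review bot: `CONFIG_NF_CONNTRACK_FTP=y`, `CONFIG_NF_CONNTRACK_IRC=y` and `CONFIG_NF_CONNTRACK_SIP=y` compile the ALG helpers into the kernel, and on 3.12 the default is still to bind a helper to every flow on the helper's port automatically (`net.netfilter.nf_conntrack_helper=1`); because firewall.sh in this commit accepts `--state ESTABLISHED,RELATED` on INPUT and FORWARD for both v4 and v6, the expectations those helpers create are admitted without any explicit rule. If the router does not need to pass active FTP, IRC DCC or SIP through conntrack, leave the three options unset (or build them as modules and do not load them); if it does, set `net.netfilter.nf_conntrack_helper=0` in firewall.sh and attach helpers explicitly with `-j CT --helper`, which would also need `CONFIG_NETFILTER_XT_TARGET_CT=y` here. `CONFIG_IP_NF_TARGET_ULOG=y` is the obsolete ulog target; `CONFIG_NETFILTER_XT_TARGET_NFLOG=y` already replaces it and the visible parts of firewall.sh only use `-j LOG`, so ULOG can be left unset.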
--- a/openvpn-test/client.conf
+++ b/openvpn-test/client.conf
@@ -33,13 +33,14 @@ dev tun
 # Are we connecting to a TCP or
 # UDP server? Use the same setting as
 # on the server.
-proto tcp
+proto tcp-client
 ;proto udp
 
 # The hostname/IP and port of the server.
 # You can have multiple remote entries
 # to load balance between the servers.
 remote 172.20.117.221 1194
+;remote 2001:7c0:409:8001::2 1194
 ;remote my-server-2 1194
 
 # Choose a random host from the remote
diff --git a/overlay/etc/firewall.sh b/overlay/etc/firewall.sh
index 1176859..7971a5f 100755
--- a/overlay/etc/firewall.sh
+++ b/overlay/etc/firewall.sh
@@ -18,7 +18,15 @@ LOOP=127.0.0.1
 iptables -P OUTPUT DROP
 iptables -P INPUT DROP
 iptables -P FORWARD DROP
-iptables -F
+
+cat /proc/net/ip_tables_names | while read table; do
+ iptables -t $table -L -n | while read c chain rest; do
+ if test "X$c" = "XChain" ; then
+ iptables -t $table -F $chain
+ fi
+ done
+ iptables -t $table -X
+done
 
 # Set default policies
 iptables -P OUTPUT ACCEPT
@@ -33,6 +41,7 @@ iptables -A FORWARD -i $LANIF -d $LOOP -j DROP
 
 # Anything coming from the Network should have a real Internet address,
 # or a known "Uninetz" private address (172.20.0.0/16)
+
 iptables -N Antispoof_172
 iptables -A FORWARD -i $LANIF -s 192.168.0.0/16 -j DROP
 iptables -A FORWARD -i $LANIF -s 172.16.0.0/12 -j Antispoof_172
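Review bot: `proto tcp-client` keeps this test client on an IPv4 transport, so the `;remote 2001:7c0:409:8001::2 1194` added alongside can never be used as written: OpenVPN 2.3, current for this 2014 patch, picks the address family from the proto keyword and needs `proto tcp6-client` for a v6 remote. At the same time the server-side vpn.conf hunk in this commit switches to `proto tcp6-server`, and whether the still-active `remote 172.20.117.221 1194` can reach a v6 listener then depends on the host's `net.ipv6.bindv6only` setting rather than on anything in these two files. Make the files agree — `proto tcp6-client` with the v6 remote active here — or add a comment above the remote lines stating which combination is the tested one. Later OpenVPN (2.4+) resolves either family from plain `tcp-client`, so the comment should name the version this overlay targets.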
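Review bot: The new flush loop re-implements what `iptables -F` and `iptables -X` already do table-wide: with no chain argument `-F` flushes every chain in the table and `-X` removes every user-defined chain, so parsing `-L -n` output to recover chain names is unnecessary work. The whole block reduces to `while read -r table; do iptables -t "$table" -F; iptables -t "$table" -X; done < /proc/net/ip_tables_names`, which also drops the `cat` pipe and quotes `$table`. The ip6tables copy of this loop in the third hunk of this file has the same shape and can be simplified the same way. The policies are already DROP while the flush runs, so the window is fail-closed; that is worth stating above the loop: `# policies are DROP above, so flushing here cannot open the box`.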
@@ -116,3 +125,81 @@ iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
 
 iptables -t nat -A POSTROUTING -s $PRIVATE -o $LANIF -j MASQUERADE
 echo "1" > /proc/sys/net/ipv4/ip_forward
+
+
+## Setup IPv6
+
+IP6PRIVATE=2001:7c0:409:8001::/64
+IP6LANIP=2001:7c0:409:8001::2
+
+# Delete old iptables rules
+# and temporarily block all traffic.
+ip6tables -P OUTPUT DROP
+ip6tables -P INPUT DROP
+ip6tables -P FORWARD DROP
+
+cat /proc/net/ip6_tables_names | while read table; do
+ ip6tables -t $table -L -n | while read c chain rest; do
+ if test "X$c" = "XChain" ; then
+ ip6tables -t $table -F $chain
+ fi
+ done
+ ip6tables -t $table -X
+done
+
+# Set default policies
+ip6tables -P OUTPUT ACCEPT
+ip6tables -P INPUT DROP
+ip6tables -P FORWARD DROP
+
+ip6tables -A INPUT -m rt --rt-type 0 -j DROP
+ip6tables -A FORWARD -m rt --rt-type 0 -j DROP
+ip6tables -A OUTPUT -m rt --rt-type 0 -j DROP
+
+# Loopback
+ip6tables -A INPUT -i lo -j ACCEPT
+ip6tables -A OUTPUT -o lo -j ACCEPT
+
+# Source spoof filtering from us
+ip6tables -N SSOutFilterLAN
+ip6tables -A OUTPUT -o $LANIF -j SSOutFilterLAN
+ip6tables -A FORWARD -o $LANIF -j SSOutFilterLAN
+ip6tables -A SSOutFilterLAN -s $IP6LANIP -j RETURN
+ip6tables -A SSOutFilterLAN -s fe80::/10 -j RETURN
+ip6tables -A SSOutFilterLAN -j LOG --log-prefix "SOURCESPOOFOUT6 "
+ip6tables -A SSOutFilterLAN -j DROP
+
+# Source spoof filtering to us
+ip6tables -N SSInFilterLAN
+ip6tables -A INPUT -i $LANIF -s $IP6LANIP -j SSInFilterLAN
+ip6tables -A SSInFilterLAN -j LOG --log-prefix "SOURCESPOOFIN6 "
+ip6tables -A SSInFilterLAN -j DROP
+
+# Route errors
+ip6tables -N REOutFilterLAN
+ip6tables -A OUTPUT -o $LANIF -d $IP6LANIP -j REOutFilterLAN
+ip6tables -A FORWARD -o $LANIF -d $IP6LANIP -j REOutFilterLAN
+ip6tables -A REOutFilterLAN -j LOG --log-prefix "ROUTEERR6 "
+ip6tables -A REOutFilterLAN -j DROP
+
+# State tracking
+ip6tables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
+ip6tables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
+
+# Allow ssh and openvpn access
+ip6tables -A INPUT -i $LANIF -d $IP6LANIP -p tcp -m multiport --dports ssh,1194 -m state --state NEW -j ACCEPT
+
+# Allow useful ICMPv6
+ip6tables -A INPUT -i $LANIF -p ipv6-icmp -m icmp6 --icmpv6-type 128/0 -m state --state NEW -j ACCEPT
+ip6tables -A INPUT -i $LANIF -p ipv6-icmp -m icmp6 --icmpv6-type 3/0 -m state --state NEW -j ACCEPT
+ip6tables -A INPUT -i $LANIF -p ipv6-icmp -m icmp6 --icmpv6-type 3/1 -m state --state NEW -j ACCEPT
+ip6tables -A INPUT -i $LANIF -p ipv6-icmp -m icmp6 --icmpv6-type 2 -m state --state NEW -j ACCEPT
+ip6tables -A INPUT -i $LANIF -p ipv6-icmp -m icmp6 --icmpv6-type 1 -m state --state NEW -j ACCEPT
+ip6tables -A INPUT -i $LANIF -p ipv6-icmp -m icmp6 --icmpv6-type 129/0 -m state --state NEW -j ACCEPT
+
+# Allow ARPv6
+ip6tables -A INPUT -i $LANIF -p ipv6-icmp -m icmp6 --icmpv6-type 135/0 -j ACCEPT
+ip6tables -A INPUT -i $LANIF -p ipv6-icmp -m icmp6 --icmpv6-type 136/0 -j ACCEPT
+
+ip6tables -A INPUT -j LOG --log-prefix "CATCHALL6 "
+ip6tables -A FORWARD -j LOG --log-prefix "CATCHALL6 "
diff --git a/overlay/etc/openvpn/vpn.conf b/overlay/etc/openvpn/vpn.conf
index 876fa47..07c3eab 100644
--- a/overlay/etc/openvpn/vpn.conf
+++ b/overlay/etc/openvpn/vpn.conf
@@ -32,7 +32,7 @@ port 1194
 
 # TCP or UDP server?
-proto tcp
+proto tcp6-server
 ;proto udp
 
 # "dev tun" will create a routed IP tunnel,
diff --git a/overlay/home/matthias/.ssh/authorized_keys b/overlay/home/matthias/.ssh/authorized_keys
new file mode 100644
index 0000000..fc77d10
--- /dev/null
+++ b/overlay/home/matthias/.ssh/authorized_keys
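Review bot: `IP6PRIVATE=2001:7c0:409:8001::/64` is assigned but never used, and nothing in the block enables IPv6 forwarding (`/proc/sys/net/ipv6/conf/all/forwarding` is left untouched, unlike the v4 `ip_forward` echo just above) or accepts NEW traffic in the v6 FORWARD chain, so with FORWARD policy DROP the only v6 rule that will ever see a forwarded packet is the `CATCHALL6` log; either drop the variable or add the forwarding sysctl together with the `-s $IP6PRIVATE` FORWARD rules it was evidently meant for. The comment `# Allow ARPv6` should read `# Neighbor Discovery (NS/NA): stateless, so no -m state here` — NDP is not ARP, and the reason these two rules deliberately lack the state match used everywhere else deserves to be recorded. Router Solicitation/Advertisement (133/134) and Parameter Problem (type 4) are not accepted, which is acceptable only while this box keeps its static `$IP6LANIP`; note that assumption beside the ICMPv6 list. Both `CATCHALL6` LOG rules are unrated, so a scan can fill the log; if `xt_limit` is built into this kernel (it is not among the options added in this commit) prefix them with `-m limit --limit 5/min`, and likewise `-m hl --hl-eq 255` on the NS/NA rules would need `xt_hl`. The `# Delete old iptables rules` comment copied from the v4 section should say ip6tables.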
@@ -0,0 +1 @@
+ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCgvPpPNe3SxVtXWeyWE/cB+ME+8q8goWQLDnGfjtEFdStL/2d39yyiqEvE1ystjfrdrhd6xcwYntAAiX/8LsV9kGOGx2QMxiAaKNboEJKFwPqeOQLYY69DDq3n4VQaNlMMNzsqSTDuaS/Gl4WZqvpYQ4wJaS3Ln95ec0zFLyUWyyh3uaw7iv/iJUX9NLlCTbuEtrhswnHyYK7x1g9LWBAtBER0QLAIU1CO/VCeRmfgKf0OIzdKiBw2lgVAwpme/LPh7SAQhQoRcQdkBCZH/Wl9K0Bp/it6BwSYaHVChEaN7BIOrD2kGNAfQn+KSfmCua1OP3OAQvtsZyCSeor1Y05/ matthias@pc