What is the most restrictive way to allow IPv6 ICMP requests on iptables?

This is what I have so far but it is pretty open.

*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -p ipv6-icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A OUTPUT -p ipv6-icmp -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT

If you have time, explaining the rules would be amazing.

Author: sunknudsen
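
A tightened version of the ruleset in the question, as an added example that is not part of the original post. It assumes an end host (not a router) that autoconfigures from router advertisements, and picks its ICMPv6 types following the RFC 4890 filtering recommendations; only the two blanket ipv6-icmp rules are replaced, and the rate-limit values are illustrative.

```iptables
# ip6tables-restore format; check syntax first with: ip6tables-restore --test < FILE
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
# Error messages. Type 2 (Packet Too Big) must get through or path MTU
# discovery breaks; 1 = unreachable, 3 = time exceeded, 4 = parameter problem.
-A INPUT -p ipv6-icmp --icmpv6-type 1 -j ACCEPT
-A INPUT -p ipv6-icmp --icmpv6-type 2 -j ACCEPT
-A INPUT -p ipv6-icmp --icmpv6-type 3 -j ACCEPT
-A INPUT -p ipv6-icmp --icmpv6-type 4 -j ACCEPT
# Echo: requests are rate-limited, replies answer this host's own pings.
-A INPUT -p ipv6-icmp --icmpv6-type 128 -m limit --limit 5/second --limit-burst 10 -j ACCEPT
-A INPUT -p ipv6-icmp --icmpv6-type 129 -j ACCEPT
# Neighbor Discovery. A hop limit of 255 proves the packet was sent on-link,
# because any router would have decremented it. 134 = router advertisement
# (always sourced from a link-local address), 135/136 = neighbor
# solicitation/advertisement. Router solicitations (133) are not accepted
# because this host is not a router.
-A INPUT -s fe80::/10 -p ipv6-icmp --icmpv6-type 134 -m hl --hl-eq 255 -j ACCEPT
-A INPUT -p ipv6-icmp --icmpv6-type 135 -m hl --hl-eq 255 -j ACCEPT
-A INPUT -p ipv6-icmp --icmpv6-type 136 -m hl --hl-eq 255 -j ACCEPT
# Multicast listener queries from the local router (130).
-A INPUT -s fe80::/10 -p ipv6-icmp --icmpv6-type 130 -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# Outbound: errors this host may generate, echo, and the host side of
# Neighbor Discovery (133 = router solicitation, 135/136 as above).
-A OUTPUT -p ipv6-icmp --icmpv6-type 1 -j ACCEPT
-A OUTPUT -p ipv6-icmp --icmpv6-type 4 -j ACCEPT
-A OUTPUT -p ipv6-icmp --icmpv6-type 128 -j ACCEPT
-A OUTPUT -p ipv6-icmp --icmpv6-type 129 -j ACCEPT
-A OUTPUT -p ipv6-icmp --icmpv6-type 133 -m hl --hl-eq 255 -j ACCEPT
-A OUTPUT -p ipv6-icmp --icmpv6-type 135 -m hl --hl-eq 255 -j ACCEPT
-A OUTPUT -p ipv6-icmp --icmpv6-type 136 -m hl --hl-eq 255 -j ACCEPT
# Multicast listener reports (131, 132, 143), needed on switches that
# do MLD snooping so solicited-node multicast still reaches this host.
-A OUTPUT -p ipv6-icmp --icmpv6-type 131 -j ACCEPT
-A OUTPUT -p ipv6-icmp --icmpv6-type 132 -j ACCEPT
-A OUTPUT -p ipv6-icmp --icmpv6-type 143 -j ACCEPT
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT
```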

IPv6: delegate my RA-assigned prefix to my private network

I have a small private network behind a Linux-based routing appliance (Ubuntu Server 18.04) that I’m attempting to migrate from IPv4-only to dual-stack.

My WAN interface has already been assigned an IPv6 global unicast address with a /64 prefix and subnet number zero, and I can successfully reach external IPv6 resources from the router (i.e., I can ping ipv6.google.com directly from the router).

My ISP does not appear to support prefix delegation via DHCPv6 – attempting to request a prefix using isc-dhcpd doesn’t work, but that should be okay, since I already have a prefix, right?

How do I delegate the prefix I already have to my LAN interface and configure radvd to make it available to my network? I could do this statically by hand, but this feels messy and high maintenance, since I’d need to reconfigure the network if my prefix ever changes.

Author: Andrew Villeneuve