Deny ping response in ipv6

6

2

I would like to know how to deny ping replies on my ipv6 address. We have been messing around with ping flooding on ipv6 at work, and the usual way to block icmp requests does not work.

I have tried with the preinstalled scripts in the icmp folder (in Linux), but the ipv6 one does not have the respective script.

I have also tried as follows through iptables, with no luck:

/sbin/iptables -A OUTPUT -p icmp -o eth0 -j ACCEPT
/sbin/iptables -A INPUT -p icmp --icmp-type echo-reply -s 0/0 -i eth0 -j ACCEPT
/sbin/iptables -A INPUT -p icmp --icmp-type destination-unreachable -s 0/0 -i eth0 -j ACCEPT
/sbin/iptables -A INPUT -p icmp --icmp-type time-exceeded -s 0/0 -i eth0 -j ACCEPT
/sbin/iptables -A INPUT -p icmp -i eth0 -j DROP

It would be good to know if it is possible and how also for win and mac OSX machines.

Bruno9779

Posted 2012-07-27T22:20:48.060

Reputation: 1 225

Answers

8

First, a word of warning. Dropping certain kinds of ICMPv6 traffic can completely break your network. So be very careful what you do and do not drop. RFC 4890 is a great place to start with learning what to and not to do.

With that out of the way...

Your example that you gave uses iptables which manages only IPv4 traffic. The IPv6 firewall is separate and is managed via ip6tables.

If you really wanted to drop incoming pings, for instance, you could do something like this (not recommended; see the RFC):

ip6tables -A INPUT -p icmpv6 --icmpv6-type echo-request -j DROP

See the ip6tables man page. The RFC above also includes some ip6tables sample configurations.

Michael Hampton

Posted 2012-07-27T22:20:48.060

Reputation: 11 744
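
The answer's rule in the context of its warning, as an added example that is not part of the original answer: a print-only script that emits ip6tables rules dropping inbound echo requests while explicitly accepting ICMPv6 error messages and Neighbor Discovery. The function name, the default interface `eth0` (taken from the question) and the selection of accepted types are this example's assumptions; RFC 4890 has the full list.

```shell
#!/bin/sh
# Added example (not from the original post): print ip6tables rules that drop
# inbound ICMPv6 echo requests on one interface while explicitly accepting the
# ICMPv6 types IPv6 needs to keep working. The selection of types is this
# example's assumption; RFC 4890 has the full list. Review the output, then
# pipe it to `sh` as root to apply it.

icmpv6_rules() {
    iface=$1
    base="ip6tables -A INPUT -i $iface -p icmpv6 --icmpv6-type"

    # Error messages: packet-too-big drives path MTU discovery, the others
    # report unreachable destinations, hop-limit expiry and malformed headers.
    for t in destination-unreachable packet-too-big time-exceeded parameter-problem; do
        echo "$base $t -j ACCEPT"
    done

    # Neighbor Discovery (the IPv6 replacement for ARP) and router discovery.
    # Genuine on-link messages arrive with hop limit 255.
    for t in router-solicitation router-advertisement \
             neighbour-solicitation neighbour-advertisement; do
        echo "$base $t -m hl --hl-eq 255 -j ACCEPT"
    done

    # Replies to pings this host sends.
    echo "$base echo-reply -j ACCEPT"

    # The rule from the answer: stop answering pings from others.
    echo "$base echo-request -j DROP"
}

# Print the rules for the interface given as $1 (eth0, as in the question).
icmpv6_rules "${1:-eth0}"
```

The ACCEPT rules matter when the INPUT chain policy or a later rule drops the remaining ICMPv6 traffic, which is what the final rule of the IPv4 rule set in the question does for ICMP.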