I would like to know how to deny ping replies on my ipv6 address.
We have been messing around with ping flooding on ipv6 at work, and the usual way to block icmp requests does not work.
I have tried with the preinstalled scripts in the icmp folder (in linux) but the ipv6 one does not have the respective script.
I have also tried as follows through iptables with no luck:
/sbin/iptables -A OUTPUT -p icmp -o eth0 -j ACCEPT
/sbin/iptables -A INPUT -p icmp --icmp-type echo-reply -s 0/0 -i eth0 -j ACCEPT
/sbin/iptables -A INPUT -p icmp --icmp-type destination-unreachable -s 0/0 -i eth0 -j ACCEPT
/sbin/iptables -A INPUT -p icmp --icmp-type time-exceeded -s 0/0 -i eth0 -j ACCEPT
/sbin/iptables -A INPUT -p icmp -i eth0 -j DROP
It would be good to know if it is possible and how also for win and mac OSX machines.
Best Answer
First, a word of warning. Dropping certain kinds of ICMPv6 traffic can completely break your network. So be very careful what you do and do not drop. RFC 4890 is a great place to start with learning what to and not to do.
With that out of the way...
The example you gave uses iptables, which manages only IPv4 traffic. The IPv6 firewall is separate and is managed via ip6tables. If you really wanted to drop incoming pings, for instance, you could do something like this (not recommended; see the RFC):

See the ip6tables man page. The RFC above also includes some ip6tables sample configurations.
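As an added example, not part of the answer above, here is a small shell script that generates an ip6tables ruleset in ip6tables-restore format along the lines RFC 4890 recommends for an end host: the ICMPv6 error messages and Neighbor Discovery messages that must never be dropped are accepted, echo requests are rate-limited rather than blocked outright (which blunts a ping flood without breaking connectivity checks), and everything else falls through to a DROP policy. The interface name, the limit values and the log prefix are assumptions for a single host on eth0; the type names and match options are the ones ip6tables itself accepts.

```shell
#!/bin/sh
# Added example (not from the original answer): build an ip6tables-restore
# ruleset for a host, following RFC 4890's list of ICMPv6 message types that
# an end host must not drop. IFACE, the rate limits and the log prefix are
# assumed values; adjust them for your machine.
IFACE="${IFACE:-eth0}"

# Print the complete ruleset on stdout in ip6tables-restore format.
# Lines starting with '#' are ignored by ip6tables-restore.
build_icmpv6_rules() {
  cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# RFC 4890 4.4.1: error messages a host must accept, or path MTU discovery
# and error reporting break (packet-too-big is the critical one).
-A INPUT -i $IFACE -p ipv6-icmp --icmpv6-type destination-unreachable -j ACCEPT
-A INPUT -i $IFACE -p ipv6-icmp --icmpv6-type packet-too-big -j ACCEPT
-A INPUT -i $IFACE -p ipv6-icmp --icmpv6-type time-exceeded -j ACCEPT
-A INPUT -i $IFACE -p ipv6-icmp --icmpv6-type parameter-problem -j ACCEPT
# Neighbor Discovery: always sent with hop limit 255, so anything else
# claiming to be ND has been forwarded and can be refused.
-A INPUT -i $IFACE -p ipv6-icmp --icmpv6-type router-advertisement -m hl --hl-eq 255 -j ACCEPT
-A INPUT -i $IFACE -p ipv6-icmp --icmpv6-type neighbor-solicitation -m hl --hl-eq 255 -j ACCEPT
-A INPUT -i $IFACE -p ipv6-icmp --icmpv6-type neighbor-advertisement -m hl --hl-eq 255 -j ACCEPT
# Multicast Listener Query (type 130): link-local, hop limit 1.
-A INPUT -i $IFACE -p ipv6-icmp --icmpv6-type 130 -s fe80::/10 -m hl --hl-eq 1 -j ACCEPT
# Echo requests: rate-limit instead of dropping, so a ping flood is capped
# while normal reachability checks still succeed.
-A INPUT -i $IFACE -p ipv6-icmp --icmpv6-type echo-request -m limit --limit 10/second --limit-burst 20 -j ACCEPT
-A INPUT -i $IFACE -p ipv6-icmp --icmpv6-type echo-request -j DROP
-A INPUT -i $IFACE -p ipv6-icmp --icmpv6-type echo-reply -j ACCEPT
# Any other ICMPv6 is logged (rate-limited) and then dropped by the policy.
-A INPUT -i $IFACE -p ipv6-icmp -m limit --limit 5/minute -j LOG --log-prefix "ip6 icmp drop: "
COMMIT
EOF
}

# Count how many rules mention a given ICMPv6 type (helper for checks).
count_type() {
  build_icmpv6_rules | grep -c -- "--icmpv6-type $1 "
}

# Print the ruleset, or load it when APPLY=1 (needs root and ip6tables).
if [ "${APPLY:-0}" = "1" ]; then
  build_icmpv6_rules | ip6tables-restore
else
  build_icmpv6_rules
fi
```

Run it without arguments to review the generated rules, then `APPLY=1 sh icmpv6-rules.sh` as root to load them (that file name is just an assumption). Before applying, test from another host that path MTU discovery and neighbor resolution still work, since those are exactly the things a careless ICMPv6 block breaks.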