Linux – Block IPv6 Traffic using iptables on Linux using Layer 2 info

Tags: firewall, linux

I have set up a simple isolated network consisting of the following Linux-based machines:
Node1 <---> Router <---> Node2

Router's eth0 is connected with Node1's eth0.
Router's eth1 is connected with Node2's eth0.

All three systems are configured with IPv6 addresses and I can ping each of them from the others successfully. I am running iptables/ip6tables on Router and I want to block all the IPv6 traffic coming from Node2 going towards Node1 (via Router).

As we know, all IPv6 traffic has the Ethernet packet type signature 0x86dd, and I want to block the traffic using ip6tables using this specific signature only. After reading the man page of ip6tables and searching on the internet I could not find a suitable option (like ether-type) to block the traffic.

Can I do this via ip6tables at all?

EDIT: I am specifically looking for a way to use data from Layer 2 (0x86dd) to block the traffic. Basically, the question boils down to whether iptables/ip6tables works on Layer 2 or not?

Best Answer

ip6tables -I FORWARD -o eth0 -j REJECT

This will reject all IPv6 traffic not originating on Router and going out of eth0. You might want to throw in an -i eth1 to specify the input interface, too. Additionally, you might also like

ip6tables -I FORWARD -d ${IP(Node1)} -j REJECT

which will block all traffic sent to the IP address of Node1 not originating on Router, or maybe

ip6tables -I FORWARD -s ${IP(Node2)} -d ${IP(Node1)} -j REJECT

which will block all traffic from Node2 towards Node1, based on their respective IP addresses.

Note that the last two only work if Node1 and/or Node2 have fixed IP addresses. Feel free to replace REJECT with DROP, but REJECT is usually the nicer way of doing things (especially in a ‘friendly’ environment).
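The following is an added illustration, not code from the question or the answer above. It models why ip6tables needs no explicit EtherType match: the kernel demultiplexes incoming frames by EtherType before netfilter runs, so the ip6tables FORWARD hook only ever sees frames that carried 0x86dd, and matching then proceeds on the IPv6 header fields the answer's rules use (input interface, output interface, source and destination address). The frames, the addresses fd00:1::10 (Node1) and fd00:2::20 (Node2) and the interface names are constructed for the example; the rule table mirrors `ip6tables -I FORWARD -i eth1 -o eth0 -s ${IP(Node2)} -d ${IP(Node1)} -j REJECT`.

```python
import ipaddress
import struct

ETHERTYPE_IPV6 = 0x86DD  # the Layer-2 signature the question asks about
ETHERTYPE_IPV4 = 0x0800

# Constructed lab addresses (assumptions, not from the original post).
NODE1 = ipaddress.IPv6Address("fd00:1::10")
NODE2 = ipaddress.IPv6Address("fd00:2::20")

# One FORWARD rule, equivalent to:
#   ip6tables -I FORWARD -i eth1 -o eth0 -s fd00:2::20 -d fd00:1::10 -j REJECT
# A None field means "any", like omitting the option on the command line.
RULES = [
    {"in": "eth1", "out": "eth0", "src": NODE2, "dst": NODE1, "target": "REJECT"},
]
CHAIN_POLICY = "ACCEPT"


def parse_frame(frame: bytes):
    """Split an Ethernet II frame into (ethertype, payload)."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    _dst_mac, _src_mac, ethertype = struct.unpack("!6s6sH", frame[:14])
    return ethertype, frame[14:]


def parse_ipv6(payload: bytes):
    """Return (src, dst, next_header) from the fixed 40-byte IPv6 header."""
    if len(payload) < 40:
        raise ValueError("truncated IPv6 header")
    if payload[0] >> 4 != 6:
        raise ValueError("version field is not 6")
    next_header = payload[6]
    src = ipaddress.IPv6Address(payload[8:24])
    dst = ipaddress.IPv6Address(payload[24:40])
    return src, dst, next_header


def forward_verdict(in_if: str, out_if: str, frame: bytes) -> str:
    """Verdict the modelled ip6tables FORWARD chain gives for a forwarded frame."""
    ethertype, payload = parse_frame(frame)
    if ethertype != ETHERTYPE_IPV6:
        # The frame never enters the IPv6 stack, so ip6tables never sees it.
        return "not-ipv6"
    src, dst, _ = parse_ipv6(payload)
    for rule in RULES:
        if (rule["in"] in (None, in_if) and rule["out"] in (None, out_if)
                and rule["src"] in (None, src) and rule["dst"] in (None, dst)):
            return rule["target"]
    return CHAIN_POLICY


def build_ipv6_frame(src, dst, next_header: int = 58) -> bytes:
    """Construct a minimal Ethernet + IPv6 frame (no payload) for testing."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb")
    eth += struct.pack("!H", ETHERTYPE_IPV6)
    # version 6, traffic class 0, flow label 0 | payload len 0 | next hdr | hop limit 64
    ip6 = struct.pack("!IHBB", 0x60000000, 0, next_header, 64) + src.packed + dst.packed
    return eth + ip6


def build_ipv4_frame() -> bytes:
    """Construct a frame with EtherType 0x0800 and a dummy 20-byte IPv4 header."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb")
    eth += struct.pack("!H", ETHERTYPE_IPV4)
    return eth + b"\x45" + b"\x00" * 19


if __name__ == "__main__":
    print("Node2->Node1 via eth1->eth0:",
          forward_verdict("eth1", "eth0", build_ipv6_frame(NODE2, NODE1)))
    print("Node1->Node2 via eth0->eth1:",
          forward_verdict("eth0", "eth1", build_ipv6_frame(NODE1, NODE2)))
    print("IPv4 frame via eth1->eth0:   ",
          forward_verdict("eth1", "eth0", build_ipv4_frame()))
```

Run it to see the Node2-to-Node1 frame rejected, the reply direction accepted by the chain policy, and the IPv4 frame reported as never reaching ip6tables at all. Filtering by EtherType itself belongs to a Layer-2 tool (ebtables, or nftables' bridge and netdev families), not to ip6tables, but for the stated goal the address-based FORWARD rule is sufficient precisely because the 0x86dd demultiplexing has already happened.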
