
On Tue, 30 Oct 2012, Gene Czarcinski wrote:
1. dhcpv6 solicit: from=fe80::client:546 to=ff02::1:2:547
2. dhcpv6 advertise: from=fe80::server:547 to=fe80::client:546
3. dhcpv6 request: from=fe80::client:546 to=ff02::1:2:547
4. dhcpv6 reply: from=fe80::server:547 to=fe80::client:546

I think the rules you want are these (we use the symbolic names for the packet sub-type as it makes things clearer):

    # /etc/sysconfig/ip6tables
    # ...
    -A INPUT -p ipv6-icmp --icmpv6-type router-advertisement -s $IP6SERVER -j ACCEPT
    -A INPUT -p ipv6-icmp --icmpv6-type router-advertisement -j DROP
    -A INPUT -p ipv6-icmp -j ACCEPT
    -A INPUT -j REJECT --reject-with icmp6-adm-prohibited
    # ...

I do not know that you need to filter or attempt to direct 'router-solicitation' as your comments mentioned. We have not had a 'real world' need to do so. We run a variation of these rules at pmman.

from: man 8 ip6tables

    icmp6
        This extension can be used if ‘--protocol ipv6-icmp’ or
        ‘--protocol icmpv6’ is specified. It provides the following option:

        [!] --icmpv6-type type[/code]|typename
            This allows specification of the ICMPv6 type, which can be a
            numeric ICMPv6 type, type and code, or one of the ICMPv6 type
            names shown by the command
                ip6tables -p ipv6-icmp -h

-- Russ herrold
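
Added example, not part of the original message: a small Python model of how the four quoted rules are evaluated in order, to show why the router-advertisement DROP has to come before the general ICMPv6 ACCEPT. The value of IP6SERVER, the sample packets and the function names are constructed for the illustration.

```python
# Added example: a first-match model of the four rules quoted in the message.
# It is not ip6tables; the elided "# ..." parts of the file are not modelled.
import ipaddress

IP6SERVER = "fe80::1"  # constructed stand-in for $IP6SERVER

# (protocol, ICMPv6 type, source, target) in file order; None matches anything.
RULES = [
    ("ipv6-icmp", "router-advertisement", IP6SERVER, "ACCEPT"),
    ("ipv6-icmp", "router-advertisement", None, "DROP"),
    ("ipv6-icmp", None, None, "ACCEPT"),
    (None, None, None, "REJECT"),
]


def same_addr(a, b):
    """Compare addresses by value, so fe80:0:0:0:0:0:0:1 equals fe80::1."""
    return ipaddress.IPv6Address(a) == ipaddress.IPv6Address(b)


def verdict(packet, rules=RULES):
    """Return the target of the first rule the packet matches."""
    for proto, icmp_type, src, target in rules:
        if proto is not None and packet["proto"] != proto:
            continue
        if icmp_type is not None and packet.get("icmp_type") != icmp_type:
            continue
        if src is not None and not same_addr(packet["src"], src):
            continue
        return target
    return "CHAIN-POLICY"  # unreachable here: the last rule matches everything


# Constructed sample packets (addresses are made up for the example).
SERVER_RA = {"proto": "ipv6-icmp", "icmp_type": "router-advertisement",
             "src": "fe80:0:0:0:0:0:0:1"}
OTHER_RA = {"proto": "ipv6-icmp", "icmp_type": "router-advertisement",
            "src": "fe80::bad"}
NEIGHBOR_SOL = {"proto": "ipv6-icmp", "icmp_type": "neighbour-solicitation",
                "src": "fe80::2"}
# Step 4 of the quoted exchange: a DHCPv6 reply to UDP port 546.
DHCP_REPLY = {"proto": "udp", "src": IP6SERVER, "dport": 546}

# Same rules with the general ICMPv6 ACCEPT moved to the top.
REORDERED = [RULES[2], RULES[0], RULES[1], RULES[3]]

if __name__ == "__main__":
    for name in ("SERVER_RA", "OTHER_RA", "NEIGHBOR_SOL", "DHCP_REPLY"):
        print(name, verdict(globals()[name]))
    print("OTHER_RA, reordered:", verdict(OTHER_RA, REORDERED))
```

With only these four rules the DHCPv6 reply reaches the final REJECT, so any rule accepting UDP port 546 would have to sit in the part of the file that is not shown.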