redson DD-WRT Novice Joined: 14 May 2018 Posts: 10
Posted: Thu Jul 26, 2018 17:37 Post subject: ip6tables in KONG 36070M doesn't support REJECT?
I'm using Yamaraj's adbhostgen and am running into an issue where DNS requests over https are causing websites to hang.
I'm able to use iptables to REJECT the https DNS requests on IPv4, but when I try to do the same for IPv6 it looks like dd-wrt doesn't support reject
Code:
root@router:~# ip6tables -A INPUT -p tcp --destination-port 443 -j REJECT --reject-with tcp-reset
ip6tables v1.3.7: Unknown arg `--reject-with'
Try `ip6tables -h' or 'ip6tables --help' for more information.
root@router:~# ip6tables -A INPUT -p tcp --destination-port 443 -j REJECT
ip6tables v1.3.7: Couldn't find target `REJECT'
Try `ip6tables -h' or 'ip6tables --help' for more information.
Is this intentional? Is there a workaround?
redson DD-WRT Novice Joined: 14 May 2018 Posts: 10
Posted: Thu Jul 26, 2018 21:40 Post subject:
found out ip6t_REJECT & nf_reject_ipv6 needed to be loaded, but still no glory
Code:
root@router:~# lsmod | grep ipv6
nf_reject_ipv6 2224 1 ip6t_REJECT
nf_conntrack_ipv6 5419 2
nf_log_ipv6 3660 0
nf_defrag_ipv6 13159 1 nf_conntrack_ipv6
ipv6 291117 28 nf_reject_ipv6,nf_conntrack_ipv6,nf_defrag_ipv6,shortcut_fe,sit,[permanent]
root@router:~# ip6tables -A INPUT -p tcp --destination-port 443 -j REJECT --reject-with tcp-reset
ip6tables v1.3.7: Unknown arg `--reject-with'
Try `ip6tables -h' or 'ip6tables --help' for more information.
root@router:~#
If anyone else has any experience getting reject working w/IPv6 I'd appreciate it!
Acumen DD-WRT User Joined: 15 Nov 2014 Posts: 221
Posted: Sat Jul 28, 2018 12:08 Post subject:
redson wrote: found out ip6t_REJECT & nf_reject_ipv6 needed to be loaded, but still no glory
Code:
root@router:~# lsmod | grep ipv6
nf_reject_ipv6 2224 1 ip6t_REJECT
nf_conntrack_ipv6 5419 2
nf_log_ipv6 3660 0
nf_defrag_ipv6 13159 1 nf_conntrack_ipv6
ipv6 291117 28 nf_reject_ipv6,nf_conntrack_ipv6,nf_defrag_ipv6,shortcut_fe,sit,[permanent]
root@router:~# ip6tables -A INPUT -p tcp --destination-port 443 -j REJECT --reject-with tcp-reset
ip6tables v1.3.7: Unknown arg `--reject-with'
Try `ip6tables -h' or 'ip6tables --help' for more information.
root@router:~#
If anyone else has any experience getting reject working w/IPv6 I'd appreciate it!
I used DROP instead, but that's of course not the same as REJECT.
_________________
Netgear WNDR4300v1 DD-WRT v3.0 BS r29837 | Netgear R6400 DD-WRT v3.0 KB r33525M | Tickets: 5429
IPv4 & IPv6-PD | ProFTP & Samba to USB thumb | DNSMasq DHCPv6 | Pi-Hole on RasPi
Found a bug, report it so it can be fixed: http://svn.dd-wrt.com/
redson DD-WRT Novice Joined: 14 May 2018 Posts: 10
Posted: Sat Jul 28, 2018 16:34 Post subject:
Acumen wrote:
I used DROP instead, but that's of course not the same as REJECT.
Thanks for the suggestion! Tried setting it up, got the relevant rules in the table:
Code:
root@router:~# ip6tables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT 0 anywhere anywhere state RELATED,ESTABLISHED
ACCEPT ipv6-icmp anywhere anywhere
ACCEPT 0 fe80::/64 anywhere
ACCEPT 0 anywhere anywhere
DROP 0 anywhere anywhere
DROP tcp anywhere anywhere tcp dpt:https
DROP udp anywhere anywhere udp dpt:80
DROP udp anywhere anywhere udp dpt:443
Unfortunately the relevant connections still hang. I need to get REJECT going
redson DD-WRT Novice Joined: 14 May 2018 Posts: 10
Posted: Tue Jul 31, 2018 16:18 Post subject:
Still no luck on this, I'm surprised nobody is using ip6tables "REJECT" target.
Out of ideas, as a shotgun effort, I loaded every module with '6' in its name.
Code:
# lsmod | grep 6
raid6_pq 86764 0
nls_cp936 120778 0
nf_nat_ipv6 3901 0
nf_dup_ipv6 996 0
l2tp_ip6 6084 0
l2tp_ip 5145 1 l2tp_ip6
l2tp_core 12544 2 l2tp_ip6,l2tp_ip
ip6table_mangle 1034 0
ip6_udp_tunnel 1399 1 l2tp_core
ebt_ip6 1674 0
ipcomp6 1629 0
xfrm6_tunnel 2223 1 ipcomp6
xfrm6_mode_tunnel 1290 0
xfrm6_mode_transport 842 0
xfrm6_mode_beet 1290 0
ip6_tunnel 14136 0
tunnel6 1691 2 xfrm6_tunnel,ip6_tunnel
mip6 4044 0
ah6 4732 0
esp6 4855 0
ip6t_frag 970 0
ip6t_ipv6header 1162 0
ip6t_rpfilter 1226 0
ip6t_rt 1610 0
ip6t_ah 906 0
ip6t_REJECT 1098 0
nf_reject_ipv6 2224 1 ip6t_REJECT
nf_conntrack_ipv6 5419 3
nf_log_ipv6 3660 0
nf_defrag_ipv6 13159 1 nf_conntrack_ipv6
ip6table_filter 714 1
xfrm_ipcomp 2917 1 ipcomp6
xfrm6_mode_ro 695 0
xfrm_algo 3645 3 ah6,esp6,xfrm_ipcomp
ip_tunnel 10496 1 sit
tunnel4 1628 1 sit
ipv6 291117 46 nf_nat_ipv6,nf_dup_ipv6,l2tp_ip6,l2tp_core,ip6table_mangle,ipcomp6,
xfrm6_tunnel,xfrm6_mode_tunnel,xfrm6_mode_beet,ip6_tunnel,mip6,ah6,esp6,ip6t_rpfilter,
nf_reject_ipv6,nf_conntrack_ipv6,nf_defrag_ipv6,sit,[permanent]
ip6_tables 9405 2 ip6table_mangle,ip6table_filter
ext4 308160 3
jbd2 47256 1 ext4
mbcache 6816 1 ext4
crc16 1060 1 ext4
usb_storage 36813 4
scsi_mod 83369 3 usb_storage,sr_mod,sd_mod
xhci_plat_hcd 2116 0
xhci_pci 2568 0
ehci_pci 2826 0
switch_core 4866 1 switch_robo
#
Still doesn't know anything about the reject target:
Code:
# ip6tables -A INPUT -p tcp --destination-port 443 -j REJECT
ip6tables v1.3.7: Couldn't find target `REJECT'
Try `ip6tables -h' or 'ip6tables --help' for more information.
root@router:~#
Any suggestions or speculation welcome
Steffen M. DD-WRT User Joined: 23 Jan 2008 Posts: 50 Location: Ulm, Germany
Posted: Sun Jul 05, 2020 19:55 Post subject: Re: ip6tables in KONG 36070M doesn't support REJECT?
Hi redson,
redson wrote: I'm able to use iptables to REJECT the https DNS requests on IPv4, but when I try to do the same for IPv6 it looks like dd-wrt doesn't support reject
Code:
root@router:~# ip6tables -A INPUT -p tcp --destination-port 443 -j REJECT --reject-with tcp-reset
ip6tables v1.3.7: Unknown arg `--reject-with'
Try `ip6tables -h' or 'ip6tables --help' for more information.
root@router:~# ip6tables -A INPUT -p tcp --destination-port 443 -j REJECT
ip6tables v1.3.7: Couldn't find target `REJECT'
This problem is still persistent in the most recent version of DD-WRT (v3.0-r43652 std (07/03/20)), at least in the branch for Broadcom devices (in my case: Netgear R7000P).
Therefore my question: Did you find any solution or any workaround if someone wants to actively reject IPv6 packets?
In my case, loading the kernel modules does not help, either. When using "strings" to search through the binary "/usr/sbin/ip6tables", I don't see any occurrences of "REJECT" there. When doing the same search in "/usr/sbin/iptables", there is a match for the "REJECT" target. So I suppose that the problem is in the binary which sets the rules.
Thank you very much in advance!
Kind regards,
Steffen
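The check described in the post above (search the ip6tables binary for the target name, then look at the loaded modules), as an added example that is not part of the thread. It uses `grep -a -w` in place of `strings`, and the sample binaries and lsmod output are constructed stand-ins, not the router's real files.

```shell
#!/bin/sh
# Added example: tell "the userspace binary has no REJECT extension" apart from
# "the kernel module is not loaded". All sample files below are constructed.

# True if the target name occurs as a whole word in the binary.
# -w keeps module names such as ip6t_REJECT from counting as a match.
userspace_has_target() {   # $1 = path to binary, $2 = target name
    grep -a -q -w -- "$2" "$1"
}

# True if the module is listed in saved `lsmod` output.
kernel_has_module() {      # $1 = file with lsmod output, $2 = module name
    awk -v m="$2" '$1 == m { found = 1 } END { exit !found }' "$1"
}

# Prints one verdict: userspace-missing | kernel-missing | ok
diagnose_reject() {        # $1 = ip6tables binary, $2 = lsmod output file
    if ! userspace_has_target "$1" REJECT; then
        # The post's supposition: the binary that sets the rules lacks the target,
        # so loading kernel modules does not change the error.
        echo userspace-missing
    elif ! kernel_has_module "$2" ip6t_REJECT; then
        echo kernel-missing
    else
        echo ok
    fi
}

# Constructed stand-ins for /usr/sbin/ip6tables, /usr/sbin/iptables and lsmod.
SAMPLES=$(mktemp -d)
printf 'ACCEPT\0DROP\0QUEUE\0RETURN\0' > "$SAMPLES/ip6tables.bin"
printf 'ACCEPT\0DROP\0REJECT\0reject-with\0' > "$SAMPLES/iptables.bin"
printf 'ip6t_REJECT 1098 0\nnf_reject_ipv6 2224 1 ip6t_REJECT\n' > "$SAMPLES/lsmod.txt"

diagnose_reject "$SAMPLES/ip6tables.bin" "$SAMPLES/lsmod.txt"
diagnose_reject "$SAMPLES/iptables.bin"  "$SAMPLES/lsmod.txt"
```

On a router, pass the real binary path and the output of `lsmod` saved to a file as the two arguments to `diagnose_reject`.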
Steffen M. DD-WRT User Joined: 23 Jan 2008 Posts: 50 Location: Ulm, Germany
kernel-panic69 DD-WRT Guru Joined: 08 May 2018 Posts: 14242 Location: Texas, USA
Steffen M. DD-WRT User Joined: 23 Jan 2008 Posts: 50 Location: Ulm, Germany
Posted: Wed Jul 08, 2020 21:07 Post subject:
Thanks a lot!
Kind regards,
Steffen