Joined: 30 Nov 2020 Posts: 47 Location: Northern Illinois, US
Posted: Tue Sep 23, 2025 1:26 Post subject: Default "SECURITY" chain in ip6tables has no rules
I have IPv6 enabled and I noticed a default chain in ip6tables, copied below, which has no rules. By default I mean that it's created by DD-WRT through some behind-the-scenes magic.
Chain SECURITY (2 references)
pkts bytes target prot opt in out source destination
See the capture below where a complete ip6tables listing from r62170 std (09/20/25) is given.
This default chain is not present in r60098 std (3/25/2025), and is present in r61745 std (06/12/25) and r62170 std (09/20/25). I've only checked these three builds.
A default ip6tables chain with no rules? It appears packets are being passed into this SECURITY chain (see the capture below). Since there are no rules there, packets just “fall through” and continue. Is this the objective? Is this good practice?
I'm no expert on iptables/ip6tables, so I find this curious.
For the record, I have Wireguard sessions on each of the three routers I checked above (r60098, r61745 and r62170).
(sorry, this looks jumbled in this font, Courier would be nice)
Below, per my configuration the WAN connection is configured on ETH2 (WiFi) and a Wireguard session is listening on port 40011.
root@EA6500v2_3:# ip6tables -L -v
Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all oet1 any anywhere anywhere state NEW
5052 1031K ACCEPT udp eth2 any anywhere anywhere udp dpt:40011
507 84770 SECURITY all any any anywhere anywhere
0 0 DROP all any any anywhere anywhere rt type:0
275 50970 ACCEPT all any any anywhere anywhere ctstate RELATED,ESTABLISHED
36 11808 DROP all any any anywhere anywhere ctstate INVALID
117 15632 ACCEPT all lo any anywhere anywhere
0 0 tarpit all !lo any ::1 anywhere
0 0 tarpit all eth2 any fc00::/7 anywhere
0 0 ACCEPT udp any any anywhere anywhere udp spt:dhcpv6-server dpt:dhcpv6-client ctstate NEW
0 0 ACCEPT all br0 any anywhere anywhere
79 6360 ACCEPT all any any fe80::/10 anywhere
0 0 ACCEPT all any any anywhere ff00::/8
0 0 ACCEPT all oet1 any anywhere anywhere
0 0 ACCEPT ipv6-icmp any any anywhere anywhere ipv6-icmp destination-unreachable
0 0 ACCEPT ipv6-icmp any any anywhere anywhere ipv6-icmp packet-too-big
0 0 ACCEPT ipv6-icmp any any anywhere anywhere ipv6-icmp time-exceeded
0 0 ACCEPT ipv6-icmp any any anywhere anywhere ipv6-icmp parameter-problem
0 0 ACCEPT ipv6-icmp any any anywhere anywhere ipv6-icmp echo-request
0 0 ACCEPT ipv6-icmp any any anywhere anywhere ipv6-icmp echo-reply
0 0 ACCEPT ipv6-icmp any any anywhere anywhere ipv6-icmp router-solicitation HL match HL == 255
0 0 ACCEPT ipv6-icmp any any anywhere anywhere ipv6-icmp router-advertisement HL match HL == 255
0 0 ACCEPT ipv6-icmp any any anywhere anywhere ipv6-icmp neighbour-solicitation HL match HL == 255
0 0 ACCEPT ipv6-icmp any any anywhere anywhere ipv6-icmp neighbour-advertisement HL match HL == 255
0 0 ACCEPT ipv6-icmp any any anywhere anywhere ipv6-icmptype 141 HL match HL == 255
0 0 ACCEPT ipv6-icmp any any anywhere anywhere ipv6-icmptype 142 HL match HL == 255
0 0 ACCEPT ipv6-icmp any any fe80::/10 anywhere ipv6-icmptype 130
0 0 ACCEPT ipv6-icmp any any fe80::/10 anywhere ipv6-icmptype 131
0 0 ACCEPT ipv6-icmp any any fe80::/10 anywhere ipv6-icmptype 132
0 0 ACCEPT ipv6-icmp any any fe80::/10 anywhere ipv6-icmptype 143
0 0 ACCEPT ipv6-icmp any any anywhere anywhere ipv6-icmptype 148 HL match HL == 255
0 0 ACCEPT ipv6-icmp any any anywhere anywhere ipv6-icmptype 149 HL match HL == 255
0 0 ACCEPT ipv6-icmp any any fe80::/10 anywhere ipv6-icmptype 151 HL match HL == 1
0 0 ACCEPT ipv6-icmp any any fe80::/10 anywhere ipv6-icmptype 152 HL match HL == 1
0 0 ACCEPT ipv6-icmp any any fe80::/10 anywhere ipv6-icmptype 153 HL match HL == 1
0 0 ACCEPT ipv6-icmp any any anywhere anywhere ipv6-icmptype 144
0 0 ACCEPT ipv6-icmp any any anywhere anywhere ipv6-icmptype 145
0 0 ACCEPT ipv6-icmp any any anywhere anywhere ipv6-icmptype 146
0 0 ACCEPT ipv6-icmp any any anywhere anywhere ipv6-icmptype 147
Chain FORWARD (policy DROP 34 packets, 6664 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all oet1 any anywhere anywhere state NEW
36 7056 SECURITY all any any anywhere anywhere
0 0 DROP all any any anywhere anywhere rt type:0
0 0 tarpit all any any ::1 anywhere
0 0 tarpit all eth2 any fc00::/7 anywhere
0 0 ACCEPT all any any anywhere anywhere ctstate RELATED,ESTABLISHED
0 0 ACCEPT all br0 any anywhere anywhere ctstate NEW
0 0 ACCEPT ipv6-icmp any any anywhere anywhere ipv6-icmp destination-unreachable
0 0 ACCEPT ipv6-icmp any any anywhere anywhere ipv6-icmp packet-too-big
0 0 ACCEPT ipv6-icmp any any anywhere anywhere ipv6-icmp time-exceeded
0 0 ACCEPT ipv6-icmp any any anywhere anywhere ipv6-icmp parameter-problem
0 0 ACCEPT ipv6-icmp any any anywhere anywhere ipv6-icmp echo-request
0 0 ACCEPT ipv6-icmp any any anywhere anywhere ipv6-icmp echo-reply
Chain OUTPUT (policy ACCEPT 6037 packets, 3035K bytes)
pkts bytes target prot opt in out source destination
0 0 DROP all any any anywhere anywhere rt type:0
Chain SECURITY (2 references)
pkts bytes target prot opt in out source destination
Chain portscan (0 references)
pkts bytes target prot opt in out source destination
0 0 LOG all any any anywhere anywhere LOG level warning prefix "portscan:"
0 0 DROP all any any anywhere anywhere
Chain tarpit (4 references)
pkts bytes target prot opt in out source destination
0 0 DROP all any any anywhere anywhere
root@EA6500v2_3:#
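As an added example (not code from the post or from DD-WRT), here is a small parser for the `ip6tables -L -v` listing above that finds user-defined chains with no rules and reports which chains jump into them and how many packets fell straight through. The embedded sample is a constructed excerpt of the capture in the post.

```python
import re
# Constructed excerpt of the `ip6tables -L -v` capture quoted in the post
# above (the `opt` column, normally "--", is absent as in the forum paste).
SAMPLE = """\
Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
5052 1031K ACCEPT udp eth2 any anywhere anywhere udp dpt:40011
507 84770 SECURITY all any any anywhere anywhere
Chain FORWARD (policy DROP 34 packets, 6664 bytes)
pkts bytes target prot opt in out source destination
36 7056 SECURITY all any any anywhere anywhere
Chain SECURITY (2 references)
pkts bytes target prot opt in out source destination
Chain tarpit (4 references)
pkts bytes target prot opt in out source destination
0 0 DROP all any any anywhere anywhere
"""

CHAIN_RE = re.compile(r"^Chain (\S+) \((?:policy (\S+)|\d+ references)")

def parse_listing(text):
    """Return {chain: {"policy": str or None, "rules": [(pkts, target), ...]}}."""
    chains, current = {}, None
    for line in text.splitlines():
        m = CHAIN_RE.match(line)
        if m:  # user-defined chains have no policy, only a reference count
            current = m.group(1)
            chains[current] = {"policy": m.group(2), "rules": []}
        elif current and line[:1].isdigit():  # skip header/blank lines
            pkts, _bytes, target = line.split(None, 3)[:3]
            chains[current]["rules"].append((pkts, target))
    return chains

def empty_referenced_chains(chains):
    """Map each empty user-defined chain to the (caller, pkts) jumps into it.
    A packet entering an empty chain returns to the caller at the next rule,
    so the jump filters nothing; the counters only show traffic passing by."""
    report = {}
    for name, chain in chains.items():
        if chain["policy"] is not None or chain["rules"]:
            continue  # built-in chain, or a user chain that does filter
        report[name] = [(caller, pkts) for caller, c in chains.items()
                        for pkts, target in c["rules"] if target == name]
    return report

if __name__ == "__main__":
    for name, callers in empty_referenced_chains(parse_listing(SAMPLE)).items():
        for caller, pkts in callers:
            print(f"{caller} -> {name}: {pkts} packets fell straight through")
```

Run it against a live `ip6tables -L -v` capture to confirm that any empty chain with a non-zero reference count is only a no-op hook and not a gap in the filtering.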
Joined: 18 Mar 2014 Posts: 13877 Location: Netherlands
Posted: Tue Sep 23, 2025 7:43 Post subject:
That chain has a relation with the new security options in the firewall and in the GUI login
If you do not have any of the options enabled the SECURITY chain is empty.
What problem do you have other than that there is an empty chain?
I personally do not like empty chains, although it does not matter at all, and I removed it in my builds.
I attached the patch which is necessary to remove the chain when it is empty; as you can see it needs a lot of tweaking, so it's not worth adding it only because it looks better.
Joined: 30 Nov 2020 Posts: 47 Location: Northern Illinois, US
Posted: Tue Sep 23, 2025 21:16 Post subject:
egc wrote:
That chain has a relation with the new security options in the firewall and in the GUI login
If you do not have any of the options enabled the SECURITY chain is empty.
What problem do you have other than that there is an empty chain?
I personally do not like empty chains, although it does not matter at all, and I removed it in my builds.
I attached the patch which is necessary to remove the chain when it is empty; as you can see it needs a lot of tweaking, so it's not worth adding it only because it looks better.
Thanks for the response.
My "problem" is that I'm naive and anxious about IPv6, as I'm just now starting to roll it out across my routers... and those routers run various DD-WRT releases at the present time, e.g., r52148, r60098, r61745 and r62170.
I just yesterday happened to notice the "SECURITY" chain present in the later builds, and I also noticed the packet counters indicating some activity taking place to that chain... but the fact the "SECURITY" chain was empty made me wonder if there wasn't a misconfiguration evident, resulting in a "hole" in the packet filtering.
As always, thanks for taking the time to respond...