Shikhar Bhargava asked:
iptables -I OUTPUT -p icmp --icmp-type destination-unreachable -j DROP
The above command works for IPv4. What should be the command for IPv6 to drop the ICMPv6 destination-unreachable packets?
I have tried to use ip6tables with but could not get the correct option.
ip6tables -I OUTPUT -p icmpv6 <icmpv6 type> -j DROP
What should work for <icmpv6 type>?
The iptables-extensions(8) man page gives the syntax:

icmp6 (IPv6-specific)
    This extension can be used if `--protocol ipv6-icmp' or `--protocol icmpv6' is specified. It provides the following option:

    [!] --icmpv6-type type[/code]|typename
        This allows specification of the ICMPv6 type, which can be a numeric ICMPv6 type, type and code, or one of the ICMPv6 type names shown by the command
            ip6tables -p ipv6-icmp -h
You can list the ICMPv6 types with
ip6tables -p ipv6-icmp -h, as documented in the man page.
Valid ICMPv6 Types:
destination-unreachable
   no-route
   communication-prohibited
   address-unreachable
   port-unreachable
packet-too-big
time-exceeded (ttl-exceeded)
   ttl-zero-during-transit
   ttl-zero-during-reassembly
parameter-problem
   bad-header
   unknown-header-type
   unknown-option
echo-request (ping)
echo-reply (pong)
router-solicitation
router-advertisement
neighbour-solicitation (neighbor-solicitation)
neighbour-advertisement (neighbor-advertisement)
redirect
Of course, you should not be attempting to block these packets. It will cause applications to misbehave.
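The rule the question asks for, built from the `--icmpv6-type` syntax and the type list quoted above. This is an added example, not part of the original question or answer; the helper names `is_valid_type` and `icmp6_rule` are made up for it, and it only prints the commands so they can be reviewed before being run as root.

```shell
#!/bin/sh
# Added example: print ip6tables commands for an ICMPv6 type. Nothing is
# executed against the firewall, so this runs without root.

# Type names and aliases from the `ip6tables -p ipv6-icmp -h` list above.
VALID_TYPES="destination-unreachable no-route communication-prohibited
address-unreachable port-unreachable packet-too-big time-exceeded ttl-exceeded
ttl-zero-during-transit ttl-zero-during-reassembly parameter-problem bad-header
unknown-header-type unknown-option echo-request ping echo-reply pong
router-solicitation router-advertisement neighbour-solicitation
neighbor-solicitation neighbour-advertisement neighbor-advertisement redirect"

# is_valid_type TYPE (hypothetical helper): succeed for a listed type name or
# for the numeric form type[/code], each part in the range 0-255.
is_valid_type() {
    for name in $VALID_TYPES; do
        [ "$1" = "$name" ] && return 0
    done
    t=${1%%/*}
    c=${1#*/}
    [ "$c" = "$1" ] && c=0            # no "/code" part was given
    for n in "$t" "$c"; do
        case "$n" in ''|*[!0-9]*) return 1 ;; esac
        [ "$n" -le 255 ] 2>/dev/null || return 1
    done
    return 0
}

# icmp6_rule ACTION CHAIN TYPE (hypothetical helper): print one command.
# ACTION is -I (insert), -C (check) or -D (delete); all take the same rule spec.
icmp6_rule() {
    case "$1" in -I|-C|-D) ;; *) echo "bad action: $1" >&2; return 2 ;; esac
    case "$2" in ''|*[!A-Za-z0-9_-]*) echo "bad chain: $2" >&2; return 2 ;; esac
    is_valid_type "$3" || { echo "unknown ICMPv6 type: $3" >&2; return 1; }
    echo "ip6tables $1 $2 -p icmpv6 --icmpv6-type $3 -j DROP"
}

# Demo: the IPv6 counterpart of the iptables rule, then inspect and remove it.
icmp6_rule -I OUTPUT destination-unreachable
echo "ip6tables -L OUTPUT -v -n --line-numbers   # packet counters show matches"
icmp6_rule -D OUTPUT destination-unreachable
# Narrower variant: a single code under the type, by name and as type/code
# (ICMPv6 type 1, code 4 is port unreachable).
icmp6_rule -I OUTPUT port-unreachable
icmp6_rule -I OUTPUT 1/4
```

The `-D` form with the identical rule specification removes the rule again, which makes it easy to back the change out if applications start misbehaving as the answer warns.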
This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.