Installing packages in DD-WRT is not trivial. The firmware image is read-only and the "mega" version I am using does not leave any room for a local JFFS filesystem. This is a problem because ipkg requires JFFS to be enabled and a /jffs filesystem with free space. So I had to:
0) Format a pendrive as ext3
1) Enable JFFS in the web admin tool
2) Enable USB storage in web admin, mounting it at /opt
3) Remount the pendrive as /jffs (via telnet)
At least most of the configuration can be done via the web interface.
Afterwards, I go back to web admin, disable JFFS and reconfigure the USB storage to mount at /jffs. All these steps are only there to satisfy ipkg. I am sure there is a way to trick it into not demanding JFFS, but I did not find out how.
The ip6tables package (and its kernel module dependency, kmod-ip6tables) was another soap opera. The version that ipkg fetches automatically does not match the kernel version, and some ip6tables library is missing. Ipkg does not resolve the dependencies by itself; you need to use -force-depends at some point.
In the end, what worked for me was: get the kmod-ip6tables package from the OpenWrt Backfire 10.03 repository, brcm-2.4 platform (which matches the kernel, 2.4.37), and the ip6tables user-level tool from Kamikaze 7.09. Get the packages with wget, and run ipkg install -force-depends on each file.
The installed packages live under /jffs. PATH is configured for /jffs/bin etc., but insmod does not search in /jffs/lib/modules. With the tools installed on the pendrive, and making sure it mounts on boot, I wrote the following addendum to the firewall script:
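# insmod does not search /jffs/lib/modules, so load each module by full path
MOD=/jffs/lib/modules/2.4.37.9
for module in ip6_tables ip6table_filter ip6t_REJECT; do
    insmod "$MOD/$module.o"
done
# Flush existing rules and set the default policy of every chain to ACCEPT
/jffs/usr/sbin/ip6tables -F
/jffs/usr/sbin/ip6tables -P INPUT ACCEPT
/jffs/usr/sbin/ip6tables -P OUTPUT ACCEPT
/jffs/usr/sbin/ip6tables -P FORWARD ACCEPT
# Drop everything arriving over the 6to4 tunnel that is addressed to the router itself
LD_LIBRARY_PATH=/jffs/usr/lib/iptables /jffs/usr/sbin/ip6tables -A INPUT -i tun6to4 -j DROP
# Drop new TCP connections (SYN) forwarded in from the 6to4 tunnel
LD_LIBRARY_PATH=/jffs/usr/lib/iptables /jffs/usr/sbin/ip6tables -A FORWARD -i tun6to4 -p tcp --syn -j DROP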
Note that even ip6tables needed a hand to find its own libraries, via LD_LIBRARY_PATH. ip6tables also had to be called by its full path, because startup scripts don't receive the complete PATH (with /jffs, /opt etc. as we have at the prompt).
Time to buy a new router, to install OpenWrt and mess with it, leaving this Asus router alone, so I have a backup access point when I mess up the other one :)
UPDATE: I discovered that the above ip6tables firewall was not working. The first rule works well, but the second does not; it is some bug related to -p tcp, which does not recognize TCP packets as such. The first rule works because we block everything. It may be caused by an ip6tables version mismatch, or may be a kernel 2.4 bug. The only remedy is to disable 6to4 when it is not absolutely needed, until I buy another router (kernel 2.6 capable).
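One way to spot the failure described in the UPDATE, as an added example that is not part of the original post: read the per-rule packet counters from `ip6tables -L -v -n -x` and list every rule that has never matched. The function name `zero_hit_rules` is hypothetical and the embedded listing is constructed sample data; a zero counter only means something once traffic has actually crossed the tunnel.

```shell
#!/bin/sh
# Added example (not from the original post).
# zero_hit_rules reads `ip6tables -L -v -n -x` output on stdin and prints
# "<chain> <target> <proto>" for every rule whose packet counter is 0.
# Only the first four columns are used: later columns shift because
# ip6tables may leave the "opt" column empty.
zero_hit_rules() {
    awk '
        $1 == "Chain" { chain = $2; next }   # e.g. "Chain FORWARD (policy ...)"
        $1 ~ /^[0-9]+$/ && $1 == 0 {         # rule line whose pkts counter is 0
            print chain, $3, $4
        }
    '
}

# Constructed sample listing: the INPUT rule is counting packets,
# the FORWARD "-p tcp" rule has never matched anything.
sample_listing() {
    cat <<'EOF'
Chain INPUT (policy ACCEPT 340 packets, 29120 bytes)
    pkts      bytes target     prot opt in     out     source               destination
      57     4104 DROP       all      tun6to4 *       ::/0                 ::/0

Chain FORWARD (policy ACCEPT 212 packets, 18200 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       0        0 DROP       tcp      tun6to4 *       ::/0                 ::/0

Chain OUTPUT (policy ACCEPT 298 packets, 26010 bytes)
    pkts      bytes target     prot opt in     out     source               destination
EOF
}

# Demo on the sample data. On the router the real listing would come from:
#   LD_LIBRARY_PATH=/jffs/usr/lib/iptables /jffs/usr/sbin/ip6tables -L -v -n -x | zero_hit_rules
sample_listing | zero_hit_rules
```

A rule that still shows zero packets while the FORWARD policy counter keeps growing is accepting traffic it was meant to drop.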