Allow traffic through a firewall to a dynamic IPv6 address


Suppose I have this configuration on IPv4 right now:

My router (a Linux box) is connected to the Internet on eth0 and my LAN on eth1. I want to forward port 80 to 10.1.2.3. Here's how I'd currently do that:

iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j DNAT --to 10.1.2.3
iptables -A FORWARD -m conntrack --ctstate DNAT -j ACCEPT

Now I want to do the equivalent on IPv6. Suppose I have the same configuration as before, with these changes:

My ISP gives my router the range 2001:db8:aaaa::/64 via prefix delegation. My router takes 2001:db8:aaaa::1 for itself on eth1 and gives 2001:db8:aaaa::123 to the host that I want port 80 open on.

NAT is no longer necessary in the IPv6 case, so all I need is a firewall rule to allow the traffic. Here's the rule I can think of to do that:

ip6tables -A FORWARD -i eth0 -d 2001:db8:aaaa::123 -p tcp -m tcp --dport 80 -j ACCEPT

The problem I have with this is that I had to hardcode 2001:db8:aaaa::123 into my firewall rule, and the 2001:db8:aaaa:: prefix is subject to change at my ISP's whim. In the IPv4 world, the only IP that I had to hardcode was an internal one, so I knew it would never get changed out from under me. Is there any way I can allow traffic like this without having to modify a rule every time my ISP changes my delegated prefix? (If pf can do what I want but ip6tables can't, I'd be willing to switch to BSD for it.)

Joseph Sible-Reinstate Monica

Posted 2017-02-22T02:57:05.093

Reputation: 1 420

Downvote because unless you start out with an IPv6 address in the first place there is a protocol disconnect. – SDsolar – 2017-02-22T03:07:05.740

@SDsolar I'm not sure what you mean. – Joseph Sible-Reinstate Monica – 2017-02-22T04:48:38.090

Answers


While there's no dedicated option, you can use the generic u32 iptables module (see iptables-extensions) to match just the interface ID part (which always starts at byte 32 of the IP header):

-A FORWARD -m u32 --u32 "32 = 0x11223344 && 36 = 0xAABBCCDD" -j ACCEPT

This would match any destination address ending with :1122:3344:aabb:ccdd.

In IPv6 headers, the source address starts at byte 8 (network at 8, interface at 16); the destination address is at 24 (network at 24, interface at 32). You can use bitwise operations to implement things like CIDR mask matching in u32 as well.

user1686

Posted 2017-02-22T02:57:05.093

Reputation: 283 655

This, in concert with DHCPv6 to get predictable local addresses. SLAAC can do whatever it wants, after all. – Daniel B – 2017-02-22T07:51:28.827

So can DHCPv6. There's no rule saying that the DHCP server can't issue 15-minute leases and promptly forget about them the next day. – user1686 – 2017-02-22T08:21:08.813

Yes of course. However, it’s the DHCP server that decides, not the client. In that regard, it is “predictable”. – Daniel B – 2017-02-22T10:55:43.587

Couldn't I just use the syntax "-A FORWARD -d ::1122:3344:aabb:ccdd/::ffff:ffff:ffff:ffff -j ACCEPT" for that? I did a quick test and it seems to do the same as your solution. Also, this solution means I'm ignoring the network part altogether now. Couldn't this become a problem if it ends up matching something like a multicast or a private address that happens to have the same ending? – Joseph Sible-Reinstate Monica – 2017-02-22T17:04:49.820

Ah, yes, I suppose you could. I keep forgetting that -d uses masks, not prefix lengths. – user1686 – 2017-02-22T19:59:57.380

@JosephSible: Your comment solved the issue for me, you should post it as an answer and mark it as the accepted solution! – Malvineous – 2017-11-05T00:13:10.793

@Malvineous I don't consider it a complete solution, since it isn't restricted to matching the correct network part. – Joseph Sible-Reinstate Monica – 2017-11-05T21:25:04.793

@JosephSible: You could still post it as an answer so it stands out, and list any shortcomings there - answers don't need to be perfect, that's why there's room for more than one answer! I think for the most common situations (e.g. home networks) your solution will work just fine, because sure you might forward more traffic than you expect, but there likely won't be any hosts listening on those extra IPs. If there are issues with this solution, an answer is a great place to list them all for everyone's benefit! – Malvineous – 2017-11-06T07:07:21.157
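The following is an added worked example, written for this page; it is not code from the answerer, the asker, or the netfilter project. It covers both the u32 answer and the mask-syntax comment: it derives the u32 expression for a destination's 64-bit interface ID from the address itself (so the values in the rule never have to be typed by hand), evaluates that expression against a constructed 40-byte IPv6 header the way the kernel's 32-bit-word compare would, and emulates the `-d ADDR/MASK` full-mask match from the comment. It also goes one step beyond the thread: using the "bitwise operations for CIDR matching" the answer mentions, it prepends a masked compare of the network part (for example 2000::/3, global unicast) so that a multicast address with the same suffix, the concern raised in the comment, no longer matches. All function names, the helper evaluator, and the sample addresses are assumptions made for this example; the evaluator handles only the `OFFSET [& MASK] = VALUE` subset of u32 syntax and is a model of the match, not the kernel code.

```python
import ipaddress
import re
import struct

# IPv6 fixed-header offsets quoted in the answer: source address at byte 8
# (network at 8, interface ID at 16), destination at byte 24 (network at 24,
# interface ID at 32). Offsets are in bytes from the start of the IPv6 header.
DST_NET_OFFSET = 24
DST_IID_OFFSET = 32


def u32_suffix_rule(address, network_prefix=None):
    """Return the u32 expression (assumed helper) matching the 64-bit
    interface ID of the destination address.  With network_prefix given
    (e.g. "2000::/3"), masked compares of the network part are prepended,
    restricting the match to that range as the comment thread wants."""
    packed = ipaddress.IPv6Address(address).packed  # 16 bytes, network order
    terms = []
    if network_prefix is not None:
        net = ipaddress.IPv6Network(network_prefix, strict=False)
        if net.prefixlen > 64:
            raise ValueError("prefix longer than the 64-bit network part")
        for word in range(2):  # network part = bytes 24..31 = two 32-bit words
            sl = slice(word * 4, word * 4 + 4)
            mask = int.from_bytes(net.netmask.packed[sl], "big")
            if mask:
                want = int.from_bytes(net.network_address.packed[sl], "big")
                terms.append(f"{DST_NET_OFFSET + word * 4} & 0x{mask:08X} = 0x{want:08X}")
    hi = int.from_bytes(packed[8:12], "big")   # interface ID, upper 32 bits
    lo = int.from_bytes(packed[12:16], "big")  # interface ID, lower 32 bits
    terms.append(f"{DST_IID_OFFSET} = 0x{hi:08X}")
    terms.append(f"{DST_IID_OFFSET + 4} = 0x{lo:08X}")
    return " && ".join(terms)


def ipv6_header(src, dst, next_header=6, payload_len=20):
    """Build a 40-byte IPv6 fixed header (constructed sample input):
    version 6, zero traffic class/flow label, hop limit 64."""
    return (struct.pack("!IHBB", 0x60000000, payload_len, next_header, 64)
            + ipaddress.IPv6Address(src).packed
            + ipaddress.IPv6Address(dst).packed)


_TERM = re.compile(
    r"^\s*(\d+)\s*(?:&\s*(0x[0-9a-fA-F]+|\d+))?\s*=\s*(0x[0-9a-fA-F]+|\d+)\s*$")


def u32_match(expression, header):
    """Evaluate the 'OFFSET [& MASK] = VALUE' terms of a u32 expression,
    joined by '&&', against raw header bytes.  Each OFFSET reads one 32-bit
    word in network byte order; a read past the end of the header is a
    non-match.  This is an emulation for illustration, not xt_u32 itself."""
    for term in expression.split("&&"):
        m = _TERM.match(term)
        if not m:
            raise ValueError(f"unsupported u32 term: {term!r}")
        offset = int(m.group(1))
        mask = int(m.group(2), 0) if m.group(2) else 0xFFFFFFFF
        value = int(m.group(3), 0)
        if offset + 4 > len(header):
            return False
        word = int.from_bytes(header[offset:offset + 4], "big")
        if word & mask != value:
            return False
    return True


def mask_match(packet_dst, rule_addr, rule_mask):
    """Emulate '-d ADDR/MASK' with a full 128-bit mask (the comment's syntax):
    the packet matches when (dst & mask) == (addr & mask)."""
    dst = int(ipaddress.IPv6Address(packet_dst))
    addr = int(ipaddress.IPv6Address(rule_addr))
    mask = int(ipaddress.IPv6Address(rule_mask))
    return dst & mask == addr & mask


if __name__ == "__main__":
    host = "2001:db8:aaaa::123"          # the question's server address
    lookalike = "ff02::123"              # constructed multicast address, same suffix
    suffix_only = u32_suffix_rule(host)
    with_prefix = u32_suffix_rule(host, "2000::/3")
    print("suffix-only u32 rule:", suffix_only)
    print("prefix-restricted u32 rule:", with_prefix)
    for dst in (host, lookalike):
        hdr = ipv6_header("2001:db8:ffff::1", dst)
        print(dst, "suffix-only:", u32_match(suffix_only, hdr),
              "restricted:", u32_match(with_prefix, hdr),
              "-d mask:", mask_match(dst, "::123", "::ffff:ffff:ffff:ffff"))
```

Running the block shows the trade-off from the comments directly: both the suffix-only u32 rule and the `-d ::123/::ffff:ffff:ffff:ffff` mask rule accept the multicast look-alike, while the rule with the `24 & 0xE0000000 = 0x20000000` network-part term accepts only the global-unicast host. Because the network-part compare is a mask, not the full delegated prefix, the rule survives a prefix change from the ISP; tightening it further (for example to the actual delegated /64) reintroduces the original problem, so the width of that mask is the knob to set deliberately.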