OpenWRT IPv6 Firewall Redirect Port

2

Does anyone know how to redirect an incoming port to another port for an IPv6 address in OpenWRT?

There is no NAT involved just an ordinary global IPv6 address.

What I am trying to do is change the SSH port for a number of servers, redirecting an arbitrary port number to 22 internally while remaining on port 22 for the local network.

E.g. [2345::1]:5000 -> OpenWRT -> [2345::1]:22

When using the equivalent IPv4 NAT this configuration is very simple because the ports can easily be configured with port forwarding.

Many thanks

jacob_pro

Posted 2018-08-19T22:20:39.533

Reputation: 121

I'm not sure why you wouldn't just configure those servers to additionally listen on port 5000... – user1686 – 2018-08-19T22:42:59.130

^, and then simply block port 22 for WAN inbound connections. – confetti – 2018-08-19T23:19:18.817

yes that would be an alternative, but doing it once on the router is preferable to configuring many servers – jacob_pro – 2018-08-19T23:25:05.517

Answers

0

You can actually use the same DNAT-based port forwarding in Linux ip6tables as well. The main difference is that you don't change the destination address; on the other hand, you do need to match on the existing address.

ip6tables -t nat -I PREROUTING -d 2345::1 -p tcp --dport 5000 -j DNAT --to-destination [2345::1]:22

Of course, with IPv6 you don't need SNAT-based masquerading, but that's a completely separate firewall rule to begin with, so it can be simply omitted.

I don't know how this translates to OpenWRT (except that you might need the kmod-ipt-nat6 package), but I suspect it's something like:

config redirect
    option family ipv6
    option src wan6
    option src_dip 2345::1
    option proto tcp
    option src_dport 5000
    option target DNAT
    option dest_ip 2345::1
    option dest_port 22

user1686

Posted 2018-08-19T22:20:39.533

Reputation: 283 655

Thanks very much. I have installed kmod-ipt-nat6 and have been using the following command (I haven't got it working with the OpenWRT UCI config yet):

ip6tables -t nat -I PREROUTING -d IPV6_ADDRESS -p tcp --dport 5000 -j DNAT --to-destination [IPV6_ADDRESS]:22

However, it will only work if I also open port 22 from WAN to the device in the firewall, which leaves me stuck with the original problem of 22 being open. The redirect from 5000 is working, but how can I limit access to only 5000 and not 22 as well? – jacob_pro – 2018-08-20T23:12:31.547

As far as I can see, "config redirect" is not supported for IPv6? https://github.com/openwrt/luci/issues/925 – jacob_pro – 2018-08-21T15:33:50.253

You can allow DNAT-ed connections to port 22 (first) and then DROP any NEW connections to port 22 in your FORWARD chain. – Tomek – 2018-08-21T21:04:16.943

0

It does not appear to currently be possible to use "config redirect" for IPv6 in OpenWRT's firewall3.

However I was able to manually achieve it using the following rules:

ip6tables -t nat -I PREROUTING -d IPV6_ADDRESS_HERE -p tcp --dport 5000 -j DNAT --to-destination [IPV6_ADDRESS_HERE]:22
ip6tables -A zone_wan_input -m conntrack --ctstate DNAT -j ACCEPT
ip6tables -A zone_wan_forward -m conntrack --ctstate DNAT -j zone_(ZONE_NAME)_dest_ACCEPT

jacob_pro

Posted 2018-08-19T22:20:39.533

Reputation: 121
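The two answers above, taken together, give the working recipe: a DNAT rule in the nat PREROUTING chain that rewrites only the port, plus a forward rule that accepts the flow only when conntrack already marks it as DNAT-ed, so a connection that arrives directly on port 22 from WAN never matches and falls through to the zone's default reject. The script below is an added example, not code from either answer or from OpenWRT itself: it wraps that recipe in a function so it can be applied to the several servers the question mentions, and adds an audit helper that reads `ip6tables -S zone_wan_forward` output and fails if any ACCEPT rule for port 22 lacks the `--ctstate DNAT` condition. The `IP6T` variable, the `add_ssh_redirect` and `audit_wan_forward` names, and the `2345::1`/`5000` values are my own choices; the `zone_wan_forward` and `zone_<name>_dest_ACCEPT` chain names are the ones the second answer uses. I insert the forward rule at position 1 rather than appending, because any rule appended after a chain's terminating reject is never evaluated.

```shell
#!/bin/sh
# Added example (not from the answers above): bulk SSH port redirection for
# global IPv6 addresses on an ip6tables-based OpenWRT firewall, plus an audit.
# IP6T defaults to the real ip6tables binary; set IP6T=echo for a dry run.
IP6T="${IP6T:-ip6tables}"

# add_ssh_redirect <global IPv6 address of server> <public port> <dest zone name>
# Rewrites the destination port from <public port> to 22 without touching the
# address, then accepts only conntrack-DNAT-ed flows towards port 22.
add_ssh_redirect() {
    addr="$1"; pub_port="$2"; zone="$3"
    # nat PREROUTING: same address, new port (no address translation for IPv6).
    "$IP6T" -t nat -I PREROUTING -d "$addr" -p tcp --dport "$pub_port" \
        -j DNAT --to-destination "[$addr]:22"
    # Forward chain: a direct SYN to port 22 from WAN carries no DNAT state, so it
    # does not match here and is handled by the zone's default reject instead.
    # Position 1 keeps the rule ahead of any terminating reject in the chain.
    "$IP6T" -I zone_wan_forward 1 -d "$addr" -p tcp --dport 22 \
        -m conntrack --ctstate DNAT -j "zone_${zone}_dest_ACCEPT"
}

# audit_wan_forward: reads `ip6tables -S zone_wan_forward` on stdin.
# Returns 1 if any rule accepts tcp dport 22 without requiring --ctstate DNAT,
# i.e. if port 22 is reachable from WAN without going through the redirect.
# Caveat: rules written with "-m multiport --dports 22,..." are not detected.
audit_wan_forward() {
    grep -E -- '--dport 22( |$)' \
      | grep -E -- '-j (ACCEPT|zone_[A-Za-z0-9_]+_dest_ACCEPT)' \
      | grep -qv -- '--ctstate DNAT' && return 1
    return 0
}

# Example usage with constructed values (run with IP6T=echo to preview):
#   add_ssh_redirect 2345::1 5000 lan
#   add_ssh_redirect 2345::2 5001 lan
#   ip6tables -S zone_wan_forward | audit_wan_forward && echo "port 22 only via redirect"
```

After applying the rules, `ip6tables -t nat -S PREROUTING` and `ip6tables -S zone_wan_forward` show exactly which flows are rewritten and accepted; the audit function is meant to be run after every firewall reload, since OpenWRT rebuilds the zone chains and manually added rules only survive if they are placed in a file the firewall re-applies, such as /etc/firewall.user.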