On Tue, May 26, 2020 at 11:55:40AM -0700, Kenneth Porter wrote:
I finally got an ISP connection with working IPv6 and now I need to add firewall rules for forwarding connections from my LAN to the WAN. I'm using firewalld to handle the high-level description that gets translated to iptables/ip6tables on CentOS 7.
Of course, with IPv6, one doesn't do NAT, so the usual masquerade target doesn't make sense.
Correct. Likely you don't want to NAT IPv6.
But I want similar connection logic, with no inbound connections allowed to LAN clients and all outbound connections allowed. How does one express this in either firewalld or its ip6tables "direct rules"?
At present firewalld does the same amount of forward blocking for IPv4 and IPv6. By default it allows outbound IPv4/IPv6, but inbound is filtered out with some exceptions. See section about --set-target in man page firewall-cmd(1).
You need forward filtering (iptables filter table FORWARD chain) to allow services/port/etc. to internal servers/VM/containers. This is currently in development for firewalld. I'm hoping it makes the next feature release.
I don't currently need port-forwarding to internal servers but, for completeness, what would such rules look like?
Nothing. Filtering/blocking IPv6 is already occurring.