I finally got an ISP connection with working IPv6 and now I need to add firewall rules for forwarding connections from my LAN to the WAN. I'm using firewalld to handle the high-level description that gets translated to iptables/ip6tables on CentOS 7.
Of course, with IPv6, one doesn't do NAT, so the usual masquerade target doesn't make sense. But I want similar connection logic, with no inbound connections allowed to LAN clients and all outbound connections allowed. How does one express this in either firewalld or its ip6tables "direct rules"?
I don't currently need port-forwarding to internal servers but, for completeness, what would such rules look like?
On Tue, May 26, 2020 at 11:55:40AM -0700, Kenneth Porter wrote:
I finally got an ISP connection with working IPv6 and now I need to add firewall rules for forwarding connections from my LAN to the WAN. I'm using firewalld to handle the high-level description that gets translated to iptables/ip6tables on CentOS 7.
Of course, with IPv6, one doesn't do NAT, so the usual masquerade target doesn't make sense.
Correct. Likely you don't want to NAT IPv6.
But I want similar connection logic, with no inbound connections allowed to LAN clients and all outbound connections allowed. How does one express this in either firewalld or its ip6tables "direct rules"?
At present firewalld does the same amount of forward blocking for IPv4 and IPv6. By default it allows outbound IPv4/IPv6, but inbound is filtered out with some exceptions. See section about --set-target in man page firewall-cmd(1).
You need forward filtering (iptables filter table FORWARD chain) to allow services/port/etc. to internal servers/VM/containers. This is currently in development for firewalld. I'm hoping it makes the next feature release.
I don't currently need port-forwarding to internal servers but, for completeness, what would such rules look like?
Nothing. Filtering/blocking IPv6 is already occurring.
I found this rule would let packets pass:
firewall-cmd --permanent --direct --add-rule ipv6 filter FWDO_external_allow 0 -m conntrack --ctstate NEW,UNTRACKED -j ACCEPT
(external is the zone with the WAN-facing interface.)
I can now send a ping from a LAN client (Windows 10) but it times out. I've disabled the Windows firewall for testing to remove that variable.
However, tcpdump shows neighbor solicitations going out to the LAN client but no replies (neighbor announcement), so it has no place to send the replies from the Internet site being pinged. I'm trying to track down the problem there.
IPv4 pings to the same site work fine. I saved my iptables and ip6tables rules to files and diff'd them and don't see a difference now except for the different kinds of icmp used for error replies.
On Tue, May 26, 2020 at 03:26:28PM -0700, Kenneth Porter wrote:
I found this rule would let packets pass:
firewall-cmd --permanent --direct --add-rule ipv6 filter FWDO_external_allow 0 -m conntrack --ctstate NEW,UNTRACKED -j ACCEPT
(external is the zone with the WAN-facing interface.)
I can now send a ping from a LAN client (Windows 10) but it times out. I've disabled the Windows firewall for testing to remove that variable.
However, tcpdump shows neighbor solicitations going out to the LAN client but no replies (neighbor announcement), so it has no place to send the replies from the Internet site being pinged. I'm trying to track down the problem there.
You probably need to allow IPv6 ICMP ND types explicitly. Both in IN_external_allow and FWDI_external_allow. At least these IPv6 ICMP types:
- neighbour-solicitation
- neighbour-advertisement
- router-advertisement
- redirect
IPv4 pings to the same site work fine. I saved my iptables and ip6tables rules to files and diff'd them and don't see a difference now except for the different kinds of icmp used for error replies.
Probably because ARP works. Firewalld does not block ARP as it's not really an IP packet.
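As an added example that is not from this thread or from firewalld itself: a POSIX shell snippet that generates the direct rules accepting the four ICMPv6 ND types named above in both IN_external_allow and FWDI_external_allow, plus a check that reads `ip6tables -S` output and reports which types still lack an ACCEPT rule. It assumes the zone is named external as in the thread; the chain names come from the thread and the type numbers are the RFC 4861 values.

```shell
#!/bin/sh
# Added example, not code from the thread or from firewalld itself.
# Emits firewall-cmd direct rules accepting the four ICMPv6 ND types
# in IN_<zone>_allow and FWDI_<zone>_allow, and checks ip6tables output
# for them. The zone name "external" is assumed from the thread.

# name:type-number pairs (RFC 4861 message types)
ND_TYPES="neighbour-solicitation:135 neighbour-advertisement:136 router-advertisement:134 redirect:137"

# Print one firewall-cmd direct rule per ND type for the input chain
# (packets to the router itself) and the forward-in chain (towards the LAN).
icmpv6_nd_rules() {
  zone="$1"
  for chain in "IN_${zone}_allow" "FWDI_${zone}_allow"; do
    for pair in $ND_TYPES; do
      printf 'firewall-cmd --permanent --direct --add-rule ipv6 filter %s 0 -p ipv6-icmp --icmpv6-type %s -j ACCEPT\n' \
        "$chain" "${pair%%:*}"
    done
  done
}

# Read "ip6tables -S <chain>" output on stdin; print the ND types that have
# no ACCEPT rule there (matched by name or by number), or an empty line if none.
missing_nd_types() {
  rules="$(cat)"
  missing=""
  for pair in $ND_TYPES; do
    name="${pair%%:*}"; num="${pair##*:}"
    printf '%s\n' "$rules" | grep -qE -- "--icmpv6-type ($name|$num) -j ACCEPT" \
      || missing="$missing $name"
  done
  printf '%s\n' "${missing# }"
}

# Usage: icmpv6_nd_rules external | sh && firewall-cmd --reload
#        ip6tables -S IN_external_allow | missing_nd_types
```

Run the check against each of the two chains separately, since a type accepted in IN_external_allow says nothing about FWDI_external_allow.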
firewalld-users@lists.fedorahosted.org