[Firewall] Some questions regarding IPv6/IPv4 dual stack

Lonnie Abelbeck lists at lonnie.abelbeck.com
Mon Oct 28 16:50:17 CET 2013


Hi Gustin,

First, I assume you had a typo and meant:
--
INET_FORWARD_TCP="::/0>2001:1234:b:11c:aaaa:bbbb:cccc:dddd~22,443"
--
BTW, "0/0" will work equally well as "::/0"

Your setup looks very similar to mine, your AIF configuration looks good to me.  Try...

$ ip6tables -nvL EXT_FORWARD_IN_CHAIN

and see if you are getting any 'hits' on your INET_FORWARD_TCP rules.

Question: is the (phony) 2001:1234:b:11c::/64 prefix assigned on one of the AIF box's interfaces, or is it "hidden" downstream?  If so, you need a static route on the AIF box on how to reach the 2001:1234:b:11c::/64 network.  Something like:
--
ip -6 route add 2001:1234:b:11c::1/64 via 2001:1234:b:a::2 dev eth1 metric 1
--
Do you have a /64 or /48 prefix from your provider?

My guess is you have a routing issue; your AIF config looks good at first blush.

Lonnie



On Oct 27, 2013, at 5:23 PM, Gustin Johnson wrote:

> I now have an IPv6 tunnel and I am able to connect out from LAN computers via IPv6.  The problem is the return path.  I would like to allow ssh and https to a couple of hosts as well as ICMP (protocol 58 for IPv6) for the entire subnet.
> 
> What I have done so far is to put entries in INET_FORWARD_TCP and INET_FORWARD_IP.  I have put some examples below (with example IPs, not my actual ones) because I can't seem to figure out why it is not working.  Any help with the syntax would be appreciated.
> 
> INET_FORWARD_TCP="::/0>2001:1234:b:11c:aaaa:bbbb:cccc:dddd~22,443>
> INET_FORWARD_IP="::/0>2001:1234:b:11c::/64~58"
> 
> I also have my tunnel interface listed in the EXT_IF (this was needed to get outbound access, which makes sense).  I also have radvd configured and seemingly working correctly.
> 
> Thanks,
> __ 
> Gustin
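The AIF "source>destination~ports" rule syntax and the unbalanced-quote typo discussed in this thread, as an added example that is not part of the thread or of AIF's own code: a small Python checker that validates the shell assignment, parses each rule, and prints the ip6tables rules it corresponds to. The exact rules AIF generates and the use of EXT_FORWARD_IN_CHAIN as the target chain are assumptions here.

```python
import re
import shlex

# Assumed AIF rule syntax (not AIF's own parser): "src>dst~port[,port...]".
# "0/0" and "::/0" both mean any source, as noted in the reply above.
RULE_RE = re.compile(r"^(?P<src>[^>]+)>(?P<dst>[^~]+)~(?P<ports>[\w,]+)$")
ANY_SOURCE = {"0/0", "::/0"}
# Assumed mapping of AIF variables to the protocol used in the generated rule;
# INET_FORWARD_IP carries raw protocol numbers (e.g. 58 for ICMPv6).
PROTO = {"INET_FORWARD_TCP": "tcp", "INET_FORWARD_UDP": "udp", "INET_FORWARD_IP": None}

def check_assignment(line):
    """Validate a VAR="..." config line; return (name, value) or raise ValueError.

    A trailing '>' in place of the closing '"' leaves the quote unbalanced,
    which shlex reports as 'No closing quotation'.
    """
    name, sep, rest = line.partition("=")
    if not sep:
        raise ValueError(f"not an assignment: {line!r}")
    try:
        parts = shlex.split(rest)
    except ValueError as exc:
        raise ValueError(f"{name}: unbalanced quoting in {rest!r} ({exc})") from exc
    if len(parts) != 1:
        raise ValueError(f"{name}: expected one quoted value, got {parts!r}")
    return name, parts[0]

def parse_rules(value):
    """Split a variable value into (src, dst, [ports]) tuples."""
    rules = []
    for item in value.split():
        m = RULE_RE.match(item)
        if not m:
            raise ValueError(f"bad rule syntax: {item!r}")
        rules.append((m["src"], m["dst"], m["ports"].split(",")))
    return rules

def to_ip6tables(line):
    """Return the ip6tables commands an AIF forward variable corresponds to (assumed)."""
    name, value = check_assignment(line)
    proto = PROTO[name]
    cmds = []
    for src, dst, ports in parse_rules(value):
        src_opt = "" if src in ANY_SOURCE else f" -s {src}"
        for port in ports:
            match = f"-p {port}" if proto is None else f"-p {proto} --dport {port}"
            cmds.append(f"ip6tables -A EXT_FORWARD_IN_CHAIN{src_opt} -d {dst} {match} -j ACCEPT")
    return cmds

if __name__ == "__main__":
    for cmd in to_ip6tables('INET_FORWARD_IP="::/0>2001:1234:b:11c::/64~58"'):
        print(cmd)
```

Running `ip6tables -nvL EXT_FORWARD_IN_CHAIN` afterwards, as suggested in the reply, shows whether the corresponding counters increase.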
