[Firewall] IPv6 not blocking INET->DMZ or INET->LAN

Jason Stahls jason at justuscare.ca
Fri Mar 14 20:08:44 CET 2014


Lonnie,

This box's primary purpose is actually web/mail/db server, it is also 
the center of a PtMP OpenVPN network.

IPv4 is all off-net, each site uses their local provider for general 
Internet.  IPv6 is all allocated out of the /48 I get from my hosting 
provider so it's all routed back through the OpenVPN links and jumps to 
the rest of the Internet through this box.  I want to open 
22,25,53,80,etc. for the computer on its external interface but still 
block those ports forwarding through to the internal tun+ interface.  Do 
I do this via a NAT forward to one of the internal interface IPs, or a 
forward to the external interface, or? :)  I do have NAT enabled for 
PPTP clients (kinda roundabout but gets me on US Netflix) and I've set 
NAT_INTERNAL_NET to just the PPTP range.

Thanks,

Jason

On 3/14/2014 10:46 AM, Lonnie Abelbeck wrote:
> Jason,
>
> A couple more 'tips'...
>
> For IPv4 NAT Forwarding use:
>
> NAT_FORWARD_TCP (or _UDP or _IP)
>
> For IPv6 (or routed IPv4) Forwarding use:
>
> INET_FORWARD_TCP (or _UDP or _IP)
>
> "Any" Host values:
>
> 0.0.0.0/0 - Any IPv4 Address
>
> ::/0 - Any IPv6 Address
>
> 0/0 - Any IPv4 or IPv6 Address (unless source or destination is qualified as IPv4 or IPv6)
>
> Lonnie
>
>
> On Mar 14, 2014, at 9:23 AM, Wijatmoko U. Prayitno wrote:
>
>> Use the variable HOST_OPEN_UDP or HOST_OPEN_TCP
>>
>> On Fri, 14 Mar 2014 10:18:44 -0400
>> Jason Stahls <jason at justuscare.ca> wrote:
>>
>>> I still haven't quite figured out what I've done, but I decided to
>>> start with a fresh config instead. How can I open ports for just the
>>> host? From my understanding of the comments using OPEN_TCP/UDP/IP
>>> will cause it to forward and not block those ports right?
>>>
>>> Thanks,
>>>
>>> Jason
>>>
> _______________________________________________
> Firewall mailing list
> Firewall at rocky.eld.leidenuniv.nl
> http://rocky.eld.leidenuniv.nl/mailman/listinfo/firewall
> Arno's (Linux IPTABLES Firewall) Homepage:
> http://rocky.eld.leidenuniv.nl
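Putting Lonnie's variable tips together with Jason's requirement as a firewall.conf fragment. This is an added example, not from the thread or from the project's stock configuration; the `HOST>PORTS` and `SRC~PORT>DST~PORT` forms are as I recall them from the stock firewall.conf comments, so check them against the comments in your installed file, and the interface names, the 10.8.0.0/24 PPTP range and the 2001:db8::/48 prefix are placeholders.

```shell
# Assumed layout (placeholders): EXT_IF faces the hosting provider, the tun+
# OpenVPN point-to-multipoint links carry the routed /48 to the other sites.
EXT_IF="eth0"
INT_IF="tun+"
INTERNAL_NET="2001:db8::/48"
IPV6_SUPPORT=1

# Services reachable on the box ITSELF (INPUT chain). "0/0" is "any" for both
# address families, per Lonnie's tip; use 0.0.0.0/0 or ::/0 to restrict to one.
# These entries create no FORWARD rule, so the same ports stay blocked towards
# the tun+ networks unless a *_FORWARD_* line below explicitly allows them.
HOST_OPEN_TCP="0/0>22 25 53 80"
HOST_OPEN_UDP="0/0>53"

# IPv4 NAT exists only for the PPTP clients. Exposing an internal IPv4 host
# would need a NAT_FORWARD_* entry; none is defined here on purpose.
NAT=1
NAT_INTERNAL_NET="10.8.0.0/24"
NAT_FORWARD_TCP=""

# Routed IPv6 forwarding is opt-in per port and destination host. Example:
# allow HTTPS to a single VPN-side host (placeholder address) while
# 22/25/53/80 remain blocked in the INET->tun+ direction.
INET_FORWARD_TCP="::/0~443>2001:db8:0:1::10~443"
```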
