[Firewall] IPv6 not blocking INET->DMZ or INET->LAN

Jason Stahls jason at justuscare.ca
Fri Mar 14 20:08:44 CET 2014


This box's primary purpose is actually a web/mail/db server; it is also 
the center of a PtMP OpenVPN network.

IPv4 is all off-net, each site uses their local provider for general 
Internet.  IPv6 is all allocated out of the /48 I get from my hosting 
provider so it's all routed back through the OpenVPN links and jumps to 
the rest of the Internet through this box.  I want to open 
22, 25, 53, 80, etc. for the computer on its external interface but still 
block those ports forwarding through to the internal tun+ interface.  Do 
I do this via a NAT forward to one of the internal interface IPs, or a 
forward to the external interface, or? :)  I do have NAT enabled for 
PPTP clients (kinda round about but gets me on US Netflix) and I've set 
NAT_INTERNAL_NET to just the PPTP range.



On 3/14/2014 10:46 AM, Lonnie Abelbeck wrote:
> Jason,
> A couple more 'tips'...
> For IPv4 NAT Forwarding use:
> For IPv6 (or routed IPv4) Forwarding use:
> "Any" Host values:
> - Any IPv4 Address
> ::/0 - Any IPv6 Address
> 0/0 - Any IPv4 or IPv6 Address (unless source or destination is qualified as IPv4 or IPv6)
> Lonnie
> On Mar 14, 2014, at 9:23 AM, Wijatmoko U. Prayitno wrote:
>> Use variable HOST_OPEN_UDP or HOST_OPEN_TCP
>> On Fri, 14 Mar 2014 10:18:44 -0400
>> Jason Stahls <jason at justuscare.ca> wrote:
>>> I still haven't quite figured out what I've done, but I decided to
>>> start with a fresh config instead. How can I open ports for just the
>>> host? From my understanding of the comments using OPEN_TCP/UDP/IP
>>> will cause it to forward and not block those ports right?
>>> Thanks,
>>> Jason
> _______________________________________________
> Firewall mailing list
> Firewall at rocky.eld.leidenuniv.nl
> http://rocky.eld.leidenuniv.nl/mailman/listinfo/firewall
> Arno's (Linux IPTABLES Firewall) Homepage:
> http://rocky.eld.leidenuniv.nl
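The split Jason is asking for (host ports reachable on the external interface, the same ports not forwarded on through the tunnels) expressed as plain ip6tables rules, as an added example that is not from the thread or from Arno's firewall scripts. The interface name eth0, the port lists and the helper names are assumptions; the script prints the rules by default and only applies them when IP6T_DRY_RUN=0.

```shell
#!/bin/sh
# Added example: accept a fixed set of ports for the box itself (INPUT on the
# external interface) and refuse to route the same ports from the Internet
# into the OpenVPN tunnels (FORWARD to tun+). No NAT is needed for the routed
# /48; the FORWARD match alone does the blocking. eth0 and the port lists are
# assumed values. These DROPs must come before any general FORWARD ACCEPT.

EXT_IF="${EXT_IF:-eth0}"
VPN_IF="${VPN_IF:-tun+}"
HOST_TCP_PORTS="${HOST_TCP_PORTS:-22 25 53 80}"
HOST_UDP_PORTS="${HOST_UDP_PORTS:-53}"

# Print or execute one ip6tables command (dry run unless IP6T_DRY_RUN=0).
ip6t() {
    if [ "${IP6T_DRY_RUN:-1}" = "1" ]; then
        echo "ip6tables $*"
    else
        ip6tables "$@"
    fi
}

host_rules() {
    # Only the box itself answers on these ports from the outside.
    for p in $HOST_TCP_PORTS; do
        ip6t -A INPUT -i "$EXT_IF" -p tcp --dport "$p" -j ACCEPT
    done
    for p in $HOST_UDP_PORTS; do
        ip6t -A INPUT -i "$EXT_IF" -p udp --dport "$p" -j ACCEPT
    done
    # The same ports are not forwarded from the Internet into the VPN sites.
    for p in $HOST_TCP_PORTS; do
        ip6t -A FORWARD -i "$EXT_IF" -o "$VPN_IF" -p tcp --dport "$p" -j DROP
    done
    for p in $HOST_UDP_PORTS; do
        ip6t -A FORWARD -i "$EXT_IF" -o "$VPN_IF" -p udp --dport "$p" -j DROP
    done
}

# Number of rules the generated set contains (quick self-check in dry-run mode).
rule_count() {
    IP6T_DRY_RUN=1 host_rules | wc -l | tr -d ' '
}

host_rules
```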
