[Shorewall-users] NPTv6
Luke Jordan
2016-12-26 07:15:49 UTC
Hi,

Is it possible to use NPTv6 for a multi-homing setup with shorewall6?
Tom Eastep
2016-12-26 17:01:41 UTC
Post by Luke Jordan
Hi,
Is it possible to use NPTv6 for a multi-homing setup with
shorewall6?
Sure.

-Tom
--
Tom Eastep \ When I die, I want to go like my Grandfather who
Shoreline, \ died peacefully in his sleep. Not screaming like
Washington, USA \ all of the passengers in his car
http://shorewall.net \________________________________________________
Luke Jordan
2016-12-26 17:59:43 UTC
Post by Luke Jordan
Is it possible to use NPTv6 for a multi-homing setup with
shorewall6?
Sure.
really? wow ... documentation?
Tom Eastep
2016-12-26 19:24:45 UTC
Post by Luke Jordan
Post by Luke Jordan
Is it possible to use NPTv6 for a multi-homing setup with
shorewall6?
Sure.
really? wow ... documentation?
How do you plan to configure NTP? Peer running on the Firewall system?
In broadcast mode or will the local systems be configured to use that
peer?

-Tom
--
Tom Eastep \ When I die, I want to go like my Grandfather who
Shoreline, \ died peacefully in his sleep. Not screaming like
Washington, USA \ all of the passengers in his car
http://shorewall.net \________________________________________________
Tuomo Soini
2016-12-26 20:33:54 UTC
On Mon, 26 Dec 2016 08:15:49 +0100
Post by Luke Jordan
Hi,
Is it possible to use NPTv6 for a multi-homing setup with shorewall6?
What do you mean with NPTv6 ?
--
Tuomo Soini <***@foobar.fi>
Foobar Linux services
+358 40 5240030
Foobar Oy <http://foobar.fi/>
Tom Eastep
2016-12-26 21:04:10 UTC
On Mon, 26 Dec 2016 08:15:49 +0100 Luke Jordan
Post by Luke Jordan
Hi,
Is it possible to use NPTv6 for a multi-homing setup with
shorewall6?
What do you mean with NPTv6 ?
I assumed he meant NTPv4 over IPv6.

-Tom
--
Tom Eastep \ When I die, I want to go like my Grandfather who
Shoreline, \ died peacefully in his sleep. Not screaming like
Washington, USA \ all of the passengers in his car
http://shorewall.net \________________________________________________
Simon Hobson
2016-12-26 21:12:47 UTC
Post by Tuomo Soini
What do you mean with NPTv6 ?
I assume he wants to use NPT (Network Prefix Translation) to avoid the complications of multihoming systems with multiple IPv6 providers.
Tom Eastep
2016-12-26 21:44:51 UTC
Post by Simon Hobson
Post by Tuomo Soini
What do you mean with NPTv6 ?
I assume he wants to use NPT (Network Prefix Translation) to avoid
the complications of multihoming systems with multiple IPv6
providers.
Bit of dyslexia on my part then.

My personal approach to multiple IPv6 providers is to assign my local
networks prefixes delegated from one of my provider's routers and
simply use SNAT when sending traffic out of the other provider. That
is stateful and supports problem protocols like FTP.

In Netfilter, NPT is stateless, so it is a pain to use. There is
therefore no formal support for NPT in Shorewall6 (the
shorewall6-netmap(5) file is no longer usable since the Netfilter
rawpost table has been removed). It is possible to configure NPT in
shorewall-mangle(5) (assuming that your kernel and ip6tables support
the SNPT and DNPT targets) but there is currently no documentation for
how to do that.

A brief outline of what is required:

Add SNPT and DNPT as builtin actions in /etc/shorewall6/actions:

SNPT builtin,mangle,terminating
DNPT builtin,mangle,terminating

To configure DNPT in the shorewall6/mangle file:

IP6TABLES(DNPT --src-pfx <prefix/length> --dst-pfx <prefix/length> ):P ...

and to configure SNPT:

IP6TABLES(SNPT --src-pfx <prefix/length> --dst-pfx <prefix/length> ):T ...

See iptables-extensions(8) for additional information on SNPT and
DNPT. In particular, you must disable connection tracking for the
translated flows in shorewall-conntrack(5).

-Tom
--
Tom Eastep \ When I die, I want to go like my Grandfather who
Shoreline, \ died peacefully in his sleep. Not screaming like
Washington, USA \ all of the passengers in his car
http://shorewall.net \________________________________________________
Tom Eastep
2016-12-26 22:03:37 UTC
Post by Tom Eastep
Post by Simon Hobson
Post by Tuomo Soini
What do you mean with NPTv6 ?
I assume he wants to use NPT (Network Prefix Translation) to
avoid the complications of multihoming systems with multiple
IPv6 providers.
Bit of dyslexia on my part then.
My personal approach to multiple IPv6 providers is to assign my
local networks prefixes delegated from one of my provider's routers
and simply use SNAT when sending traffic out of the other provider.
That is stateful and supports problem protocols like FTP.
In Netfilter, NPT is stateless, so it is a pain to use. There is
therefore no formal support for NPT in Shorewall6 (the
shorewall6-netmap(5) file is no longer usable since the Netfilter
rawpost table has been removed). It is possible to configure NPT
in shorewall-mangle(5) (assuming that your kernel and ip6tables
support the SNPT and DNPT targets) but there is currently no
documentation for how to do that.
Correction. If you have kernel version 3.7 or later, then stateful
network mapping is available in Netfilter. It *should* be available
using the shorewall6-netmap(5) file (by omitting the trailing P, O, or
T after SNAT or DNAT), but I must confess that I have not tested it.

-Tom
--
Tom Eastep \ When I die, I want to go like my Grandfather who
Shoreline, \ died peacefully in his sleep. Not screaming like
Washington, USA \ all of the passengers in his car
http://shorewall.net \________________________________________________
Luke Jordan
2017-01-07 16:35:26 UTC
Post by Tom Eastep
Post by Simon Hobson
I assume he wants to use NPT (Network Prefix Translation) to avoid
the complications of multihoming systems with multiple IPv6
providers.
This is correct.

I wish to have a solution to use two providers with different
IPv6 prefixes, with the option to say: use provider A for particular
destinations and provider B for all other destinations.

In shorewall (for IPv4) this works without problems with mangle.
Post by Tom Eastep
Bit of dyslexia on my part then.
My personal approach to multiple IPv6 providers is to assign my local
networks prefixes delegated from one of my provider's routers and
simply use SNAT when sending traffic out of the other provider. That
is stateful and supports problem protocols like FTP.
Can you give me a configuration example for this?
Post by Tom Eastep
In Netfilter, NPT is stateless, so it is a pain to use. There is
therefore no formal support for NPT in Shorewall6 (the
shorewall6-netmap(5) file is no longer usable since the Netfilter
rawpost table has been removed). It is possible to configure NPT in
shorewall-mangle(5) (assuming that your kernel and ip6tables support
the SNPT and DNPT targets) but there is currently no documentation for
how to do that.
SNPT builtin,mangle,terminating
DNPT builtin,mangle,terminating
IP6TABLES(DNPT --src-pfx <prefix/length> --dst-pfx <prefix/length> ):P ...
IP6TABLES(SNPT --src-pfx <prefix/length> --dst-pfs <prefix/length> ):T ...
See iptables-extensions(8) for additional information on SNPT and
DNPT. In particular, you must disable connection tracking for the
translated flows in shorewall-conntrack(5).
It doesn't work:

/etc/shorewall6/mangle:
MARK(768):P eth0 - tcp 22,47238,52486 # ssh traffic by dsl
MARK(512):P eth0 - - - # other traffic by cbl

IP6TABLES(DNPT --src-pfx 2001:XXXX:YYYY:100::/64 --dst-pfx fdae:fa7:dead:beef::/64 ):P eth0 - - -

IP6TABLES(SNPT --src-pfx fdae:fa7:dead:beef::/64 --dst-pfx 2001:XXXX:YYYY:100::/64 ):P eth0 - - -

result:

Checking /etc/shorewall6/mangle...
ERROR: Invalid ACTION (IP6TABLES(DNPT --src-pfx
2001:XXXX:YYYY:100::/64 --dst-pfx fdae:fa7:dead:beef::/64 ):P)
/etc/shorewall6/mangle (line 18)

fdae:fa7:dead:beef::/64 is the local network, 2001:XXXX:YYYY:100::/64
the network of a provider.
Tom Eastep
2017-01-07 17:11:43 UTC
Post by Luke Jordan
Post by Tom Eastep
My personal approach to multiple IPv6 providers is to assign my
local networks prefixes delegated from one of my provider's
routers and simply use SNAT when sending traffic out of the other
provider. That is stateful and supports problem protocols like
FTP.
Can you give me a configuration example for this?
I have two providers, IPv6Beta and HE.

/etc/shorewall6/shorewall6.conf:

USE_DEFAULT_RT=Yes

/etc/shorewall6/providers:

IPv6Beta 1 0x100 - eth0 fe80::22e5:2aff:feb7:f2cf\
track,primary,loose,persistent
HE 2 0x200 - sit1 - track,fallback,persistent

Most local networks have IPv6 addresses delegated by the router on
eth0 and are in 2601:601:8b00:bf0::/60 (as is the address of eth0)

I have one local network that has addresses routed via sit1
(2001:470:b:227::/64). The IP address of sit1 is 2001:470:a:227::2

/etc/shorewall6/snat:

SNAT(&sit1) 2601:601:8b00:bf0::/60 sit1
SNAT(&eth0) 2001:470:b:227::/64,2001:470:a:227::2 eth0

When I was running a version of Shorewall that still used the masq
file, the corresponding entries were:

sit1 2601:601:8b00:bf0::/60 &sit1
IPv6Beta 2001:470:b:227::/64,2001:470:a:227::2 &eth0

/etc/shorewall6/rtrules:

2001:470:B:227::/64 ::/0 HE 11000
2601:601:8b00:bf0::/60 ::/0 IPv6Beta 11000
Post by Luke Jordan
Post by Tom Eastep
In Netfilter, NPT is stateless, so it is a pain to use. There is
therefore no formal support for NPT in Shorewall6 (the
shorewall6-netmap(5) file is no longer usable since the
Netfilter rawpost table has been removed). It is possible to
configure NPT in shorewall-mangle(5) (assuming that your kernel
and ip6tables support the SNPT and DNPT targets) but there is
currently no documentation for how to do that.
Add SNPT and DNPT as builtin actions in
SNPT builtin,mangle,terminating DNPT builtin,mangle,terminating
IP6TABLES(DNPT --src-pfx <prefix/length> --dst-pfx
<prefix/length> ):P ...
IP6TABLES(SNPT --src-pfx <prefix/length> --dst-pfx
<prefix/length> ):T ...
See iptables-extensions(8) for additional information on SNPT
and DNPT. In particular, you must disable connection tracking for
the translated flows in shorewall-conntrack(5).
/etc/shorewall6/mangle: MARK(768):P eth0 - tcp 22,47238,52486 #
ssh traffic by dsl MARK(512):P eth0 - - - # other traffic by
cbl
IP6TABLES(DNPT --src-pfx 2001:XXXX:YYYY:100::/64 --dst-pfx
fdae:fa7:dead:beef::/64 ):P eth0 - - -
IP6TABLES(SNPT --src-pfx fdae:fa7:dead:beef::/64 --dst-pfx
2001:XXXX:YYYY:100::/64 ):P eth0 - - -
Checking /etc/shorewall6/mangle... ERROR: Invalid ACTION
(IP6TABLES(DNPT --src-pfx 2001:XXXX:YYYY:100::/64 --dst-pfx
fdae:fa7:dead:beef::/64 ):P) /etc/shorewall6/mangle (line 18)
fdae:fa7:dead:beef::/64 is the local network,
2001:XXXX:YYYY:100::/64 the network of a provider.
Did you add DNPT as a nat builtin action in /etc/shorewall6/actions?

-Tom

--
Tom Eastep \ When I die, I want to go like my Grandfather who
Shoreline, \ died peacefully in his sleep. Not screaming like
Washington, USA \ all of the passengers in his car
http://shorewall.net \________________________________________________
Tom Eastep
2017-01-07 17:23:58 UTC
Post by Tom Eastep
Post by Luke Jordan
/etc/shorewall6/mangle: MARK(768):P eth0 - tcp 22,47238,52486
# ssh traffic by dsl MARK(512):P eth0 - - - # other traffic
by cbl
IP6TABLES(DNPT --src-pfx 2001:XXXX:YYYY:100::/64 --dst-pfx
fdae:fa7:dead:beef::/64 ):P eth0 - - -
IP6TABLES(SNPT --src-pfx fdae:fa7:dead:beef::/64 --dst-pfx
2001:XXXX:YYYY:100::/64 ):P eth0 - - -
Checking /etc/shorewall6/mangle... ERROR: Invalid ACTION
(IP6TABLES(DNPT --src-pfx 2001:XXXX:YYYY:100::/64 --dst-pfx
fdae:fa7:dead:beef::/64 ):P) /etc/shorewall6/mangle (line 18)
fdae:fa7:dead:beef::/64 is the local network,
2001:XXXX:YYYY:100::/64 the network of a provider.
Did you add DNPT as a nat builtin action in
/etc/shorewall6/actions?
Never mind -- it is a bug in the IP6TABLES parser -- it doesn't expect
IPv6 addresses in the action parameters :-(

-Tom
--
Tom Eastep \ When I die, I want to go like my Grandfather who
Shoreline, \ died peacefully in his sleep. Not screaming like
Washington, USA \ all of the passengers in his car
http://shorewall.net \________________________________________________
Tom Eastep
2017-01-07 17:38:17 UTC
Post by Tom Eastep
Post by Tom Eastep
Post by Luke Jordan
/etc/shorewall6/mangle: MARK(768):P eth0 - tcp
22,47238,52486 # ssh traffic by dsl MARK(512):P eth0 - - -
# other traffic by cbl
IP6TABLES(DNPT --src-pfx 2001:XXXX:YYYY:100::/64 --dst-pfx
fdae:fa7:dead:beef::/64 ):P eth0 - - -
IP6TABLES(SNPT --src-pfx fdae:fa7:dead:beef::/64 --dst-pfx
2001:XXXX:YYYY:100::/64 ):P eth0 - - -
Checking /etc/shorewall6/mangle... ERROR: Invalid ACTION
(IP6TABLES(DNPT --src-pfx 2001:XXXX:YYYY:100::/64 --dst-pfx
fdae:fa7:dead:beef::/64 ):P) /etc/shorewall6/mangle (line 18)
fdae:fa7:dead:beef::/64 is the local network,
2001:XXXX:YYYY:100::/64 the network of a provider.
Did you add DNPT as a nat builtin action in
/etc/shorewall6/actions?
I meant 'mangle' rather than 'nat'.
Post by Tom Eastep
Never mind -- it is a bug in the IP6TABLES parser -- it doesn't
expect IPv6 addresses in the action parameters :-(
You can work around the problem by fully expressing the IP addresses
(e.g., 2001:XXXX:YYYY:100:0:0:0:0/64).

-Tom
--
Tom Eastep \ When I die, I want to go like my Grandfather who
Shoreline, \ died peacefully in his sleep. Not screaming like
Washington, USA \ all of the passengers in his car
http://shorewall.net \________________________________________________
Luke Jordan
2017-01-07 18:19:33 UTC
Post by Tom Eastep
Post by Tom Eastep
Post by Tom Eastep
Did you add DNPT as a nat builtin action in
/etc/shorewall6/actions?
I meant 'mangle' rather than 'nat'.
sure

# shorewall6 show actions
A_AllowICMPs # Audited Accept needed ICMP6 types
A_Drop # Audited Default Action for DROP policy
allowBcasts # Accept multicast and anycast packets
AllowICMPs # Accept needed ICMP6 types
allowInvalid inline # Accepts packets in the INVALID conntrack state
A_Reject # Audited Default Action for REJECT policy
AutoBLL noinline # Helper for AutoBL
AutoBL noinline # Auto-blacklist IPs that exceed thesholds
Broadcast noinline # Handles Broadcast/Multicast/Anycast
DNPT builtin,mangle,terminating
dropBcasts # Silently Drop multicast and anycast packets
Drop # Default Action for DROP policy
dropInvalid inline # Drops packets in the INVALID conntrack state
dropNotSyn # Silently Drop Non-syn TCP packets
DropSmurfs noinline # Handles packets with a broadcast source address
Established inline,\ # Handles packets in the ESTABLISHED state
IfEvent noinline # Perform an action based on an event
Invalid inline,audit,\ # Handles packets in the INVALID conntrack state
New inline,state=NEW # Handles packets in the NEW conntrack state
NotSyn inline # Handles TCP packets that do not have SYN=1 and ACK=0
Reject # Default Action for REJECT policy
rejNotSyn # Silently Reject Non-syn TCP packets
Related inline,\ # Handles packets in the RELATED conntrack state
ResetEvent inline # Reset an Event
RST inline # Handle packets with RST set
SetEvent inline # Initialize an event
SNPT builtin,mangle,terminating
TCPFlags # Handles bad flags combinations
Untracked inline,\ # Handles packets in the UNTRACKED conntrack state
Post by Tom Eastep
Post by Tom Eastep
Never mind -- it is a bug in the IP6TABLES parser -- it doesn't
expect IPv6 addresses in the action parameters :-(
You can work around the problem by fully expressing the IP addresses
(e.g., 2001:XXXX:YYYY:100:0:0:0:0/64).
This workaround shows a new problem:

# shorewall6 start
[...]
Preparing ip6tables-restore input...
Running /sbin/ip6tables-restore ...
ip6tables-restore: line 34 failed
ERROR: iptables-restore Failed. Input is in
/var/lib/shorewall6/.ip6tables-restore-input
Preparing ip6tables-restore input...
Running /sbin/ip6tables-restore...
Terminated

line 32 is "COMMIT"

# cat /var/lib/shorewall6/.ip6tables-restore-input
#
# Generated by Shorewall 5.0.14.1 - Sa 7. Jan 19:13:28 CET 2017
#
*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:tcfor - [0:0]
:tcin - [0:0]
:tcout - [0:0]
:tcpost - [0:0]
:tcpre - [0:0]
-A PREROUTING -j tcpre
-A INPUT -j tcin
-A FORWARD -j MARK --set-mark 0/0xff00
-A FORWARD -j tcfor
-A OUTPUT -j tcout
-A POSTROUTING -j tcpost
-A tcpre -p 6 -m multiport --dports 22,47238,52486 -i eth0 -j MARK
--set-mark 768
-A tcpre -i eth0 -j MARK --set-mark 512
-A tcpre -i eth0 -j DNPT --src-pfx 2001:XXXX:YYYY:100:0:0:0:0/64
--dst-pfx fdae:fa7:dead:beef:0:0:0:0/64
-A tcpre -i eth0 -j SNPT --src-pfx fdae:fa7:dead:beef:0:0:0:0/64
--dst-pfx 2001:XXXX:YYYY:100:0:0:0:0/64
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:AllowICMPs - [0:0]
:Broadcast - [0:0]
:Reject - [0:0]
:cbl-dsl - [0:0]
:cbl-fw - [0:0]
:cbl-int - [0:0]
:cbl_frwd - [0:0]
:dsl-cbl - [0:0]
:dsl-fw - [0:0]
:dsl-int - [0:0]
:dsl_frwd - [0:0]
:dynamic - [0:0]
:fw-cbl - [0:0]
:fw-dsl - [0:0]
:fw-int - [0:0]
:int-cbl - [0:0]
:int-dsl - [0:0]
:int-fw - [0:0]
:int_frwd - [0:0]
:logdrop - [0:0]
:logflags - [0:0]
:logreject - [0:0]
:reject - [0:0]
:sfilter - [0:0]
:tcpflags - [0:0]
:sha-lh-780b52025322fe413b49 - [0:0]
:sha-rh-88253ba662f5e71f112e - [0:0]
-A INPUT -i eth1 -j dsl-fw
-A INPUT -i eth2 -j cbl-fw
-A INPUT -i eth0 -j int-fw
-A INPUT -i lo -j ACCEPT
-A INPUT -j Reject
-A INPUT -j LOG --log-level 6 --log-prefix "Shorewall:INPUT:REJECT:"
-A INPUT -g reject
-A FORWARD -i eth1 -j dsl_frwd
-A FORWARD -i eth2 -j cbl_frwd
-A FORWARD -i eth0 -j int_frwd
-A FORWARD -j Reject
-A FORWARD -j LOG --log-level 6 --log-prefix "Shorewall:FORWARD:REJECT:"
-A FORWARD -g reject
-A OUTPUT -o eth1 -j fw-dsl
-A OUTPUT -o eth2 -j fw-cbl
-A OUTPUT -o eth0 -j fw-int
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -j Reject
-A OUTPUT -j LOG --log-level 6 --log-prefix "Shorewall:OUTPUT:REJECT:"
-A OUTPUT -g reject
-A AllowICMPs -p 58 --icmpv6-type 1 -j ACCEPT -m comment --comment
"Needed ICMP types (RFC4890)"
-A AllowICMPs -p 58 --icmpv6-type 2 -j ACCEPT -m comment --comment
"Needed ICMP types (RFC4890)"
-A AllowICMPs -p 58 --icmpv6-type 3 -j ACCEPT -m comment --comment
"Needed ICMP types (RFC4890)"
-A AllowICMPs -p 58 --icmpv6-type 4 -j ACCEPT -m comment --comment
"Needed ICMP types (RFC4890)"
-A AllowICMPs -p 58 --icmpv6-type 133 -j ACCEPT -m comment --comment
"Needed ICMP types (RFC4890)"
-A AllowICMPs -p 58 --icmpv6-type 134 -j ACCEPT -m comment --comment
"Needed ICMP types (RFC4890)"
-A AllowICMPs -p 58 --icmpv6-type 135 -j ACCEPT -m comment --comment
"Needed ICMP types (RFC4890)"
-A AllowICMPs -p 58 --icmpv6-type 136 -j ACCEPT -m comment --comment
"Needed ICMP types (RFC4890)"
-A AllowICMPs -p 58 --icmpv6-type 137 -j ACCEPT -m comment --comment
"Needed ICMP types (RFC4890)"
-A AllowICMPs -p 58 --icmpv6-type 141 -j ACCEPT -m comment --comment
"Needed ICMP types (RFC4890)"
-A AllowICMPs -p 58 --icmpv6-type 142 -j ACCEPT -m comment --comment
"Needed ICMP types (RFC4890)"
-A AllowICMPs -s fe80::/10 -p 58 --icmpv6-type 130 -j ACCEPT -m comment
--comment "Needed ICMP types (RFC4890)"
-A AllowICMPs -s fe80::/10 -p 58 --icmpv6-type 131 -j ACCEPT -m comment
--comment "Needed ICMP types (RFC4890)"
-A AllowICMPs -s fe80::/10 -p 58 --icmpv6-type 132 -j ACCEPT -m comment
--comment "Needed ICMP types (RFC4890)"
-A AllowICMPs -s fe80::/10 -p 58 --icmpv6-type 143 -j ACCEPT -m comment
--comment "Needed ICMP types (RFC4890)"
-A AllowICMPs -p 58 --icmpv6-type 148 -j ACCEPT -m comment --comment
"Needed ICMP types (RFC4890)"
-A AllowICMPs -p 58 --icmpv6-type 149 -j ACCEPT -m comment --comment
"Needed ICMP types (RFC4890)"
-A AllowICMPs -s fe80::/10 -p 58 --icmpv6-type 151 -j ACCEPT -m comment
--comment "Needed ICMP types (RFC4890)"
-A AllowICMPs -s fe80::/10 -p 58 --icmpv6-type 152 -j ACCEPT -m comment
--comment "Needed ICMP types (RFC4890)"
-A AllowICMPs -s fe80::/10 -p 58 --icmpv6-type 153 -j ACCEPT -m comment
--comment "Needed ICMP types (RFC4890)"
-A Broadcast -d 2001:XXXX:YYYY:0:: -j DROP
-A Broadcast -d 2001:XXXX:YYYY:0:ffff:ffff:ffff:ffff/121 -j DROP
-A Broadcast -d 2a02:XXXX:YYYY:f972:: -j DROP
-A Broadcast -d 2a02:XXXX:YYYY:f972:ffff:ffff:ffff:ffff/121 -j DROP
-A Broadcast -d ff00::/8 -j DROP
-A Reject
-A Reject -p 58 -j AllowICMPs
-A Reject -j Broadcast
-A Reject -m conntrack --ctstate INVALID -j DROP
-A Reject -p 17 -m multiport --dports 135,445 -g reject -m comment
--comment "SMB"
-A Reject -p 17 --dport 137:139 -g reject -m comment --comment "SMB"
-A Reject -p 17 --dport 1024:65535 --sport 137 -g reject -m comment
--comment "SMB"
-A Reject -p 6 -m multiport --dports 135,139,445 -g reject -m comment
--comment "SMB"
-A Reject -p 17 --dport 1900 -j DROP -m comment --comment "UPnP"
-A Reject -p 6 ! --syn -j DROP
-A Reject -p 17 --sport 53 -j DROP -m comment --comment "Late DNS Replies"
-A cbl-dsl -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A cbl-dsl -j Reject
-A cbl-dsl -j LOG --log-level 6 --log-prefix "Shorewall:cbl-dsl:REJECT:"
-A cbl-dsl -g reject
-A cbl-fw -m conntrack --ctstate NEW,INVALID,UNTRACKED -j dynamic
-A cbl-fw -p tcp -j tcpflags
-A cbl-fw -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A cbl-fw -j Reject
-A cbl-fw -j LOG --log-level 6 --log-prefix "Shorewall:cbl-fw:REJECT:"
-A cbl-fw -g reject
-A cbl-int -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A cbl-int -j Reject
-A cbl-int -j LOG --log-level 6 --log-prefix "Shorewall:cbl-int:REJECT:"
-A cbl-int -g reject
-A cbl_frwd -o eth2 -g sfilter
-A cbl_frwd -m conntrack --ctstate NEW,INVALID,UNTRACKED -j dynamic
-A cbl_frwd -p tcp -j tcpflags
-A cbl_frwd -o eth1 -j cbl-dsl
-A cbl_frwd -o eth0 -j cbl-int
-A dsl-cbl -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A dsl-cbl -j Reject
-A dsl-cbl -j LOG --log-level 6 --log-prefix "Shorewall:dsl-cbl:REJECT:"
-A dsl-cbl -g reject
-A dsl-fw -m conntrack --ctstate NEW,INVALID,UNTRACKED -j dynamic
-A dsl-fw -p tcp -j tcpflags
-A dsl-fw -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A dsl-fw -p 58 -j ACCEPT
-A dsl-fw -j Reject
-A dsl-fw -j LOG --log-level 6 --log-prefix "Shorewall:dsl-fw:REJECT:"
-A dsl-fw -g reject
-A dsl-int -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A dsl-int -j Reject
-A dsl-int -j LOG --log-level 6 --log-prefix "Shorewall:dsl-int:REJECT:"
-A dsl-int -g reject
-A dsl_frwd -o eth1 -g sfilter
-A dsl_frwd -m conntrack --ctstate NEW,INVALID,UNTRACKED -j dynamic
-A dsl_frwd -p tcp -j tcpflags
-A dsl_frwd -o eth2 -j dsl-cbl
-A dsl_frwd -o eth0 -j dsl-int
-A fw-cbl -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A fw-cbl -j LOG --log-level 6 --log-prefix "Shorewall:fw-cbl:ACCEPT:"
-A fw-cbl -j ACCEPT
-A fw-dsl -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A fw-dsl -j LOG --log-level 6 --log-prefix "Shorewall:fw-dsl:ACCEPT:"
-A fw-dsl -j ACCEPT
-A fw-int -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A fw-int -p 58 -j ACCEPT
-A fw-int -j LOG --log-level 6 --log-prefix "Shorewall:fw-int:ACCEPT:"
-A fw-int -j ACCEPT
-A int-cbl -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A int-cbl -j LOG --log-level 6 --log-prefix "Shorewall:int-cbl:ACCEPT:"
-A int-cbl -j ACCEPT
-A int-dsl -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A int-dsl -j LOG --log-level 6 --log-prefix "Shorewall:int-dsl:ACCEPT:"
-A int-dsl -j ACCEPT
-A int-fw -m conntrack --ctstate NEW,INVALID,UNTRACKED -j dynamic
-A int-fw -p tcp -j tcpflags
-A int-fw -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A int-fw -j LOG --log-level 6 --log-prefix "Shorewall:int-fw:ACCEPT:"
-A int-fw -j ACCEPT
-A int_frwd -o eth0 -g sfilter
-A int_frwd -m conntrack --ctstate NEW,INVALID,UNTRACKED -j dynamic
-A int_frwd -p tcp -j tcpflags
-A int_frwd -o eth1 -j int-dsl
-A int_frwd -o eth2 -j int-cbl
-A logdrop -j DROP
-A logflags -j LOG --log-ip-options --log-level 6 --log-prefix
"Shorewall:logflags:DROP:"
-A logflags -j DROP
-A logreject -j reject
-A reject -d 2001:XXXX:YYYY:0:: -j DROP
-A reject -d 2001:XXXX:YYYY:0:ffff:ffff:ffff:ffff/121 -j DROP
-A reject -d 2a02:XXXX:YYYY:f972:: -j DROP
-A reject -d 2a02:XXXX:YYYY:f972:ffff:ffff:ffff:ffff/121 -j DROP
-A reject -s ff00::/8 -j DROP
-A reject -p 2 -j DROP
-A reject -p 6 -j REJECT --reject-with tcp-reset
-A reject -p 17 -j REJECT
-A reject -p 58 -j REJECT --reject-with icmp6-addr-unreachable
-A reject -j REJECT --reject-with icmp6-adm-prohibited
-A sfilter -j LOG --log-level 6 --log-prefix "Shorewall:sfilter:DROP:"
-A sfilter -j DROP
-A tcpflags -p tcp --tcp-flags ALL FIN,URG,PSH -g logflags
-A tcpflags -p tcp --tcp-flags ALL NONE -g logflags
-A tcpflags -p tcp --tcp-flags SYN,RST SYN,RST -g logflags
-A tcpflags -p tcp --tcp-flags FIN,RST FIN,RST -g logflags
-A tcpflags -p tcp --tcp-flags SYN,FIN SYN,FIN -g logflags
-A tcpflags -p tcp --tcp-flags ACK,PSH,FIN PSH,FIN -g logflags
-A tcpflags -p tcp --syn --sport 0 -g logflags
COMMIT

# dmesg
[...]
[5944577.629325] xt_addrtype: ipv6 does not support BROADCAST matching
[5944579.777435] x_tables: ip6_tables: SNPT target: used from hooks
PREROUTING, but only usable from INPUT/POSTROUTING

The problem is the following line in /etc/shorewall6/mangle:

IP6TABLES(SNPT --src-pfx fdae:fa7:dead:beef:0:0:0:0/64 --dst-pfx 2001:XXXX:YYYY:100:0:0:0:0/64 ):P
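As an added example (not Shorewall's own code, and not from anyone in this thread), a small Python helper that applies the two fixes the thread arrives at: it writes prefixes out in full so the IP6TABLES parser never sees "::", and it flags an SNPT/DNPT mangle rule whose chain designator the kernel will refuse, as the dmesg line above reports for SNPT in PREROUTING. Assumptions: the shorewall-mangle(5) chain letters P/I/F/O/T, DNPT being accepted only from PREROUTING/OUTPUT (the counterpart of the SNPT restriction), the SOURCE/DEST column placement in the generated lines, and the constructed provider prefix 2001:db8:1:100::/64 standing in for the masked one.

```python
"""Lint and generate NPTv6 entries for /etc/shorewall6/mangle.

Added example, not Shorewall code.  Assumed: chain designators from
shorewall-mangle(5) (:P PREROUTING, :I INPUT, :F FORWARD, :O OUTPUT,
:T POSTROUTING) and the xt_NPT hook restrictions (SNPT only from
INPUT/POSTROUTING, as the dmesg line in the thread says; DNPT only from
PREROUTING/OUTPUT).
"""
import ipaddress
import re

CHAIN_NAMES = {"P": "PREROUTING", "I": "INPUT", "F": "FORWARD",
               "O": "OUTPUT", "T": "POSTROUTING"}
ALLOWED_CHAINS = {"SNPT": {"I", "T"}, "DNPT": {"P", "O"}}

# ACTION column of a mangle line: IP6TABLES(<target> --src-pfx X --dst-pfx Y ):<chain>
_RULE = re.compile(
    r"IP6TABLES\((SNPT|DNPT)\s+--src-pfx\s+(\S+)\s+--dst-pfx\s+(\S+)\s*\):([PIFOT])"
)


def expand_prefix(prefix: str) -> str:
    """Write every hextet out so the IP6TABLES parser never sees '::'.

    'fdae:fa7:dead:beef::/64' -> 'fdae:fa7:dead:beef:0:0:0:0/64'
    (the form Tom suggested: no '::', leading zeros inside hextets dropped).
    """
    net = ipaddress.IPv6Network(prefix, strict=False)
    hextets = net.network_address.exploded.split(":")   # eight zero-padded hextets
    return ":".join(format(int(h, 16), "x") for h in hextets) + f"/{net.prefixlen}"


def lint_mangle_line(line: str) -> list:
    """Return the problems in one IP6TABLES(SNPT|DNPT ...) mangle line.

    Catches the two failures seen in the thread: compressed addresses
    (rejected by the IP6TABLES parser as 'Invalid ACTION') and a target
    hooked in a chain the kernel refuses (ip6tables-restore then fails).
    """
    m = _RULE.search(line)
    if not m:
        return ["not an IP6TABLES SNPT/DNPT rule with --src-pfx/--dst-pfx"]
    target, src, dst, chain = m.groups()
    try:
        src_net = ipaddress.IPv6Network(src, strict=False)
        dst_net = ipaddress.IPv6Network(dst, strict=False)
    except ValueError as exc:
        return [f"unparsable prefix: {exc}"]
    problems = []
    for pfx in (src, dst):
        if "::" in pfx:
            problems.append(f"compressed address {pfx}: write it as {expand_prefix(pfx)}")
    if src_net.prefixlen != dst_net.prefixlen:
        problems.append("--src-pfx and --dst-pfx must have the same length")
    if chain not in ALLOWED_CHAINS[target]:
        ok = "/".join(CHAIN_NAMES[c] for c in sorted(ALLOWED_CHAINS[target]))
        problems.append(f"{target} used from {CHAIN_NAMES[chain]}, but only usable from {ok}")
    return problems


def npt_mangle_lines(internal_pfx: str, external_pfx: str, external_iface: str) -> list:
    """Both directions of one prefix translation, with expanded prefixes.

    DNPT rewrites the destination of packets arriving on the provider
    interface (PREROUTING, interface in the SOURCE column); SNPT rewrites
    the source of packets leaving on it (POSTROUTING, internal prefix in
    SOURCE and the interface in DEST -- column placement assumed).
    """
    int_net = expand_prefix(internal_pfx)
    ext_net = expand_prefix(external_pfx)
    dnpt = f"IP6TABLES(DNPT --src-pfx {ext_net} --dst-pfx {int_net} ):P {external_iface} - - -"
    snpt = f"IP6TABLES(SNPT --src-pfx {int_net} --dst-pfx {ext_net} ):T {int_net} {external_iface} - -"
    return [dnpt, snpt]


if __name__ == "__main__":
    # Constructed input: the failing line from the thread, with the masked
    # provider prefix replaced by a documentation prefix.
    bad = ("IP6TABLES(SNPT --src-pfx fdae:fa7:dead:beef::/64 "
           "--dst-pfx 2001:db8:1:100::/64 ):P eth0 - - -")
    for problem in lint_mangle_line(bad):
        print("problem:", problem)
    for line in npt_mangle_lines("fdae:fa7:dead:beef::/64", "2001:db8:1:100::/64", "eth1"):
        print(line, "->", lint_mangle_line(line) or "ok")
```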
Tom Eastep
2017-01-07 20:30:16 UTC
Post by Tom Eastep
Post by Tom Eastep
Post by Tom Eastep
Did you add DNPT as a nat builtin action in
/etc/shorewall6/actions?
I meant 'mangle' rather than 'nat'.
sure
"Shorewall:dsl-fw:REJECT:" -A dsl-fw -g reject -A dsl-int -m
conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT -A dsl-int -j
Reject -A dsl-int -j LOG --log-level 6 --log-prefix
"Shorewall:dsl-int:REJECT:" -A dsl-int -g reject -A dsl_frwd -o
eth1 -g sfilter -A dsl_frwd -m conntrack --ctstate
NEW,INVALID,UNTRACKED -j dynamic -A dsl_frwd -p tcp -j tcpflags -A
dsl_frwd -o eth2 -j dsl-cbl -A dsl_frwd -o eth0 -j dsl-int -A
fw-cbl -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT -A
fw-cbl -j LOG --log-level 6 --log-prefix
"Shorewall:fw-cbl:ACCEPT:" -A fw-cbl -j ACCEPT -A fw-dsl -m
conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT -A fw-dsl -j LOG
--log-level 6 --log-prefix "Shorewall:fw-dsl:ACCEPT:" -A fw-dsl -j
ACCEPT -A fw-int -m conntrack --ctstate ESTABLISHED,RELATED -j
ACCEPT -A fw-int -p 58 -j ACCEPT -A fw-int -j LOG --log-level 6
--log-prefix "Shorewall:fw-int:ACCEPT:" -A fw-int -j ACCEPT -A
int-cbl -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT -A
int-cbl -j LOG --log-level 6 --log-prefix
"Shorewall:int-cbl:ACCEPT:" -A int-cbl -j ACCEPT -A int-dsl -m
conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT -A int-dsl -j LOG
--log-level 6 --log-prefix "Shorewall:int-dsl:ACCEPT:" -A int-dsl
-j ACCEPT -A int-fw -m conntrack --ctstate NEW,INVALID,UNTRACKED -j
dynamic -A int-fw -p tcp -j tcpflags -A int-fw -m conntrack
--ctstate ESTABLISHED,RELATED -j ACCEPT -A int-fw -j LOG
--log-level 6 --log-prefix "Shorewall:int-fw:ACCEPT:" -A int-fw -j
ACCEPT -A int_frwd -o eth0 -g sfilter -A int_frwd -m conntrack
--ctstate NEW,INVALID,UNTRACKED -j dynamic -A int_frwd -p tcp -j
tcpflags -A int_frwd -o eth1 -j int-dsl -A int_frwd -o eth2 -j
int-cbl -A logdrop -j DROP -A logflags -j LOG --log-ip-options
--log-level 6 --log-prefix "Shorewall:logflags:DROP:" -A logflags
-j DROP -A logreject -j reject -A reject -d 2001:XXXX:YYYY:0:: -j
DROP -A reject -d 2001:XXXX:YYYY:0:ffff:ffff:ffff:ffff/121 -j DROP
-A reject -d 2a02:XXXX:YYYY:f972:: -j DROP -A reject -d
2a02:XXXX:YYYY:f972:ffff:ffff:ffff:ffff/121 -j DROP -A reject -s
ff00::/8 -j DROP -A reject -p 2 -j DROP -A reject -p 6 -j REJECT
--reject-with tcp-reset -A reject -p 17 -j REJECT -A reject -p 58
-j REJECT --reject-with icmp6-addr-unreachable -A reject -j REJECT
--reject-with icmp6-adm-prohibited -A sfilter -j LOG --log-level 6
--log-prefix "Shorewall:sfilter:DROP:" -A sfilter -j DROP -A
tcpflags -p tcp --tcp-flags ALL FIN,URG,PSH -g logflags -A tcpflags
-p tcp --tcp-flags ALL NONE -g logflags -A tcpflags -p tcp
--tcp-flags SYN,RST SYN,RST -g logflags -A tcpflags -p tcp
--tcp-flags FIN,RST FIN,RST -g logflags -A tcpflags -p tcp
--tcp-flags SYN,FIN SYN,FIN -g logflags -A tcpflags -p tcp
--tcp-flags ACK,PSH,FIN PSH,FIN -g logflags -A tcpflags -p tcp
--syn --sport 0 -g logflags COMMIT
# dmesg
[...]
[5944577.629325] xt_addrtype: ipv6 does not support BROADCAST matching
[5944579.777435] x_tables: ip6_tables: SNPT target: used from hooks PREROUTING, but only usable from INPUT/POSTROUTING
IP6TABLES(SNPT --src-pfx fdae:fa7:dead:beef:0:0:0:0/64 --dst-pfx 2001:XXXX:YYYY:100:0:0:0:0/64 ):P
That should be :T, not :P

- -Tom
- --
Tom Eastep \ When I die, I want to go like my Grandfather who
Shoreline, \ died peacefully in his sleep. Not screaming like
Washington, USA \ all of the passengers in his car
http://shorewall.net \________________________________________________
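The dmesg line quoted above is the kernel refusing an SNPT rule that the :P designator placed behind the PREROUTING hook; xt_NPT accepts SNPT only from INPUT/POSTROUTING and DNPT only from PREROUTING/OUTPUT, and the mangle chain designator decides which hook a Shorewall rule ends up behind. As an added example (not code from the thread and not part of Shorewall), the Python script below reads an ip6tables-save dump of the mangle table, works out which built-in hooks can reach every user chain by following -j/-g jumps, and reports NPT rules that sit behind a hook the kernel rejects. The dump is constructed: the chain names tcpre and tcpost follow Shorewall's convention for :P and :T rules, and 2001:db8:100::/64 is a documentation prefix standing in for the provider prefix.

```python
"""Flag NPTv6 (SNPT/DNPT) rules reachable from a hook the kernel rejects.

Added example, not code from the thread or from Shorewall. It parses
ip6tables-save text, resolves which built-in hooks can enter each user
chain, and reports SNPT/DNPT rules that sit behind a disallowed hook.
"""
import shlex

# Hooks from which xt_NPT accepts each target (the dmesg line in the thread
# shows the kernel refusing SNPT from PREROUTING for exactly this reason).
ALLOWED_HOOKS = {
    "SNPT": {"INPUT", "POSTROUTING"},
    "DNPT": {"PREROUTING", "OUTPUT"},
}
BUILTIN = {"PREROUTING", "INPUT", "FORWARD", "OUTPUT", "POSTROUTING"}

# Constructed mangle table. tcpre/tcpost follow Shorewall's chain names for
# ":P" and ":T" rules; 2001:db8:100::/64 is a documentation prefix standing
# in for the provider prefix from the thread.
SAMPLE_DUMP = """\
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:tcpre - [0:0]
:tcpost - [0:0]
-A PREROUTING -j tcpre
-A POSTROUTING -j tcpost
-A tcpre -s fdae:fa7:dead:beef::/64 -j SNPT --src-pfx fdae:fa7:dead:beef::/64 --dst-pfx 2001:db8:100::/64
-A tcpre -d 2001:db8:100::/64 -j DNPT --src-pfx 2001:db8:100::/64 --dst-pfx fdae:fa7:dead:beef::/64
-A tcpost -s fdae:fa7:dead:beef::/64 -j SNPT --src-pfx fdae:fa7:dead:beef::/64 --dst-pfx 2001:db8:100::/64
COMMIT
"""


def parse_table(dump, table_name):
    """Return (declared chains, [(chain, option tokens)]) for one table."""
    chains, rules, current = set(), [], None
    for raw in dump.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line == "COMMIT":
            continue
        if line.startswith("*"):            # "*mangle" starts a table
            current = line[1:]
        elif current != table_name:
            continue
        elif line.startswith(":"):          # ":tcpre - [0:0]" declares a chain
            chains.add(line[1:].split()[0])
        elif line.startswith("-A "):
            tokens = shlex.split(line)      # keeps quoted --comment text whole
            rules.append((tokens[1], tokens[2:]))
    return chains, rules


def jump_target(tokens):
    """Target of -j/-g in a rule, or None for a match-only rule."""
    for flag in ("-j", "-g"):
        if flag in tokens:
            return tokens[tokens.index(flag) + 1]
    return None


def hooks_reaching(chains, rules):
    """Map each chain to the set of built-in hooks it can be entered from."""
    reach = {c: ({c} if c in BUILTIN else set()) for c in chains}
    changed = True
    while changed:                          # propagate along -j/-g edges to a fixpoint
        changed = False
        for chain, tokens in rules:
            target = jump_target(tokens)
            if target in reach:             # only user/built-in chains, not ACCEPT/SNPT/...
                merged = reach[target] | reach.get(chain, set())
                if merged != reach[target]:
                    reach[target] = merged
                    changed = True
    return reach


def find_misplaced_npt(dump, table="mangle"):
    """List (chain, target, [bad hooks]) for NPT rules behind a wrong hook."""
    chains, rules = parse_table(dump, table)
    reach = hooks_reaching(chains, rules)
    findings = []
    for chain, tokens in rules:
        target = jump_target(tokens)
        if target in ALLOWED_HOOKS:
            bad = reach.get(chain, set()) - ALLOWED_HOOKS[target]
            if bad:
                findings.append((chain, target, sorted(bad)))
    return findings


if __name__ == "__main__":
    for chain, target, hooks in find_misplaced_npt(SAMPLE_DUMP):
        print(f"{target} in chain {chain} is reachable from {hooks}; "
              f"allowed hooks: {sorted(ALLOWED_HOOKS[target])}")
```

On the sample it reports the SNPT rule in tcpre (reachable from PREROUTING) and accepts the same rule in tcpost, which is the difference between :P and :T in the thread; the DNPT rule in tcpre is fine because the reverse translation belongs before routing. Running it against `ip6tables-save -t mangle` output from a Shorewall box lets you catch the mistake before ip6tables-restore fails.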
Luke Jordan
2017-01-08 03:58:33 UTC
Permalink
Post by Tom Eastep
That should be :T, not :P
Sorry, my fail. With :t it is running.
Luke Jordan
2017-01-08 03:57:29 UTC
Permalink
Post by Tom Eastep
I have two providers, IPv6Beta and HE.
USE_DEFAULT_RT=Yes
IPv6Beta 1 0x100 - eth0 fe80::22e5:2aff:feb7:f2cf\
track,primary,loose,persistent
HE 2 0x200 - sit1 - track,fallback,persistent
Most local networks have IPv6 addresses delegated by the router on
eth0 and are in 2601:601:8b00:bf0::/60 (as is the address of eth0)
I have one local network that has addresses routed via sit1
(2001:470:b:227::/64). The IP address of sit1 is 2001:470:a:227::2
SNAT(&sit1) 2601:601:8b00:bf0::/60 sit1
SNAT(&eth0) 2001:470:b:227::/64,2001:470:a:227::2 eth0
When I was running a version of Shorewall that still used the masq
sit1 2601:601:8b00:bf0::/60 &sit1
IPv6Beta 2001:470:b:227::/64,2001:470:a:227::2 &eth0
2001:470:B:227::/64 ::/0 HE 11000
2601:601:8b00:bf0::/60 ::/0 IPv6Beta 11000
OK, NPT is ugly because it is stateless. It runs with Shorewall, but it is
really bad.

In Shorewall (IPv4) I have a multi-homing setup with two providers. The
configuration in /etc/shorewall/mangle decides which destination
(IP/port) should connect over which provider. An
/etc/shorewall/rtrules doesn't exist.

256 (0x100): Provider A
512 (0x200): Provider B

/etc/shorewall/mangle:
MARK(512):P 10.0.0.0/11 0.0.0.0/0 - -
MARK(256):P 10.0.0.0/11 0.0.0.0/0 tcp 22,47238,52486
MARK(256):P 10.0.0.0/11 1.1.1.1 tcp 80,443
MARK(256):P 10.0.0.0/11 2.2.2.2 tcp 80,443
MARK(256):P 10.0.0.0/11 3.3.3.3 - -
MARK(256):P 10.0.0.0/11 4.4.4.4 - -
MARK(256):P 10.1.2.1 5.5.5.5 - -

Now I would like to have this for IPv6 with an internal prefix
(fdae:fa7:dead:beef::/64) and two provider prefixes
(2001:aaaa:bbbb:100::/64 and 2a02:cccc:dddd:eeee::/64).

Is it possible with your SNAT solution?
Which other solutions (stateful) are possible?
Tom Eastep
2017-01-09 16:28:01 UTC
Permalink
Post by Luke Jordan
Post by Tom Eastep
I have two providers, IPv6Beta and HE.
USE_DEFAULT_RT=Yes
IPv6Beta 1 0x100 - eth0 fe80::22e5:2aff:feb7:f2cf\
track,primary,loose,persistent
HE 2 0x200 - sit1 - track,fallback,persistent
Most local networks have IPv6 addresses delegated by the router
on eth0 and are in 2601:601:8b00:bf0::/60 (as is the address of
eth0)
I have one local network that has addresses routed via sit1
(2001:470:b:227::/64). The IP address of sit1 is
2001:470:a:227::2
SNAT(&sit1) 2601:601:8b00:bf0::/60 sit1
SNAT(&eth0) 2001:470:b:227::/64,2001:470:a:227::2 eth0
When I was running a version of Shorewall that still used the
sit1 2601:601:8b00:bf0::/60 &sit1
IPv6Beta 2001:470:b:227::/64,2001:470:a:227::2 &eth0
2001:470:B:227::/64 ::/0 HE 11000
2601:601:8b00:bf0::/60 ::/0 IPv6Beta 11000
OK, NPT is ugly because it is stateless. It runs with Shorewall, but
it is really bad.
In Shorewall (IPv4) I have a multi-homing setup with two
providers. The configuration in /etc/shorewall/mangle decides
which destination (IP/port) should connect over which provider. An
/etc/shorewall/rtrules doesn't exist.
256 (0x100): Provider A
512 (0x200): Provider B
/etc/shorewall/mangle:
MARK(512):P 10.0.0.0/11 0.0.0.0/0 - -
MARK(256):P 10.0.0.0/11 0.0.0.0/0 tcp 22,47238,52486
MARK(256):P 10.0.0.0/11 1.1.1.1 tcp 80,443
MARK(256):P 10.0.0.0/11 2.2.2.2 tcp 80,443
MARK(256):P 10.0.0.0/11 3.3.3.3 - -
MARK(256):P 10.0.0.0/11 4.4.4.4 - -
MARK(256):P 10.1.2.1 5.5.5.5 - -
Now I would like to have this for IPv6 with an internal prefix
(fdae:fa7:dead:beef::/64) and two provider prefixes
(2001:aaaa:bbbb:100::/64 and 2a02:cccc:dddd:eeee::/64).
Is it possible with your SNAT solution?
Yes. You do it the same way that you do it in IPv4.
Post by Luke Jordan
which other solutions (statefull) are possible?
There is stateful NETMAP available in Shorewall 5.1.0, but that
requires both upstream routers to delegate a subnet to the Shorewall
box (given how restricted proxy NDP is compared to proxy ARP).

- -Tom
- --
Tom Eastep \ When I die, I want to go like my Grandfather who
Shoreline, \ died peacefully in his sleep. Not screaming like
Washington, USA \ all of the passengers in his car
http://shorewall.net \________________________________________________
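Tom's answer is that the IPv6 setup mirrors the IPv4 one: mark connections in the mangle file by destination so the provider's routing table is chosen, and let a per-interface SNAT entry rewrite the source to an address in that provider's prefix. Unlike NPTv6 this is conntrack-based, so replies are matched to the connection that created the mapping. As an added example, not from the thread and not Shorewall's own documentation, the three fragments below sketch that for the prefixes Luke named; 2001:aaaa:bbbb:100::/64 and 2a02:cccc:dddd:eeee::/64 are the thread's own placeholders, while the provider names ProvA/ProvB, the interfaces eth1/eth2, the link-local gateways, and the destination prefix 2001:db8::/32 are assumptions. The column layout follows the providers, mangle and snat lines quoted earlier in the thread.

```text
# /etc/shorewall6/providers   (NAME NUMBER MARK DUPLICATE INTERFACE GATEWAY OPTIONS)
# eth1 carries 2001:aaaa:bbbb:100::/64, eth2 carries 2a02:cccc:dddd:eeee::/64 (assumed)
ProvA 1 0x100 - eth1 fe80::1 track,primary,loose,persistent
ProvB 2 0x200 - eth2 fe80::1 track,fallback,persistent

# /etc/shorewall6/mangle      (ACTION SOURCE DEST PROTO DPORT)
# Default: everything from the internal ULA prefix leaves via Provider B ...
MARK(512):P fdae:fa7:dead:beef::/64 - - -
# ... except SSH and web traffic to one destination prefix, which go via Provider A
MARK(256):P fdae:fa7:dead:beef::/64 - tcp 22
MARK(256):P fdae:fa7:dead:beef::/64 2001:db8::/32 tcp 80,443

# /etc/shorewall6/snat        (ACTION SOURCE DEST)
# Stateful SNAT to the address each interface holds in its provider prefix;
# which entry applies is decided by the outgoing interface the mark selected.
SNAT(&eth1) fdae:fa7:dead:beef::/64 eth1
SNAT(&eth2) fdae:fa7:dead:beef::/64 eth2
```

The :P designator keeps the MARK in PREROUTING, where a packet mark has to be set for it to influence the routing decision, and the SNAT is applied in POSTROUTING after that decision has picked eth1 or eth2; this is the same ordering the kernel enforced for SNPT earlier in the thread. The price is the one Tom points at: internal hosts only ever see their ULA address, so anything that needs a globally reachable address on the host itself (inbound connections, referrals in application payloads) does not work through the SNAT, which is why he mentions stateful NETMAP with delegated subnets as the alternative.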