ipv6nat
Member

[ipv6] IPv6 nat

Hi,

I have a question concerning internet sharing behind a firewall.

How could you do this if IPv6 doesn't support NAT?

For the moment I am using ip6tables and Linux, but it has no "-t nat", so I can't route/share my internet with other computers.

So will it be 1 IPv6 address per computer, so 1 modem per computer and 1 plug in the wall per computer?

Has anyone solved this problem yet?

leibold
MVM

Re: [ipv6] IPv6 nat

What problem?

NAT was designed to solve the problem of the IPv4 address shortage. There is no technical reason why it would not be possible to do IPv6 NAT; however, there is simply no need for it.

IPv6 in its current form requires that the smallest block of addresses assigned to a customer is a /64 in order for stateless address autoconfiguration (and some other features) to work. That means that out of the total of 128 bits of an IPv6 address you have 64 bits available to address every networked piece of equipment in your home. To put this in the proper perspective, consider that IPv4 has only 32 bits (or 4 billion addresses) for the entire Internet. You now have 4 billion times as many just for your home. Why would you need NAT when you have more IP addresses than you could ever use?

If you want non-routable IPv6 addresses to be used internally only, check out ULA (Unique Local Addresses, RFC 4193), which are the IPv6 equivalent of private IPv4 addresses (RFC 1918). ULA has replaced site-local addresses (an obsoleted IPv6 feature).
ipv6nat
Member


Thanks for your reply.

But the problem I was referring to is that of sharing an internet connection behind a firewall.

For obvious reasons you would never want to connect your computer directly to the internet. Therefore you use a firewall and then share the connection behind it.

The problem isn't the NAT but how I share the connection behind a firewall. It's a firewall and computers behind it. But since IPv6 has no NAT, correct? I can't. I know there are plenty of IPs, more than. But I can't protect my network or share the connection behind it, behind the firewall.

So how do I share a connection behind a firewall?

I hope you understand what I mean.

leibold
MVM

Internet security with IPv6 is going to be different than what it was with IPv4. The main reason for this is that IPv4 NAT had the side-effect of providing some level of protection even in the absence of a dedicated firewall. However, I expect that the default configuration for IPv6 firewalls will match the level of security provided by NAT (no restriction on outgoing traffic and everything except expected responses blocked on incoming traffic).

With NAT the security is provided by a router (a layer 3 network device). However, even in IPv4 a firewall doesn't have to be a router node in the network. It is possible to have a so-called transparent firewall that is physically located between the internal network and the Internet modem without performing any routing function (it appears as a layer 2 bridge on the network). This may be necessary in cases where the router doesn't have a firewall or additional security is desired.

With IPv6 it is likely that the CPE (customer premises equipment, e.g. cable or DSL modem) is performing routing and firewall functionality (just like many do today for IPv4). The CPE will have an ISP-provided IPv6 WAN address that will be different from the /64 block of addresses assigned to you. On the LAN side the CPE will issue global IPv6 addresses to the network equipment in your home (using either SLAAC or DHCPv6 or a combination of both). Similar to the firewall in an IPv4 NAT router, the firewall in such a CPE is going to be part of the internal router. Even without NAT, these firewalls are most likely going to be stateful firewalls, meaning that they keep track of all requests made from hosts on the internal network and only permit responses back in that relate to those requests. The only real difference is that the CPE won't have to change the IP addresses within the packets moving through it. Adding custom rules that apply to all your equipment in the home should be easy since all will have the same 64-bit address prefix.
annoyingrob to ipv6nat
Member

said by ipv6nat:

The problem isn't the nat but how do I share connection behind a firewall. Its firewall and computers behind it. But since ipv6 has no nat, correct? I can't. I know there are plenty of IPs, more than. But I can't protect my network or share connection behind it, behind the

Yes you can. Unfortunately these days firewalls and NAT are used interchangeably. A firewall is known to most people as "that box that allows multiple computers to connect to a single internet connection". That's not the case. A firewall is simply a device that monitors the traffic and decides whether it should let it through or block it.

There's nothing wrong with having, say, 20 devices in your house with unique IP addresses all connecting into your router/firewall, and connecting to the internet. The only difference is that instead of having a single external address and a whole bunch of internal IP addresses, every computer has its own external IP address, and there is no such thing as an internal IP address anymore.

It's pretty easy to set the firewall up in these situations with something like "ignore incoming connections that weren't initiated from within", and suddenly your security is back up to what it was with just NAT.
ipv6nat
Member

Yes, but I'm talking about sharing through a firewall. I can't put a/the same firewall on each machine performing the same type of action.

About the second paragraph, I only mean dedicated Linux firewalls, not NAT routers/modems. But even so, as you said, the physical firewall separating those two networks. How could you write that in, let's say, ip6tables?

And about the last part, I guess you still mean that the machines will be connected directly to the internet, even if they get separate IP addresses or so.
Even the routers/modems/firewalls you describe do some NAT, so it has to do it somehow. Otherwise it is only 1 modem and 1 machine, right?
druber
Member

You aren't getting it. Each machine has a unique, publicly routable IPv6 address. The firewall would sit between all of them and the internet. This is exactly what is done when a site has a routable subnet: they still have a firewall protecting the whole site.

dslcreature to ipv6nat
Premium Member

said by ipv6nat:

Hi,

I have a question concerning internet sharing behind a firewall.

How could you do this if IPv6 doesn't support NAT?

There are some kernel patches to do full cone (stateless) NAT however restricted (IP sharing) is thankfully not likely to be available anytime soon. I believe netfilter folks have been quoted as saying "over my dead body"...

All a firewall does is apply policy and logging for data moving between the Internet and hosts on your network.

In the IPv6 universe each host on your network gets a globally unique, globally routable address in addition to or instead of an internal address. The firewall just sits in the middle and makes judgements on data moving between the Internet and the host without rewriting or otherwise mangling packets (NAT) in the process.

Linux ip6tables supports stateful packet filtering for IPv6 so you get the same "security" properties as IPv4 NAT.
ipv6nat
Member

Alright. So let's say I have 10 machines and get/have 10 unique global IPv6 addresses.

How would I route it through 1 firewall machine to each of those computers behind it with ip6tables?

With iptables4 I would use "-t nat --eth0 out" and "--eth1 in" (basically); this is why I ask.

leibold
MVM

Two possibilities:

1.) CPE is configured as bridge and connected to eth1 on the Linux firewall machine. Eth1 is configured with the WAN IP address and eth0 is configured with one of the IP addresses from the /64 block assigned to you by your ISP. You run radvd (configured for eth0) to advertise IPv6 routing capability and the /64 prefix to your internal machines.
The 10 internal machines are connected to the same switch as eth0 on the Linux firewall machine. You turn on IPv6 forwarding to enable routing on the Linux firewall machine. The default chains in ip6tables are the same as in iptables for IPv4: INPUT controls packets coming through any interface and are destined for the firewall machine itself. OUTPUT controls packets generated on the firewall machine and leaving through any interface. FORWARD controls packets that are being routed through the firewall machine (e.g.: from eth0 to eth1 or vice versa).

2.) The CPE is already performing the routing (and perhaps even firewall) but you want to use a Linux firewall machine for additional security. Again the physical setup is the same with the CPE connected to eth1 on the Linux firewall machine. Also again the 10 internal machines are connected to the same switch as eth0 on the Linux firewall machine. However this time the Linux firewall machine will not be a router since that function is already performed by the CPE. You do not assign any addresses to eth0 or eth1, instead you create a bridge group br0 and assign eth0 and eth1 as members to that bridge group. In order to use the Linux machine as a firewall you need to use ebtables (Ethernet Bridge Tables) which allows filtering at the Ethernet Frame level instead of the IP Packet level. However since you really want to filter IP packets you would also load the br-nf module (Bridge-Netfilter) which causes bridged IP packets to pass through the iptables chains. At this point you have a fully functional transparent firewall that is so secure that you can't access it from the network (remember that we didn't give it any IP address yet). You could give it one more network card (eth2) for out-of-band management access but you also can use the br0 interface and assign it an IP address (the physical interfaces that are members of a bridge group should not be given IP addresses).
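Option 2 written out as an added example; these are not leibold's own commands and nothing in the thread gives them. It builds br0 from eth0 and eth1, turns on bridge-netfilter so that bridged IPv6 packets traverse the ip6tables FORWARD chain, and loads a policy keyed on the physical bridge ports (plain -i/-o would both be br0). The prefix 2001:db8:1:2::/64, the optional management address and the function names bridge_setup/filter_rules are assumptions; br_netfilter is the module name on current kernels, older kernels built bridge-netfilter into the bridge module itself.

```shell
#!/bin/sh
# Added example (not from the thread): a transparent bridging Linux firewall.
# eth1 faces the CPE, eth0 faces the LAN switch; neither carries an IPv6
# address. Only br0 may get one, for management. Prefix and addresses are
# assumptions taken from the 2001:db8::/32 documentation range.
WAN_IF="${WAN_IF:-eth1}"
LAN_IF="${LAN_IF:-eth0}"
BR_IF="${BR_IF:-br0}"
LAN_PREFIX="${LAN_PREFIX:-2001:db8:1:2::/64}"   # assumed: the /64 the CPE routes to the LAN
MGMT_ADDR="${MGMT_ADDR:-}"                      # optional: address on br0; empty = unreachable firewall

# Commands that build the bridge and hand bridged IPv6 packets to ip6tables.
# The box is not a router: forwarding stays off, the CPE keeps doing the routing.
bridge_setup() {
    cat <<EOF
ip link add name $BR_IF type bridge
ip link set $WAN_IF master $BR_IF
ip link set $LAN_IF master $BR_IF
ip link set $WAN_IF up
ip link set $LAN_IF up
ip link set $BR_IF up
modprobe br_netfilter
sysctl -w net.bridge.bridge-nf-call-ip6tables=1
sysctl -w net.ipv6.conf.all.forwarding=0
EOF
    if [ -n "$MGMT_ADDR" ]; then
        echo "ip -6 addr add $MGMT_ADDR dev $BR_IF"
    fi
}

# ip6tables rules in ip6tables-restore format, matched on the physical ports.
filter_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
# ICMPv6 must cross the bridge: neighbour discovery and the CPE's router advertisements
-A FORWARD -p icmpv6 -j ACCEPT
# replies to connections opened from the LAN
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# LAN to CPE: anything from our own prefix may leave; other sources are spoofed
-A FORWARD -m physdev --physdev-in $LAN_IF --physdev-out $WAN_IF -s $LAN_PREFIX -j ACCEPT
# CPE to LAN: new connections fall through to the DROP policy
EOF
    if [ -n "$MGMT_ADDR" ]; then
        # management is reachable only via the LAN port, never from the CPE side
        echo "-A INPUT -p icmpv6 -j ACCEPT"
        echo "-A INPUT -m physdev --physdev-in $LAN_IF -s $LAN_PREFIX -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT"
        echo "-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    fi
    echo "COMMIT"
}

# Usage: sh bridgefw.sh apply   (as root) builds the bridge and loads the rules;
# without "apply" it only prints what would be run.
if [ "${1:-}" = "apply" ]; then
    bridge_setup | sh -e
    filter_rules | ip6tables-restore
else
    bridge_setup
    filter_rules
fi
```

With bridge-nf-call-ip6tables on, ebtables is not needed for IP-level filtering. Leave MGMT_ADDR empty for the fully invisible firewall leibold describes, or set it (with its prefix length) to make br0 reachable for SSH from the LAN side only.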
cramer to ipv6nat
Premium Member

Stop thinking about NAT. IPv6 does away with it. That means firewalls will do what firewalls are meant to do... inspect and filter traffic.

In the NAT-filled IPv4 world today, you have a private, non-routed, internal network where all your machines are: 192.168.1.0/24. NAT allows those 256 addresses to appear to be one (or more) public, routed IPv4 addresses. Your firewall doesn't have to be explicitly configured for anything more than "NAT". NAT tells it what to track (in: allow established or related; out: allow all).

IPv6 does away with that "mess". Your network(s) now have public, routed addresses: AAAA:BBBB:CCCC:DDDD::/64. Your firewall has to be explicitly configured to allow/block specific traffic. What used to be handled automatically by connection tracking has to be set up by hand.

I don't know the required commands for iptables. With Cisco IOS it's rather simple... outbound: "permit any any reflect out-mirror" inbound: "evaluate out-mirror, deny any any" (over simplified)
druber to ipv6nat
Member

Again, think of how you would do this with a routable IPv4 subnet. You assign addresses in that subnet to hosts on your LAN, one of which is the gateway/firewall, and is the default gateway for those hosts. The gateway/firewall has a WAN IPv4 address in a different subnet. The ISP routes the LAN subnet to the WAN address of the gateway. This has been around for 20+ years. IPv6 would work the same way. Does that make more sense?

dahan to ipv6nat
Member

You don't use iptables at all, you use the routing tables. But if you're running radvd on the router, you don't have to do anything special on the 10 machines behind the router; just make sure autoconfiguration is on, and they'll 1) get an IPv6 address assigned automatically, and 2) set up their routing tables to route through the router.

The only thing you need to do with ip6tables is to block incoming connection requests and add rules to open certain ports on certain machines if needed. See an iptables (or ip6tables) tutorial for details.

rchandra to ipv6nat
Premium Member

First of all, to quote Morpheus:
Free your mind.
As others have posted, discard entirely any notion of even the need for NAT. I'm also not quite so sure why you think automatically it's a bad idea to connect a host to the Internet. Even the bane of computing, Windows, is relatively good-to-go if kept up-to-date and the firewalling service is running. Now, let's get down to brass tacks.

What you will find most useful on Linux routers and their derivatives (such as Tomato, DD-WRT, etc.) is the state match, in particular the ESTABLISHED and RELATED states. Let's assume your Internet-facing interface is called "v6tun" and your inward-facing interface is "lan0". One of the first rules you want up front in the FORWARD chain is --in-interface v6tun --out-interface lan0 and matching those two states with a --jump ACCEPT. Likewise, with --in-inter v6tun --out-inter lan0 --proto tcp, you would want to see if just the SYN bit is set, and if so, --jump DROP or --jump REJECT as you think appropriate; this would represent outside hosts trying to establish a TCP connection. But before that, you would want to have some rules which --jump ACCEPT for services you want to be reached inside, such as perhaps BitTorrent or ESMTP (the latter being --in-inter v6tun --out-inter lan0 --proto tcp --dport 25 --jump ACCEPT; however, you may wish to qualify that as well by testing the --dest address so that only the host accepting ESMTP will get that traffic).

It will also probably be helpful to allow ICMPv6 through, for neighbor discovery, router solicitations, echo request/reply, etc. You would also probably want to suppress any outgoing packets whose source address is not in your subnet.

So to summarize:

  1. block Martians (packets whose source address is not from your subnet),

  2. let through ICMPv6,

  3. let through protocols you know will be used (and in the case of TCP and UDP, the "port number" in that protocol),

  4. let through established or related packets,

  5. block inbound TCP connection establishment attempts (only the SYN bit set),

  6. let through packets from the inside to the outside (--in-inter lan0 --out-inter v6tun),

  7. block all else.

Blocking everything else can be accomplished by setting the policy for the FORWARD chain to DROP.

Comments/corrections welcomed.

I use a modified version of this on one of my inside hosts to prevent everything except ICMPv6, ident (for IRC), and email. It's also worth considering defense in depth, and putting some firewalling on ALL hosts. It's just usually easier to do that once and in one place: on a firewall machine. For the majority of home networks, firewalling on all hosts would be the most secure but generally overkill.
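The seven steps above as a working ip6tables ruleset for a routed Linux firewall. This is an added example, not rchandra's own script and not anything posted in the thread. v6tun and lan0 are the interface names the post uses; the prefix 2001:db8:1:2::/64 and the mail host 2001:db8:1:2::25 are placeholders from the documentation range, and the function name gen_rules is an assumption.

```shell
#!/bin/sh
# Added example (not rchandra's script, not posted in the thread): the seven
# steps as an ip6tables ruleset for a routed Linux firewall. The prefix and
# the mail host are placeholders from the 2001:db8::/32 documentation range.
WAN_IF="${WAN_IF:-v6tun}"                        # Internet-facing interface
LAN_IF="${LAN_IF:-lan0}"                         # inward-facing interface
LAN_PREFIX="${LAN_PREFIX:-2001:db8:1:2::/64}"    # assumed: the /64 routed to you
MAIL_HOST="${MAIL_HOST:-2001:db8:1:2::25}"       # assumed: the only host that may receive ESMTP

# Prints the ruleset in ip6tables-restore format (the same format as
# annoyingrob's post further down in the thread).
gen_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# the firewall host itself: loopback, ICMPv6 and replies to its own connections
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmpv6 -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# 1. martians: what leaves for the Internet must carry our own prefix ...
-A FORWARD -i $LAN_IF -o $WAN_IF ! -s $LAN_PREFIX -j DROP
#    ... and what arrives from the Internet must not claim to be us
-A FORWARD -i $WAN_IF -o $LAN_IF -s $LAN_PREFIX -j DROP
# 2. ICMPv6: neighbour discovery, router solicitation, path MTU, echo
-A FORWARD -p icmpv6 -j ACCEPT
# 3. services you know will be used: ESMTP, and only to the mail host
-A FORWARD -i $WAN_IF -o $LAN_IF -d $MAIL_HOST -p tcp --dport 25 -j ACCEPT
# 4. established or related packets in either direction
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# 5. inbound TCP connection attempts (SYN only) are answered with a reset
-A FORWARD -i $WAN_IF -o $LAN_IF -p tcp --syn -j REJECT --reject-with tcp-reset
# 6. inside to outside
-A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_PREFIX -j ACCEPT
# 7. everything else meets the FORWARD DROP policy declared above
COMMIT
EOF
}

# Usage: sh v6fw.sh apply   (as root) loads the rules; without "apply" it
# only prints them, which is the easiest way to review the ordering.
if [ "${1:-}" = "apply" ]; then
    gen_rules | ip6tables-restore
else
    gen_rules
fi
```

Because the ESMTP rule (step 3) precedes the SYN reject (step 5), a connection attempt to port 25 on any machine other than the mail host is reset even if that machine runs a listener. Step 5 uses REJECT rather than leaving it to the DROP policy so the outside sees "closed" instead of a silent timeout; swap it for --jump DROP if you prefer the latter, as rchandra leaves open.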
ipv6nat
Member

OK so, dahan, can you type up a functional working script which does that on the firewall machine?
I'm not gonna use the router as some sort of firewall.

And rchandra, what you described is how you use POSTROUTING and PREROUTING in combination with a NAT table, which isn't available. You can't route FORWARD --in-interface and --out-interface; that is not how you use FORWARD. That's POSTROUTING and PREROUTING.

Unless of course you can type up or show a working script to prove that it works, like you said you use.

leibold
MVM

said by ipv6nat:

And rchandra, what you described is how you use POSTROUTING and PREROUTING in combination with a NAT table, which isn't available. You can't route FORWARD --in-interface and --out-interface; that is not how you use FORWARD. That's POSTROUTING and PREROUTING.

rchandra is right.

The PREROUTING and POSTROUTING chains are only applicable to the NAT table. Without NAT you don't even have those chains.
For normal (non-nat) routing, the FORWARD chain is the correct place for firewall filters.
ipv6nat
Member

Alright. Then it's waiting for rchandra to show us the script, if you don't mind.

dahan to ipv6nat
Member

said by ipv6nat:

Ok so, dahan, can you type up a functional working script which does that on the firewall machine?
I'm not gonna use the router as some sort of firewall.

I'm not clear on how you're planning on setting up your network... you're saying you want two separate machines, one doing the routing and one acting as the firewall? That's an odd way of setting things up, and I don't have a script at hand that does that. It can certainly be done though...

Why do you want to set it up that way?
annoyingrob to ipv6nat
Member

Here's my ip6tables. Firewall rules are easy, you just need to supply a blanket rule for your whole prefix.

*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
#Allow internal traffic
-A INPUT -s 2001:470:xxxx:xxxx::/64 -j ACCEPT
 
#Allow SSH, WWW, and Gnutella from outside
-A INPUT -i he-ipv6 -p tcp -m multiport --dports 22,80,27185 -j ACCEPT
-A INPUT -p icmpv6 -j ACCEPT
 
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
 
#Allow outgoing connections from network
-A FORWARD -s 2001:470:xxxx:xxxx::/64 -j ACCEPT
 
#Allow internal machines to be pinged
-A FORWARD -p icmpv6 -j ACCEPT 
#-A FORWARD -p tcp -m multiport --dports 22 -j ACCEPT
 
#Allow non-reserved connections into network
#-A FORWARD -p tcp -m tcp --sport 1024:65535 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT 
 
COMMIT
 
ipv6nat
Member

said by dahan:

I'm not clear on how you're planning on setting up your network... you're saying you want two separate machines, one doing the routing and one acting as the firewall? That's an odd way of setting things up, and I don't have a script at hand that does that. It can certainly be done though...

Why do you want to set it up that way?

No no, I want one machine setup as a firewall and just have the normal computers behind it as you would with ipv4 nat.

ncherry
Premium Member

He wants something like this:


AVonGauss
Premium Member

The part which has been said, but I don't think has clicked yet is that it is no different than routing a normal IPv4 address block.

ncherry
Premium Member

???

The same could be said of Novell's IPX.

Let's face it: engineers take the best of what we've learned and apply it to the new. The problem is that we don't always 'reinvent' the old well enough to fix old problems, or in fixing the problems of the past we break new things.

We're going forward with IPv6, we're at the point where we have no choice.

dahan to ipv6nat
Member

said by ipv6nat:

No no, I want one machine setup as a firewall and just have the normal computers behind it as you would with ipv4 nat.

Ah, OK... you had said in an earlier message, "I'm not gonna use the router as some sort of firewall," which confused me.

So if you're using a single machine running Linux as both your router and firewall, first set up your IPv6 tunnel (e.g., if using tunnelbroker.net, the sample script they give is):
modprobe ipv6
ip tunnel add he-ipv6 mode sit remote 216.218.224.42 local 1.2.3.4 ttl 255
ip link set he-ipv6 up
ip addr add 2001:470:1234:1234::2/64 dev he-ipv6
ip route add ::/0 dev he-ipv6
ip -f inet6 addr
 

Then for the firewall rules, see annoyingrob's post above (Re: [ipv6] IPv6 nat).

And finally, for the routing part, enable packet forwarding (e.g., sysctl -w net.ipv6.conf.all.forwarding=1). Assign your router's internal LAN interface (say eth1) a static IPv6 address (e.g., 2001:470:4321:4321::1). Then to get the Linux box to advertise IPv6 addresses and routes, install radvd, and in /etc/radvd.conf:

interface eth1
{
   AdvSendAdvert on;
   prefix 2001:470:4321:4321::/64
   {
   };
};
 

ncherry
Premium Member

IPv6NAT, I think you need this:

interface eth1
{
   AdvSendAdvert on;
   prefix 2001:470:4321:4321::/64
   {
   };
   route ::/0
   {
   };
};
 
AVonGauss to ncherry
Premium Member

said by ncherry:

???
The same could be said of Novell's IPX.

Conceptually, sure, it's routing; but in this specific thread, no, the routing and the "firewalling" of an IPv6 block being almost the same as for an IPv4 block was my point.

I'm all for moving forward; NAT is an abomination that needs to simply stop, and soon.

dahan to ncherry
Member

Does the addition of the "route ::/0" section actually do anything? The documentation isn't very specific, but it says that "route" is "used to advertise more specific routes", which seems to imply that the default route is already advertised by default. In any case, I don't have that in my radvd.conf, and things work fine. Also, none of the examples/HOWTOs I found online include it.
ipv6nat
Member

quote:
Ah, OK... you had said in an earlier message, "I'm not gonna use the router as some sort of firewall," which confused me.

No, I meant not using the modem/router as a firewall.

I will soon try the script. But how do I port forward? I guess it will be the same routing to ip address and opening or allowing the specific port for it?
I don't want to open 1 port and that would equal to opening it for all machines. I looked through some stuff on the internet on it.

leibold
MVM

said by ipv6nat:

But how do I port forward? I guess it will be the same routing to ip address and opening or allowing the specific port for it?
I don't want to open 1 port and that would equal to opening it for all machines. I looked through some stuff on the internet on it.

Port forwarding is typically done with a NAT firewall. You can still do it without NAT, but it isn't necessary and makes it more complicated. If you want to do port forwarding you would set up the firewall rule to open this one port for the IP address associated with the firewall server. You then either use a userland application such as rinetd or mangle/rewrite firewall rules to get the request from the firewall server to the target server on the LAN and vice versa. The only reason I know of why someone might do port forwarding when they don't have to is to hide the fact that there are any internal servers (all requests are addressed to the firewall server and all responses appear to come from it).

The equivalent behavior is normally achieved with pin-holing: a firewall rule that will permit access to one specific port at one specific IP address on your LAN. It avoids the need for either rinetd or firewall-based manipulation of the packet headers. It is easier to set up and performance is better too.
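A small generator for such pin-hole rules, added here as an example rather than anything leibold or the thread posted. It refuses an entry whose address is a prefix instead of a single host, which is exactly the "open 1 port for all machines" outcome ipv6nat wants to avoid (compare the commented-out "-A FORWARD -p tcp -m multiport --dports 22 -j ACCEPT" in annoyingrob's ruleset, which would admit SSH to every address in the prefix). The interface names v6tun/lan0, the addresses in the constructed sample list and the function names pinhole/pinhole_ruleset are assumptions.

```shell
#!/bin/sh
# Added example (not posted in the thread): generates ip6tables pin-hole rules,
# one port at one LAN address, and refuses entries that would open a port for
# the whole prefix. Interface names, addresses and function names are assumptions.
WAN_IF="${WAN_IF:-v6tun}"
LAN_IF="${LAN_IF:-lan0}"

# pinhole ADDR PROTO PORT
# Prints one FORWARD rule admitting new PROTO connections to PORT at ADDR only.
# Returns 1 and prints no rule if ADDR is a prefix rather than a single host,
# or PROTO/PORT are not sane, so a typo cannot silently expose every machine.
pinhole() {
    addr="$1"; proto="$2"; port="$3"
    case "$addr" in
        */128) addr="${addr%/128}" ;;    # explicit host length: accept and normalise
        */*)   echo "refusing $addr: a prefix would open port $port on every machine" >&2; return 1 ;;
        *:*)   ;;                        # bare IPv6 host address
        *)     echo "refusing $addr: not an IPv6 address" >&2; return 1 ;;
    esac
    case "$proto" in
        tcp|udp) ;;
        *) echo "refusing protocol $proto: only tcp or udp" >&2; return 1 ;;
    esac
    case "$port" in
        ''|*[!0-9]*) echo "refusing port '$port': not a number" >&2; return 1 ;;
    esac
    if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
        echo "refusing port $port: out of range" >&2; return 1
    fi
    echo "-A FORWARD -i $WAN_IF -o $LAN_IF -d $addr -p $proto --dport $port -m conntrack --ctstate NEW -j ACCEPT"
}

# pinhole_ruleset < services
# Reads "addr proto port" lines and prints a complete filter table for
# ip6tables-restore; fails (exit 1) on the first bad entry so nothing is loaded.
pinhole_ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmpv6 -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -p icmpv6 -j ACCEPT
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $LAN_IF -o $WAN_IF -j ACCEPT
EOF
    while read -r a p n; do
        case "$a" in ''|'#'*) continue ;; esac    # skip blank lines and comments
        pinhole "$a" "$p" "$n" || return 1
    done
    echo "COMMIT"
}

# Constructed sample: two web ports on one host, ESMTP on another.
SAMPLE_SERVICES='# addr proto port
2001:db8:1:2::10 tcp 80
2001:db8:1:2::10 tcp 443
2001:db8:1:2::25 tcp 25'

# Usage: sh pinholes.sh apply < services.txt   (as root) loads the rules;
# without "apply" it prints the ruleset built from the sample list.
if [ "${1:-}" = "apply" ]; then
    pinhole_ruleset > /tmp/ip6fw.rules && ip6tables-restore < /tmp/ip6fw.rules
else
    printf '%s\n' "$SAMPLE_SERVICES" | pinhole_ruleset
fi
```

The generated rules match on the destination address as well as the port, so a web server's port 80 is reachable only at that server's address; the ruleset is written to a file first and loaded only if every entry validated, so a bad line leaves the previous rules in place rather than half a table.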
ipv6nat
Member

Well, it's obvious: if I don't, then none of the machines behind it can be accessed, like a webserver, fileserver or mailserver or something equivalent.