Fw3 ip6tables variables or dynamic loading related issues

VxBox · September 3, 2021, 9:27am

Environment: ifconfig -a

br-lan:
inet6 addr: 230e:139:5586:520::100:c669/64 Scope:Global
inet6 addr: fe80::2828:3aff:fe89:c669/64 Scope:Link

Want to implement port forwarding on IPv6

ip6tables -t nat -A PREROUTING -p tcp -d ::c669/::ffff --dport 8580 -j DNAT --to-destination fe80::2828:3aff:fe89:c669:80
ip6tables -t nat -A PREROUTING -p tcp -d ::c669/::ffff --dport 8580 -j REDIRECT --to-ports 80

Try the above two commands separately neither succeeds. But using the following command is successful, I don't know why?

ip6tables -t nat -A PREROUTING -p tcp -d ::c669/::ffff --dport 8580 -j DNAT --to-destination [230e:139:5586:520::100:c669]:80

Because the Global Address of br-lan changes, is there any way to dynamically add rules in the form of variables in the /etc/config/firewall file, or can it be done before loading the /etc/firewall.user file What about some alternative preprocessing?

vgaetera · September 3, 2021, 10:42am

The initial command lacks square brackets around the destination IPv6 address.
Another missing part seems to be a permissive rule for IPv6 DNAT:
NAT6 and IPv6 masquerading > Port forwarding

You should use stable ULA addresses for redirects.
On the other hand, you don't really need redirects if you have a GUA prefix:
fw3 IPv6 configuration examples > Dynamic prefix forwarding

VxBox · September 5, 2021, 3:47am

Thank you, but the above methods have failed after testing. The purpose of dynamically creating fw3 rules can be achieved by using variables in the /etc/firewall.user file. But in the end, after testing, it was found that only
ip6tables -t nat -A PREROUTING -p tcp -d ::c669/::ffff --dport 8580 -j DNAT --to-destination [230e:139:5586:520::100: c669]:80.
This rule succeeds because a rule like
ip6tables -I INPUT -p tcp -d ::c669/::ffff --dport 80 -j ACCEPT
was added to the fw3 rules before. After the rule is deleted, the DNAT rule becomes invalid.

VxBox · September 8, 2021, 7:53am

Finally realized IPv6 Port Forwarding by looking up information

Add a DNAT rule like IPv4 DNAT, such as:

ip6tables -t nat -I PREROUTING -d IPV6_ADDRESS_HERE -p tcp --dport 5000 -j DNAT --to-destination [IPV6_ADDRESS_HERE]:22

In the Filter table of any input chain, add an allowed record that allows data packets whose state is in the DNAT state, and pay attention to the order of the records. The reason for the previous failure was that this rule was not written, or the rule was wrong. for example:

ip6tables -I zone_wan_input -m conntrack --ctstate DNAT -j ACCEPT

A forwarding rule may also need to be made. This rule is not necessary in many cases. for example:

ip6tables -A zone_wan_forward -m conntrack --ctstate DNAT -j zone_(ZONE_NAME)_dest_ACCEPT

There are some errors in the official Port Forwarding sample!

vgaetera · September 8, 2021, 8:16am

Pretty sure the chain of the permissive rule should match the traffic destination:

The forward chain for destinations behind the router.
The input chain when the destination is the router itself.

VxBox · September 8, 2021, 8:24am

Port forwarding is also required to the public network, so the sample is not perfect. And the way to add the rule is -A The additional way is easy to appear after the drop rule, and the previous problems appear in these places.

vgaetera · September 8, 2021, 8:33am

You are using the wrong chains.
The proper chain names are listed in the wiki linked above.
They specifically designed for custom rules and have a fixed position.
It makes the custom rules override the rest in the same zone.
This problem is also mentioned in the firewall config.

VxBox · September 8, 2021, 8:58am

The error of the chain is only a few tests of the details, and the problem can be found. The lack of theory is the root of the problem! So it is recommended to improve the sample because most users do not know much about firewalls like me. Regardless of the v4 or v6 era, the need to publish services to the outside world as infrequently used ports is still very large, so I suggest that the v6 port forwarding function can be normalized. For example, it is implemented on Luci and iptables' rule chain.

vgaetera · September 8, 2021, 9:14am

I'm afraid fw3 doesn't support IPv6 NAT, so we can only rely on what we have.
Implementing IPv6 masquerading and port forwarding depends on fw4.

VxBox · September 8, 2021, 9:16am

I didn't mean that!

VxBox · September 8, 2021, 9:26am

It is still necessary for the LAN and the public network to use different ports, whether it is achieved through NAT or other methods.

Because we use different languages, and the translation is not necessarily accurate, it is easy to have different understandings

vgaetera · September 8, 2021, 12:22pm

I've just tried to set up an IPv6 port forwarding as described in the wiki:

Only specified own DUID, IP and port, and it simply works for me.