I am opening the IPv6 port, ip6tables shows it, but still I cannot access it from outside

Ciao!

How are you?

My tables look like this (ip6tables -L):

Chain FORWARD (policy DROP)
target     prot opt source               destination         
forwarding_rule  all      anywhere             anywhere             /* !fw3: user chain for forwarding */
ACCEPT     all      anywhere             anywhere             ctstate RELATED,ESTABLISHED /* !fw3 */
ACCEPT     tcp      anywhere             2001:470:1f1b:5b3:21b:21ff:fea6:ce93  tcp dpt:ldaps
ACCEPT     tcp      anywhere             2001:470:1f1b:5b3:21b:21ff:fea6:ce93  tcp dpt:domain
ACCEPT     tcp      anywhere             2001:470:1f1b:5b3:21b:21ff:fea6:ce93  tcp dpt:imaps
ACCEPT     tcp      anywhere             2001:470:1f1b:5b3:21b:21ff:fea6:ce93  tcp dpt:pop3s
ACCEPT     tcp      anywhere             2001:470:1f1b:5b3:21b:21ff:fea6:ce93  tcp dpt:ssmtp
ACCEPT     tcp      anywhere             2001:470:1f1b:5b3:21b:21ff:fea6:ce93  tcp dpt:587
ACCEPT     tcp      anywhere             2001:470:1f1b:5b3:21b:21ff:fea6:ce93  tcp dpt:smtp
ACCEPT     tcp      anywhere             2001:470:1f1b:5b3:21b:21ff:fea6:ce93  tcp dpt:https
ACCEPT     tcp      anywhere             2001:470:1f1b:5b3:21b:21ff:fea6:ce93  tcp dpt:www

The code in the firewall custom script at http://192.168.78.1/cgi-bin/luci/admin/network/firewall/custom:

IP_ADDRESS=2001:470:1f1b:5b3:21b:21ff:fea6:ce93
ip6tables -I FORWARD 3 -d $IP_ADDRESS -p tcp --dport 80 -j ACCEPT
ip6tables -I FORWARD 3 -d $IP_ADDRESS -p tcp --dport 443 -j ACCEPT
ip6tables -I FORWARD 3 -d $IP_ADDRESS -p tcp --dport 25 -j ACCEPT
ip6tables -I FORWARD 3 -d $IP_ADDRESS -p tcp --dport 587 -j ACCEPT
ip6tables -I FORWARD 3 -d $IP_ADDRESS -p tcp --dport 465 -j ACCEPT
ip6tables -I FORWARD 3 -d $IP_ADDRESS -p tcp --dport 995 -j ACCEPT
ip6tables -I FORWARD 3 -d $IP_ADDRESS -p tcp --dport 993 -j ACCEPT
ip6tables -I FORWARD 3 -d $IP_ADDRESS -p tcp --dport 53 -j ACCEPT
ip6tables -I FORWARD 3 -d $IP_ADDRESS -p tcp --dport 636 -j ACCEPT

With 17.01.2 it was working; now it is not working. I use opkg install ip-full.

Do you have an idea what it could be?

Thanks,
Patrik

OpenWRT and LEDE have their own iptables structure. Rather than inserting your custom rules directly into the main INPUT or FORWARD chain, try building them using the UCI configuration. In your case, the first port 80 rule can be added to /etc/config/firewall in the following block:

config rule
	option name 'Webv6 forward'
	option src 'wan6'
	option dest 'lan'
	option dest_ip '2001:470:1f1b:5b3:21b:21ff:fea6:ce93'
	option dest_port '80'
	option proto 'tcp'
	option family 'ipv6'
	option target 'ACCEPT'

This should get your rule properly added into the "zone_wan6_forward" chain.

Ciao!
How are you!
Wow! It looks easy!
But I have other iptables rules; would you mind letting me know if I can do them via UCI as well?

VPN_SUBNET=192.168.17.0/24
IP_ADDRESS=2001:470:1f1b:5b3:21b:21ff:fea6:ce93
WAN_IF="$(ip route get 8.8.8.8 | awk '{print $NF;exit}')"
iptables -t nat -I POSTROUTING -o $WAN_IF -j MASQUERADE

ip6tables -I FORWARD 3 -d $IP_ADDRESS -p tcp --dport 80 -j ACCEPT
ip6tables -I FORWARD 3 -d $IP_ADDRESS -p tcp --dport 443 -j ACCEPT
ip6tables -I FORWARD 3 -d $IP_ADDRESS -p tcp --dport 25 -j ACCEPT
ip6tables -I FORWARD 3 -d $IP_ADDRESS -p tcp --dport 587 -j ACCEPT
ip6tables -I FORWARD 3 -d $IP_ADDRESS -p tcp --dport 465 -j ACCEPT
ip6tables -I FORWARD 3 -d $IP_ADDRESS -p tcp --dport 995 -j ACCEPT
ip6tables -I FORWARD 3 -d $IP_ADDRESS -p tcp --dport 993 -j ACCEPT
ip6tables -I FORWARD 3 -d $IP_ADDRESS -p tcp --dport 53 -j ACCEPT
ip6tables -I FORWARD 3 -d $IP_ADDRESS -p tcp --dport 34652 -j ACCEPT
ip6tables -I FORWARD 3 -d $IP_ADDRESS -p tcp --dport 636 -j ACCEPT

# pyzor
ip6tables -I FORWARD 3 -d $IP_ADDRESS -p udp --dport 24441 -j ACCEPT

# vpn
iptables -I INPUT 1 -p udp --dport 1194 -j ACCEPT
iptables -I FORWARD 1 --source $VPN_SUBNET -j ACCEPT
iptables -I FORWARD -i br0 -o tun0 -j ACCEPT
iptables -I FORWARD -i tun0 -o br0 -j ACCEPT

Yes, the following describes the UCI format used by LEDE, so I'm sure you can figure it out:

https://lede-project.org/docs/user-guide/firewall_configuration

Alternatively, my example above will also show up on the LuCI firewall page. You can add your rules conveniently via the GUI if you prefer.

But shouldn't it be a redirect, but with IPv6?
How would it look with IPv6?

config redirect
        option target 'DNAT'
        option src 'wan'
        option dest 'lan'
        option proto 'tcp'
        option src_dport '80'
        option dest_port '80'
        option name 'HTTP'
        option dest_ip '192.168.78.20'

I added:

config rule
	option name 'http-ipv6'
	option src 'wan6'
	option dest 'lan'
	option dest_ip '2001:470:1f1b:5b3:21b:21ff:fea6:ce93'
	option dest_port '80'
	option proto 'tcp'
	option family 'ipv6'
	option target 'ACCEPT'

But it's not working :frowning:

Also not working:

config redirect
        option target 'DNAT'
        option src 'wan6'
        option dest 'lan'
        option proto 'tcp'
        option src_dport '80'
        option dest_port '80'
        option name 'HTTP-ipv6'
        option dest_ip '2001:470:1f1b:5b3:21b:21ff:fea6:ce93'

I fixed it with ip6tables and it works; I just connected 2 routers and had to disable IPv6 on the connected router... :slight_smile:

Nope, that's the beauty of IPv6; there is no NAT because all devices have public v6 addresses. Hence you don't use a destination NAT redirect.

The v6 firewall rule simply allows incoming traffic into the specific public v6 address.

Ciao!

How are you?
I think it is not working because he.net is not native; probably with native it works, but I added it and it was not working. It says filtered (not closed, but still not working).
I wrote exactly what you sent me, and even what is in the LEDE docs (which is the same).
Or maybe I need to install a package?
Weird, the rules are not working.
bruhuhu.

Sincerely,
Patrik

A Hurricane Electric tunnel will work fine because it is still considered a public interface, but tunnelled via v4. So you must make sure v4 allows incoming 6in4 tunnelled traffic (protocol 41). You'll have to punch a hole in v4 for HE's tunnel to reach you, with this:

config rule
	option name 'Allow HE 6in4'
	option src 'wan'
	option src_ip '80.81.192.172'
	option proto '41'
	option family 'ipv4'
	option target 'ACCEPT'

Exclude the source IP line if you change tunnels often, or replace it with the HE tunnel IP that you use.
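
A check that a practitioner would run before touching the rules again, added here as an example and not part of the thread: read the packet counters of the FORWARD chain and distinguish "rule missing", "rule present but never hit" (traffic is not reaching the chain at all, which is what a blocked protocol 41 on the v4 side looks like) and "rule hit". The chain dump below is constructed to resemble the poster's chain with counters; on the router the same functions take the real output of ip6tables -L FORWARD -v -n --line-numbers (the -n makes ports numeric, so look for dpt:80 rather than dpt:www). The parser only relies on the columns that ip6tables prints with those flags.

```shell
#!/bin/sh
# Diagnose an IPv6 ACCEPT rule from a `ip6tables -L FORWARD -v -n --line-numbers`
# dump. --line-numbers puts the rule number first and the packet counter second,
# which is the only column layout this parser assumes.

# Constructed sample dump (not real router output): the thread's FORWARD chain
# after some traffic. -v abbreviates large counters (412K, 3M); handled below.
SAMPLE_FORWARD='Chain FORWARD (policy DROP 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1     5321  412K forwarding_rule  all      *      *       ::/0                 ::/0                 /* !fw3: user chain for forwarding */
2     4800  398K ACCEPT     all      *      *       ::/0                 ::/0                 ctstate RELATED,ESTABLISHED /* !fw3 */
3        0     0 ACCEPT     tcp      *      *       ::/0                 2001:470:1f1b:5b3:21b:21ff:fea6:ce93  tcp dpt:443
4       17  1224 ACCEPT     tcp      *      *       ::/0                 2001:470:1f1b:5b3:21b:21ff:fea6:ce93  tcp dpt:80'

# rule_packets DUMP DEST_IP DPORT
# Prints the packet counter of the ACCEPT rule for DEST_IP/DPORT, or "absent".
rule_packets() {
    printf '%s\n' "$1" | awk -v d=" $2 " -v p=" dpt:$3" '
        $4 == "ACCEPT" && index($0, d) && $0 ~ (p "( |$)") {
            n = $2
            # expand the K/M/G abbreviations that -v uses for big counters
            if      (n ~ /K$/) n = substr(n, 1, length(n) - 1) * 1000
            else if (n ~ /M$/) n = substr(n, 1, length(n) - 1) * 1000000
            else if (n ~ /G$/) n = substr(n, 1, length(n) - 1) * 1000000000
            printf "%d\n", n; found = 1; exit
        }
        END { if (!found) print "absent" }'
}

# diagnose DUMP DEST_IP DPORT: turn the counter into the next thing to check.
diagnose() {
    n=$(rule_packets "$1" "$2" "$3")
    case $n in
        absent) echo "absent: no ACCEPT rule for $2 port $3 in this chain; whatever should add it (firewall.user or UCI) did not take effect" ;;
        0)      echo "unhit: rule present but no packet has ever matched it; traffic is not reaching this chain (for a 6in4 tunnel check the IPv4 protocol 41 allow, and whether an earlier rule consumes the traffic)" ;;
        *)      echo "hit: $n packets matched the rule for $2 port $3" ;;
    esac
}

# Stand-alone demo on the constructed dump. On the router, feed the real dump:
#   diagnose "$(ip6tables -L FORWARD -v -n --line-numbers)" <addr> <port>
main() {
    for port in 80 443 25; do
        diagnose "$SAMPLE_FORWARD" 2001:470:1f1b:5b3:21b:21ff:fea6:ce93 "$port"
    done
}
main
```

The useful outcome is the "unhit" case: a rule that is listed but whose counter never moves is not a firewall-rule problem, so the next place to look is whatever sits in front of the chain (the v4 side of the tunnel, or the rules above it).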

How are you?
So, isn't this missing:

option dest_ip '2001:470:1f1b:5b3:21b:21ff:fea6:ce93'

I need to forward to an IPv6 address. :sailboat:

@phuque99 how are you?
Thanks so much for helping!
It is working now like this:

config rule
        option enabled '1'
        option target 'ACCEPT'
        option src 'lan'
        option dest 'wan'
        option name 'ROUTER HTTP'
        option proto 'tcp'
        option dest_port '8888'
        option dest_ip '2001:470:1f1b:5b3::1'
        option family 'ipv6'

But the only problem is that I can use port 8888, but actually on the router I want to forward to port 80, given that port 80 is LuCI. Do you have a setting for it like this:

config rule
        option enabled '1'
        option target 'ACCEPT'
        option src 'lan'
        option dest 'wan'
        option name 'ROUTER HTTP'
        option proto 'tcp'
        option dest_port '8888'
        option dest_ip '2001:470:1f1b:5b3::1'
        option src_port '80'
        option family 'ipv6'

But the src_port is not working; isn't that for when I want to receive port 80 from the WAN and accept it on LAN port 8888?
Or is it the reverse?

Thanks, if you any input,

Sincerely,
Patrik

Besides, on the router itself it is not opening; how come? So weird: on my client's IPv6 it opens the ports, but for the router LEDE it is not happening.

The src_port is the port used by the host on the internet, which means it's an ephemeral port for incoming tcp connections. The dest_port is the port it wants to connect to.

If you want to forward a port, i.e. rewrite the destination IP address and port, then you need to use redirect instead. But I don't understand why you need it since your IPv6 hosts should all have globally routable IPv6 addresses you can use for incoming connections if you want.

(BTW I think you need to install additional packages if you want to use IPv6 redirect, such as ip6tables-mod-nat.)

Well, thanks, but it doesn't help me at all.
I have a router IPv6 address, port 8888, but I want to receive it on that IPv6 address on port 80, not 8888.
Besides, on the LEDE router's IPv6 address I cannot receive any packets;
for example, for my server behind the router I can use the rules and receive and send packets like SMTP, HTTP, HTTPS etc.,
but for the router's IPv6 address, for some reason, I am unable to reach not even 80, and not 8888 either.

I know I don't understand what I am doing with LEDE; I used ip6tables, then I tried config firewall rules, but with ip6tables it was the same.
What I am saying is that the router is blocked for some reason, both on the router's 6in4-wan6 and on br-lan; the RULES, or ip6tables, are just not working at all. I don't know why; I guess you don't know either.

Besides, if the router could connect via IPv6 (my clients, my server: perfect, awesome), so if my router could connect to the internet via IPv6, then I would want to do something like the rewrite you mentioned.

I am sure in the next 5 months it will work; just asking.

But thanks anyway!
Ciao!
Take care

Like this it is easy:


config redirect
        option target 'DNAT'
        option src 'wan'
        option dest 'lan'
        option proto 'tcp'
        option src_dport '80'
        option name 'HTTP'
        option dest_port '80'
        option dest_ip '192.168.78.20'

And for ip6tables, working as well:

ip6tables -I FORWARD 3 -d $SERVER_IP6_BY_DNS -p tcp --dport 80 -j ACCEPT

Then I studied a bit about LuCI and Lua etc., so I came up with this, and it works instead of ip6tables:

config rule
        option src 'wan'
        option proto 'tcp'
        option dest 'lan'
        option dest_ip '2001:470:1f1b:5b5:21b:21ff:fea6:ce92'
        option dest_port '80'
        option family 'ipv6'
        option target 'ACCEPT'
        option name 'HTTP IPv6'

AWESOME!

But on the router I cannot do anything on my router's IPv6 address; I don't know.
If you know, please let me know,
thanks.

Neither 6in4-wan6 2001:470:1f1a:5b5:0:0:0:2 (they said :: is not good, use 0:0:0:x) nor br-lan 2001:470:1f1b:5b5::1 is working with the firewall rule or ip6tables (same exact settings, but on the router, for some weird reason, not working).

I will look at this ip6tables-mod-nat, but it is still not working on my router, only on my clients; that's the first problem...
But thanks for the ip6tables-mod-nat; hopefully I will be able to use it once I can receive data on the router.

If you want to write a rule that matches traffic to the router itself, then you should leave out the dest zone.

Match incoming traffic directed to the specified destination IP address. With no dest zone, this is treated as an input rule!

https://wiki.openwrt.org/doc/uci/firewall
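
The two points the answers make (rules belong in UCI rather than hand-inserted into FORWARD, and a rule without a dest zone becomes an input rule for the router itself) can be applied mechanically to the poster's firewall.user script. The POSIX shell script below is an added example, not code from the thread or from LEDE/OpenWrt: it translates each ACCEPT rule into a config rule stanza, giving FORWARD rules a dest zone and INPUT rules none. The zone names wan, wan6 and lan, the rule names, and the iptables form of the HE protocol 41 rule (derived from the UCI stanza in the answer above) are assumptions. The MASQUERADE line and the tun0/br0 interface rules are refused on purpose: masquerading is a zone setting (option masq '1' on the wan zone) and interface-based forwarding belongs in a zone and forwarding section for the tunnel interface, not in a config rule.

```shell
#!/bin/sh
# Translate ACCEPT rules from an OpenWrt/LEDE firewall.user script into
# /etc/config/firewall stanzas. Chain FORWARD -> rule with a dest zone;
# chain INPUT -> rule without dest, which fw3 treats as an input rule.
# Zone names are assumptions; set WAN6_ZONE=wan if the 6in4 interface is
# attached to the 'wan' zone (the poster's final working rule used src 'wan').
WAN_ZONE=wan
WAN6_ZONE=wan6
LAN_ZONE=lan

# rule_to_uci NAME ip6tables|iptables ARGS...
# Understands -I/-A CHAIN [position], -s, -d, -p, --dport and -j ACCEPT.
# Anything else (-t nat, -i/-o, other targets) is refused rather than
# silently mistranslated.
rule_to_uci() {
    name=$1; shift
    case $1 in
        ip6tables) family=ipv6; zone=$WAN6_ZONE ;;
        iptables)  family=ipv4; zone=$WAN_ZONE ;;
        *) echo "rule_to_uci: unsupported command '$1'" >&2; return 1 ;;
    esac
    shift
    chain=; src_ip=; dest_ip=; proto=; dport=; target=
    while [ $# -gt 0 ]; do
        case $1 in
            -I|-A)   chain=$2; shift 2
                     # "-I FORWARD 3": the position has no UCI equivalent, drop it
                     if [ $# -gt 0 ] && [ "${1#-}" = "$1" ]; then shift; fi ;;
            -s)      src_ip=$2;  shift 2 ;;
            -d)      dest_ip=$2; shift 2 ;;
            -p)      proto=$2;   shift 2 ;;
            --dport) dport=$2;   shift 2 ;;
            -j)      target=$2;  shift 2 ;;
            *) echo "rule_to_uci: unsupported option '$1' in rule '$name'" >&2; return 1 ;;
        esac
    done
    [ "$target" = ACCEPT ] || { echo "rule_to_uci: only ACCEPT rules are translated" >&2; return 1; }
    printf "config rule\n"
    printf "\toption name '%s'\n" "$name"
    printf "\toption src '%s'\n" "$zone"
    case $chain in
        FORWARD) printf "\toption dest '%s'\n" "$LAN_ZONE" ;;   # to a host behind the router
        INPUT)   ;;                                              # no dest: the router itself
        *) echo "rule_to_uci: unsupported chain '$chain'" >&2; return 1 ;;
    esac
    [ -n "$src_ip" ]  && printf "\toption src_ip '%s'\n" "$src_ip"
    [ -n "$dest_ip" ] && printf "\toption dest_ip '%s'\n" "$dest_ip"
    [ -n "$proto" ]   && printf "\toption proto '%s'\n" "$proto"
    [ -n "$dport" ]   && printf "\toption dest_port '%s'\n" "$dport"
    printf "\toption family '%s'\n" "$family"
    printf "\toption target 'ACCEPT'\n\n"
}

# The poster's rules (server address and ports from the thread); the HE line
# is the iptables equivalent of the answer's protocol 41 stanza, constructed here.
SERVER6=2001:470:1f1b:5b3:21b:21ff:fea6:ce93

translate_thread_rules() {
    for svc in http:80 https:443 smtp:25 submission:587 smtps:465 pop3s:995 imaps:993 dns:53 ldaps:636; do
        rule_to_uci "${svc%%:*}-v6" ip6tables -I FORWARD 3 -d "$SERVER6" -p tcp --dport "${svc#*:}" -j ACCEPT
    done
    rule_to_uci pyzor-v6 ip6tables -I FORWARD 3 -d "$SERVER6" -p udp --dport 24441 -j ACCEPT
    rule_to_uci openvpn  iptables  -I INPUT 1 -p udp --dport 1194 -j ACCEPT
    rule_to_uci he-6in4  iptables  -I INPUT -s 80.81.192.172 -p 41 -j ACCEPT
}

# Number of stanzas in generated text, to compare with
# `uci show firewall | grep -c '=rule'` after appending it to the config.
count_rules() { printf '%s\n' "$1" | grep -c '^config rule'; }

translate_thread_rules
```

Append the output to /etc/config/firewall and run /etc/init.d/firewall reload; the rules then appear in the zone forward and input chains fw3 builds, and in the LuCI firewall page, instead of being inserted at a fixed position in FORWARD where a reload may reorder them.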

Ahh, the dest. OK, testing; thanks so much!