IPv6 Port Redirection

shm0 · April 15, 2020, 2:26am

Hi!
How to redirect a public IPv6 connection to a different port?
For example:
Public Port 443 to Port 1234 on a local machine? (using GUA address)
I got this working somewhat by using a DNAT Rule to redirect the port (443 to 1234).
But this alone doesn't work.
A "Forward Allow" rule is also needed.
But this will open both ports to the public.
Redirecting the ports on the local machine or using a reverse proxy is not an option.
How to properly do this?

trendy · April 15, 2020, 10:19am

ULA or GUA?

A rule to accept port forwards is needed.

shm0 · April 15, 2020, 3:47pm

GUA x) I edited my post

So there is no other way to do this?

trendy · April 15, 2020, 5:27pm

What is wrong with that? You automatically accept the packets which were DNATed in nat table.

shm0 · April 15, 2020, 5:50pm

No it doesn't automatically accept DNATed packets.
When I set up the DNAT rule, 443 - > 1234, no packets go through.
I also have to set up a "forward allow rule" to port 1234 to make packets go through.
The problem with that is, that both ports 443 and 1234 are open to the public.
I only want port 443 to be open to the public.

trendy · April 15, 2020, 6:31pm

Apparently you didn't apply the rule to accept the port forwards.
If you did apply it, does it have hits?
ip6tables -L -vn | grep "ctstate DNAT"

lleachii · April 16, 2020, 1:36pm

If it's a Global Unicast IP, you need a Traffic Forward Allow Rule; not a Port Forward. There's no NAT (unless something isn't noted by the OP). I wanted to be clear, since they're on different tabs.

trendy · April 16, 2020, 1:58pm

Can the traffic forward allow rule change the destination port too?

lleachii · April 16, 2020, 2:43pm

Not sure...but to NAT IPv6, wouldn't a module be needed?

trendy · April 16, 2020, 2:46pm

OP has already done that

shm0 · April 16, 2020, 2:49pm

I think this is the problem.
I will test this later.
I tought the ctstate RELATED rules would be enough.
Thanks trendy.

lantis1008 · April 16, 2020, 2:54pm

Not for IPv6. The related fw3 code does not exist (last I looked).
Manual configuration is needed.

shm0 · April 16, 2020, 4:53pm

adding a "ctstate DNAT" allow rule worked.
Thanks trendy!

trendy · April 16, 2020, 7:14pm

It was more of a rhetorical question, you don't translate in the allow/deny rule, not even in ipv4. But the OP wants to translate the destination port, so a dnat is needed.

Glad you made it! If the issue is solved please mark the topic accordingly!

system · April 26, 2020, 7:14pm

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.