Redirect port 80 and 443 in IPv6

I want to open ports 80 and 443 over IPv6 to my local device. I have followed the previous instructions but it is not working. Is there anything I missed?
firewall.nat6:

ip6tables -I INPUT -p tcp --dport 8123 -j ACCEPT
ip6tables -I INPUT -p tcp --dport 80 -j ACCEPT
ip6tables -I INPUT -p tcp --dport 443 -j ACCEPT

ip6tables -t nat -A prerouting_wan_rule -p tcp -m tcp --dport 8123 -j DNAT --to-destination [ddb8:e751:40c6::50]:8123
ip6tables -t nat -A prerouting_wan_rule -p tcp -m tcp --dport 80 -j DNAT --to-destination [ddb8:e751:40c6::50]:80
ip6tables -t nat -A prerouting_wan_rule -p tcp -m tcp --dport 443 -j DNAT --to-destination [ddb8:e751:40c6::50]:443

ip6tables -t filter -A forwarding_wan_rule -m conntrack --ctstate DNAT -j ACCEPT

ip6tables-save:

# Generated by ip6tables-save v1.8.3 on Wed Jun 23 12:32:57 2021
*raw
:PREROUTING ACCEPT [15162:3944122]
:OUTPUT ACCEPT [755:81408]
:zone_lan_helper - [0:0]
-A PREROUTING -i br-lan -m comment --comment "!fw3: lan CT helper assignment" -j zone_lan_helper
-A zone_lan_helper -p udp -m comment --comment "!fw3: Amanda backup and archiving proto" -m udp --dport 10080 -j CT --helper amanda
-A zone_lan_helper -p tcp -m comment --comment "!fw3: FTP passive connection tracking" -m tcp --dport 21 -j CT --helper ftp
-A zone_lan_helper -p udp -m comment --comment "!fw3: RAS proto tracking" -m udp --dport 1719 -j CT --helper RAS
-A zone_lan_helper -p tcp -m comment --comment "!fw3: Q.931 proto tracking" -m tcp --dport 1720 -j CT --helper Q.931
-A zone_lan_helper -p tcp -m comment --comment "!fw3: SIP VoIP connection tracking" -m tcp --dport 5060 -j CT --helper sip
-A zone_lan_helper -p udp -m comment --comment "!fw3: SIP VoIP connection tracking" -m udp --dport 5060 -j CT --helper sip
-A zone_lan_helper -p udp -m comment --comment "!fw3: TFTP connection tracking" -m udp --dport 69 -j CT --helper tftp
COMMIT
# Completed on Wed Jun 23 12:32:57 2021
# Generated by ip6tables-save v1.8.3 on Wed Jun 23 12:32:57 2021
*nat
:PREROUTING ACCEPT [719:120730]
:INPUT ACCEPT [279:24555]
:OUTPUT ACCEPT [91:8493]
:POSTROUTING ACCEPT [10:876]
:GL_SPEC_DMZ - [0:0]
:postrouting_lan_rule - [0:0]
:postrouting_rule - [0:0]
:postrouting_wan_rule - [0:0]
:prerouting_lan_rule - [0:0]
:prerouting_rule - [0:0]
:prerouting_wan_rule - [0:0]
:zone_lan_postrouting - [0:0]
:zone_lan_prerouting - [0:0]
:zone_wan_postrouting - [0:0]
:zone_wan_prerouting - [0:0]
-A PREROUTING -j GL_SPEC_DMZ
-A PREROUTING -m comment --comment "!fw3: Custom prerouting rule chain" -j prerouting_rule
-A PREROUTING -i br-lan -m comment --comment "!fw3" -j zone_lan_prerouting
-A PREROUTING -i eth1 -m comment --comment "!fw3" -j zone_wan_prerouting
-A PREROUTING -i 3g-modem_1_1_2 -m comment --comment "!fw3" -j zone_wan_prerouting
-A POSTROUTING -m comment --comment "!fw3: Custom postrouting rule chain" -j postrouting_rule
-A POSTROUTING -o br-lan -m comment --comment "!fw3" -j zone_lan_postrouting
-A POSTROUTING -o eth1 -m comment --comment "!fw3" -j zone_wan_postrouting
-A POSTROUTING -o 3g-modem_1_1_2 -m comment --comment "!fw3" -j zone_wan_postrouting
-A prerouting_wan_rule -p tcp -m tcp --dport 8123 -j DNAT --to-destination [ddb8:e751:40c6::50]:8123
-A prerouting_wan_rule -p tcp -m tcp --dport 80 -j DNAT --to-destination [ddb8:e751:40c6::50]:80
-A prerouting_wan_rule -p tcp -m tcp --dport 443 -j DNAT --to-destination [ddb8:e751:40c6::50]:443
-A zone_lan_postrouting -m comment --comment "!fw3: Custom lan postrouting rule chain" -j postrouting_lan_rule
-A zone_lan_prerouting -m comment --comment "!fw3: Custom lan prerouting rule chain" -j prerouting_lan_rule
-A zone_wan_postrouting -m comment --comment "!fw3: Custom wan postrouting rule chain" -j postrouting_wan_rule
-A zone_wan_postrouting -m comment --comment "!fw3" -j MASQUERADE
-A zone_wan_prerouting -m comment --comment "!fw3: Custom wan prerouting rule chain" -j prerouting_wan_rule
COMMIT
# Completed on Wed Jun 23 12:32:57 2021
# Generated by ip6tables-save v1.8.3 on Wed Jun 23 12:32:57 2021
*mangle
:PREROUTING ACCEPT [15162:3944122]
:INPUT ACCEPT [738:64573]
:FORWARD ACCEPT [14095:3803512]
:OUTPUT ACCEPT [755:81408]
:POSTROUTING ACCEPT [14778:3880480]
-A FORWARD -o eth1 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -i eth1 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -o 3g-modem_1_1_2 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -i 3g-modem_1_1_2 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
COMMIT
# Completed on Wed Jun 23 12:32:57 2021
# Generated by ip6tables-save v1.8.3 on Wed Jun 23 12:32:57 2021
*filter
:INPUT ACCEPT [35:2390]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:forwarding_lan_rule - [0:0]
:forwarding_rule - [0:0]
:forwarding_wan_rule - [0:0]
:input_lan_rule - [0:0]
:input_rule - [0:0]
:input_wan_rule - [0:0]
:output_lan_rule - [0:0]
:output_rule - [0:0]
:output_wan_rule - [0:0]
:reject - [0:0]
:syn_flood - [0:0]
:zone_lan_dest_ACCEPT - [0:0]
:zone_lan_forward - [0:0]
:zone_lan_input - [0:0]
:zone_lan_output - [0:0]
:zone_lan_src_ACCEPT - [0:0]
:zone_wan_dest_ACCEPT - [0:0]
:zone_wan_forward - [0:0]
:zone_wan_input - [0:0]
:zone_wan_output - [0:0]
:zone_wan_src_ACCEPT - [0:0]
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8123 -j ACCEPT
-A INPUT -i lo -m comment --comment "!fw3" -j ACCEPT
-A INPUT -m comment --comment "!fw3: Custom input rule chain" -j input_rule
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment "!fw3" -j syn_flood
-A INPUT -i br-lan -m comment --comment "!fw3" -j zone_lan_input
-A INPUT -i eth1 -m comment --comment "!fw3" -j zone_wan_input
-A INPUT -i 3g-modem_1_1_2 -m comment --comment "!fw3" -j zone_wan_input
-A FORWARD -m comment --comment "!fw3: Custom forwarding rule chain" -j forwarding_rule
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A FORWARD -i br-lan -m comment --comment "!fw3" -j zone_lan_forward
-A FORWARD -i eth1 -m comment --comment "!fw3" -j zone_wan_forward
-A FORWARD -i 3g-modem_1_1_2 -m comment --comment "!fw3" -j zone_wan_forward
-A FORWARD -m comment --comment "!fw3" -j reject
-A OUTPUT -o lo -m comment --comment "!fw3" -j ACCEPT
-A OUTPUT -m comment --comment "!fw3: Custom output rule chain" -j output_rule
-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A OUTPUT -o br-lan -m comment --comment "!fw3" -j zone_lan_output
-A OUTPUT -o eth1 -m comment --comment "!fw3" -j zone_wan_output
-A OUTPUT -o 3g-modem_1_1_2 -m comment --comment "!fw3" -j zone_wan_output
-A forwarding_wan_rule -m conntrack --ctstate DNAT -j ACCEPT
-A reject -p tcp -m comment --comment "!fw3" -j REJECT --reject-with tcp-reset
-A reject -m comment --comment "!fw3" -j REJECT --reject-with icmp6-port-unreachable
-A syn_flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 25/sec --limit-burst 50 -m comment --comment "!fw3" -j RETURN
-A syn_flood -m comment --comment "!fw3" -j DROP
-A zone_lan_dest_ACCEPT -o br-lan -m comment --comment "!fw3" -j ACCEPT
-A zone_lan_forward -m comment --comment "!fw3: Custom lan forwarding rule chain" -j forwarding_lan_rule
-A zone_lan_forward -m comment --comment "!fw3: Zone lan to wan forwarding policy" -j zone_wan_dest_ACCEPT
-A zone_lan_forward -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
-A zone_lan_input -m comment --comment "!fw3: Custom lan input rule chain" -j input_lan_rule
-A zone_lan_input -p tcp -m tcp --dport 137 -m comment --comment "!fw3: @rule[10]" -j ACCEPT
-A zone_lan_input -p tcp -m tcp --dport 138 -m comment --comment "!fw3: @rule[10]" -j ACCEPT
-A zone_lan_input -p tcp -m tcp --dport 139 -m comment --comment "!fw3: @rule[10]" -j ACCEPT
-A zone_lan_input -p tcp -m tcp --dport 445 -m comment --comment "!fw3: @rule[10]" -j ACCEPT
-A zone_lan_input -p udp -m udp --dport 137 -m comment --comment "!fw3: @rule[10]" -j ACCEPT
-A zone_lan_input -p udp -m udp --dport 138 -m comment --comment "!fw3: @rule[10]" -j ACCEPT
-A zone_lan_input -p udp -m udp --dport 139 -m comment --comment "!fw3: @rule[10]" -j ACCEPT
-A zone_lan_input -p udp -m udp --dport 445 -m comment --comment "!fw3: @rule[10]" -j ACCEPT
-A zone_lan_input -m comment --comment "!fw3" -j zone_lan_src_ACCEPT
-A zone_lan_output -m comment --comment "!fw3: Custom lan output rule chain" -j output_lan_rule
-A zone_lan_output -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
-A zone_lan_src_ACCEPT -i br-lan -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
-A zone_wan_dest_ACCEPT -o eth1 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
-A zone_wan_dest_ACCEPT -o eth1 -m comment --comment "!fw3" -j ACCEPT
-A zone_wan_dest_ACCEPT -o 3g-modem_1_1_2 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
-A zone_wan_dest_ACCEPT -o 3g-modem_1_1_2 -m comment --comment "!fw3" -j ACCEPT
-A zone_wan_forward -m comment --comment "!fw3: Custom wan forwarding rule chain" -j forwarding_wan_rule
-A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 128 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
-A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 129 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
-A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 1 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
-A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 2 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
-A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 3 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
-A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 4/0 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
-A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 4/1 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
-A zone_wan_forward -p udp -m udp --dport 500 -m comment --comment "!fw3: Allow-ISAKMP" -j zone_lan_dest_ACCEPT
-A zone_wan_forward -p esp -m comment --comment "!fw3: Allow-IPSec-ESP" -j zone_lan_dest_ACCEPT
-A zone_wan_forward -m comment --comment "!fw3" -j zone_wan_dest_ACCEPT
-A zone_wan_input -m comment --comment "!fw3: Custom wan input rule chain" -j input_wan_rule
-A zone_wan_input -p igmp -m comment --comment "!fw3: Allow-IGMP" -j ACCEPT
-A zone_wan_input -s fc00::/6 -d fc00::/6 -p udp -m udp --dport 546 -m comment --comment "!fw3: Allow-DHCPv6" -j ACCEPT
-A zone_wan_input -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 130/0 -m comment --comment "!fw3: Allow-MLD" -j ACCEPT
-A zone_wan_input -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 131/0 -m comment --comment "!fw3: Allow-MLD" -j ACCEPT
-A zone_wan_input -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 132/0 -m comment --comment "!fw3: Allow-MLD" -j ACCEPT
-A zone_wan_input -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 143/0 -m comment --comment "!fw3: Allow-MLD" -j ACCEPT
-A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 128 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
-A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 129 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
-A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 1 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
-A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 2 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
-A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 3 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
-A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 4/0 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
-A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 4/1 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
-A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 133 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
-A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 135 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
-A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 134 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
-A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 136 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
-A zone_wan_input -p tcp -m tcp --dport 137 -m comment --comment "!fw3: @rule[9]" -j DROP
-A zone_wan_input -p tcp -m tcp --dport 138 -m comment --comment "!fw3: @rule[9]" -j DROP
-A zone_wan_input -p tcp -m tcp --dport 139 -m comment --comment "!fw3: @rule[9]" -j DROP
-A zone_wan_input -p tcp -m tcp --dport 445 -m comment --comment "!fw3: @rule[9]" -j DROP
-A zone_wan_input -p udp -m udp --dport 137 -m comment --comment "!fw3: @rule[9]" -j DROP
-A zone_wan_input -p udp -m udp --dport 138 -m comment --comment "!fw3: @rule[9]" -j DROP
-A zone_wan_input -p udp -m udp --dport 139 -m comment --comment "!fw3: @rule[9]" -j DROP
-A zone_wan_input -p udp -m udp --dport 445 -m comment --comment "!fw3: @rule[9]" -j DROP
-A zone_wan_input -m comment --comment "!fw3" -j zone_wan_src_ACCEPT
-A zone_wan_output -m comment --comment "!fw3: Custom wan output rule chain" -j output_wan_rule
-A zone_wan_output -m comment --comment "!fw3" -j zone_wan_dest_ACCEPT
-A zone_wan_src_ACCEPT -i eth1 -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
-A zone_wan_src_ACCEPT -i 3g-modem_1_1_2 -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT

Ideally you shouldn't need to do NAT. Your devices will have a public address and you only need to open the ports to those addresses. If you have a domain name, just make sure you point it to the IPv6 public address, and you are all good to go. That's how I do it, no NAT.


Because I connect to the internet through a telephone SIM card. The router can get only one IPv6 address, so I have to do NAT.
It works when I do it on port 8123, but exactly the same setting doesn't work on ports 80 and 443.
I have no idea what to do next.

Can you confirm that any traffic is getting to your port 80 or 443 at all on the WAN interface? Might your ISP be blocking it?

Can you try to be explicit about the MASQUERADE rule? It should not be necessary, but give it a go, like this. I did that when I was redirecting my outgoing traffic to "unknown" DNS servers.

ip6tables -t nat -A zone_wan_postrouting -d fd57:11da:b11c::1 -p tcp --dport 53 -j MASQUERADE


It's not working.
According to the link:
dest_ip="::23/-64"
Should I change the destination IP address? I'm not sure what "::23/-64" means.
Last time I asked, you gave me the link about port forwarding and it worked.

Why can't it work on ports 80 and 443?

I do have a MASQUERADE rule, but the setting is different from yours.

ip6tables -I INPUT -p tcp --dport 8123 -j ACCEPT
ip6tables -I INPUT -p tcp --dport 80 -j ACCEPT
ip6tables -I INPUT -p tcp --dport 443 -j ACCEPT

ip6tables -t nat -A prerouting_wan_rule -p tcp -m tcp --dport 8123 -j DNAT --to-destination [ddb8:e751:40c6::50]:8123
ip6tables -t nat -A prerouting_wan_rule -p tcp -m tcp --dport 80 -j DNAT --to-destination [ddb8:e751:40c6::50]:80
ip6tables -t nat -A prerouting_wan_rule -p tcp -m tcp --dport 443 -j DNAT --to-destination [ddb8:e751:40c6::50]:443

ip6tables -t filter -A forwarding_wan_rule -m conntrack --ctstate DNAT -j ACCEPT
ip6tables -t nat -A postrouting_wan_rule -s ddb8:e751:40c6::/48 -j MASQUERADE

Should it be source or destination? I am not sure how to use MASQUERADE rules.
As for the port, because I am using a SIM card which only provides me a dynamic IPv6 address, I am not sure whether they can open the port for me. I will check again. For now, ports 80 and 443 are not open when I test from an IPv6 scanner website.

When I tried to use a MASQUERADE rule with IPv6 which was not an IP, like yours, it did not work. In any case, if you were able to confirm that your ISP's ports 80 and 443 are not available, you can do nothing. If it works for 8123 there is no reason for 80 and 443 not to work other than that.
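The last reply argues that 80 and 443 must take the same path through the firewall as 8123. The script below is added here as an illustration; it is not code from either poster, from fw3 or from the router vendor. It checks that claim against the ip6tables-save output in the first post: it parses a trimmed copy of that dump (nat and filter tables, only the chains an inbound packet on eth1 can reach, counters zeroed; constructed from the posted output), then walks one new inbound TCP SYN through nat PREROUTING and afterwards through filter FORWARD (if a DNAT rewrote it) or filter INPUT (if it is still addressed to the router), following chain jumps, `-i`/`-o`/`-p`/`--dport` matches and `conntrack --ctstate` the way iptables does. The interface names eth1 and br-lan and the LAN host ddb8:e751:40c6::50 are taken from the dump; the test ports and the packet itself are assumptions. Two things the trace makes visible: the three DNAT rules are reached by exactly the same chain walk for 80, 443 and 8123, so the rule set on its own cannot explain a difference between them; and when no DNAT matches, a new connection from eth1 to the router itself ends in zone_wan_src_ACCEPT, meaning that in this dump the IPv6 WAN zone accepts unsolicited input to the router, and the three `-I INPUT` rules change nothing for forwarded traffic, which never traverses INPUT.

```python
"""Trace one inbound TCP SYN through an ip6tables-save dump: nat PREROUTING first, then
filter FORWARD if the packet was DNATed, or filter INPUT if it is addressed to the router."""
import shlex

# Constructed input: the nat and filter tables from the ip6tables-save posted in this
# thread, trimmed to the chains an inbound TCP packet on eth1 can reach (counters zeroed).
DUMP = """
*nat
:PREROUTING ACCEPT [0:0]
:prerouting_wan_rule - [0:0]
:zone_wan_prerouting - [0:0]
-A PREROUTING -i eth1 -m comment --comment "!fw3" -j zone_wan_prerouting
-A prerouting_wan_rule -p tcp -m tcp --dport 8123 -j DNAT --to-destination [ddb8:e751:40c6::50]:8123
-A prerouting_wan_rule -p tcp -m tcp --dport 80 -j DNAT --to-destination [ddb8:e751:40c6::50]:80
-A prerouting_wan_rule -p tcp -m tcp --dport 443 -j DNAT --to-destination [ddb8:e751:40c6::50]:443
-A zone_wan_prerouting -m comment --comment "!fw3: Custom wan prerouting rule chain" -j prerouting_wan_rule
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:forwarding_wan_rule - [0:0]
:zone_wan_forward - [0:0]
:zone_wan_input - [0:0]
:zone_wan_src_ACCEPT - [0:0]
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -i eth1 -m comment --comment "!fw3" -j zone_wan_input
-A FORWARD -i eth1 -m comment --comment "!fw3" -j zone_wan_forward
-A forwarding_wan_rule -m conntrack --ctstate DNAT -j ACCEPT
-A zone_wan_forward -m comment --comment "!fw3: Custom wan forwarding rule chain" -j forwarding_wan_rule
-A zone_wan_input -p tcp -m tcp --dport 445 -m comment --comment "!fw3: @rule[9]" -j DROP
-A zone_wan_input -m comment --comment "!fw3" -j zone_wan_src_ACCEPT
-A zone_wan_src_ACCEPT -i eth1 -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
COMMIT
"""

ONE_ARG = {"-p", "-i", "-o", "-s", "-d", "-m", "--dport", "--ctstate", "--comment", "--to-destination"}
TERMINAL = {"ACCEPT", "DROP", "REJECT", "DNAT", "MASQUERADE"}

def parse(dump):
    # -> {table: {"policy": {chain: policy-or-None}, "chains": {chain: [rule dicts]}}}
    tables, table = {}, None
    for line in dump.strip().splitlines():
        if line.startswith("*"):
            table = tables.setdefault(line[1:], {"policy": {}, "chains": {}})
        elif line.startswith(":"):
            name, policy = line[1:].split()[:2]
            table["policy"][name] = None if policy == "-" else policy
            table["chains"][name] = []
        elif line.startswith("-A "):
            toks, rule, i = shlex.split(line), {}, 2
            while i < len(toks):  # every option this subset handles takes exactly one value
                key = "target" if toks[i] == "-j" else toks[i]
                if key != "target" and key not in ONE_ARG:
                    raise ValueError(f"unsupported option {toks[i]!r} in: {line}")
                rule[key], i = toks[i + 1], i + 2
            table["chains"][toks[1]].append(rule)
    return tables

def matches(rule, pkt):
    for opt, key in (("-i", "iif"), ("-o", "oif"), ("-p", "proto")):
        if opt in rule and rule[opt] != pkt[key]:
            return False
    if "--dport" in rule and int(rule["--dport"]) != pkt["dport"]:
        return False
    # conntrack --ctstate is satisfied when any of the listed states applies to the packet
    return "--ctstate" not in rule or bool(set(rule["--ctstate"].split(",")) & pkt["ctstate"])

def walk(table, chain, pkt, trail):
    # Returns the rule that terminated the packet, or None if the chain fell through/RETURNed.
    for rule in table["chains"][chain]:
        if not matches(rule, pkt):
            continue
        tgt = rule["target"]
        trail.append(f"{chain} -> {tgt}")
        if tgt == "RETURN":
            return None
        if tgt in TERMINAL:
            return rule
        if tgt in table["chains"]:  # jump to a user chain; other targets (CT, TCPMSS) fall through
            hit = walk(table, tgt, pkt, trail)
            if hit is not None:
                return hit
    return None

def trace(dump, dport, iif="eth1", lan_if="br-lan"):
    # One new TCP SYN arriving on iif (assumed packet); returns DNAT target and filter verdict.
    tables = parse(dump)
    pkt = {"iif": iif, "oif": None, "proto": "tcp", "dport": dport, "ctstate": {"NEW"}}
    trail, dnat = [], None
    hit = walk(tables["nat"], "PREROUTING", pkt, trail)
    if hit and hit["target"] == "DNAT":
        addr, port = hit["--to-destination"].rsplit(":", 1)
        dnat = (addr.strip("[]"), int(port))
        pkt.update(dport=dnat[1], oif=lan_if)  # now routed towards the LAN host
        pkt["ctstate"].add("DNAT")
    # A DNATed packet is forwarded (FORWARD); an un-NATed one is for the router itself (INPUT)
    hook = "FORWARD" if dnat else "INPUT"
    hit = walk(tables["filter"], hook, pkt, trail)
    verdict = hit["target"] if hit else tables["filter"]["policy"][hook]
    return {"dnat": dnat, "hook": hook, "verdict": verdict, "trail": trail}
```

`trace(DUMP, 80)`, `trace(DUMP, 443)` and `trace(DUMP, 8123)` all return a DNAT to ddb8:e751:40c6::50 and an ACCEPT from forwarding_wan_rule, while `trace(DUMP, 22)` returns no DNAT and an ACCEPT from zone_wan_src_ACCEPT in INPUT. What the simulation cannot tell you is whether a SYN to 80 or 443 ever reaches eth1, which is the ISP question raised earlier in the thread. On the router, `ip6tables -t nat -L prerouting_wan_rule -v -n -x` shows whether the packet counters on the 80 and 443 DNAT rules move at all while a connection is attempted from outside, and `tcpdump -ni eth1 'ip6 and tcp and (dst port 80 or dst port 443)'` shows whether the SYNs even arrive on the WAN interface; if the 8123 counter moves and the 80/443 ones do not, the traffic is being filtered upstream of the router.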