SixXS::Sunset 2017-06-06

ip6tables to forward just single hosts
[de] Shadow Hawkins on Friday, 05 July 2013 12:17:02
I have set up the tunnel on a Debian router using heartbeat and everything is fine :). However I am still fighting with ip6tables to match my policy (about 30 boxes behind that router): $JOE boxes aren't allowed to connect to the net directly but have to use proxies or internal services (mail). Some privileged clients and the servers are allowed, though. In IPv4 I used static MAC-IP mapping (DHCP) and allowed forward for those IPs only. The only solution I can think of is to tweak radvd, like:

  My64Prefix:1234::/80 clients { fe80::Privileged1 fe80::Privileged2 }
  My64Prefix:5678::/80 clients { fe80::JOE1 fe80::JOE2 }

and:

  ip6tables -A FORWARD -i InternalIF -o sixxs -s My64Prefix:1234::/80 -j ACCEPT

Is this possible? Any other ideas? TIA.
ip6tables to forward just single hosts
[ch] Jeroen Massar SixXS Staff on Friday, 05 July 2013 12:27:45
If you still want to restrict hosts in this way, you can always do DHCPv6 to have the exact same setup as you have in IPv4. But if you have such a strict policy, you might want to consider doing VLANs instead and restricting these hosts on that level; that is what I do for both IPv4 and IPv6. Note that in the above (be that DHCP or anything else) a client can just steal another IP address and presto. This of course all depends on what you are protecting from, though, which you did not specify (and is also hard to specify). Btw, a bigger problem with your setup might be the use of /80's; why are you doing that? SLAAC does not work with anything else than a /64.
ip6tables to forward just single hosts
[de] Shadow Hawkins on Friday, 05 July 2013 14:06:56
Jeroen Massar wrote:
Btw, a bigger problem with your setup might be the use of /80's, why are you doing that? SLAAC does not work with anything else than a /64.
I was just thinking of a way to split the /64 I get with my tunnel in any way, to make firewalling easier. /80 was just an idea; everything > 64 should do. If SLAAC would work with it and I could separate the hosts that way, FW setup would be rather easy:

  -P FORWARD DROP
  -A FORWARD -s <MoreThan64Bit>/< >64 > -j ACCEPT

However, as SLAAC doesn't allow > 64, I should probably use VLANs to separate those $JOE hosts that shouldn't connect directly ... THX for your hint.
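The thread's conclusion is that the /64 cannot be subdivided for SLAAC, but the original goal (forward to the tunnel only for a handful of named hosts, default drop for everyone else) does not need subnetting at all: single /128 source matches inside the one /64 do it. The script below is an added example, not code from either poster or from SixXS; it builds an ip6tables-restore ruleset for that policy. The prefix (2001:db8:1:2::/64, a documentation prefix), the internal interface name eth1 and the host addresses and MAC addresses are constructed placeholders; the tunnel interface name sixxs is the one used in the question. Because Jeroen's caveat applies (a box can simply take another host's address), each accept rule also pins the source MAC with ip6tables' mac match, which raises the bar but is still weaker than the VLAN separation he recommends.

```shell
#!/bin/sh
# Added example: generate an ip6tables-restore filter table that forwards
# LAN -> tunnel traffic only for an explicit list of single hosts.
# Prefix, LAN interface, host addresses and MACs are assumed/constructed.

PREFIX="2001:db8:1:2"   # routed /64 of the tunnel (placeholder prefix)
LAN_IF="eth1"           # internal interface (assumed name)
TUN_IF="sixxs"          # tunnel interface, as named in the thread

# Hosts allowed to reach the tunnel directly: "address mac" per line.
# Every other address in the /64 falls through to the FORWARD DROP policy.
ALLOWED_HOSTS="
${PREFIX}::10 00:11:22:33:44:10
${PREFIX}::11 00:11:22:33:44:11
"

# Print the complete ruleset for the filter table.
gen_ruleset() {
    printf '%s\n' '*filter'
    printf '%s\n' ':INPUT ACCEPT [0:0]'
    # Default deny: unlisted boxes ($JOE hosts) cannot be forwarded anywhere.
    printf '%s\n' ':FORWARD DROP [0:0]'
    printf '%s\n' ':OUTPUT ACCEPT [0:0]'
    # Return traffic (and RELATED ICMPv6 errors such as packet-too-big)
    # for flows the allowed hosts opened towards the tunnel.
    printf '%s\n' "-A FORWARD -i $TUN_IF -o $LAN_IF -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    # One /128 accept rule per allowed host, pinned to its MAC address.
    echo "$ALLOWED_HOSTS" | while read -r addr mac; do
        [ -n "$addr" ] || continue
        printf '%s\n' "-A FORWARD -i $LAN_IF -o $TUN_IF -s $addr/128 -m mac --mac-source $mac -j ACCEPT"
    done
    printf '%s\n' 'COMMIT'
}

# Number of per-host accept rules in the generated set (sanity check).
count_host_rules() {
    gen_ruleset | grep -c -- '-s .*/128 -m mac --mac-source'
}

# Usage on the router (as root):  gen_ruleset | ip6tables-restore
gen_ruleset
```

Loading the output with ip6tables-restore replaces the filter table atomically, so the default-drop policy and the accept rules take effect together rather than leaving a window where FORWARD is open. Adding a host means adding one line to ALLOWED_HOSTS and re-running the script; nothing about radvd or the /64 has to change.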


Static Sunset Edition of SixXS
©2001-2017 SixXS - IPv6 Deployment & Tunnel Broker