Hi

Scripts here: https://www.dropbox.com/scl/fo/x5c3tg16ai3p490ayeh1f/AP_bEGFgW_ElwE3q-2jhhVo?rlkey=2733ikdn7o9fesia4gf4g52fg&st=dwxqx8b4&dl=0

Read network.md. It has an overview. Then start with setup.sh; run it in your translator. It should unlock the "pings from global to itself" (from network.md). Then run cleanup.sh. You'll have to uncomment the two IP addresses in setup.sh, but you'll also have to adjust the addresses in accordance with your network. Run setup.sh again, then adjust and run n6.sh in the (remote) IPv6 peer, and n4.sh in the (remote) IPv4 peer. That'll unlock the other pings. Then do your firewalling in global.

On Sun, Jul 21, 2024 at 12:53 AM Simon McFarlane via Jool-list <[email protected]> wrote:
>
> Hi all,
>
> I'm running jool_siit (in netfilter mode) in a fairly standard SIIT-DC
> configuration to route IPv4 traffic to an IPv6-only network of servers. From
> the servers' perspective, incoming IPv4 traffic appears to arrive from the
> pool6 prefix. Native IPv6 traffic flows as normal. Everything works great
> here.
>
> The trouble arises when trying to add a stateful firewall into the
> configuration. I'd like to allow incoming (internet->server) connections, but
> block outgoing (server->internet) connections. This is accomplished pretty
> easily for native IPv6 traffic by just adding a rule like "ip6 saddr
> <server_network> ct state new drop" to the forward chain on the router.
>
> However, as the Jool documentation says, packets translated by Jool skip the
> forward chain. It suggests trying to filter on mangle, or to encapsulate Jool
> in a namespace. Regarding the latter, I've taken a look at some examples, but
> all the ones I've found relate to running NAT64 (requiring masquerades and
> such), and I haven't quite been able to figure out how to adapt this to SIIT.
> As for the former, I came pretty close by adding a similar rule as above to
> the prerouting chain instead of the forward chain, but somewhat expectedly
> this doesn't work quite as intended.
>
> (Outgoing connections are blocked, and incoming connections can be
> established, but once established, TCP traffic only flows one way, from
> client to server. I can make an HTTP request but the client doesn't receive
> the server's response.)
>
> Does anyone have any advice on implementing stateful nft firewall rules for
> jool_siit traffic? Any guidance would be much appreciated :)
>
> Thanks,
> Simon
> _______________________________________________
> Jool-list mailing list
> [email protected]
> https://mail-lists.nic.mx/listas/listinfo/jool-list
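For the "firewalling in global" step, here is an added example nftables ruleset (not from the thread, the linked scripts, or the Jool project). It assumes Jool SIIT has been moved into its own network namespace as the reply's scripts do, so that both native and translated packets traverse the global namespace's forward chain; the server prefix 2001:db8:1::/64 is a placeholder to replace with your own.

```nft
#!/usr/sbin/nft -f
# Added example for the global namespace; assumes Jool SIIT runs in a
# separate namespace, so translated IPv6 packets (source in pool6) cross
# this forward chain like any other forwarded traffic.
# Placeholder: replace with the real IPv6-only server network.
define server_net = 2001:db8:1::/64

table inet siit_fw {
    chain forward {
        # Default accept: forwarding of the untranslated IPv4 leg to and
        # from the Jool namespace and of inbound IPv6 stays allowed.
        type filter hook forward priority filter; policy accept;

        # Server replies to connections conntrack already knows, including
        # replies addressed to pool6-mapped (translated) IPv4 clients, and
        # related ICMPv6 errors.
        ct state established,related accept

        # The rule from the question, now effective for translated traffic
        # too: no new server -> internet connections, whether the destination
        # is native IPv6 or a pool6 address that Jool would translate to IPv4.
        ip6 saddr $server_net ct state new drop
    }
}
```

Inbound connections (native IPv6, or IPv4 already translated by Jool) arrive with a destination in the server network and fall through to the accept policy, while the servers' return packets match the established rule.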
