Thank you Alberto! I didn't realise it was necessary to have that 2nd EAMT entry to translate the IPv6 glue space (fd00:AAAA:: in your example). All working great now.
Thanks,
Simon

On 23/07/2024 08:09, Alberto Leiva wrote:
> Hi
>
> Scripts here:
> https://www.dropbox.com/scl/fo/x5c3tg16ai3p490ayeh1f/AP_bEGFgW_ElwE3q-2jhhVo?rlkey=2733ikdn7o9fesia4gf4g52fg&st=dwxqx8b4&dl=0
>
> Read network.md. It has an overview.
> Then start with setup.sh; run it in your translator.
> It should unlock the "pings from global to itself" (from network.md).
>
> Then run cleanup.sh.
> You'll have to uncomment the two ip addresses in setup.sh, but
> you'll also have to adjust the addresses in accordance with your
> network.
> Run setup.sh again, then adjust and run n6.sh in the (remote) IPv6
> peer, and n4.sh in the (remote) IPv4 peer.
> That'll unlock the other pings.
>
> Then do your firewalling in global.
>
> On Sun, Jul 21, 2024 at 12:53 AM Simon McFarlane via Jool-list
> <[email protected]> wrote:
>>
>> Hi all,
>>
>> I'm running jool_siit (in netfilter mode) in a fairly standard SIIT-DC
>> configuration to route IPv4 traffic to an IPv6-only network of servers. From
>> the servers' perspective, incoming IPv4 traffic appears to arrive from the
>> pool6 prefix. Native IPv6 traffic flows as normal. Everything works great
>> here.
>>
>> The trouble arises when trying to add a stateful firewall into the
>> configuration. I'd like to allow incoming (internet->server) connections,
>> but block outgoing (server->internet) connections. This is accomplished
>> pretty easily for native IPv6 traffic by just adding a rule like "ip6 saddr
>> <server_network> ct state new drop" to the forward chain on the router.
>>
>> However, as the Jool documentation says, packets translated by Jool skip the
>> forward chain. It suggests trying to filter on mangle, or to encapsulate
>> Jool in a namespace. Regarding the latter, I've taken a look at some
>> examples, but all the ones I've found relate to running NAT64 (requiring
>> masquerades and such), and I haven't quite been able to figure out how to
>> adapt this to SIIT. As for the former, I came pretty close by adding a
>> similar rule as above to the prerouting chain instead of the forward chain,
>> but somewhat expectedly this doesn't work quite as intended.
>>
>> (Outgoing connections are blocked, and incoming connections can be
>> established, but once established, TCP traffic only flows one way, from
>> client to server. I can make an HTTP request but the client doesn't receive
>> the server's response.)
>>
>> Does anyone have any advice on implementing stateful nft firewall rules for
>> jool_siit traffic? Any guidance would be much appreciated :)
>>
>> Thanks,
>> Simon
>> _______________________________________________
>> Jool-list mailing list
>> [email protected]
>> https://mail-lists.nic.mx/listas/listinfo/jool-list
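The namespace-based layout Alberto describes, written out as an added example for this thread. It is not his setup.sh/n6.sh/n4.sh (those are on Dropbox, not in this message), and every namespace name, interface name and address in it is an assumed placeholder: the server network (2001:db8:1::/64), the servers' public IPv4 block (192.0.2.0/24), pool6 (64:ff9b::/96), the veth glue addresses (fd00:aaaa::/64 and 10.64.0.0/30) and the IPv4 block the glue space is mapped to by the second EAMT entry (10.64.1.0/24) are documentation/ULA values chosen here and have to be adjusted to the real network. The reason the namespace helps is that jool_siit in netfilter mode translates in prerouting and re-injects the result, so the translated packet never traverses the forward chain of the namespace Jool lives in; once Jool sits in a namespace of its own, both the IPv4 leg and the IPv6 leg of every flow enter and leave the global namespace over the veth pair as ordinary forwarded traffic, and global conntrack can track them there. By default the script only prints what it would do; DRY_RUN=0 applies it and needs root plus the jool_siit module.

```shell
#!/bin/sh
# jool_siit (SIIT-DC, netfilter mode) in its own network namespace, with
# stateful nft filtering done in the global namespace. Added example; not
# the scripts linked in the thread. ALL names and addresses below are
# assumptions (documentation/ULA space) and must be adapted.
#
#   servers (IPv6-only)     2001:db8:1::/64, hosts in 2001:db8:1::/120
#   servers' public IPv4    192.0.2.0/24        EAMT 2001:db8:1::/120 <-> 192.0.2.0/24
#   pool6                   64:ff9b::/96        IPv4 internet hosts as the servers see them
#   veth glue, global side  fd00:aaaa::1/64 and 10.64.0.1/30
#   veth glue, jool side    fd00:aaaa::2/64 and 10.64.0.2/30
#   glue EAMT (2nd entry)   fd00:aaaa::/120 <-> 10.64.1.0/24  (assumed values; gives packets
#                           sourced from the glue addresses an IPv4 counterpart)
set -eu

DRY_RUN="${DRY_RUN:-1}"   # 1 = print the commands only; DRY_RUN=0 applies them (root, jool_siit module)
NS=jool

run() { echo "+ $*"; [ "$DRY_RUN" = 1 ] || "$@"; }
ns()  { run ip netns exec "$NS" "$@"; }

setup_namespace() {
    run modprobe jool_siit
    run ip netns add "$NS"
    run ip link add to_jool type veth peer name to_global
    run ip link set to_global netns "$NS"

    # global side of the glue link; global forwards IPv4 for the servers and
    # IPv6 for pool6 (i.e. translated IPv4 hosts) into the translator namespace
    run ip addr add fd00:aaaa::1/64 dev to_jool
    run ip addr add 10.64.0.1/30 dev to_jool
    run ip link set to_jool up
    run ip route add 192.0.2.0/24 via 10.64.0.2 dev to_jool
    run ip -6 route add 64:ff9b::/96 via fd00:aaaa::2 dev to_jool

    # translator side: everything it emits goes back to global
    ns ip link set lo up
    ns ip addr add fd00:aaaa::2/64 dev to_global
    ns ip addr add 10.64.0.2/30 dev to_global
    ns ip link set to_global up
    ns ip route add default via 10.64.0.1 dev to_global
    ns ip -6 route add default via fd00:aaaa::1 dev to_global
    ns sysctl -q -w net.ipv4.conf.all.forwarding=1
    ns sysctl -q -w net.ipv6.conf.all.forwarding=1
}

setup_jool() {
    # A Jool instance binds to the namespace the userspace client runs in,
    # so the commands are executed inside the "jool" namespace.
    ns jool_siit instance add --netfilter --pool6 64:ff9b::/96
    ns jool_siit eamt add 2001:db8:1::/120 192.0.2.0/24   # servers
    ns jool_siit eamt add fd00:aaaa::/120 10.64.1.0/24    # glue space (the "2nd EAMT entry")
}

# Ruleset for the GLOBAL namespace. Incoming connections to the servers are
# allowed (policy accept); connections the servers try to open are dropped on
# their first packet, whether native IPv6 or the IPv6 leg of SIIT-DC traffic.
nft_ruleset() {
    cat <<'EOF'
table inet siit_fw {
    chain forward {
        type filter hook forward priority filter; policy accept;
        ct state established,related accept
        ip6 saddr 2001:db8:1::/64 ct state new drop
        # same attempt after translation to IPv4 (belt and braces)
        ip saddr 192.0.2.0/24 ct state new drop
    }
}
EOF
}

setup_firewall() {
    run sysctl -q -w net.ipv4.conf.all.forwarding=1
    run sysctl -q -w net.ipv6.conf.all.forwarding=1
    echo "+ nft -f - <<EOF"; nft_ruleset; echo "EOF"
    [ "$DRY_RUN" = 1 ] || nft_ruleset | nft -f -
}

main() { setup_namespace; setup_jool; setup_firewall; }
main
```

Run it once as is to review the plan, then with DRY_RUN=0 on the translator box. The order matters for conntrack: a client SYN from the internet is first seen by global as an IPv4 flow (new, accepted), comes back from the namespace as an IPv6 flow (new, not sourced from the servers, accepted), and the server's SYN-ACK then matches that IPv6 entry as established, which is exactly the reply direction that a prerouting rule in a single namespace never gets to see as established.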
