Glad to hear!
On Wed, Jul 24, 2024 at 3:55 AM Simon McFarlane <[email protected]> wrote:
>
> Thank you Alberto! I didn't realise it was necessary to have that 2nd EAMT
> entry to translate the IPv6 glue space (fd00:AAAA:: in your example). All
> working great now.
>
> Thanks,
> Simon
>
> On 23/07/2024 08:09, Alberto Leiva wrote:
> > Hi
> >
> > Scripts here:
> > https://www.dropbox.com/scl/fo/x5c3tg16ai3p490ayeh1f/AP_bEGFgW_ElwE3q-2jhhVo?rlkey=2733ikdn7o9fesia4gf4g52fg&st=dwxqx8b4&dl=0
> >
> > Read network.md. It has an overview.
> > Then start with setup.sh; run it in your translator.
> > It should unlock the "pings from global to itself" (from network.md).
> >
> > Then run cleanup.sh.
> > You'll have to uncomment the two IP addresses in setup.sh, but
> > you'll also have to adjust the addresses in accordance with your
> > network.
> > Run setup.sh again, then adjust and run n6.sh in the (remote) IPv6
> > peer, and n4.sh in the (remote) IPv4 peer.
> > That'll unlock the other pings.
> >
> > Then do your firewalling in global.
> >
> > On Sun, Jul 21, 2024 at 12:53 AM Simon McFarlane via Jool-list
> > <[email protected]> wrote:
> >>
> >> Hi all,
> >>
> >> I'm running jool_siit (in netfilter mode) in a fairly standard SIIT-DC
> >> configuration to route IPv4 traffic to an IPv6-only network of servers.
> >> From the servers' perspective, incoming IPv4 traffic appears to arrive
> >> from the pool6 prefix. Native IPv6 traffic flows as normal. Everything
> >> works great here.
> >>
> >> The trouble arises when trying to add a stateful firewall into the
> >> configuration. I'd like to allow incoming (internet->server) connections,
> >> but block outgoing (server->internet) connections. This is accomplished
> >> pretty easily for native IPv6 traffic by just adding a rule like "ip6
> >> saddr <server_network> ct state new drop" to the forward chain on the
> >> router.
> >>
> >> However, as the Jool documentation says, packets translated by Jool skip
> >> the forward chain. It suggests trying to filter on mangle, or to
> >> encapsulate Jool in a namespace. Regarding the latter, I've taken a look
> >> at some examples, but all the ones I've found relate to running NAT64
> >> (requiring masquerades and such), and I haven't quite been able to figure
> >> out how to adapt this to SIIT. As for the former, I came pretty close by
> >> adding a similar rule as above to the prerouting chain instead of the
> >> forward chain, but somewhat expectedly this doesn't work quite as intended.
> >>
> >> (Outgoing connections are blocked, and incoming connections can be
> >> established, but once established, TCP traffic only flows one way, from
> >> client to server. I can make an HTTP request but the client doesn't
> >> receive the server's response.)
> >>
> >> Does anyone have any advice on implementing stateful nft firewall rules
> >> for jool_siit traffic? Any guidance would be much appreciated :)
> >>
> >> Thanks,
> >> Simon
> >> _______________________________________________
> >> Jool-list mailing list
> >> [email protected]
> >> https://mail-lists.nic.mx/listas/listinfo/jool-list
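As an added illustration of the approach discussed in this thread (jool_siit moved into its own network namespace so the translated packets re-enter the global namespace over a veth pair, with the stateful policy applied in the global namespace's forward chain), the following nftables ruleset is an example written for this page; it is not one of the scripts linked above and not code from the Jool project. The server prefix, the pool6 prefix, and the veth interface name are placeholders, and the assumption that both directions of translated traffic cross the global forward hook over the veth is exactly what the namespace layout is meant to provide.

```nft
#!/usr/sbin/nft -f
# Added example ruleset for the GLOBAL namespace (not the Jool namespace).
# Assumed, placeholder values:
#   - servers live in 2001:db8:1::/64 (IPv6-only)
#   - pool6 is 64:ff9b::/96 (translated IPv4 clients appear from here)
#   - the global end of the veth toward the Jool namespace is "to_jool"
define servers = 2001:db8:1::/64
define pool6   = 64:ff9b::/96
define jool_if = "to_jool"

# Recreate the table idempotently so the file can be reloaded.
table inet filter
delete table inet filter

table inet filter {
    chain forward {
        type filter hook forward priority filter; policy accept;

        # Reply traffic for anything already tracked passes in both
        # directions, including server responses heading back toward the
        # Jool namespace for translation to IPv4.
        ct state established,related accept
        ct state invalid drop

        # Block every server-initiated connection, whether it is native
        # IPv6 or is on its way to the translator (destination in pool6).
        # The packet is dropped before it reaches Jool, so nothing leaks
        # out on the IPv4 side.
        ip6 saddr $servers ct state new counter drop

        # Optional tightening: only the translator's veth may deliver
        # pool6-sourced packets toward the servers.
        ip6 saddr $pool6 iifname != $jool_if counter drop

        # Client-initiated connections toward the servers (native IPv6, or
        # translated IPv4 arriving over the veth) are accepted by policy.
    }
}
```

Load it with `nft -f <file>` in the global namespace and watch the `counter` values while opening one inbound and one outbound connection: the inbound flow should only increment the established/related path, while the outbound attempt increments the `ct state new` drop. In the netfilter-mode setup described in the original post, a rule placed in prerouting sees only one direction of the translated flow, which matches the one-way TCP symptom reported; once Jool sits behind a veth, the forward chain sees both directions and conntrack can pair them.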
