Hi, I'm running a very recent trunk build (r22963), and I'm having
trouble getting the IPv6 firewall to open a host/port to connections
from the IPv6 internet to an internal host with a global scope IPv6
address. I have a henet tunnel (interface 6in4-henet, set up with the
6in4 config), and the relevant (I think) parts of my firewall config
are:

config zone
       option name     wan
       option network  'wan henet'
       option input    REJECT
       option output   ACCEPT
       option forward  REJECT
       option masq     1
       option mtu_fix  1

The only forwarding I have is:

config forwarding
       option src      lan
       option dest     wan

And then I have a rule like:

config rule
       option src wan
       option proto tcp
       option dest_port 22
       option family ipv6
       option target ACCEPT

and also a rule like:

config rule
       option src wan
       option proto tcp
       option dest_ip xxxx:xxxx...  (globally routable ipv6 in my lan)
       option dest_port 587
       option family ipv6
       option target ACCEPT

However, attempts to ssh in from the IPv6 internet, or to connect to port
587 on my internal mail server via IPv6, are rejected.

I think this is because the above rules are turned into ip6tables rules:

-A zone_wan -p tcp -m tcp --dport 22 -j ACCEPT
-A zone_wan -d xxxx:xxxx.../128 -p tcp -m tcp --dport 587 -j ACCEPT

but since the destination of connections needs to be forwarded to
internal hosts and is not on the openwrt router itself, these rules are
never hit since the packets go to the FORWARD chain instead (checking
counters with ip6tables -L -v appears to confirm this) and hit the
default DROP policy instead.  (outgoing IPv6 works fine due to state
tracking of course)

Is there a good way to configure this with current firewall scripts? I
guess I could add an IPv6-only forwarding section from wan to lan, and
then block everything except the things I want to let through, but this
seems much more complex and error-prone than just being able to say the
two things I want to let through my IPv6 firewall. (And actually I'm
not sure how to configure dropping forwarded things any more than I can
configure accepting forwarded things!)

Thanks!
  Roland
-- 
Roland Dreier  <[email protected]>  GPG Key: 4096R/B4F83169
Fingerprint:     3779 F472 BB84 DFE1 A650  C304 DDC7 ECFB B4F8 3169
_______________________________________________
openwrt-devel mailing list
[email protected]
https://lists.openwrt.org/mailman/listinfo/openwrt-devel
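A small lint for the input-vs-FORWARD mismatch Roland describes, added here as an example and not taken from the thread or from OpenWrt's own firewall scripts. It parses UCI `config rule` sections and flags rules that name a `dest_ip` other than the router itself while lacking a `dest` zone; it assumes the placement model that a rule with only `src` lands in the zone's input chain and a rule with both `src` and `dest` lands in the forwarding chain, and the sample addresses are constructed placeholders.

```python
import ipaddress
import re

# Constructed sample modelled on the post; the LAN host uses a placeholder.
SAMPLE_UCI = """
config rule
       option src wan
       option proto tcp
       option dest_port 22
       option family ipv6
       option target ACCEPT
config rule
       option src wan
       option proto tcp
       option dest_ip 2001:db8:1::25
       option dest_port 587
       option family ipv6
       option target ACCEPT
"""
ROUTER_ADDRS = {ipaddress.ip_address("2001:db8:1::1")}  # constructed router IP

def parse_rules(text):
    """Return one dict per 'config rule' section of a UCI firewall file."""
    rules, cur = [], None
    for line in text.splitlines():
        m = re.match(r"\s*config\s+(\S+)", line)
        if m:
            cur = {} if m.group(1) == "rule" else None
            if cur is not None:
                rules.append(cur)
            continue
        m = re.match(r"\s*option\s+(\S+)\s+'?(.*?)'?\s*$", line)
        if m and cur is not None:
            cur[m.group(1)] = m.group(2)
    return rules

def chain_for(rule):
    """Assumed model: 'src' only -> zone input chain; 'src'+'dest' -> forward."""
    return "forward" if "dest" in rule else "input"

def lint(rules, router_addrs=ROUTER_ADDRS):
    """Flag input-chain rules whose dest_ip is not the router itself: those
    packets traverse FORWARD, so the rule in the input chain is never hit."""
    findings = []
    for i, r in enumerate(rules):
        dip = r.get("dest_ip", "").split("/")[0]
        if dip and chain_for(r) == "input":
            if ipaddress.ip_address(dip) not in router_addrs:
                findings.append((i, dip, "add 'option dest <lan zone>'"))
    return findings
```

Run it against `/etc/config/firewall` and compare with `ip6tables -L -v` counters: a flagged rule is one whose packet count will stay at zero no matter how many connections arrive.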
