On 01/07/2017 08:35 AM, Luke Jordan wrote:
> On 26.12.2016 at 22:44, Tom Eastep wrote:
>>
>> My personal approach to multiple IPv6 providers is to assign my
>> local networks prefixes delegated from one of my provider's
>> routers and simply use SNAT when sending traffic out of the other
>> provider. That is stateful and supports problem protocols like
>> FTP.
>
> can you give me a configuration example for this?
I have two providers, IPv6Beta and HE.
/etc/shorewall6/shorewall6.conf:
USE_DEFAULT_RT=Yes
/etc/shorewall6/providers:
IPv6Beta 1 0x100 - eth0 fe80::22e5:2aff:feb7:f2cf\
track,primary,loose,persistent
HE 2 0x200 - sit1 - track,fallback,persistent
Most local networks have IPv6 addresses delegated by the router on
eth0 and are in 2601:601:8b00:bf0::/60 (as is the address of eth0).
I have one local network that has addresses routed via sit1
(2001:470:b:227::/64). The IP address of sit1 is 2001:470:a:227::2.
/etc/shorewall6/snat:
SNAT(&sit1) 2601:601:8b00:bf0::/60 sit1
SNAT(&eth0) 2001:470:b:227::/64,2001:470:a:227::2 eth0
When I was running a version of Shorewall that still used the masq
file, the corresponding entries were:
sit1 2601:601:8b00:bf0::/60 &sit1
IPv6Beta 2001:470:b:227::/64,2001:470:a:227::2 &eth0
/etc/shorewall6/rtrules:
2001:470:B:227::/64 ::/0 HE 11000
2601:601:8b00:bf0::/60 ::/0 IPv6Beta 11000
>
>> In Netfilter, NPT is stateless, so it is a pain to use. There is
>> therefore no formal support for NPT in Shorewall6 (the
>> shorewall6-netmap(5) file is no longer usable since the
>> Netfilter rawpost table has been removed). It is possible to
>> configure NPT in shorewall-mangle(5) (assuming that your kernel
>> and ip6tables support the SNPT and DNPT targets) but there is
>> currently no documentation for how to do that.
>>
>> A brief outline of what is required:
>>
>> Add SNPT and DNPT as builtin actions in
>> /etc/shorewall6/actions:
>>
>> SNPT builtin,mangle,terminating
>> DNPT builtin,mangle,terminating
>>
>> To configure DNPT in the shorewall6/mangle file:
>>
>> IP6TABLES(DNPT --src-pfx <prefix/length> --dst-pfx
>> <prefix/length> ):P ...
>>
>> and to configure SNPT:
>>
>> IP6TABLES(SNPT --src-pfx <prefix/length> --dst-pfx
>> <prefix/length> ):T ...
>>
>> See iptables-extensions(8) for additional information on SNPT
>> and DNPT. In particular, you must disable connection tracking for
>> the translated flows in shorewall-conntrack(5).
>
> it doesn't work:
>
> /etc/shorewall6/mangle:
>
> MARK(768):P eth0 - tcp 22,47238,52486 # ssh traffic by dsl
> MARK(512):P eth0 - - - # other traffic by cbl
>
> IP6TABLES(DNPT --src-pfx 2001:XXXX:YYYY:100::/64 --dst-pfx
> fdae:fa7:dead:beef::/64 ):P eth0 - - -
>
> IP6TABLES(SNPT --src-pfx fdae:fa7:dead:beef::/64 --dst-pfx
> 2001:XXXX:YYYY:100::/64 ):P eth0 - - -
>
> result:
>
> Checking /etc/shorewall6/mangle... ERROR: Invalid ACTION
> (IP6TABLES(DNPT --src-pfx 2001:XXXX:YYYY:100::/64 --dst-pfx
> fdae:fa7:dead:beef::/64 ):P) /etc/shorewall6/mangle (line 18)
>
> fdae:fa7:dead:beef::/64 is the local network,
> 2001:XXXX:YYYY:100::/64 the network of a provider.
>
Did you add DNPT as a nat builtin action in /etc/shorewall6/actions?
-Tom
--
Tom Eastep \ When I die, I want to go like my Grandfather who
Shoreline, \ died peacefully in his sleep. Not screaming like
Washington, USA \ all of the passengers in his car
http://shorewall.net \________________________________________________
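Added example, not code from this thread or from the Shorewall project: a Python model of the checksum-neutral prefix mapping that the SNPT/DNPT targets apply (RFC 6296, following the word-selection rules of the Linux xt_NPT implementation). It shows why NPT is stateless, as Tom says above: the translated address is a pure function of the original address and the two prefixes, with no per-flow binding, which is also why conntrack has to be turned off for those flows. The internal prefix fdae:fa7:dead:beef::/64 is taken from the thread; the external prefix 2001:db8:1:100::/64 is a constructed documentation-range stand-in for the redacted 2001:XXXX:YYYY:100::/64.

```python
import ipaddress

ALL_128 = (1 << 128) - 1


def ones_complement_sum(words):
    """RFC 1071 style 16-bit one's complement sum of a sequence of 16-bit words."""
    total = 0
    for w in words:
        total += w
        total = (total & 0xFFFF) + (total >> 16)  # fold the carry back in
    return total


def address_words(addr):
    """Split a 128-bit IPv6 address into its eight 16-bit words."""
    packed = ipaddress.IPv6Address(addr).packed
    return [int.from_bytes(packed[i:i + 2], "big") for i in range(0, 16, 2)]


def npt_adjustment(src_pfx, dst_pfx):
    """Per-rule constant: sum(src prefix) minus sum(dst prefix), in one's complement."""
    src_sum = ones_complement_sum(address_words(ipaddress.IPv6Network(src_pfx).network_address))
    dst_sum = ones_complement_sum(address_words(ipaddress.IPv6Network(dst_pfx).network_address))
    # subtraction in one's complement arithmetic is addition of the complement
    return ones_complement_sum([src_sum, (~dst_sum) & 0xFFFF])


def npt_translate(addr, src_pfx, dst_pfx):
    """Map addr from src_pfx into dst_pfx so that the 16-bit one's complement
    sum of the address (and therefore every transport checksum) is unchanged.
    Raises ValueError where the kernel target would drop the packet."""
    src_pfx = ipaddress.IPv6Network(src_pfx)
    dst_pfx = ipaddress.IPv6Network(dst_pfx)
    addr = ipaddress.IPv6Address(addr)
    if addr not in src_pfx:
        raise ValueError(f"{addr} is not inside {src_pfx}")

    # 1. overwrite the prefix bits, keep the host bits
    pfx_len = max(src_pfx.prefixlen, dst_pfx.prefixlen)
    mask = ((1 << pfx_len) - 1) << (128 - pfx_len)
    new_int = (int(dst_pfx.network_address) & mask) | (int(addr) & ~mask & ALL_128)
    words = address_words(ipaddress.IPv6Address(new_int))

    # 2. pick the word that absorbs the checksum adjustment:
    #    the subnet word for /48 or shorter, otherwise the first IID word
    #    that is not 0xFFFF (0xFFFF is "minus zero" and cannot absorb it)
    if pfx_len <= 48:
        idx = 3
    else:
        candidates = [i for i in range(4, 8) if words[i] != 0xFFFF]
        if not candidates:
            raise ValueError(f"{addr}: no IID word can absorb the adjustment")
        idx = candidates[0]

    # 3. add the constant adjustment; 0xFFFF and 0x0000 are the same one's
    #    complement value, so write the canonical zero
    new_word = ones_complement_sum([words[idx], npt_adjustment(src_pfx, dst_pfx)])
    if new_word == 0xFFFF:
        new_word = 0
    words[idx] = new_word
    return ipaddress.IPv6Address(b"".join(w.to_bytes(2, "big") for w in words))


def checksum_neutral(a, b):
    """True if both addresses have the same one's complement sum (0xFFFF == 0)."""
    sa = ones_complement_sum(address_words(a)) % 0xFFFF
    sb = ones_complement_sum(address_words(b)) % 0xFFFF
    return sa == sb


if __name__ == "__main__":
    inside, outside = "fdae:fa7:dead:beef::/64", "2001:db8:1:100::/64"  # outside is constructed
    host = "fdae:fa7:dead:beef::1"
    ext = npt_translate(host, inside, outside)           # what SNPT does on egress
    back = npt_translate(ext, outside, inside)           # what DNPT does on ingress
    print(f"adjustment = {npt_adjustment(inside, outside):#06x}")
    print(f"{host} -> {ext} -> {back}  checksum neutral: {checksum_neutral(host, ext)}")
```

The fourth word of the IID (7c39 in the output) is the visible footprint of the adjustment; a host inside the LAN is reachable under one fixed external address for as long as the two prefixes stay the same, with nothing for a NAT table to remember.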