IPv6 subnet forwarding Shorewall logic inverse #2587

AliveDevil · 2022-09-30T23:31:26Z

AliveDevil
Sep 30, 2022

I setup IPv6 through my VPS (forwarding all of the /64 subnet).
But the Shorewall6 config is wrong for direct routing (ignoring any NAT).

ACCEPT          net             $FW             tcp     80      # OMR openmptcprouter open router 80 port tcp
ACCEPT          net             $FW             tcp     443     # OMR openmptcprouter open router 443 port tcp

But this is wrong if I want external access to a GUA address.
The rules above are then set to the net-fw-table which is referenced in INPUT-chain, not FORWARD-chain, which requires net-fwrd or net-vpn as table.

The correct rule should be:

ACCEPT          net             vpn:abcd::ef             tcp     80      # OMR openmptcprouter open abcd::ef 80 port tcp
ACCEPT          net             vpn:abcd::ef             tcp     443     # OMR openmptcprouter open abcd::ef 443 port tcp

This is the UCI firewall rule for these rules above:

firewall.@rule[20].name='Proxy (HTTP)'
firewall.@rule[20].proto='tcp'
firewall.@rule[20].src='vpn'
firewall.@rule[20].dest='*'
firewall.@rule[20].dest_ip='abcd::ef'
firewall.@rule[20].dest_port='80'
firewall.@rule[20].target='ACCEPT'
firewall.@rule[20].family='ipv6'

Is there something wrong in the Shorewall rules generation? I don't want to use port forwarding, but use real IPv6 routing capabilities with firewall allowed ports through OMR.

//Edit: Changed rule to include dest ip/range without exposing every hosts port.

Answered by AliveDevil

Oct 1, 2022

There might be some logic mismatches here¹.

Compared to the IPv4-case², which handles this differently.

Apart from that there might be additional logic issues how the shorewall config is created, because

comment = comment + ' from ' + dest_ip
net = 'net:' + dest_ip

from dest_ip

Isn't the case for routing, it should be to dest_ip, thus changing net = net: + dest_ip to vpn = vpn: + dest-IP.

View full answer

AliveDevil · 2022-10-01T00:14:44Z

AliveDevil
Oct 1, 2022
Author

There might be some logic mismatches here¹.

Compared to the IPv4-case², which handles this differently.

Apart from that there might be additional logic issues how the shorewall config is created, because

comment = comment + ' from ' + dest_ip
net = 'net:' + dest_ip

from dest_ip

Isn't the case for routing, it should be to dest_ip, thus changing net = net: + dest_ip to vpn = vpn: + dest-IP.

1 reply

Ysurac Oct 1, 2022
Maintainer

Hi, this will be fixed in next VPS script release for the logic error (was fixed for IPv4, not for IPv6...).
You can use custom rule in shorewall, you only need to not set the "# OMR ..." part.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

IPv6 subnet forwarding Shorewall logic inverse #2587

{{title}}

{{editor}}'s edit

{{editor}}'s edit

Replies: 1 comment 1 reply

{{title}}

{{editor}}'s edit

{{editor}}'s edit

{{title}}

Select a reply

IPv6 subnet forwarding Shorewall logic inverse #2587

AliveDevil Sep 30, 2022

Footnotes

Replies: 1 comment · 1 reply

AliveDevil Oct 1, 2022 Author

Footnotes

Ysurac Oct 1, 2022 Maintainer

AliveDevil
Sep 30, 2022

Replies: 1 comment 1 reply

AliveDevil
Oct 1, 2022
Author

Ysurac Oct 1, 2022
Maintainer