I’m using one machine with openSUSE as a router for IPv4 for many years. Some time ago I tried to add IPv6 and I was not successful. At least it was possible to get from the internal network to the outside, but it was not possible to get any traffic from outside to internal servers. After the upgrade to 15.6, it’s not even possible to get from the internal network outside. I’ve created some policy that helped forwarding IPv4 traffic, but it doesn’t seem to affect IPv6.
What would I like to achieve:
Traffic from internal zone is forwarded to external
Traffic from external is forwarded to internal for specific addresses and ports
Is this possible with firewalld or do I have to ditch it and create some nftables rules on my own?
wg0 wireguard, also considered internal network, IPv4 only
There is a mail server and a web server in the internal network that need to be accessible from the outside, which is done via port forwarding in IPv4, but they should be accessible directly in IPv6.
```
firewall-cmd --list-all-zones
block
  target: %%REJECT%%
  ingress-priority: 0
  egress-priority: 0
  icmp-block-inversion: no
  interfaces:
  sources:
  services:
  ports:
  protocols:
  forward: no
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

dmz
  target: default
  ingress-priority: 0
  egress-priority: 0
  icmp-block-inversion: no
  interfaces:
  sources:
  services: ssh
  ports:
  protocols:
  forward: no
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

docker (active)
  target: ACCEPT
  ingress-priority: 0
  egress-priority: 0
  icmp-block-inversion: no
  interfaces: docker0
  sources:
  services:
  ports:
  protocols:
  forward: no
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

drop
  target: DROP
  ingress-priority: 0
  egress-priority: 0
  icmp-block-inversion: no
  interfaces:
  sources:
  services:
  ports:
  protocols:
  forward: no
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

external (default, active)
  target: default
  ingress-priority: 0
  egress-priority: 0
  icmp-block-inversion: no
  interfaces: eth0
  sources:
  services:
  ports: 51820/udp
  protocols:
  forward: no
  masquerade: yes
  forward-ports:
	port=80:proto=tcp:toport=:toaddr=10.20.0.6
	port=443:proto=tcp:toport=:toaddr=10.20.0.6
	port=25:proto=tcp:toport=:toaddr=10.20.0.4
	port=587:proto=tcp:toport=:toaddr=10.20.0.4
	port=993:proto=tcp:toport=:toaddr=10.20.0.4
  source-ports:
  icmp-blocks:
  rich rules:

home
  target: default
  ingress-priority: 0
  egress-priority: 0
  icmp-block-inversion: no
  interfaces:
  sources:
  services: dhcpv6-client mdns samba-client ssh
  ports:
  protocols:
  forward: no
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

internal (active)
  target: default
  ingress-priority: 0
  egress-priority: 0
  icmp-block-inversion: no
  interfaces: eth1 tun0 wg0
  sources:
  services: dhcp dhcpv6 dhcpv6-client mdns ssh
  ports:
  protocols:
  forward: yes
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

public
  target: default
  ingress-priority: 0
  egress-priority: 0
  icmp-block-inversion: no
  interfaces:
  sources:
  services:
  ports:
  protocols:
  forward: no
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

trusted
  target: ACCEPT
  ingress-priority: 0
  egress-priority: 0
  icmp-block-inversion: no
  interfaces:
  sources:
  services:
  ports:
  protocols:
  forward: no
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

work
  target: default
  ingress-priority: 0
  egress-priority: 0
  icmp-block-inversion: no
  interfaces:
  sources:
  services: ssh
  ports:
  protocols:
  forward: no
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
```
In 15.5 the internal network was able to reach the internet, but it was not possible to reach internal servers from the internet (but ping worked). In 15.6 nothing is forwarded. I’d rather not show IPv6 addresses if not completely necessary.
When the firewall is off, neither IPv4 nor IPv6 is forwarded.
Please, use preformatted text when pasting computer output. Anyway, this is incorrect. The only option to enable IPv6 forwarding is /proc/sys/net/ipv6/conf/all/forwarding. Per-interface forwarding does something different.
So the policy ACCEPT should only have ingress internal and there should be another of external with REJECT and explicitly allowing specific IPv6 addresses and ports?
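The two-policy layout asked about in the last post, written out as an added example (not from the thread, and not firewalld's own documentation): an ACCEPT policy from internal to external, and a REJECT policy from external to internal whose rich rules open only the published IPv6 hosts and ports. The zone names are the ones from the output above; the policy names, the 2001:db8 addresses and the DRYRUN/APPLY switches are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): firewalld policies for an IPv6 router.
# Assumed placeholders: zones "internal"/"external" as in the thread; WEB6 and
# MAIL6 are documentation-prefix addresses standing in for the real servers.
WEB6="2001:db8:1::6"
MAIL6="2001:db8:1::4"

# DRYRUN=1 prints each command instead of executing it (firewalld needs root).
run() {
    if [ "${DRYRUN:-0}" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Routing needs the global sysctl; per-interface knobs do something different.
enable_ipv6_forwarding() {
    run sysctl -w net.ipv6.conf.all.forwarding=1
}

# Policy 1: anything arriving from internal may be forwarded out to external.
setup_int_to_ext() {
    run firewall-cmd --permanent --new-policy int-to-ext
    run firewall-cmd --permanent --policy int-to-ext --add-ingress-zone internal
    run firewall-cmd --permanent --policy int-to-ext --add-egress-zone external
    run firewall-cmd --permanent --policy int-to-ext --set-target ACCEPT
}

# Open one IPv6 host/TCP port through ext-to-int (rich rule, IPv6 family only).
allow6() {
    run firewall-cmd --permanent --policy ext-to-int --add-rich-rule \
        "rule family=\"ipv6\" destination address=\"$1\" port port=\"$2\" protocol=\"tcp\" accept"
}

# Policy 2: external -> internal is rejected unless a rich rule opens it.
setup_ext_to_int() {
    run firewall-cmd --permanent --new-policy ext-to-int
    run firewall-cmd --permanent --policy ext-to-int --add-ingress-zone external
    run firewall-cmd --permanent --policy ext-to-int --add-egress-zone internal
    run firewall-cmd --permanent --policy ext-to-int --set-target REJECT
    allow6 "$WEB6" 80
    allow6 "$WEB6" 443
    for p in 25 587 993; do allow6 "$MAIL6" "$p"; done
}
main() {
    enable_ipv6_forwarding
    setup_int_to_ext
    setup_ext_to_int
    run firewall-cmd --reload
}
# Nothing runs unless asked: DRYRUN=1 to review, APPLY=1 to apply as root.
if [ "${DRYRUN:-0}" = "1" ] || [ "${APPLY:-0}" = "1" ]; then main; fi
```

firewalld's zone masquerade applies to IPv4 only, so for IPv6 the internal servers must carry the globally routable addresses these rich rules name, and the rules give them no NAT-style hiding.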