[Jool-list] Firewall in SIIT-DC configuration

Simon McFarlane sm at desu.ne.jp
Sun Jul 21 00:53:08 CST 2024


Hi all,

I'm running jool_siit (in netfilter mode) in a fairly standard SIIT-DC configuration to route IPv4 traffic to an IPv6-only network of servers. From the servers' perspective, incoming IPv4 traffic appears to arrive from the pool6 prefix. Native IPv6 traffic flows as normal. Everything works great here.

The trouble arises when trying to add a stateful firewall into the configuration. I'd like to allow incoming (internet->server) connections, but block outgoing (server->internet) connections. This is accomplished pretty easily for native IPv6 traffic by just adding a rule like "ip6 saddr <server_network> ct state new drop" to the forward chain on the router.

However, as the Jool documentation says, packets translated by Jool skip the forward chain. It suggests trying to filter on mangle, or to encapsulate Jool in a namespace. Regarding the latter, I've taken a look at some examples, but all the ones I've found relate to running NAT64 (requiring masquerades and such), and I haven't quite been able to figure out how to adapt this to SIIT. As for the former, I came pretty close by adding a similar rule as above to the prerouting chain instead of the forward chain, but somewhat expectedly this doesn't work quite as intended.

(Outgoing connections are blocked, and incoming connections can be established, but once established, TCP traffic only flows one way, from client to server. I can make an HTTP request but the client doesn't receive the server's response.)

Does anyone have any advice on implementing stateful nft firewall rules for jool_siit traffic? Any guidance would be much appreciated :)

Thanks,
Simon
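The rules the message describes, written out as a complete nftables ruleset so the two placements can be compared side by side. This is an added illustration, not part of the original post or the Jool project; the server prefix, table names and chain names are placeholders, and the prerouting chain reproduces what the post says was tried, without claiming it is the right answer.

```nft
# Added illustration (not from the post): the forward-chain rule the post
# uses for native IPv6, plus the prerouting variant it tried for
# Jool-translated packets. 2001:db8:1::/64 is a constructed placeholder
# for <server_network>.
define server_net = 2001:db8:1::/64

table inet filter {
    chain forward {
        type filter hook forward priority filter; policy accept;

        # Packets of flows conntrack already knows pass in both directions,
        # so incoming (internet -> server) connections keep working.
        ct state established,related accept

        # New connections initiated from the server network (server -> internet)
        # are dropped; this is the rule quoted in the post.
        ip6 saddr $server_net ct state new drop
    }
}

# Prerouting placement: the post reports that Jool-translated packets skip
# the forward chain, so the same rule was moved to a mangle-priority
# prerouting chain. The post states that with this placement outgoing
# connections are blocked and incoming ones open, but the server's
# responses do not reach the client.
table inet jool_filter {
    chain prerouting {
        type filter hook prerouting priority mangle; policy accept;
        ip6 saddr $server_net ct state new drop
    }
}
```

Load with `nft -f <file>`; `nft list ruleset` shows both tables, and `conntrack -L` (from conntrack-tools) shows which flows the `ct state` matches are keyed on when comparing the two placements.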

