[Jool-list] Firewall in SIIT-DC configuration

Alberto Leiva ydahhrk at gmail.com
Mon Jul 22 17:09:59 CST 2024


Hi

Scripts here: https://www.dropbox.com/scl/fo/x5c3tg16ai3p490ayeh1f/AP_bEGFgW_ElwE3q-2jhhVo?rlkey=2733ikdn7o9fesia4gf4g52fg&st=dwxqx8b4&dl=0

Read network.md. It has an overview.
Then start with setup.sh; run it in your translator.
It should unlock the "pings from global to itself" (from network.md).

Then run cleanup.sh.
You'll have to uncomment the two IP addresses in setup.sh, but
you'll also have to adjust the addresses in accordance with your
network.
Run setup.sh again, then adjust and run n6.sh in the (remote) IPv6
peer, and n4.sh in the (remote) IPv4 peer.
That'll unlock the other pings.

Then do your firewalling in global.

On Sun, Jul 21, 2024 at 12:53 AM Simon McFarlane via Jool-list
<jool-list at nic.mx> wrote:
>
> Hi all,
>
> I'm running jool_siit (in netfilter mode) in a fairly standard SIIT-DC configuration to route IPv4 traffic to an IPv6-only network of servers. From the servers' perspective, incoming IPv4 traffic appears to arrive from the pool6 prefix. Native IPv6 traffic flows as normal. Everything works great here.
>
> The trouble arises when trying to add a stateful firewall into the configuration. I'd like to allow incoming (internet->server) connections, but block outgoing (server->internet) connections. This is accomplished pretty easily for native IPv6 traffic by just adding a rule like "ip6 saddr <server_network> ct state new drop" to the forward chain on the router.
>
> However, as the Jool documentation says, packets translated by Jool skip the forward chain. It suggests trying to filter on mangle, or to encapsulate Jool in a namespace. Regarding the latter, I've taken a look at some examples, but all the ones I've found relate to running NAT64 (requiring masquerades and such), and I haven't quite been able to figure out how to adapt this to SIIT. As for the former, I came pretty close by adding a similar rule as above to the prerouting chain instead of the forward chain, but somewhat expectedly this doesn't work quite as intended.
>
> (Outgoing connections are blocked, and incoming connections can be established, but once established, TCP traffic only flows one way, from client to server. I can make an HTTP request but the client doesn't receive the server's response.)
>
> Does anyone have any advice on implementing stateful nft firewall rules for jool_siit traffic? Any guidance would be much appreciated :)
>
> Thanks,
> Simon
> _______________________________________________
> Jool-list mailing list
> Jool-list at nic.mx
> https://mail-lists.nic.mx/listas/listinfo/jool-list
