[Jool-list] Firewall in SIIT-DC configuration

Simon McFarlane sm at desu.ne.jp
Wed Jul 24 03:55:27 CST 2024


Thank you Alberto! I didn't realise it was necessary to have that 2nd EAMT entry to translate the IPv6 glue space (fd00:AAAA:: in your example). All working great now.

Thanks,
Simon

On 23/07/2024 08:09, Alberto Leiva wrote:
> Hi
> 
> Scripts here: https://www.dropbox.com/scl/fo/x5c3tg16ai3p490ayeh1f/AP_bEGFgW_ElwE3q-2jhhVo?rlkey=2733ikdn7o9fesia4gf4g52fg&st=dwxqx8b4&dl=0
> 
> Read network.md. It has an overview.
> Then start with setup.sh; run it in your translator.
> It should unlock the "pings from global to itself" (from network.md)
> 
> Then run cleanup.sh.
> You'll have to uncomment the two ip addresses from setup.sh, but
> you'll also have to adjust the addresses in accordance with your
> network.
> Run setup.sh again, then adjust and run n6.sh in the (remote) IPv6
> peer, and n4.sh in the (remote) IPv4 peer.
> That'll unlock the other pings.
> 
> Then do your firewalling in global.
> 
> On Sun, Jul 21, 2024 at 12:53 AM Simon McFarlane via Jool-list
> <jool-list at nic.mx> wrote:
>>
>> Hi all,
>>
>> I'm running jool_siit (in netfilter mode) in a fairly standard SIIT-DC configuration to route IPv4 traffic to an IPv6-only network of servers. From the servers' perspective, incoming IPv4 traffic appears to arrive from the pool6 prefix. Native IPv6 traffic flows as normal. Everything works great here.
>>
>> The trouble arises when trying to add a stateful firewall into the configuration. I'd like to allow incoming (internet->server) connections, but block outgoing (server->internet) connections. This is accomplished pretty easily for native IPv6 traffic by just adding a rule like "ip6 saddr <server_network> ct state new drop" to the forward chain on the router.
>>
>> However, as the Jool documentation says, packets translated by Jool skip the forward chain. It suggests trying to filter on mangle, or to encapsulate Jool in a namespace. Regarding the latter, I've taken a look at some examples, but all the ones I've found relate to running NAT64 (requiring masquerades and such), and I haven't quite been able to figure out how to adapt this to SIIT. As for the former, I came pretty close by adding a similar rule as above to the prerouting chain instead of the forward chain, but somewhat expectedly this doesn't work quite as intended.
>>
>> (Outgoing connections are blocked, and incoming connections can be established, but once established, TCP traffic only flows one way, from client to server. I can make an HTTP request but the client doesn't receive the server's response.)
>>
>> Does anyone have any advice on implementing stateful nft firewall rules for jool_siit traffic? Any guidance would be much appreciated :)
>>
>> Thanks,
>> Simon
>> _______________________________________________
>> Jool-list mailing list
>> Jool-list at nic.mx
>> https://mail-lists.nic.mx/listas/listinfo/jool-list
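The following ruleset is an added illustration of the policy Simon describes (allow inbound connections to the servers, refuse new outbound ones), written as an nftables file for the global namespace. It is not part of the thread and not Jool's own code. It assumes the layout Alberto's scripts set up, namely jool_siit running in its own network namespace so that translated packets re-enter the global namespace and traverse its forward chain like any other forwarded IPv6 packet; with netfilter-mode Jool in the global namespace itself, translated packets skip the forward chain and this ruleset would only see the native IPv6 flows. The prefixes are placeholders, not addresses from the thread.

```nftables
#!/usr/sbin/nft -f
# Added example, not from the thread or the Jool project.
# Assumed placeholders (replace with your own values):
#   2001:db8:1::/48  the IPv6-only server network (<server_network> in the thread)
#   64:ff9b::/96     pool6; translated IPv4 clients appear from this prefix,
#                    so they are matched by the same ip6 rules as native peers
define server_net = 2001:db8:1::/48

# Drops any ruleset already loaded on this host; remove if other tables are in use.
flush ruleset

table inet filter {
    chain forward {
        type filter hook forward priority filter; policy drop;

        # Replies belonging to a connection that already passed the policy.
        # Without this rule, server-to-client response segments are dropped and
        # TCP only flows one way, which is the symptom described in the thread.
        ct state established,related accept

        # Packets conntrack cannot associate with any flow.
        ct state invalid drop

        # Servers may not open new connections towards anyone outside,
        # whether the far end is a native IPv6 host or a translated IPv4 client.
        ip6 saddr $server_net ct state new drop

        # Anyone (native IPv6 or pool6-translated IPv4) may open connections
        # to the servers; narrow this to specific ports if the servers only
        # expose a few services.
        ip6 daddr $server_net ct state new accept

        # Keep path MTU discovery working across the translator.
        icmpv6 type { packet-too-big, time-exceeded, parameter-problem } accept
    }
}
```

Load it with `nft -f <file>` and confirm with `nft list ruleset`; to see which rule a given flow hits, temporarily append `counter` to the rules of interest and watch the packet counts while a client connects. The `ct state new drop` rule must come after the `established,related` accept, otherwise the outbound half of an inbound connection is refused as well.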

