Iptables – How to set up an IPv6 DMZ with iptables without a static allocation

Tags: firewall, iptables, ipv6, openwrt, routing

I have several networks which are on Comcast's residential network. I need to access those networks from a variety of environments, via an SSH proxy on one of the hosts.

(As it happens I'm using OpenWRT, so a specific solution there would be helpful; but I'm also generally curious how one does this with any Linux or BSD-based edge routing solution.)

With IPv4, this is relatively straightforward: since all my internal IPs are allocated with DHCP, I can simply set up a forwarding rule to move port 22 on the external interface to port 22 on a specific IP.

Since my IPv6 addresses are all allocated with SLAAC, I don't have a static address that I can use in ip6tables-land to forward things.

How can I detect changes to the prefix allocation so that I can establish new iptables rules? Or is there a way to set up a rule which forwards to a particular host based on discovering its IP address from its MAC address or something like that? (These hosts are all on a single segment so multicast and such should work.)

Best Answer

I think in your case you can use dynamic prefix forwarding. My example of a rule in /etc/config/firewall:

config rule
    option name 'HTTP-SSH-IPv6-myserver01'
    option src 'wan'
    option proto 'tcp'
    option dest 'lan'
    option dest_ip '::2c18:81a2:3422:f690/-64'
    option dest_port '22 80 443'
    option family 'ipv6'
    option target 'ACCEPT'

which creates iptables rule(s) like this:

-A zone_wan_forward -d ::2c18:81a2:3422:f690/::ffff:ffff:ffff:ffff -p tcp -m tcp --dport 80 -m comment --comment "!fw3: HTTP-IPv6-myserver01" -j zone_lan_dest_ACCEPT

Here is also described the same case: Dynamic IPv6 Subnet & ip6tables.

So it is even easier than IPv4 — you don't need to configure static IP addresses on your DHCP server.

P.S.: "DMZ" in the title confused me on first reading of the question.
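To make the mechanism behind the answer concrete, here is an added example (not from the original post or from OpenWrt/fw3) that computes the suffix-match form of a rule the way the generated `-d ::2c18:81a2:3422:f690/::ffff:ffff:ffff:ffff` line does, and then emulates the kernel's masked destination compare to show that the same rule keeps matching the host after the delegated /64 changes. The sample prefixes (2001:db8::/32 documentation space) and the `parse_dest_ip` reading of the `/-64` notation as "prefix length 64, match only the remaining host bits" are my assumptions, chosen to reproduce the rule shown above.

```python
import ipaddress

IPV6_BITS = 128


def suffix_mask(prefix_len: int) -> ipaddress.IPv6Address:
    """Mask that keeps only the host (interface identifier) bits.

    For prefix_len=64 this is ::ffff:ffff:ffff:ffff, the mask fw3 emits
    for a dest_ip written as 'addr/-64'.
    """
    host_bits = IPV6_BITS - prefix_len
    return ipaddress.IPv6Address((1 << host_bits) - 1)


def host_part(addr: str, prefix_len: int) -> ipaddress.IPv6Address:
    """Zero the routing prefix, leaving '::<iid>' as it appears in the rule."""
    a = int(ipaddress.IPv6Address(addr))
    return ipaddress.IPv6Address(a & int(suffix_mask(prefix_len)))


def parse_dest_ip(dest_ip: str):
    """Split an fw3-style 'addr/-N' value into (host address, prefix length).

    Assumption: '-N' means "N prefix bits are dynamic, compare the rest".
    """
    addr, neg_len = dest_ip.split("/-")
    return ipaddress.IPv6Address(addr), int(neg_len)


def ip6tables_rule(dest_ip: str, port: int, comment: str) -> str:
    """Render a zone_wan_forward rule in the shape fw3 generates."""
    host, prefix_len = parse_dest_ip(dest_ip)
    return (
        f"-A zone_wan_forward -d {host}/{suffix_mask(prefix_len)} "
        f"-p tcp -m tcp --dport {port} "
        f'-m comment --comment "{comment}" -j zone_lan_dest_ACCEPT'
    )


def rule_matches(packet_dst: str, dest_ip: str) -> bool:
    """Emulate the kernel check: (dst & mask) == (rule_addr & mask)."""
    host, prefix_len = parse_dest_ip(dest_ip)
    mask = int(suffix_mask(prefix_len))
    return (int(ipaddress.IPv6Address(packet_dst)) & mask) == (int(host) & mask)


if __name__ == "__main__":
    rule = "::2c18:81a2:3422:f690/-64"
    print(ip6tables_rule(rule, 22, "HTTP-SSH-IPv6-myserver01"))

    # Constructed sample: the server keeps its interface identifier while the
    # ISP-delegated /64 changes; a neighbour with a different IID never matches.
    old_prefix_addr = "2001:db8:1:1:2c18:81a2:3422:f690"
    new_prefix_addr = "2001:db8:2:2:2c18:81a2:3422:f690"
    neighbour_addr = "2001:db8:2:2:aaaa:bbbb:cccc:dddd"
    for dst in (old_prefix_addr, new_prefix_addr, neighbour_addr):
        print(f"{dst:40} matches={rule_matches(dst, rule)}")
```

The match survives a prefix change only because the host keeps a stable interface identifier (EUI-64 or RFC 7217 stable-privacy addresses); a host using RFC 4941 temporary addresses for inbound traffic would not be reachable through a suffix rule, so the target machine should be configured to use a stable IID.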
