Score:2

Allowing inbound IPv6 traffic to a host and port when the IPv6 prefix is dynamic?

cn flag

With IPv4, you used to be able to give a host a static local IP address on the LAN, and use a firewall rule on the firewall/router to forward a port on the (possibly dynamic) Internet-facing IP used by the network to a port on that particular host, using the host's static LAN IPv4 address as a stable way to identify the host in the firewall rule.

But with IPv6, every host is using real routable Internet IPs, so the incoming traffic for the host will already be addressed to it, and there's no need for NAT. But you still need to be able to write a firewall rule to say that inbound traffic to one particular host and port should be allowed, while traffic to other hosts or ports is blocked.

But if the prefix under which the network assigns IPv6 addresses is dynamic, how would you refer to a particular host in a firewall rule to allow traffic to it? You can't just allow traffic to its IPv6 address, because next week it will have an IPv6 address with a different prefix, because the ISP will have assigned the network a different prefix.

How do you then actually configure a firewall to allow inbound traffic to that host on some port? In ip6tables it looks like there's a --dest option to match by destination, but that only seems to let you put in an entire address and not e.g. a suffix of the address which you can ensure is kept static for a host. From the man page:

       [!] -s, --source address[/mask][,...]
              Source  specification.  Address can be either a network name, a
              hostname, a network IP address (with /mask), or a plain IP  ad‐
              dress. Hostnames will be resolved once only, before the rule is
              submitted to the kernel.  Please note that specifying any  name
              to  be resolved with a remote query such as DNS is a really bad
              idea.  The mask can be either an ipv4 network mask  (for  ipta‐
              bles)  or  a  plain number, specifying the number of 1's at the
              left side of the network mask.  Thus, an iptables mask of 24 is
              equivalent to 255.255.255.0.  A "!" argument before the address
              specification inverts the sense of the address. The flag  --src
              is  an alias for this option.  Multiple addresses can be speci‐
              fied, but this will expand to multiple rules (when adding  with
              -A), or will cause multiple rules to be deleted (with -D).

       [!] -d, --destination address[/mask][,...]
              Destination  specification.   See  the  description  of  the -s
              (source) flag for a detailed description of  the  syntax.   The
              flag --dst is an alias for this option.

Is there a way to handle this with ip6tables? Is there some other layer over ip6tables that is supposed to generate rules that change as the network is renumbered, that everyone is actually using? Is there some kind of ip6tables plugin that can let me match traffic that will go to a particular host even if the network number changes? Do other OS firewalls handle this differently?

Ron Maupin avatar
us flag
"_But if the prefix under which the network assigns IPv6 addresses is dynamic, how would you refer to a particular host in a firewall rule to allow traffic to it?_" A business ISP connection does not do that. Only residential Internet connections are made that way because the residential contract prohibits serving to the Internet. You simply need to get a commercial Internet connection.
cn flag
@RonMaupin It wouldn't make any sense to need a commercial Internet connection with a static IP in order to open a hole in a firewall for, say, a multiplayer video game.
Ron Maupin avatar
us flag
Then you are asking on the wrong SE site. [sf] is for business networking. You ask about residential networking on [su].
cn flag
@RonMaupin I think this is the right SE site; `iptables` and `ip6tables` both seem more commonly discussed here than on SU (they aren't "consumer workstations or networking"). DHCP and DHCPv6-PD conversely aren't *exclusively* consumer-only technologies. Comcast sells static IPv6 (and IPv4) addresses as an add-on to their business Internet product: https://forums.businesshelp.comcast.com/conversations/ipv6/how-static-is-the-ipv6-prefix-delegation/5fe0a62bc5375f08cd95f1ac?commentId=5fe0a63ac5375f08cd986010, and if you don't buy that, they can change the prefix on you.
Score:2
jp flag

ip6tables accepts a bitmask for the address. Unlike with iptables and IPv4, these bits don't necessarily all have to be at the beginning of the address, so something like this should work fine:

ip6tables -A INPUT -d ::1234:56ff:fe78:90ab/::ffff:ffff:ffff:ffff -j ACCEPT

That would make ip6tables accept all packets going to an IPv6 address that ends in ::1234:56ff:fe78:90ab, no matter the prefix.
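As an added illustration of the non-contiguous-mask match this answer relies on (example code, not from the thread), the Python below emulates how ip6tables evaluates `-d address/mask` and builds the corresponding rule for a host and port; the interface identifier and port are constructed sample values, and the approach assumes the host keeps a fixed interface identifier rather than temporary privacy addresses.

```python
import ipaddress
from typing import Tuple

# Constructed example: the rule from the answer, matching only the low 64 bits
# (the interface identifier) so the ISP-assigned prefix can change freely.
RULE_SPEC = "::1234:56ff:fe78:90ab/::ffff:ffff:ffff:ffff"
IID_MASK = "::ffff:ffff:ffff:ffff"


def parse_match(spec: str) -> Tuple[int, int]:
    """Parse 'address[/mask]' where mask is a prefix length or a full IPv6 mask.
    Returns (masked_address, mask) as 128-bit integers."""
    addr_str, _, mask_str = spec.partition("/")
    addr = int(ipaddress.IPv6Address(addr_str))
    if not mask_str:
        mask = (1 << 128) - 1                       # exact host match
    elif mask_str.isdigit():
        n = int(mask_str)
        mask = ((1 << n) - 1) << (128 - n)          # contiguous prefix mask
    else:
        mask = int(ipaddress.IPv6Address(mask_str))  # arbitrary, possibly non-contiguous
    return addr & mask, mask


def matches(spec: str, dst: str) -> bool:
    """True if destination address dst satisfies the rule's address/mask."""
    want, mask = parse_match(spec)
    return (int(ipaddress.IPv6Address(dst)) & mask) == want


def build_rule(iid: str, port: int, proto: str = "tcp") -> str:
    """Build an ip6tables INPUT rule allowing one port to the host whose
    interface identifier (low 64 bits) is iid, whatever the current prefix."""
    ipaddress.IPv6Address("::" + iid)  # validates the identifier syntax
    return (f"ip6tables -A INPUT -p {proto} --dport {port} "
            f"-d ::{iid}/{IID_MASK} -j ACCEPT")


if __name__ == "__main__":
    # The same host after a renumbering: both prefixes match, a different host does not.
    for dst in ("2001:db8:1:2:1234:56ff:fe78:90ab",
                "2001:db8:dead:beef:1234:56ff:fe78:90ab",
                "2001:db8:1:2:1234:56ff:fe78:90ac"):
        print(dst, "->", "ACCEPT" if matches(RULE_SPEC, dst) else "no match")
    print(build_rule("1234:56ff:fe78:90ab", 25565))
```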
