A mostly-Linux centric question here, involving firewalls, IPv6 tunnels, and much confusion.
I'm trying to get a firewall up and running that does not interfere with my IPv6 tunnel; I cannot get Shorewall to accept traffic coming from my tunnel, or even to recognise the existence of said tunnel. I may be able to add my own rules straight in ip6tables, but that would probably be broken down next time I make Shorewall... or would it? I'm growing confused. So, does anyone have a good tutorial for IPv6 firewalling on Linux? (Bonus points if it also explains *what* Shorewall has to do with IPv6, if anything.)
What's the state of affairs on my box:
- Linux elyseum 2.6.17-2-k7 #1 SMP Fri Aug 11 20:51:38 UTC 2006 i686 GNU/Linux
- iptables/ip6tables v1.3.6
- shorewall 3.2.4
- ifconfig output:
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:2066 errors:0 dropped:0 overruns:0 frame:0
TX packets:2066 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:262799 (256.6 KiB) TX bytes:262799 (256.6 KiB)
sit0 Link encap:IPv6-in-IPv4
inet6 addr: ::192.168.1.10/96 Scope:Compat
inet6 addr: ::127.0.0.1/96 Scope:Unknown
UP RUNNING NOARP MTU:1480 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
sit1 Link encap:IPv6-in-IPv4
inet6 addr: 2001:618:400::575a:dce7/128 Scope:Global
inet6 addr: fe80::c0a8:10a/64 Scope:Link
UP POINTOPOINT RUNNING NOARP MTU:1480 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
wlan0 Link encap:Ethernet HWaddr 00:0F:B5:9B:B2:A0
inet addr:192.168.1.10 Bcast:192.168.1.255 Mask:255.255.255.0
inet6 addr: fe80::20f:b5ff:fe9b:b2a0/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:14371 errors:0 dropped:0 overruns:0 frame:0
TX packets:14184 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:11627238 (11.0 MiB) TX bytes:2321685 (2.2 MiB)
What I want to achieve: a firewall that operates on both IPv4 and IPv6 traffic, and regulates inbound traffic (outbound traffic will probably be "anything goes"). Shorewall seems to do the trick for IPv4 and fills all my needs (including redirect from Internet port 80 to local port 8080). IPv6, on the other hand... my naive rules treated sit1 exactly as wlan0, but they don't help out. ping6 www.kame.net results in a nice "ping: sendmsg: Operation not permitted".
What I'm wondering about: Do I even *want* to use IPv6 rules for an IPv6-in-IPv4 tunnel, or should it be straight IPv4? (Which means there would be a problem in my setup elsewhere.) Does Shorewall have IPv6-in-IPv4? I know it doesn't in versions 2.X.X, but I was somehow under the impression IPv6 got added in 3.X.X. Then again, if IPv6 is in, why is there a "DISABLE_IPV6" option then? (When "No", Shorewall is supposed to let all IPv6 through, but it doesn't help in my case; when "Yes", it should set up some ip6tables rules to disable all IPv6 traffic, which is the case on my computer.)
What works fine: The IPv6 tunnel worked without a glitch prior to setting up an actual firewall (I can fly without one, since I do have another firewall on the way to my computer, but that's not quite the same). Shorewall's rules for wlan0 also work fine, shutting down all unwanted traffic, redirecting port 80 as expected, and letting me ping the rest of the world. The problem isn't on the end of my IPv6 tunnel broker either.
What I've done before: I've read the relevant parts of the Shorewall documentation and googled around, but to no avail. I've also tried other firewalls (say, Firestarter), but they don't seem to have *all* the features I require; so, while Shorewall is pretty much overkill for a personal firewall, it seems to be the program closest to my needs. That, and it should be good practice for the day when I can't stand my ISP's kinky router.
Thanks in advance if you can help me clear up that muddle.
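As an added example (not code from the post or any reply to it), here is the two-layer view of the problem the post raises: as far as iptables is concerned, a sit tunnel is IPv4 traffic with protocol number 41 arriving on wlan0, while the decapsulated packets are judged a second time by ip6tables, with sit1 as their input interface, so both tables need rules. The broker's IPv4 address, the ip6tables-restore file layout and the root check are assumptions; the post gives none of them.

```shell
#!/bin/sh
# Added example, not from the original post. Interface names follow the
# post; the broker endpoint is a constructed placeholder.
TUN_IF=sit1            # IPv6-in-IPv4 tunnel interface (from the post)
WAN_IF=wlan0           # IPv4-facing interface (from the post)
BROKER_V4=203.0.113.1  # constructed placeholder for the broker's IPv4 end

# Layer 1: on the wire the tunnel is plain IPv4, protocol 41. If the IPv4
# firewall drops it, ip6tables never sees a single IPv6 packet. If Shorewall
# manages the IPv4 tables, it rebuilds them on restart, so this rule belongs
# in Shorewall's own configuration rather than being applied by hand.
gen_v4_rules() {
  cat <<EOF
*filter
-A INPUT -i $WAN_IF -p 41 -s $BROKER_V4 -j ACCEPT
-A OUTPUT -o $WAN_IF -p 41 -d $BROKER_V4 -j ACCEPT
COMMIT
EOF
}

# Layer 2: after decapsulation the packets are IPv6 on $TUN_IF and hit
# ip6tables. A DROP policy on OUTPUT is what makes ping6 report
# "sendmsg: Operation not permitted", so OUTPUT on the tunnel is opened
# explicitly. State matching assumes the nf_conntrack_ipv6 module is loaded.
gen_v6_rules() {
  cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -o $TUN_IF -j ACCEPT
-A INPUT -i $TUN_IF -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i $TUN_IF -p ipv6-icmp -j ACCEPT
-A INPUT -i $WAN_IF -s fe80::/10 -p ipv6-icmp -j ACCEPT
COMMIT
EOF
}

# -n (--noflush) appends to the existing tables instead of wiping them.
apply_rules() {
  [ "$(id -u)" = 0 ] || { echo "apply_rules: run as root" >&2; return 1; }
  gen_v4_rules | iptables-restore -n
  gen_v6_rules | ip6tables-restore -n
}

# Default action: print the generated rulesets for review.
gen_v4_rules
gen_v6_rules
```

Review the printed rulesets first; run apply_rules as root only after confirming they do not conflict with what Shorewall already installs.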