• A second life for the Linksys, Part 3

    From Michiel van der Vlist@2:280/5555 to All on Tue Aug 6 11:45:51 2019
    From Fidonews Feb 2012:

    A SECOND LIFE FOR THE LINKSYS Part 3
    Drilling holes in the IPv6 Firewall
    By Michiel van der Vlist, 2:280/5555


    Last year I wrote two articles on how to set up an old Linksys WRT54GL
    as a router for IPv6. If you missed them, last year's Fidonews 31 and 32
    can be downloaded at: http://www.vlist.org/downloads/fidonews/2011/
    and probably from the editor's system as well.

    In these articles I described how to configure the Linksys as the end
    point of a 6in4 tunnel and how to route an IPv6 subnet to the LAN,
    thereby providing IPv6 connectivity for the machines on the LAN. I also
    described how to configure the IPv4 NAT to forward ports to a specific
    host, for example for a web server or a binkp server. What the articles
    did not cover is how to do the equivalent for IPv6. I had not figured
    that out myself then. I have now, so here is my report.

    First, forget about what is written on the subject in the OpenWrt wiki.
    The method described there does not work.

    Second, we have to understand that the mechanism for making a server on
    your LAN available to the outside world is different for IPv4 and IPv6.
    In IPv4 all machines on the LAN share one globally routable IPv4
    address. The LAN is behind a NAT that translates to and from the
    internal IP address on the LAN.

    Without specific instructions the router does not know where to send an
    unsolicited incoming packet and so it is dropped. A NAT has the side
    effect of acting as a stateful firewall. To make a server available
    one instructs the NAT to forward the port number for the server to the
    internal address of the server.

    In IPv6 there is no NAT. Every machine has - or at least can have - its
    own unique globally routable IPv6 address. There is no need to tell
    the router where to send an unsolicited incoming packet. It already
    knows because the packet carries the unique address of the destination.

    Some say the absence of NAT in IPv6 is a security risk because every
    machine is directly connected to the internet. But that is only true
    for routers that lack a firewall. Technically it is perfectly OK to
    have a router without a firewall. Then one needs to do nothing to
    allow unsolicited incoming packets, but each machine on the LAN will
    need its own firewall.

    The version of OpenWrt that this is all about does have an IPv6
    firewall though, and by default it is configured to reject all
    unsolicited incoming packets. So we need not worry about machines
    exposed to the internet. Unless of course we make a configuration
    error.

    In IPv6 we are more flexible in what we allow or disallow than in
    IPv4. In IPv4 we forward a specific port to a specific destination.
    Most routers are limited to doing just that. So only protocols that
    use ports can be forwarded. And usually it is limited to tcp and udp.
    It is not possible for example to forward a ping.

    In IPv6 we make an opening in the firewall for a specific destination.
    We can add additional restrictions, such as port numbers or protocols,
    but we need not. So we are not limited to protocols that use port
    numbers, such as tcp and udp.

    We can also allow ICMP that does not use port numbers.

    Changes to the firewall are made by editing the file
    /etc/config/firewall

    Here is how to make the machine with address 2001:DB8::2462 pingable
    from outside. We ONLY want to make it pingable, no more. So we restrict
    the protocol to ICMP and the type to echo request.

    Add the following lines to /etc/config/firewall:

    [code]

    # Allow ping6ing a specific host on the LAN

    config rule
    option src wan
    option dest lan
    option family ipv6
    option proto icmp
    option icmp_type echo-request
    option dest_ip 2001:DB8::2462
    option target ACCEPT

    [/code]

    If you have an IPv6 connection and want to see it work, you can ping6
    my RIPE Atlas probe at atlas.vlist.eu.

    For a binkp server we only want to allow what is needed to make that
    work, So we restrict to port 24554 and protocol tcp.

    [code]

    # A binkp server on the Fido machine
    # dest_port is the port on the LAN host; a UCI option name cannot
    # contain a hyphen, so "src-dport" would not be read at all.

    config rule
    option src wan
    option dest lan
    option family ipv6
    option dest_port 24554
    option proto tcp
    option dest_ip 2001:DB8::f1d0:2:280:5555
    option target ACCEPT

    [/code]


    Note that changes made to the firewall configuration do not take effect
    until the firewall is restarted. Either by rebooting the router or by
    executing the following command: /etc/init.d/firewall restart
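    The "configuration error" mentioned above is the main risk with hand-edited
    rules: a wan-to-lan ACCEPT that forgets dest_ip opens the whole LAN. The
    following is an added audit script, not part of the article or of OpenWrt,
    that parses the config rule stanzas of /etc/config/firewall and flags IPv6
    ACCEPT rules from wan that are not pinned to a single host. It assumes the
    LAN-side port option is spelled dest_port and uses a constructed sample config.

```python
"""Audit OpenWrt /etc/config/firewall for over-broad IPv6 accept rules (added example)."""

# Constructed sample: the article's two rules plus one rule missing dest_ip.
SAMPLE_FIREWALL = """
config rule
    option src wan
    option dest lan
    option family ipv6
    option proto icmp
    option icmp_type echo-request
    option dest_ip 2001:DB8::2462
    option target ACCEPT

config rule
    option src wan
    option dest lan
    option family ipv6
    option dest_port 24554
    option proto tcp
    option dest_ip 2001:DB8::f1d0:2:280:5555
    option target ACCEPT

config rule
    option src wan
    option dest lan
    option family ipv6
    option target ACCEPT
"""

def parse_uci(text):
    """Return a list of (section_type, {option: value}) from UCI-style text."""
    sections = []
    for line in text.splitlines():
        parts = line.strip().split(None, 2)
        if not parts or parts[0].startswith("#"):
            continue
        if parts[0] == "config":
            sections.append((parts[1], {}))          # new stanza, e.g. "rule"
        elif parts[0] == "option" and sections and len(parts) == 3:
            sections[-1][1][parts[1]] = parts[2].strip("'\"")
    return sections

def audit(text):
    """Flag wan->lan IPv6 ACCEPT rules that do not name a single destination host."""
    findings = []
    for idx, (stype, opts) in enumerate(parse_uci(text)):
        if stype != "rule" or opts.get("target", "").upper() != "ACCEPT":
            continue
        if opts.get("src") != "wan" or opts.get("family", "any") not in ("ipv6", "any"):
            continue
        if "dest_ip" not in opts:
            findings.append((idx, "ACCEPT from wan without dest_ip opens the whole LAN"))
        elif "/" in opts["dest_ip"] and not opts["dest_ip"].endswith("/128"):
            findings.append((idx, "dest_ip is a prefix, not a single host"))
    return findings
```

    Run it against a copy of the real file before restarting the firewall; an
    empty result means every wan-facing IPv6 opening is tied to one host.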


    Enjoy.


    (c) Michiel van der Vlist, all rights reserved.
    Permission to publish in the FIDONEWS file echo and the FIDONEWS
    discussion echo as originating from 2:2/2

    ---
    * Origin: he.net certified sage (2:280/5555)