= Сообщение: 6116 из 7402 ============================================= IPV6 = От : Michiel van der Vlist 2:280/5555 06 Aug 19 11:45:51 Кому : All 06 Aug 19 11:45:51 Тема : A second life for the Linksys, Part 3 FGHI : area://IPV6?msgid=2:280/5555+5d494c53 = Кодировка сообщения определена как: CP850 ================================== ============================================================================== From Fidonews Feb 2012:
� A SECOND LIFE FOR THE LINKSYS Part 3 � Drilling holes in the IPv6 Firewall � By Michiel van der Vlist, 2:280/5555
Last year I wrote two articles on how to set up an old Linksys WRT54GL as a router for IPv6. If you missed it last year's Fidonews 31 and 32, you can download them at: http://www.vlist.org/downloads/fidonews/2011/ And probably from the editor's system as well.
In these articles I described how to configure the Linksys as the end point of a 6in4 tunnel and how to route an Ipv6 subnet to the LAN, thereby providing IPv6 connectivity for the machines on the LAN. I also described how to configure the Ipv4 NAT to forward ports to specific host. For example for a web server or a binkp server. What the articles did not cover is how to do the equivalent for IPv6. I had not figured That out myself then. I have now, so here is my report.
First, forget about what is written on the subject in the OpenWrt wiki. The method described there does not work.
Second, we have to understand that the mechanism for making a server on your LAN available to the outside world is different for IPv4 and IPv6. In IPv4 all machines on the LAN share one globally routeable IPv4 address. The LAN is behind a NAT that translates to and from the internal IP address on the LAN.
Without specific instructions the router does not know where to send an unsollicited incoming packet and so it is dropped. A NAT has the side effect of acting as a statefull firewall. To make a server available one instructs the NAT to forward the port number for the server to the internal address of the server.
In IPv6 there is no NAT. Every machine has - or at least can have - its own unique globally routeable IPv6 address. There is no need to tell the router where to send an unsollicited incoming packet. It already knows because the packet has the unique address of the destination.
Some say the absence of NAT in IPv6 is a security risk because every machine is directly connected to the internet. But that is only true for routers that lack a firewall. Technically it is perfectly OK to have a router without a firewall. Then one needs to do nothing to allow unsollicited incoming packets. each machine on the LAN will need its own firewall.
The version of OpenWrt that this is all about does have an IPv6 firewall though and by default it is configured to reject all unsollicited incoming packets. So we need not worry about machines exposed to the internet. Unless of course we make a configuration error.
In IPv6 we are more flexible in what we allow or disallow than in IPv4. In IPv4 we forward a specific port to a specific destination. Most routers are limited to doing just that. So only protocols that use ports can be forwarded. And usually it is limited to tcp and udp. It is not possible for example to forward a ping.
In IPv6 we make an opening in the firewall for a specific destination. We can add additional restrictions, such as port numbers or protocols, but we need not. So we are not limited to protocols that use port numbers as tcp and udp.
We can also allow ICMP that does not use port numbers.
Changes to the firewall are made by editing the file /etc/config/firewall
Here is how to make the machine with address 2001:DB8::2462 pingable from outside. We ONLY want to make it pingable, no more. So we restrict the protocol to ICMP and the type to echo request.
Add the following lines to /ect/config/firewall:
[code]
# Allow ping6ing a specific host on the LAN
config rule � option src wan � option dest lan � option family ipv6 � option proto icmp � option icmp_type echo-request � option dest_ip 2001:DB8::2462 � option target ACCEPT
[/code]
If you have an IPv6 connection and want to see it work, you can ping6 my RIPE Atlas probe at atlas.vlist.eu.
For a binkp server we only want to allow what is needed to make that work, So we restrict to port 24554 and protocol tcp.
[code]
# A binkp server on the Fido machine
config rule � option src wan � option dest lan � option family ipv6 � option src-dport 24554 � option proto tcp � option dest_ip 2001:DB8::f1d0:2:280:5555 � option target ACCEPT
[/code]
Note that changes made to the firewall configuration do not take effect until the firewall is restarted. Either by rebooting the router or by executing the following command: /etc/init.d/firewall restart
