
I have several networks which are on Comcast's residential network. I need to access those networks from a variety of environments, via an SSH proxy on one of the hosts.

(As it happens I'm using OpenWRT, so a specific solution there would be helpful; but I'm also generally curious how one does this with any Linux or BSD-based edge routing solution.)

With IPv4, this is relatively straightforward: since all my internal IPs are allocated with DHCP, I can simply set up a forwarding rule to move port 22 on the external interface to port 22 on a specific IP.

Since my IPv6 addresses are all allocated with SLAAC, I don't have a static address that I can use in ip6tables-land to forward things.

How can I detect changes to the prefix allocation so that I can establish new iptables rules? Or is there a way to set up a rule which forwards to a particular host based on discovering its IP address from its MAC address or something like that? (These hosts are all on a single segment so multicast and such should work.)

Glyph

2 Answers


I think in your case you can use dynamic prefix forwarding; here is my example rule in /etc/config/firewall:

config rule
    option name 'HTTP-SSH-IPv6-myserver01'
    option src 'wan'
    option proto 'tcp'
    option dest 'lan'
    option dest_ip '::2c18:81a2:3422:f690/-64'
    option dest_port '22 80 443'
    option family 'ipv6'
    option target 'ACCEPT'

which creates iptables rule(s) like this:

-A zone_wan_forward -d ::2c18:81a2:3422:f690/::ffff:ffff:ffff:ffff -p tcp -m tcp --dport 80 -m comment --comment "!fw3: HTTP-IPv6-myserver01" -j zone_lan_dest_ACCEPT

The same case is also described here: Dynamic IPv6 Subnet & ip6tables.

So it is even easier than IPv4: you don't need to configure static IP addresses at your DHCP server.

P.S.: "DMZ" in the title confused me at first reading of the question.

Alexey Vazhnov

SLAAC allocated addresses are static (except for temporary address) as long as the prefix is static, and the router knows the prefix.

You have several choices:

  • You could open port 22 to all addresses; then you would be able to ssh to all the hosts.
  • Configure the DHCP client on the router to call a script which changes the ip6tables rules.
  • Use the u32 match to match on part of IP address.
  • If the internal interface of the router is a Linux software bridge use ebtables, which can match on TCP ports and Ethernet addresses.
  • First and foremost - the whole point here is that the prefix is not, or rather may not be, static. And I definitely don't want SSH accessible on all hosts :-). Also, the router is getting its prefix via router advertisements, not DHCP, so that wouldn't help. I can't find a radvd hook for "prefix changed". Can ebtables inspect IP-level packet information? My impression was that it was all about ethernet-layer stuff. Finally: what's a "u32 match"? – Glyph Jun 16 '14 at 16:54
  • No, your router is obtaining the LAN prefix via DHCP (that's how Comcast distributes them) and advertising it using router advertisements. – Timothy Baldwin Jun 16 '14 at 17:41
  • That's interesting; I do have a dhcp6 client running, which I wasn't aware of. I don't see any log messages pertaining to getting a prefix though… so it sounds like the best option would be to add the DHCP client configuration. Could you expand your answer to include some specifics on that? (Particularly I find writing rules to fit in with OpenWRT's somewhat complex existing firewall tricky.) – Glyph Jun 18 '14 at 00:04
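As an added example that is not part of either answer, here is one way to implement the second option above (a script the router runs when the DHCPv6 prefix changes) for a SLAAC host whose 64-bit interface identifier is fixed. It assumes the fw3 chain names shown in the first answer's iptables output, that the delegation arrives on an OpenWrt interface named wan6, and that the LAN uses the first /64 of the delegation; the chain name dyn_fwd_ssh and the sample prefix are invented.

```shell
#!/bin/sh
# Added example, not from either answer: rebuild ip6tables forwarding rules
# for one LAN host whenever the delegated IPv6 prefix changes. The host's
# 64-bit SLAAC interface identifier stays fixed; only the prefix moves.
# On OpenWrt this would be saved as /etc/hotplug.d/iface/90-dyn-fwd and run
# on "ifup wan6" (assumption: wan6 is the DHCPv6 interface holding the
# delegation). Run by hand it prints the commands instead of applying them.

# host_addr PREFIX SUFFIX: join the first /64 of a delegation such as
# "2001:db8:abcd:1200::/56" with a host suffix such as
# "::2c18:81a2:3422:f690" into a full address. Assumes the LAN uses
# subnet 0 of the delegation (the first /64).
host_addr() {
    suffix="${2#::}"
    head="${1%/*}"                 # drop the prefix length
    head="${head%%::*}"            # keep the hextets written before "::"
    oldifs=$IFS; IFS=:; set -- $head; IFS=$oldifs
    while [ $# -lt 4 ]; do set -- "$@" 0; done   # "2001:db8:abcd::" -> 4 hextets
    printf '%s:%s:%s:%s:%s\n' "$1" "$2" "$3" "$4" "$suffix"
}

# forward_rules ADDR PORT...: print ip6tables commands that keep the host's
# rules in a private chain hooked into fw3's zone_wan_forward; the chain is
# flushed first so rules for the previous prefix disappear. dyn_fwd_ssh is
# our chain; zone_wan_forward / zone_lan_dest_ACCEPT are fw3's names.
forward_rules() {
    addr=$1; shift
    echo "ip6tables -N dyn_fwd_ssh 2>/dev/null || ip6tables -F dyn_fwd_ssh"
    echo "ip6tables -C zone_wan_forward -j dyn_fwd_ssh 2>/dev/null ||" \
         "ip6tables -I zone_wan_forward -j dyn_fwd_ssh"
    for port in "$@"; do
        echo "ip6tables -A dyn_fwd_ssh -d $addr/128 -p tcp -m tcp" \
             "--dport $port -j zone_lan_dest_ACCEPT"
    done
}

# Entry point. Under OpenWrt hotplug the prefix comes from ifstatus/jsonfilter
# (assumed JSON layout); elsewhere a constructed sample delegation is used.
if [ "${INTERFACE:-}" = wan6 ] && command -v jsonfilter >/dev/null 2>&1; then
    [ "${ACTION:-}" = ifup ] || exit 0
    PREFIX=$(ifstatus wan6 | jsonfilter -e '@["ipv6-prefix"][0].address')
    PREFIX="$PREFIX/$(ifstatus wan6 | jsonfilter -e '@["ipv6-prefix"][0].mask')"
else
    PREFIX=2001:db8:abcd:1200::/56            # constructed sample delegation
fi
SUFFIX=::2c18:81a2:3422:f690                  # host suffix from the first answer
RULES=$(forward_rules "$(host_addr "$PREFIX" "$SUFFIX")" 22)
echo "$RULES"                                 # review, or: APPLY_RULES=1 sh ...
if [ -n "${APPLY_RULES:-}" ]; then eval "$RULES"; fi
```

Because the rules live in their own chain that is flushed on every run, a prefix change cannot leave a stale ACCEPT for the old address behind.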