ipv6 forward rule after prerouting - Howto

ipv6 forward rule after prerouting - Howto

[Daniel Huhardeaux]

Hello,

I setup prerouting rules with maps like

chain prerouting {
    type nat hook prerouting priority 0; policy accept;
    iif "ens3" ip6 saddr . tcp dport vmap @blacklist_tcp
    if "ens3" ip6 saddr . udp dport vmap @blacklist_udp
    dnat to tcp dport map @fwdtoip_tcp:tcp dport map @fwdtoport_tcp
    dnat to udp dport map @fwdtoip_udp:udp dport map @fwdtoport_udp
    ip6 daddr 2a01:729:16e:10::9998 redirect to :tcp dport map @redirect_tcp
    ip6 daddr 2a01:729:16e:10::9998 redirect to :udp dport map @redirect_udp
    ct status dnat accept
    }

Default behavior in ip6 filter forward table is to drop. This means that 
my above rules are blocked, I see (u18srv being the machine who will 
forward the traffic to another one):

18:32:00.476524 IP6 <hostname>.41174 > u18srv.12345: Flags [S], seq 
126955234, win 28640, options [mss 1432,sackOK,TS val 2255777795 ecr 
0,nop,wscale 7], length 0 
 

18:32:08.668468 IP6 <hostname>.41174 > u18srv.12345: Flags [S], seq 
126955234, win 28640, options [mss 1432,sackOK,TS val 2255785986 ecr 
0,nop,wscale 7], length 0
18:32:24.796392 IP6 <hostname>.41174 > u18srv.12345: Flags [S], seq 
126955234, win 28640, options [mss 1432,sackOK,TS val 2255802114 ecr 
0,nop,wscale 7], length 0

Now if I change my default value to accept for ip6 filter forward table, 
all is good.

Question: how can I add forward rule to filter table using the existing 
maps which are defined in nat tables ? Other solution ?

I thought that ct status dnat accept was the key to archieve my goal, 
seems not :(

Thanks for any hint

-- 
Daniel
TOOTAi Networks

Re: ipv6 forward rule after prerouting - Howto

[Phil Sutter]

Hi,

On Wed, Nov 06, 2019 at 06:55:56PM +0100, Daniel Huhardeaux wrote:
> Hello,
> 
> I setup prerouting rules with maps like
> 
> chain prerouting {
>     type nat hook prerouting priority 0; policy accept;
>     iif "ens3" ip6 saddr . tcp dport vmap @blacklist_tcp
>     if "ens3" ip6 saddr . udp dport vmap @blacklist_udp
>     dnat to tcp dport map @fwdtoip_tcp:tcp dport map @fwdtoport_tcp
>     dnat to udp dport map @fwdtoip_udp:udp dport map @fwdtoport_udp
>     ip6 daddr 2a01:729:16e:10::9998 redirect to :tcp dport map @redirect_tcp
>     ip6 daddr 2a01:729:16e:10::9998 redirect to :udp dport map @redirect_udp
>     ct status dnat accept
>     }
> 
> Default behavior in ip6 filter forward table is to drop. This means that 
> my above rules are blocked, I see (u18srv being the machine who will 
> forward the traffic to another one):
> 
> 18:32:00.476524 IP6 <hostname>.41174 > u18srv.12345: Flags [S], seq 
> 126955234, win 28640, options [mss 1432,sackOK,TS val 2255777795 ecr 
> 0,nop,wscale 7], length 0 
>  
> 
> 18:32:08.668468 IP6 <hostname>.41174 > u18srv.12345: Flags [S], seq 
> 126955234, win 28640, options [mss 1432,sackOK,TS val 2255785986 ecr 
> 0,nop,wscale 7], length 0
> 18:32:24.796392 IP6 <hostname>.41174 > u18srv.12345: Flags [S], seq 
> 126955234, win 28640, options [mss 1432,sackOK,TS val 2255802114 ecr 
> 0,nop,wscale 7], length 0
> 
> Now if I change my default value to accept for ip6 filter forward table, 
> all is good.
> 
> Question: how can I add forward rule to filter table using the existing 
> maps which are defined in nat tables ? Other solution ?
> 
> I thought that ct status dnat accept was the key to archieve my goal, 
> seems not :(
> 
> Thanks for any hint

Please be aware that 'accept' verdict will only stop the packet from
traversing the current chain and any later chain may still drop the
packet. Only 'drop' verdict is final in that sense.

So regarding your problem, I guess you have to add the 'ct state' based
accept rule to forward chain to prevent the drop policy to affect the
packet. Your prerouting chain already has an accept policy, so explicit
accepting shouldn't be needed.

Cheers, Phil

Re: ipv6 forward rule after prerouting - Howto

[Daniel Huhardeaux]

Le 06/11/2019 à 19:50, Phil Sutter a écrit :
> Hi,
> 
> On Wed, Nov 06, 2019 at 06:55:56PM +0100, Daniel Huhardeaux wrote:
>> Hello,
>>
>> I setup prerouting rules with maps like
>>
>> chain prerouting {
>>      type nat hook prerouting priority 0; policy accept;
>>      iif "ens3" ip6 saddr . tcp dport vmap @blacklist_tcp
>>      if "ens3" ip6 saddr . udp dport vmap @blacklist_udp
>>      dnat to tcp dport map @fwdtoip_tcp:tcp dport map @fwdtoport_tcp
>>      dnat to udp dport map @fwdtoip_udp:udp dport map @fwdtoport_udp
>>      ip6 daddr 2a01:729:16e:10::9998 redirect to :tcp dport map @redirect_tcp
>>      ip6 daddr 2a01:729:16e:10::9998 redirect to :udp dport map @redirect_udp
>>      ct status dnat accept
>>      }
>>
>> Default behavior in ip6 filter forward table is to drop. This means that
>> my above rules are blocked, I see (u18srv being the machine who will
>> forward the traffic to another one):
>>
>> 18:32:00.476524 IP6 <hostname>.41174 > u18srv.12345: Flags [S], seq
>> 126955234, win 28640, options [mss 1432,sackOK,TS val 2255777795 ecr
>> 0,nop,wscale 7], length 0
>>   
>>
>> 18:32:08.668468 IP6 <hostname>.41174 > u18srv.12345: Flags [S], seq
>> 126955234, win 28640, options [mss 1432,sackOK,TS val 2255785986 ecr
>> 0,nop,wscale 7], length 0
>> 18:32:24.796392 IP6 <hostname>.41174 > u18srv.12345: Flags [S], seq
>> 126955234, win 28640, options [mss 1432,sackOK,TS val 2255802114 ecr
>> 0,nop,wscale 7], length 0
>>
>> Now if I change my default value to accept for ip6 filter forward table,
>> all is good.
>>
>> Question: how can I add forward rule to filter table using the existing
>> maps which are defined in nat tables ? Other solution ?
>>
>> I thought that ct status dnat accept was the key to archieve my goal,
>> seems not :(
>>
>> Thanks for any hint
> 
> Please be aware that 'accept' verdict will only stop the packet from
> traversing the current chain and any later chain may still drop the
> packet. Only 'drop' verdict is final in that sense.

This I understood

> 
> So regarding your problem, I guess you have to add the 'ct state' based
> accept rule to forward chain to prevent the drop policy to affect the
> packet. Your prerouting chain already has an accept policy, so explicit
> accepting shouldn't be needed.

I set again the default policy to drop and add the state new to the 
existing established,related ones. It's working too.

What I would like is to authorized state new _only_ for traffic going to 
ip and port which are setted in maps. Feasable ?

BTW, I just discover that my above redirect rules are not working, eg 
redirect port 12345 to port 25 failed with same tcpdump output as above. 
Any idea why ?

-- 
Daniel
TOOTAi Networks

Re: ipv6 forward rule after prerouting - Howto

[Daniel Huhardeaux]

Le 06/11/2019 à 19:50, Phil Sutter a écrit :
> Hi,
> 
> On Wed, Nov 06, 2019 at 06:55:56PM +0100, Daniel Huhardeaux wrote:
>> Hello,
>>
>> I setup prerouting rules with maps like
>>
>> chain prerouting {
>>      type nat hook prerouting priority 0; policy accept;
>>      iif "ens3" ip6 saddr . tcp dport vmap @blacklist_tcp
>>      if "ens3" ip6 saddr . udp dport vmap @blacklist_udp
>>      dnat to tcp dport map @fwdtoip_tcp:tcp dport map @fwdtoport_tcp
>>      dnat to udp dport map @fwdtoip_udp:udp dport map @fwdtoport_udp
>>      ip6 daddr 2a01:729:16e:10::9998 redirect to :tcp dport map @redirect_tcp
>>      ip6 daddr 2a01:729:16e:10::9998 redirect to :udp dport map @redirect_udp
>>      ct status dnat accept
>>      }
>>
>> Default behavior in ip6 filter forward table is to drop. This means that
>> my above rules are blocked, I see (u18srv being the machine who will
>> forward the traffic to another one):
>>
>> 18:32:00.476524 IP6 <hostname>.41174 > u18srv.12345: Flags [S], seq
>> 126955234, win 28640, options [mss 1432,sackOK,TS val 2255777795 ecr
>> 0,nop,wscale 7], length 0
>>   
>>
>> 18:32:08.668468 IP6 <hostname>.41174 > u18srv.12345: Flags [S], seq
>> 126955234, win 28640, options [mss 1432,sackOK,TS val 2255785986 ecr
>> 0,nop,wscale 7], length 0
>> 18:32:24.796392 IP6 <hostname>.41174 > u18srv.12345: Flags [S], seq
>> 126955234, win 28640, options [mss 1432,sackOK,TS val 2255802114 ecr
>> 0,nop,wscale 7], length 0
>>
>> Now if I change my default value to accept for ip6 filter forward table,
>> all is good.
>>
>> Question: how can I add forward rule to filter table using the existing
>> maps which are defined in nat tables ? Other solution ?
>>
>> I thought that ct status dnat accept was the key to archieve my goal,
>> seems not :(
>>
>> Thanks for any hint
> 
> Please be aware that 'accept' verdict will only stop the packet from
> traversing the current chain and any later chain may still drop the
> packet. Only 'drop' verdict is final in that sense.
> 
> So regarding your problem, I guess you have to add the 'ct state' based
> accept rule to forward chain to prevent the drop policy to affect the
> packet. Your prerouting chain already has an accept policy, so explicit
> accepting shouldn't be needed.

Finally I got it work replacing redirect with dnat like

add rule ip6 nat prerouting ip6 daddr == $addripv6 ip6 nexthdr tcp dnat 
to : tcp dport map @redirect_tcp

Thanks for your help
-- 
TOOTAi Networks