Transfer ipv6 packages over ipv4 iptables gateway to ipv4 ISP's network

Transfer ipv6 packages over ipv4 iptables gateway to ipv4 ISP's network

[Elvir Kuric]

Hi all,

I have an question network/iptables related. In my home network I am
planning to deploy ipv6 addressig, not because I do not ip addresses,
but only as training how to set up
all that. I read some manuals/books and less or more it is not so big
problem. On my home firewall/router I have Debian GNU/Linux with
iptables as firewall tool and it works fantastic :)
I am wondering does someone has experinece with translation from ipv6
---> ipv4, I mean I am going to set up my home computers to use IPv6
but still I have to push my iptables rules ( I know iptable supports
ipv6 ) and
my gateway to packages from ipv6 network prepare for ipv4 network ( my
ISP provider )
Any suggestio is welcome and thank you in advance.

Kind regards ,

Elvir Kuric

Re: Transfer ipv6 packages over ipv4 iptables gateway to ipv4 ISP's network

[Grant Taylor]

On 10/15/08 15:32, Elvir Kuric wrote:
> I am wondering does someone has experinece with translation from ipv6 
> ---> ipv4, I mean I am going to set up my home computers to use IPv6 
> but still I have to push my iptables rules ( I know iptable supports 
> ipv6 ) and my gateway to packages from ipv6 network prepare for ipv4 
> network ( my ISP provider )

Sorry, I've avoided IPv6 as of yet.

> Any suggestio is welcome and thank you in advance.

Try taking a look at this web page 
http://tldp.org/HOWTO/Adv-Routing-HOWTO/lartc.tunnel-ipv6.addressing.html 
and see if there is any thing helpful there.

I'm not quite sure how IPTables will come in to play with both IPv4 and 
IPv6.  Also, that particular web page only deals with tunneling IPv6, 
not gatewaying it to IPv4.



Grant. . . .

Re: Transfer ipv6 packages over ipv4 iptables gateway to ipv4 ISP's network

[Elvir Kuric]

Hi,

thank you for mail, actually I know there must me some way to include
an IPv6 island to IPv4.

|------IPv6------|-------| gw/iptables|--------IPv4 (ISP)

I just need a hint how to implement translation on my gateway when I
have on internal interface IPv6 address and on external interface IPv4
address.

Anyway thank you for link I will take a look into it.

Kind regards,

Elvir Kuric

On Wed, Oct 15, 2008 at 10:45 PM, Grant Taylor
<gtaylor@riverviewtech.net> wrote:
> On 10/15/08 15:32, Elvir Kuric wrote:
>>
>> I am wondering does someone has experinece with translation from ipv6 --->
>> ipv4, I mean I am going to set up my home computers to use IPv6 but still I
>> have to push my iptables rules ( I know iptable supports ipv6 ) and my
>> gateway to packages from ipv6 network prepare for ipv4 network ( my ISP
>> provider )
>
> Sorry, I've avoided IPv6 as of yet.
>
>> Any suggestio is welcome and thank you in advance.
>
> Try taking a look at this web page
> http://tldp.org/HOWTO/Adv-Routing-HOWTO/lartc.tunnel-ipv6.addressing.html
> and see if there is any thing helpful there.
>
> I'm not quite sure how IPTables will come in to play with both IPv4 and
> IPv6.  Also, that particular web page only deals with tunneling IPv6, not
> gatewaying it to IPv4.
>
>
>
> Grant. . . .
> --
> To unsubscribe from this list: send the line "unsubscribe netfilter" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
>

Re: Transfer ipv6 packages over ipv4 iptables gateway to ipv4 ISP's network

[Amos Jeffries]

> Hi all,
>
> I have an question network/iptables related. In my home network I am
> planning to deploy ipv6 addressig, not because I do not ip addresses,
> but only as training how to set up
> all that. I read some manuals/books and less or more it is not so big
> problem. On my home firewall/router I have Debian GNU/Linux with
> iptables as firewall tool and it works fantastic :)
> I am wondering does someone has experinece with translation from ipv6
> ---> ipv4, I mean I am going to set up my home computers to use IPv6
> but still I have to push my iptables rules ( I know iptable supports
> ipv6 ) and
> my gateway to packages from ipv6 network prepare for ipv4 network ( my
> ISP provider )
> Any suggestio is welcome and thank you in advance.
>

Greetings.
  If you need direct assistance, I've been through this already in a
Debian environment.
 You need to look at dual-stack network with a 6to4 or 6over4 tunnel on
one of the machines. Depending on how close you are to 192.88.99.1 will
determine which works fastest for you. I have a script I can provide when
I return home which does setup of 6to4 tunnels. 6over4 is usually
provided by the tunnel broker you choose.

What OS are your home machines?
and do you have at least one machine Linux 2.6.25+ (newer is better for
IPv6 stability) to use as the IPv4/IPv6 gateway? NP: it does not have to
be the same as IPv4 gateway machine, but that helps :)

Amos Jeffries

Re: Transfer ipv6 packages over ipv4 iptables gateway to ipv4 ISP's network

[Elvir Kuric]

Greetins :)

no I do not need a direct assistance, I just need a hint about this
transfer from IPv6 network to IPv4 network....and I placed my question
on this mailing list ( I am reading it very often ) because I think
this is
place where are a lot of people network proffesionals.
In network I have only unix/linux ( debian/openbsd ) and all works ok,
and IPv6 is supported by all. Setting ipv6 address to host is not such
a big problem, and just want to make clear, how to connect from ipv6
client thru ipv6/ipv4 gateway to internet....

Kind regards,

Elvir Kuric


On Wed, Oct 15, 2008 at 11:23 PM, Amos Jeffries <squid3@treenet.co.nz> wrote:
>> Hi all,
>>
>> I have an question network/iptables related. In my home network I am
>> planning to deploy ipv6 addressig, not because I do not ip addresses,
>> but only as training how to set up
>> all that. I read some manuals/books and less or more it is not so big
>> problem. On my home firewall/router I have Debian GNU/Linux with
>> iptables as firewall tool and it works fantastic :)
>> I am wondering does someone has experinece with translation from ipv6
>> ---> ipv4, I mean I am going to set up my home computers to use IPv6
>> but still I have to push my iptables rules ( I know iptable supports
>> ipv6 ) and
>> my gateway to packages from ipv6 network prepare for ipv4 network ( my
>> ISP provider )
>> Any suggestio is welcome and thank you in advance.
>>
>
> Greetings.
>  If you need direct assistance, I've been through this already in a
> Debian environment.
>  You need to look at dual-stack network with a 6to4 or 6over4 tunnel on
> one of the machines. Depending on how close you are to 192.88.99.1 will
> determine which works fastest for you. I have a script I can provide when
> I return home which does setup of 6to4 tunnels. 6over4 is usually
> provided by the tunnel broker you choose.
>
> What OS are your home machines?
> and do you have at least one machine Linux 2.6.25+ (newer is better for
> IPv6 stability) to use as the IPv4/IPv6 gateway? NP: it does not have to
> be the same as IPv4 gateway machine, but that helps :)
>
> Amos Jeffries
>
>

Re: Transfer ipv6 packages over ipv4 iptables gateway to ipv4 ISP's network

[Petr Pisar]

On 2008-10-15, Elvir Kuric <omasnjak@gmail.com> wrote:
>
> I am wondering does someone has experinece with translation from ipv6
> ---> ipv4

`Translating' is not proper word unless you mean real NAT-PT (Network
address translation and protocol translation).

If you want just to connect your IPv6 island via IPv4 Internet to native IPv6
Internet backbone (i.e. bypass your lazy ISP), use 6to4 (in case you
have public IPv4 address on your gateway) or AYIYA (in other case). This
is called tunneling and former post enlightened it already.

If you want to be able to connect from your IPv6 host to IPv4 only
servers in IPv4 Internet, you have to choices:

Provide to all IPv6 hosts IPv4 connectivity (i.e. dual stack solution),
or do NAT-PT on your gateway.

NAT-PT translates one protocol family into other one. However due to
some differences between these two protocols, the translation is not
seamless (like IPv4 NAPT). Thus there exist few limitations and
different solutions how to achieve it.

I know only about RFC3142 (An IPv6-to-IPv4 Transport Relay Translator)
implementation and it's pTRTd <http://www.litech.org/ptrtd/> and totd
(http://www.vermicelli.pasta.cs.uit.no/software/totd.html). It works
following:

IPv6 only client asks totd name server for AAAA record of IPv4 only
host. The name server provides fake answer resolving to network prefix
routed to pTRTd server. Then your client sends IPv6 TCP or UDP packet to
given fake IPv6 address, the packet recieves pTRTd server (a
userspace daemon capturing packets on TUN network interface), pTRTd
established mapping between IPv6 and IPv4 transport addresses,
translates the packet into IPv4 protocol and transmits it to the real
IPv4 only host in IPv4 Internet. Of course the pTRTd processes returing
responses and forward them to your IPv6 client as IPv6 packets.

Thus your IPv6 only hosts can see whole IPv4 world as a subnet in IPv6
address space.

-- Petr

Re: Transfer ipv6 packages over ipv4 iptables gateway to ipv4 ISP's network

[Grant Taylor]

On 10/16/08 02:16, Petr Pisar wrote:
> `Translating' is not proper word unless you mean real NAT-PT (Network 
> address translation and protocol translation).

I was going to use the term "gatewaying" to describe what needed to be 
done between the IPv6 and the IPv4 protocols.  "Translating" is usually 
done /with in/ a single protocol and "gatewaying" is usually done 
/between/ two protocols.  At least that's my take on it.

> If you want just to connect your IPv6 island via IPv4 Internet to 
> native IPv6 Internet backbone (i.e. bypass your lazy ISP), use 6to4 
> (in case you have public IPv4 address on your gateway) or AYIYA (in 
> other case). This is called tunneling and former post enlightened it 
> already.

*nod*

> If you want to be able to connect from your IPv6 host to IPv4 only 
> servers in IPv4 Internet, you have to choices:
> 
> Provide to all IPv6 hosts IPv4 connectivity (i.e. dual stack 
> solution), or do NAT-PT on your gateway.

I think the OP is wanting to avoid dual stack despite this probably 
being the simpler of the options.

> NAT-PT translates one protocol family into other one. However due to 
> some differences between these two protocols, the translation is not 
> seamless (like IPv4 NAPT). Thus there exist few limitations and 
> different solutions how to achieve it.
> 
> I know only about RFC3142 (An IPv6-to-IPv4 Transport Relay 
> Translator) implementation and it's pTRTd 
> <http://www.litech.org/ptrtd/> and totd 
> (http://www.vermicelli.pasta.cs.uit.no/software/totd.html). It works 
> following:
> 
> IPv6 only client asks totd name server for AAAA record of IPv4 only 
> host. The name server provides fake answer resolving to network 
> prefix routed to pTRTd server. Then your client sends IPv6 TCP or UDP 
> packet to given fake IPv6 address, the packet recieves pTRTd server 
> (a userspace daemon capturing packets on TUN network interface), 
> pTRTd established mapping between IPv6 and IPv4 transport addresses, 
> translates the packet into IPv4 protocol and transmits it to the real 
> IPv4 only host in IPv4 Internet. Of course the pTRTd processes 
> returing responses and forward them to your IPv6 client as IPv6 
> packets.
> 
> Thus your IPv6 only hosts can see whole IPv4 world as a subnet in 
> IPv6 address space.

Very interesting!

I now have a reason to mess with IPv6.



Grant. . . .


P.S.  Very good reply.  I was going to try to sum up the bit about 
translation verses gatewaying, but I think you did a better job than I 
could have.

Re: Transfer ipv6 packages over ipv4 iptables gateway to ipv4 ISP's network

[Elvir Kuric]

Hi all,

thank you for this constructive answers, they will help me a lot, with
this gatewaying/translation/whatever in my network. I think now I have
good basic to start working on it. Once I made it I promise I will
document all and send to this mailing list.

Kind regards ant thank you

Elvir Kuric

On Fri, Oct 17, 2008 at 7:45 PM, Grant Taylor <gtaylor@riverviewtech.net> wrote:
> On 10/16/08 02:16, Petr Pisar wrote:
>>
>> `Translating' is not proper word unless you mean real NAT-PT (Network
>> address translation and protocol translation).
>
> I was going to use the term "gatewaying" to describe what needed to be done
> between the IPv6 and the IPv4 protocols.  "Translating" is usually done
> /with in/ a single protocol and "gatewaying" is usually done /between/ two
> protocols.  At least that's my take on it.
>
>> If you want just to connect your IPv6 island via IPv4 Internet to native
>> IPv6 Internet backbone (i.e. bypass your lazy ISP), use 6to4 (in case you
>> have public IPv4 address on your gateway) or AYIYA (in other case). This is
>> called tunneling and former post enlightened it already.
>
> *nod*
>
>> If you want to be able to connect from your IPv6 host to IPv4 only servers
>> in IPv4 Internet, you have to choices:
>>
>> Provide to all IPv6 hosts IPv4 connectivity (i.e. dual stack solution), or
>> do NAT-PT on your gateway.
>
> I think the OP is wanting to avoid dual stack despite this probably being
> the simpler of the options.
>
>> NAT-PT translates one protocol family into other one. However due to some
>> differences between these two protocols, the translation is not seamless
>> (like IPv4 NAPT). Thus there exist few limitations and different solutions
>> how to achieve it.
>>
>> I know only about RFC3142 (An IPv6-to-IPv4 Transport Relay Translator)
>> implementation and it's pTRTd <http://www.litech.org/ptrtd/> and totd
>> (http://www.vermicelli.pasta.cs.uit.no/software/totd.html). It works
>> following:
>>
>> IPv6 only client asks totd name server for AAAA record of IPv4 only host.
>> The name server provides fake answer resolving to network prefix routed to
>> pTRTd server. Then your client sends IPv6 TCP or UDP packet to given fake
>> IPv6 address, the packet recieves pTRTd server (a userspace daemon capturing
>> packets on TUN network interface), pTRTd established mapping between IPv6
>> and IPv4 transport addresses, translates the packet into IPv4 protocol and
>> transmits it to the real IPv4 only host in IPv4 Internet. Of course the
>> pTRTd processes returing responses and forward them to your IPv6 client as
>> IPv6 packets.
>>
>> Thus your IPv6 only hosts can see whole IPv4 world as a subnet in IPv6
>> address space.
>
> Very interesting!
>
> I now have a reason to mess with IPv6.
>
>
>
> Grant. . . .
>
>
> P.S.  Very good reply.  I was going to try to sum up the bit about
> translation verses gatewaying, but I think you did a better job than I could
> have.
> --
> To unsubscribe from this list: send the line "unsubscribe netfilter" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
>

is it possible to mix iprange and multiport modules?

[pedro noticioso]

Hi there friends!

I am managing a 15 node vpn network with well over 500 pcs scattered all over, so I am looking for creative ways to simplify and better control my traffic while replacing the old IT guys 1600 line-and-10 seconds to load  firewall script, so I tried a trick that did not seem to actually work:

/sbin/iptables -A INPUT -p tcp \
 -m multiport  --source-port 22,53,80,110,443,2525 \
 -m iprange --src-range 192.168.19.25-192.168.19.100 \
 -j ACCEPT

So, am I just dreaming here, or is there a nice trick out there to achieve my goal in an elegant manner?

thanks a lot!




__________________________________________________
Do You Yahoo!?
Tired of spam?  Yahoo! Mail has the best spam protection around 
http://mail.yahoo.com 

Re: is it possible to mix iprange and multiport modules?

[Amos Jeffries]

pedro noticioso wrote:
> Hi there friends!
> 
> I am managing a 15 node vpn network with well over 500 pcs scattered all over, so I am looking for creative ways to simplify and better control my traffic while replacing the old IT guys 1600 line-and-10 seconds to load  firewall script, so I tried a trick that did not seem to actually work:
> 
> /sbin/iptables -A INPUT -p tcp \
>  -m multiport  --source-port 22,53,80,110,443,2525 \
>  -m iprange --src-range 192.168.19.25-192.168.19.100 \
>  -j ACCEPT
> 
> So, am I just dreaming here, or is there a nice trick out there to achieve my goal in an elegant manner?
> 
> thanks a lot!
> 

I'll point you the way of 'ferm'. An iptables utility uses the 
iptables-restore interface for maximum speed on load. With a nice simply 
config file syntax to easily handle fast reload of some complex 
settings. Including methods of doing iterator loops, macro expansion, 
and such if needed.

   http://ferm.foo-projects.org/

NP: My bias here is that of a happy customer.

AYJ

Re: is it possible to mix iprange and multiport modules?

[Michal Soltys]

pedro noticioso wrote:
> Hi there friends!
> 
> I am managing a 15 node vpn network with well over 500 pcs scattered all over, so I am looking for creative ways to simplify and better control my traffic while replacing the old IT guys 1600 line-and-10 seconds to load  firewall script, so I tried a trick that did not seem to actually work:
> 
> /sbin/iptables -A INPUT -p tcp \
>  -m multiport  --source-port 22,53,80,110,443,2525 \
>  -m iprange --src-range 192.168.19.25-192.168.19.100 \
>  -j ACCEPT
> 
> So, am I just dreaming here, or is there a nice trick out there to achieve my goal in an elegant manner?
> 

Which version of iptables ? What about the other rules (and INPUT's 
default policy).

There was small bug in 1.4.1 not so long ago - 
http://marc.info/?l=netfilter-devel&m=121333737332600&w=2 .

Either way, the rule looks fine.