On 01/07/2017 08:35 AM, Luke Jordan wrote:
> On 26.12.2016 at 22:44, Tom Eastep wrote:
>>
>> My personal approach to multiple IPv6 providers is to assign my
>> local networks prefixes delegated from one of my provider's
>> routers and simply use SNAT when sending traffic out of the other
>> provider. That is stateful and supports problem protocols like
>> FTP.
>
> can you give me a configuration example for this?
I have two providers, IPv6Beta and HE.

/etc/shorewall6/shorewall6.conf:

    USE_DEFAULT_RT=Yes

/etc/shorewall6/providers:

    IPv6Beta  1  0x100  -  eth0  fe80::22e5:2aff:feb7:f2cf  track,primary,loose,persistent
    HE        2  0x200  -  sit1  -                          track,fallback,persistent

Most local networks have IPv6 addresses delegated by the router on eth0
and are in 2601:601:8b00:bf0::/60 (as is the address of eth0). I have one
local network that has addresses routed via sit1 (2001:470:b:227::/64).
The IP address of sit1 is 2001:470:a:227::2.

/etc/shorewall6/snat:

    SNAT(&sit1)   2601:601:8b00:bf0::/60                   sit1
    SNAT(&eth0)   2001:470:b:227::/64,2001:470:a:227::2    eth0

When I was running a version of Shorewall that still used the masq file,
the corresponding entries were:

    sit1       2601:601:8b00:bf0::/60                   &sit1
    IPv6Beta   2001:470:b:227::/64,2001:470:a:227::2    &eth0

/etc/shorewall6/rtrules:

    2001:470:B:227::/64      ::/0   HE         11000
    2601:601:8b00:bf0::/60   ::/0   IPv6Beta   11000

>
>> In Netfilter, NPT is stateless, so it is a pain to use. There is
>> therefore no formal support for NPT in Shorewall6 (the
>> shorewall6-netmap(5) file is no longer usable since the
>> Netfilter rawpost table has been removed). It is possible to
>> configure NPT in shorewall-mangle(5) (assuming that your kernel
>> and ip6tables support the SNPT and DNPT targets) but there is
>> currently no documentation for how to do that.
>>
>> A brief outline of what is required:
>>
>> Add SNPT and DNPT as builtin actions in
>> /etc/shorewall6/actions:
>>
>> SNPT builtin,mangle,terminating
>> DNPT builtin,mangle,terminating
>>
>> To configure DNPT in the shorewall6/mangle file:
>>
>> IP6TABLES(DNPT --src-pfx <prefix/length> --dst-pfx <prefix/length> ):P ...
>>
>> and to configure SNPT:
>>
>> IP6TABLES(SNPT --src-pfx <prefix/length> --dst-pfx <prefix/length> ):T ...
>>
>> See iptables-extensions(8) for additional information on SNPT
>> and DNPT. In particular, you must disable connection tracking for
>> the translated flows in shorewall-conntrack(5).
>
> it doesn't work:
>
> /etc/shorewall6/mangle:
>
> MARK(768):P eth0 - tcp 22,47238,52486   # ssh traffic by dsl
> MARK(512):P eth0 - - -                  # other traffic by cbl
>
> IP6TABLES(DNPT --src-pfx 2001:XXXX:YYYY:100::/64 --dst-pfx fdae:fa7:dead:beef::/64 ):P eth0 - - -
>
> IP6TABLES(SNPT --src-pfx fdae:fa7:dead:beef::/64 --dst-pfx 2001:XXXX:YYYY:100::/64 ):P eth0 - - -
>
> result:
>
> Checking /etc/shorewall6/mangle...
> ERROR: Invalid ACTION (IP6TABLES(DNPT --src-pfx 2001:XXXX:YYYY:100::/64 --dst-pfx fdae:fa7:dead:beef::/64 ):P) /etc/shorewall6/mangle (line 18)
>
> fdae:fa7:dead:beef::/64 is the local network,
> 2001:XXXX:YYYY:100::/64 the network of a provider.
>

Did you add DNPT as a nat builtin action in /etc/shorewall6/actions?

-Tom

--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________

_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
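The "Invalid ACTION" error in the thread comes from using IP6TABLES(DNPT ...) in the mangle file before DNPT was declared as a builtin action. The script below is an added example, not part of the thread and not Shorewall's own parser: it runs a small pre-flight check over a constructed actions file and mangle file modelled on Luke's lines (the provider prefix is replaced by the documentation prefix 2001:db8:1:100::/64, since 2001:XXXX:YYYY:100::/64 is redacted), flags NPT targets that are not declared builtin,mangle, verifies that the SNPT and DNPT prefix pairs mirror each other, and warns when the chain designator differs from Tom's outline (:P for DNPT, :T for SNPT). The prefix-length limit of /64 is an assumption taken from RFC 6296; the rule regex only recognises the IP6TABLES(SNPT|DNPT ...) form shown in the thread.

```python
import ipaddress
import re

# Constructed sample files, modelled on the thread; the provider prefix is a
# documentation prefix (2001:db8::/32) standing in for 2001:XXXX:YYYY:100::/64.
ACTIONS_MISSING = """
# /etc/shorewall6/actions with no NPT declarations
"""

ACTIONS_OK = """
SNPT builtin,mangle,terminating
DNPT builtin,mangle,terminating
"""

MANGLE = """
MARK(768):P eth0 - tcp 22,47238,52486   # ssh traffic by dsl
MARK(512):P eth0 - - -                  # other traffic by cbl
IP6TABLES(DNPT --src-pfx 2001:db8:1:100::/64 --dst-pfx fdae:fa7:dead:beef::/64 ):P eth0 - - -
IP6TABLES(SNPT --src-pfx fdae:fa7:dead:beef::/64 --dst-pfx 2001:db8:1:100::/64 ):P eth0 - - -
"""

# Only the IP6TABLES(SNPT|DNPT ...) form used in the thread is recognised.
NPT_RULE = re.compile(
    r"^IP6TABLES\((SNPT|DNPT)\s+--src-pfx\s+(\S+)\s+--dst-pfx\s+(\S+)\s*\):([A-Z])"
)

# Chain designators from Tom's outline: DNPT in PREROUTING (:P), SNPT in POSTROUTING (:T).
EXPECTED_CHAIN = {"DNPT": "P", "SNPT": "T"}


def strip_comment(line):
    """Drop a trailing '# ...' comment and surrounding whitespace."""
    return line.split("#", 1)[0].strip()


def parse_actions(text):
    """Map action name -> set of option keywords declared in the actions file."""
    declared = {}
    for raw in text.splitlines():
        line = strip_comment(raw)
        if not line:
            continue
        parts = line.split()
        declared[parts[0]] = set(parts[1].split(",")) if len(parts) > 1 else set()
    return declared


def check_npt(mangle_text, actions_text):
    """Return a list of (severity, message) findings for the NPT rules in a mangle file."""
    findings = []
    declared = parse_actions(actions_text)
    prefixes = {}
    for lineno, raw in enumerate(mangle_text.splitlines(), 1):
        line = strip_comment(raw)
        match = NPT_RULE.match(line) if line else None
        if not match:
            continue  # MARK rules and other actions are not checked here
        target, src, dst, chain = match.groups()
        # The failure from the thread: the target is used but was never declared.
        if target not in declared:
            findings.append(("ERROR", f"line {lineno}: {target} is not declared in actions; "
                                      "Shorewall6 rejects this rule with 'Invalid ACTION'"))
        elif not {"builtin", "mangle"} <= declared[target]:
            findings.append(("ERROR", f"line {lineno}: {target} must be declared builtin,mangle"))
        try:
            src_net = ipaddress.IPv6Network(src)  # strict: host bits must be zero
            dst_net = ipaddress.IPv6Network(dst)
        except ValueError as exc:
            findings.append(("ERROR", f"line {lineno}: bad prefix: {exc}"))
            continue
        for net in (src_net, dst_net):
            if net.prefixlen > 64:  # assumption: NPTv6 (RFC 6296) rewrites at most the top 64 bits
                findings.append(("ERROR", f"line {lineno}: {net} is longer than /64"))
        if chain != EXPECTED_CHAIN[target]:
            findings.append(("WARN", f"line {lineno}: {target} placed in chain :{chain}, "
                                     f"the outline uses :{EXPECTED_CHAIN[target]}"))
        prefixes[target] = (src_net, dst_net)
    # Inbound and outbound translations must be mirror images of each other.
    if "SNPT" in prefixes and "DNPT" in prefixes:
        if prefixes["SNPT"] != tuple(reversed(prefixes["DNPT"])):
            findings.append(("ERROR", "SNPT and DNPT prefixes are not mirror images"))
    return findings


if __name__ == "__main__":
    for label, actions in (("missing declarations", ACTIONS_MISSING), ("declared", ACTIONS_OK)):
        print(f"== actions file: {label}")
        for severity, message in check_npt(MANGLE, actions):
            print(f"{severity}: {message}")
```

Run as-is, the first pass reproduces the thread's situation (both NPT rules rejected because nothing is declared in actions) and the second pass, with the declarations in place, leaves only the warning that the SNPT rule sits in :P rather than the :T chain from the outline. Because NPT is stateless, the mirror check matters: a DNPT rule whose prefixes are not the exact reverse of the SNPT rule silently breaks return traffic instead of producing a compile error.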