Dual stack IPv4/IPv6 and iptables

Thatoo

Member
Jun 11, 2021
Hello,

I have successfully followed this tutorial https://blog.zwindler.fr/2020/03/02/deploiement-de-proxmox-ve-6-pfsense-sur-un-serveur-dedie/ except that I chose OPNsense instead of pfSense, and it works very well. Thank you, Proxmox.
However, it works with one public IPv4 address only (and NAT), and I'd like to try making it work with public IPv6 addresses as well, but I'm not sure how to do so.

I have tried to adapt my iptables file to add IPv6 but without success. Here is what it looks like (IPv4 is working nicely).

Code:
#!/bin/sh

    # ---------
    # VARIABLES
    # ---------

## Proxmox bridge holding Public IP
PrxPubVBR="vmbr0"
## Proxmox bridge on VmWanNET (OPNsense WAN side)
PrxVmWanVBR="vmbr1"
## Proxmox bridge on PrivNET (OPNsense LAN side)
PrxVmPrivVBR="vmbr2"

## Network/Mask of VmWanNET
VmWanNET="10.0.0.0/30"
VmWanNET6="2a00:c70:1:xxx:xxx:xxx:xxx:1000/127"
## Network/Mask of PrivNET
PrivNET="192.168.9.0/24"
PrivNET6="2a00:0c70:0001:0xxx:0xxx:0xxx:0xxx:a000/116"
## Network/Mask of VpnNET
VpnNET="10.2.2.0/24"

## SSH port of the Proxmox host, used by the rules below (default 22)
SSHPORT="${SSHPORT:-22}"

## Public IP => Your own public IP address
PublicIP="xxx.xxx.xxx.xxx"
PublicIP6="2a00:c70:1:xxx:xxx:xxx:xxx:1"
## Proxmox IP on the same network as the OPNsense WAN (VmWanNET)
ProxVmWanIP="10.0.0.1"
ProxVmWanIP6="2a00:c70:1:xxx:xxx:xxx:xxx:1000"
## Proxmox IP on the same network as the VMs
ProxVmPrivIP="192.168.9.1"
## OPNsense IP used by the firewall (inside VM)
OpnVmWanIP="10.0.0.2"
OpnVmWanIP6="2a00:c70:1:xxx:xxx:xxx:xxx:1001"


    # ----------------------------------
    # CLEAN ALL (IPv4 and IPv6 tables)
    # ----------------------------------

### Delete all existing rules in every table, for both address families,
### so the script can be re-run without leaving stale ip6tables NAT rules behind.
iptables -F
ip6tables -F
iptables -t nat -F
ip6tables -t nat -F
iptables -t mangle -F
ip6tables -t mangle -F
iptables -X
ip6tables -X
### Default IPv6 policy: drop everything, then open only what the rules below allow.
ip6tables -P INPUT DROP
ip6tables -P OUTPUT DROP
ip6tables -P FORWARD DROP

    # --------------
    # DEFAULT POLICY
    # --------------

### Block ALL !
iptables -P OUTPUT DROP
iptables -P INPUT DROP
iptables -P FORWARD DROP

    # ------
    # CHAINS
    # ------

### Creating chains
iptables -N TCP
iptables -N UDP
ip6tables -N TCP
ip6tables -N UDP

# UDP = ACCEPT / SEND TO THIS CHAIN
iptables -A INPUT -p udp -m conntrack --ctstate NEW -j UDP
ip6tables -A INPUT -p udp -m conntrack --ctstate NEW -j UDP
# TCP = ACCEPT / SEND TO THIS CHAIN
iptables -A INPUT -p tcp --syn -m conntrack --ctstate NEW -j TCP
ip6tables -A INPUT -p tcp --syn -m conntrack --ctstate NEW -j TCP

    # ------------
    # GLOBAL RULES
    # ------------

# Allow localhost
iptables -A INPUT -i lo -j ACCEPT
ip6tables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
ip6tables -A OUTPUT -o lo -j ACCEPT
# Don't break the current/active connections
iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
ip6tables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
ip6tables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# Allow Ping - Comment this to return timeout to ping request
#iptables -A INPUT -p icmp --icmp-type 8 -m conntrack --ctstate NEW -j ACCEPT
# ICMPv6 must stay open: neighbour discovery and path MTU discovery depend on it
ip6tables -A INPUT -p ipv6-icmp -j ACCEPT

    # --------------------
    # RULES FOR PrxPubVBR
    # --------------------

### INPUT RULES
# ---------------
# Allow SSH server
iptables -A TCP -i $PrxPubVBR -d $PublicIP -p tcp --dport ${SSHPORT} -j ACCEPT
ip6tables -A TCP -i $PrxPubVBR -d $PublicIP6 -p tcp --dport ${SSHPORT} -j ACCEPT
# Allow Proxmox WebUI from VPN
iptables -A TCP -i $PrxVmWanVBR -d $ProxVmWanIP -p tcp --dport 8006 -j ACCEPT
ip6tables -A TCP -i $PrxVmWanVBR -d $ProxVmWanIP6 -p tcp --dport 8006 -j ACCEPT

### OUTPUT RULES
# ---------------

# Allow ping out
iptables -A OUTPUT -p icmp -j ACCEPT
ip6tables -A OUTPUT -p ipv6-icmp -j ACCEPT

### Proxmox Host as CLIENT
# Allow HTTP/HTTPS
iptables -A OUTPUT -o $PrxPubVBR -s $PublicIP -p tcp --dport 80 -j ACCEPT
ip6tables -A OUTPUT -o $PrxPubVBR -s $PublicIP6 -p tcp --dport 80 -j ACCEPT
iptables -A OUTPUT -o $PrxPubVBR -s $PublicIP -p tcp --dport 443 -j ACCEPT
ip6tables -A OUTPUT -o $PrxPubVBR -s $PublicIP6 -p tcp --dport 443 -j ACCEPT
# Allow DNS
iptables -A OUTPUT -o $PrxPubVBR -s $PublicIP -p udp --dport 53 -j ACCEPT
ip6tables -A OUTPUT -o $PrxPubVBR -s $PublicIP6 -p udp --dport 53 -j ACCEPT

### Proxmox Host as SERVER
# Allow SSH
iptables -A OUTPUT -o $PrxPubVBR -s $PublicIP -p tcp --sport ${SSHPORT} -j ACCEPT
ip6tables -A OUTPUT -o $PrxPubVBR -s $PublicIP6 -p tcp --sport ${SSHPORT} -j ACCEPT
# Allow PROXMOX WebUI output to VPN
iptables -A OUTPUT -o $PrxVmWanVBR -s $ProxVmWanIP -p tcp --sport 8006 -j ACCEPT
ip6tables -A OUTPUT -o $PrxVmWanVBR -s $ProxVmWanIP6 -p tcp --sport 8006 -j ACCEPT

### FORWARD RULES
# ----------------

### Redirect (NAT) traffic from internet
# All tcp to OPNsense WAN except ${SSHPORT}
iptables -A PREROUTING -t nat -i $PrxPubVBR -p tcp --match multiport ! --dports ${SSHPORT} -j DNAT --to $OpnVmWanIP
ip6tables -A PREROUTING -t nat -i $PrxPubVBR -p tcp --match multiport ! --dports ${SSHPORT} -j DNAT --to $OpnVmWanIP6
# All udp to OPNsense WAN
iptables -A PREROUTING -t nat -i $PrxPubVBR -p udp -j DNAT --to $OpnVmWanIP
ip6tables -A PREROUTING -t nat -i $PrxPubVBR -p udp -j DNAT --to $OpnVmWanIP6

# Allow request forwarding to OPNsense WAN interface
iptables -A FORWARD -i $PrxPubVBR -d $OpnVmWanIP -o $PrxVmWanVBR -p tcp -j ACCEPT
ip6tables -A FORWARD -i $PrxPubVBR -d $OpnVmWanIP6 -o $PrxVmWanVBR -p tcp -j ACCEPT
iptables -A FORWARD -i $PrxPubVBR -d $OpnVmWanIP -o $PrxVmWanVBR -p udp -j ACCEPT
ip6tables -A FORWARD -i $PrxPubVBR -d $OpnVmWanIP6 -o $PrxVmWanVBR -p udp -j ACCEPT

# Allow request forwarding from LAN (OPNsense WAN side), one rule per address family
iptables -A FORWARD -i $PrxVmWanVBR -s $VmWanNET -j ACCEPT
ip6tables -A FORWARD -i $PrxVmWanVBR -s $VmWanNET6 -j ACCEPT

### MASQUERADE MANDATORY (IPv4 only)
# Allow WAN network (OPNsense) to use vmbr0 public address to go out
iptables -t nat -A POSTROUTING -s $VmWanNET -o $PrxPubVBR -j MASQUERADE
# No IPv6 masquerade: VmWanNET6 is public address space, so it is routed rather than NATed
#ip6tables -t nat -A POSTROUTING -s $VmWanNET6 -o $PrxPubVBR -j MASQUERADE

# fail2ban keeps its own chains; restart it so they are recreated after the flush above
service fail2ban restart

Could someone help me get IPv6 working?
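An added example, not from this thread and not code from Proxmox or OPNsense: a small Python linter that reads a dual-stack iptables/ip6tables shell script of the kind posted above and flags the mistakes that most often keep the IPv6 half from working: an ip6tables rule fed an IPv4 variable (or an iptables DNAT target that is an IPv6 address), MASQUERADE applied to public IPv6 space, and an ip6tables FORWARD chain that would drop ICMPv6 (IPv6 routers never fragment, so Packet Too Big messages must get through or PMTU discovery fails). The embedded script is constructed for the demonstration; its variable names mirror the post but the addresses are documentation prefixes, not real ones.

```python
"""Lint a dual-stack iptables/ip6tables shell script for address-family mistakes.

Added example: expands the script's own NAME="value" assignments, then checks
every address argument against the family of the tool that uses it.
"""
import ipaddress
import re
import shlex

# Constructed sample in the style of the script in the thread. Addresses are
# documentation prefixes (192.0.2.0/24, 2001:db8::/32), not real ones.
SAMPLE_SCRIPT = """\
# constructed sample, not a real ruleset
PublicIP="192.0.2.10"
PublicIP6="2001:db8:1::1"
VmWanNET="10.0.0.0/30"
VmWanNET6="2001:db8:1::1000/127"
OpnVmWanIP="10.0.0.2"
OpnVmWanIP6="2001:db8:1::1001"
iptables -A FORWARD -i vmbr0 -d $OpnVmWanIP -o vmbr1 -p tcp -j ACCEPT
ip6tables -A FORWARD -i vmbr0 -d $OpnVmWanIP6 -o vmbr1 -p tcp -j ACCEPT
ip6tables -A FORWARD -i vmbr1 -s $VmWanNET -j ACCEPT
ip6tables -t nat -A POSTROUTING -s ${VmWanNET6} -o vmbr0 -j MASQUERADE
iptables -t nat -A PREROUTING -i vmbr0 -p udp -j DNAT --to $OpnVmWanIP6
"""

ASSIGN_RE = re.compile(r'^([A-Za-z_]\w*)=(.*)$')
VAR_RE = re.compile(r'\$\{?([A-Za-z_]\w*)\}?')
# Options whose next token is an address, a network or a NAT target
ADDR_FLAGS = {"-s", "--source", "-d", "--destination",
              "--to", "--to-destination", "--to-source"}
TOOL_FAMILY = {"iptables": 4, "ip6tables": 6}


def parse_vars(script):
    """Collect simple NAME="value" assignments with shell quoting stripped."""
    env = {}
    for line in script.splitlines():
        m = ASSIGN_RE.match(line.strip())
        if m:
            parts = shlex.split(m.group(2))
            env[m.group(1)] = parts[0] if parts else ""
    return env


def expand(token, env):
    """Expand $NAME and ${NAME} using the script's own assignments."""
    return VAR_RE.sub(lambda m: env.get(m.group(1), m.group(0)), token)


def family(value):
    """Return 4, 6 or None for an address, a network, a v4 range or a NAT target."""
    v = value
    if re.match(r'^[0-9.]+-', v):                    # IPv4 range a-b
        v = v.split("-")[0]
    if v.startswith("["):                            # [v6]:port NAT target
        v = v[1:v.find("]")]
    elif re.match(r'^\d+\.\d+\.\d+\.\d+:\d+$', v):   # v4 addr:port NAT target
        v = v.split(":")[0]
    try:
        return ipaddress.ip_network(v, strict=False).version
    except ValueError:
        return None


def lint(script):
    """Return a list of (line_no, message) findings; line 0 = whole-script finding."""
    env = parse_vars(script)
    findings = []
    v6_forward_rules = 0
    v6_forward_passes_icmp = False
    for no, raw in enumerate(script.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        toks = shlex.split(line)
        fam = TOOL_FAMILY.get(toks[0])
        if fam is None:
            continue
        toks = [expand(t, env) for t in toks]
        for i, t in enumerate(toks[:-1]):
            if t in ADDR_FLAGS:
                val = toks[i + 1]
                got = family(val)
                if got is None:
                    findings.append((no, f"cannot resolve address '{val}' for {t}"))
                elif got != fam:
                    findings.append((no, f"{toks[0]} rule uses IPv{got} value '{val}' for {t}"))
        if fam == 6:
            if "nat" in toks and "MASQUERADE" in toks:
                findings.append((no, "IPv6 MASQUERADE: public IPv6 space should be routed, not NATed"))
            if "FORWARD" in toks:
                v6_forward_rules += 1
                # Either an explicit ICMPv6 accept or a RELATED conntrack rule lets
                # Packet Too Big errors for tracked flows through.
                if "ipv6-icmp" in toks or "icmpv6" in toks or any("RELATED" in t for t in toks):
                    v6_forward_passes_icmp = True
    if v6_forward_rules and not v6_forward_passes_icmp:
        findings.append((0, "no ip6tables FORWARD rule accepts ipv6-icmp or RELATED state; "
                            "Packet Too Big is dropped and PMTU discovery fails"))
    return findings


if __name__ == "__main__":
    for line_no, msg in lint(SAMPLE_SCRIPT):
        print(f"line {line_no}: {msg}")
```

Run it against your own script with `lint(open("firewall.sh").read())`; placeholders such as `xxx` in an address simply come back as "cannot resolve", which is itself a useful reminder of what still has to be filled in before the ip6tables rules can do anything.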