Dual stack Ipv4/Ipv6 and Iptable

Thatoo

New Member
Jun 11, 2021
4
0
1
35
Hello,

I have successfully followed this tutorial https://blog.zwindler.fr/2020/03/02/deploiement-de-proxmox-ve-6-pfsense-sur-un-serveur-dedie/ except I choose OPNsense instead of pfsense and it works very well. Thank you proxmox.
However, it works with 1 public Ipv4 only (and a NAT) and I'd like to try making it work with public IPv6 addresses also but I'm not sure how to do so.

I have tried to adapt my Iptable file to add IPv6 but without sucess... Here is what it looks like (Ipv4 is working nicely).

Code:
#!/bin/sh

    # ---------
    # VARIABLES
    # ---------

## Proxmox bridge holding Public IP
PrxPubVBR="vmbr0"
## Proxmox bridge on VmWanNET (OPNsense WAN side)
PrxVmWanVBR="vmbr1"
## Proxmox bridge on PrivNET (OPNsense LAN side)
PrxVmPrivVBR="vmbr2"

## Network/Mask of VmWanNET
VmWanNET="10.0.0.0/30"
VmWanNET6="2a00:c70:1:xxx:xxx:xxx:xxx:1000/127"
## Network/Mmask of PrivNET
PrivNET="192.168.9.0/24"
PrivNET6="2a00:0c70:0001:0xxx:0xxx:0xxx:0xxx:a000/116"
## Network/Mmask of VpnNET
VpnNET="10.2.2.0/24"

## Public IP => Your own public IP address
PublicIP="xxx.xxx.xxx.xxx"
PublicIP6="2a00:c70:1:xxx:xxx:xxx:xxx:1"
## Proxmox IP on the same network than OPNsense WAN (VmWanNET)
ProxVmWanIP="10.0.0.1"
ProxVmWanIP6="2a00:c70:1:xxx:xxx:xxx:xxx:1000"
## Proxmox IP on the same network than VMs
ProxVmPrivIP="192.168.9.1"
## OPNsense IP used by the firewall (inside VM)
OpnVmWanIP="10.0.0.2"
OpnVmWanIP6="2a00:c70:1:xxx:xxx:xxx:xxx:1001"


    # ---------------------
    # CLEAN ALL & DROP IPV6
    # ---------------------

### Delete all existing rules.
iptables -F
ip6tables -F
iptables -t nat -F
iptables -t mangle -F
iptables -X
ip6tables -X
### This policy does not handle IPv6 traffic except to drop it.
ip6tables -P INPUT DROP
ip6tables -P OUTPUT DROP
ip6tables -P FORWARD DROP

    # --------------
    # DEFAULT POLICY
    # --------------

### Block ALL !
iptables -P OUTPUT DROP
iptables -P INPUT DROP
iptables -P FORWARD DROP

    # ------
    # CHAINS
    # ------

### Creating chains
iptables -N TCP
iptables -N UDP
ip6tables -N TCP
ip6tables -N UDP

# UDP = ACCEPT / SEND TO THIS CHAIN
iptables -A INPUT -p udp -m conntrack --ctstate NEW -j UDP
ip6tables -A INPUT -p udp -m conntrack --ctstate NEW -j UDP
# TCP = ACCEPT / SEND TO THIS CHAIN
iptables -A INPUT -p tcp --syn -m conntrack --ctstate NEW -j TCP
ip6tables -A INPUT -p tcp --syn -m conntrack --ctstate NEW -j TCP

    # ------------
    # GLOBAL RULES
    # ------------

# Allow localhost
iptables -A INPUT -i lo -j ACCEPT
ip6tables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
ip6tables -A OUTPUT -o lo -j ACCEPT
# Don't break the current/active connections
iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
ip6tables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
ip6tables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# Allow Ping - Comment this to return timeout to ping request
#iptables -A INPUT -p icmp --icmp-type 8 -m conntrack --ctstate NEW -j ACCEPT
ip6tables -A INPUT -p ipv6-icmp -j ACCEPT

    # --------------------
    # RULES FOR PrxPubVBR
    # --------------------

### INPUT RULES
# ---------------
# Allow SSH server
iptables -A TCP -i $PrxPubVBR -d $PublicIP -p tcp --dport ${SSHPORT} -j ACCEPT
ip6tables -A TCP -i $PrxPubVBR -d $PublicIP6 -p tcp --dport ${SSHPORT} -j ACCEPT
# Allow Proxmox WebUI fromVPN
iptables -A TCP -i $PrxVmWanVBR -d $ProxVmWanIP -p tcp --dport 8006 -j ACCEPT
ip6tables -A TCP -i $PrxVmWanVBR -d $ProxVmWanIP6 -p tcp --dport 8006 -j ACCEPT

### OUTPUT RULES
# ---------------

# Allow ping out
iptables -A OUTPUT -p icmp -j ACCEPT
ip6tables -A OUTPUT -p ipv6-icmp -j ACCEPT

### Proxmox Host as CLIENT
# Allow HTTP/HTTPS
iptables -A OUTPUT -o $PrxPubVBR -s $PublicIP -p tcp --dport 80 -j ACCEPT
ip6tables -A OUTPUT -o $PrxPubVBR -s $PublicIP6 -p tcp --dport 80 -j ACCEPT
iptables -A OUTPUT -o $PrxPubVBR -s $PublicIP -p tcp --dport 443 -j ACCEPT
ip6tables -A OUTPUT -o $PrxPubVBR -s $PublicIP6 -p tcp --dport 443 -j ACCEPT
# Allow DNS
iptables -A OUTPUT -o $PrxPubVBR -s $PublicIP -p udp --dport 53 -j ACCEPT
ip6tables -A OUTPUT -o $PrxPubVBR -s $PublicIP6 -p udp --dport 53 -j ACCEPT

### Proxmox Host as SERVER
# Allow SSH
iptables -A OUTPUT -o $PrxPubVBR -s $PublicIP -p tcp --sport ${SSHPORT} -j ACCEPT
ip6tables -A OUTPUT -o $PrxPubVBR -s $PublicIP6 -p tcp --sport ${SSHPORT} -j ACCEPT
# Allow PROXMOX WebUI output to VPN
iptables -A OUTPUT -o $PrxVmWanVBR -s $ProxVmWanIP -p tcp --sport 8006 -j ACCEPT
ip6tables -A OUTPUT -o $PrxVmWanVBR -s $ProxVmWanIP6 -p tcp --sport 8006 -j ACCEPT

### FORWARD RULES
# ----------------

### Redirect (NAT) traffic from internet
# All tcp to OPNsense WAN except ${SSHPORT}
iptables -A PREROUTING -t nat -i $PrxPubVBR -p tcp --match multiport ! --dports ${SSHPORT} -j DNAT --to $OpnVmWanIP
ip6tables -A PREROUTING -t nat -i $PrxPubVBR -p tcp --match multiport ! --dports ${SSHPORT} -j DNAT --to $OpnVmWanIP6
# All udp to OPNsense WAN
iptables -A PREROUTING -t nat -i $PrxPubVBR -p udp -j DNAT --to $OpnVmWanIP
ip6tables -A PREROUTING -t nat -i $PrxPubVBR -p udp -j DNAT --to $OpnVmWanIP6

# Allow request forwarding to OPNsense WAN interface
iptables -A FORWARD -i $PrxPubVBR -d $OpnVmWanIP -o $PrxVmWanVBR -p tcp -j ACCEPT
ip6tables -A FORWARD -i $PrxPubVBR -d $OpnVmWanIP6 -o $PrxVmWanVBR -p tcp -j ACCEPT
iptables -A FORWARD -i $PrxPubVBR -d $OpnVmWanIP -o $PrxVmWanVBR -p udp -j ACCEPT
ip6tables -A FORWARD -i $PrxPubVBR -d $OpnVmWanIP6 -o $PrxVmWanVBR -p udp -j ACCEPT

# Allow request forwarding from LAN
iptables -A FORWARD -i $PrxVmWanVBR -s $VmWanNET -j ACCEPT
#ip6tables -A FORWARD -i $PrxVmWanVBR -s $VmWanNET -j ACCEPT

### MASQUERADE MANDATORY
# Allow WAN network (OPNsense) to use vmbr0 public adress to go out
iptables -t nat -A POSTROUTING -s $VmWanNET -o $PrxPubVBR -j MASQUERADE
#ip6tables -t nat -A POSTROUTING -s $VmWanNET -o $PrxPubVBR -j MASQUERADE

service fail2ban restart

Could someone help me make Ipv6 working?
 

About

The Proxmox community has been around for many years and offers help and support for Proxmox VE and Proxmox Mail Gateway. We think our community is one of the best thanks to people like you!

Get your subscription!

The Proxmox team works very hard to make sure you are running the best software and getting stable updates and security enhancements, as well as quick enterprise support. Tens of thousands of happy customers have a Proxmox subscription. Get your own in 60 seconds.

Buy now!