Redirect all traffic IPv6 (CIDR) to one VM (OPNsense)?

Thatoo
Hello,

I have an IPv4 iptables script that redirects all traffic of my single public IPv4 to my OPNsense VM (local IPv4), which I'm trying to edit in order to do the same but with IPv6.
I'd like not only Proxmox to be IPv6 ready (it is already) but also my OPNsense VM and all other VMs and CTs that are behind IPv4 NAT to be IPv6 ready (with public IPv6 if possible: dual stack, private IPv4 because of NAT and public IPv6).
Here is the script I have, which works for IPv4 and which I started to modify for IPv6, but I don't know how to continue...

Code:
#!/bin/sh

    # ---------
    # VARIABLES
    # ---------

## Proxmox bridge holding Public IP
PrxPubVBR="vmbr0"
## Proxmox bridge on VmWanNET (OPNsense WAN side)
PrxVmWanVBR="vmbr1"
## Proxmox bridge on PrivNET (OPNsense LAN side)
PrxVmPrivVBR="vmbr2"

## Network/Mask of PubWanNET6
PubWanNET6="2a00:c70:1:xxx:xxx:xxx:xxx:1/96"
## Network/Mask of VmWanNET
VmWanNET="10.0.0.0/30"
## Network/Mask of PrivNET
PrivNET="192.168.9.0/24"
## Network/Mask of VpnNET
VpnNET="10.2.2.0/24"

## Public IP => Your own public IP address
PublicIP="xxx.xxx.xxx.xxx"
PublicIP6="2a00:c70:1:xxx:xxx:xxx:xxx:1"
## Proxmox IP on the same network as OPNsense WAN (VmWanNET)
ProxVmWanIP="10.0.0.1"
## IPv6 counterpart used below (placeholder: the original script used it without defining it)
ProxVmWanIP6="2a00:c70:1:xxx:xxx:xxx:xxx:3"
## Proxmox IP on the same network as VMs
ProxVmPrivIP="192.168.9.1"
## OPNsense IP used by the firewall (inside VM)
OpnVmWanIP="10.0.0.2"
OpnVmWanIP6="2a00:c70:1:xxx:xxx:xxx:xxx:2"
## SSH port of the Proxmox host (placeholder: the original script used it without defining it)
SSHPORT="22"

    # ---------------------
    # CLEAN ALL & DROP IPV6
    # ---------------------

### Delete all existing rules.
iptables -F
ip6tables -F
iptables -t nat -F
iptables -t mangle -F
iptables -X
ip6tables -X
### This policy does not handle IPv6 traffic except to drop it.
ip6tables -P INPUT DROP
ip6tables -P OUTPUT DROP
ip6tables -P FORWARD DROP

    # --------------
    # DEFAULT POLICY
    # --------------

### Block ALL !
iptables -P OUTPUT DROP
iptables -P INPUT DROP
iptables -P FORWARD DROP

    # ------
    # CHAINS
    # ------

### Creating chains
iptables -N TCP
iptables -N UDP
ip6tables -N TCP
ip6tables -N UDP

# UDP = ACCEPT / SEND TO THIS CHAIN
iptables -A INPUT -p udp -m conntrack --ctstate NEW -j UDP
ip6tables -A INPUT -p udp -m conntrack --ctstate NEW -j UDP
# TCP = ACCEPT / SEND TO THIS CHAIN
iptables -A INPUT -p tcp --syn -m conntrack --ctstate NEW -j TCP
ip6tables -A INPUT -p tcp --syn -m conntrack --ctstate NEW -j TCP

    # ------------
    # GLOBAL RULES
    # ------------

# Allow localhost
iptables -A INPUT -i lo -j ACCEPT
ip6tables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
ip6tables -A OUTPUT -o lo -j ACCEPT
# Don't break the current/active connections
iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
ip6tables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
ip6tables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# Allow Ping - Comment this to return timeout to ping request
#iptables -A INPUT -p icmp --icmp-type 8 -m conntrack --ctstate NEW -j ACCEPT
ip6tables -A INPUT -p ipv6-icmp -j ACCEPT

    # --------------------
    # RULES FOR PrxPubVBR
    # --------------------

### INPUT RULES
# ---------------
# Allow SSH server
iptables -A TCP -i $PrxPubVBR -d $PublicIP -p tcp --dport ${SSHPORT} -j ACCEPT
ip6tables -A TCP -i $PrxPubVBR -d $PublicIP6 -p tcp --dport ${SSHPORT} -j ACCEPT
# Allow Proxmox WebUI from VPN
iptables -A TCP -i $PrxVmWanVBR -d $ProxVmWanIP -p tcp --dport 8006 -j ACCEPT
ip6tables -A TCP -i $PrxVmWanVBR -d $ProxVmWanIP6 -p tcp --dport 8006 -j ACCEPT

### OUTPUT RULES
# ---------------

# Allow ping out
iptables -A OUTPUT -p icmp -j ACCEPT
ip6tables -A OUTPUT -p ipv6-icmp -j ACCEPT

### Proxmox Host as CLIENT
# Allow HTTP/HTTPS
iptables -A OUTPUT -o $PrxPubVBR -s $PublicIP -p tcp --dport 80 -j ACCEPT
iptables -A OUTPUT -o $PrxPubVBR -s $PublicIP -p tcp --dport 443 -j ACCEPT
# Allow DNS
iptables -A OUTPUT -o $PrxPubVBR -s $PublicIP -p udp --dport 53 -j ACCEPT

### Proxmox Host as SERVER
# Allow SSH
iptables -A OUTPUT -o $PrxPubVBR -s $PublicIP -p tcp --sport ${SSHPORT} -j ACCEPT
# Allow PROXMOX WebUI output to VPN
iptables -A OUTPUT -o $PrxVmWanVBR -s $ProxVmWanIP -p tcp --sport 8006 -j ACCEPT

### FORWARD RULES
# ----------------

### Redirect (NAT) traffic from internet
# All tcp to OPNsense WAN except ${SSHPORT}
iptables -A PREROUTING -t nat -i $PrxPubVBR -p tcp --match multiport ! --dports ${SSHPORT} -j DNAT --to $OpnVmWanIP
# All udp to OPNsense WAN
iptables -A PREROUTING -t nat -i $PrxPubVBR -p udp -j DNAT --to $OpnVmWanIP

# Allow request forwarding to OPNsense WAN interface
iptables -A FORWARD -i $PrxPubVBR -d $OpnVmWanIP -o $PrxVmWanVBR -p tcp -j ACCEPT
iptables -A FORWARD -i $PrxPubVBR -d $OpnVmWanIP -o $PrxVmWanVBR -p udp -j ACCEPT

# Allow request forwarding from LAN
iptables -A FORWARD -i $PrxVmWanVBR -s $VmWanNET -j ACCEPT

### MASQUERADE MANDATORY
# Allow WAN network (OPNsense) to use vmbr0 public address to go out
iptables -t nat -A POSTROUTING -s $VmWanNET -o $PrxPubVBR -j MASQUERADE

service fail2ban restart

Could someone help me?
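The IPv6 half of the script above stops right where the IPv4 version starts using DNAT and MASQUERADE. The following is an added example, not code from the post, that shows the host-side part a defender would want for IPv6: there is no NAT, the host simply routes toward the OPNsense WAN address, and the FORWARD chain (policy DROP) decides what may cross between the public bridge and the OPNsense bridge. Because the host's own address and the OPNsense address are distinct, inbound SSH to the host hits INPUT and needs no "everything except the SSH port" exception. The example reuses the post's `PrxPubVBR`, `PrxVmWanVBR` and `OpnVmWanIP6` names; `OpnLanNET6` (a documentation-range prefix) is an assumption standing for a prefix the provider routes to the host for the VMs and CTs behind OPNsense. If the only IPv6 you have is the single /96 on vmbr0, the OPNsense address must be made reachable on that link by other means (NDP proxying), which this example does not cover. Run it with `show` to print the commands, or `apply` to execute them.

```shell
#!/bin/sh
# Added example (not from the forum post): host-side ip6tables FORWARD rules
# and the static route that hand public IPv6 traffic to the OPNsense VM.
# No DNAT/MASQUERADE is involved: the Proxmox host only routes and filters.

# Interface names reuse the post's variables; addresses are placeholders.
PrxPubVBR="vmbr0"                          # bridge holding the public IPv6
PrxVmWanVBR="vmbr1"                        # bridge on the OPNsense WAN side
OpnVmWanIP6="2a00:c70:1:xxx:xxx:xxx:xxx:2" # OPNsense WAN address (placeholder from the post)
OpnLanNET6="2001:db8:1234::/64"            # prefix routed to OPNsense (assumption, documentation range)

# Wrapper: print the command when DRY_RUN=1, execute it otherwise.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Emit the host-side rules. Order matters: reply traffic and ICMPv6 first,
# then explicit NEW allows; the FORWARD policy stays DROP from the main script.
ipv6_forward_rules() {
    # Let the kernel forward between vmbr0 and vmbr1.
    run sysctl -w net.ipv6.conf.all.forwarding=1
    # Reply traffic for the flows allowed below.
    run ip6tables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    # ICMPv6 is not optional in IPv6: path-MTU discovery and neighbour discovery
    # break if it is dropped in FORWARD (the post only allows it in INPUT).
    run ip6tables -A FORWARD -p ipv6-icmp -j ACCEPT
    # New inbound flows from the internet to the OPNsense WAN address...
    run ip6tables -A FORWARD -i "$PrxPubVBR" -o "$PrxVmWanVBR" -d "$OpnVmWanIP6" -m conntrack --ctstate NEW -j ACCEPT
    # ...and to the prefix OPNsense hands out to the VMs/CTs behind it.
    run ip6tables -A FORWARD -i "$PrxPubVBR" -o "$PrxVmWanVBR" -d "$OpnLanNET6" -m conntrack --ctstate NEW -j ACCEPT
    # Outbound: only packets with a source the OPNsense side legitimately owns
    # may leave, so a compromised VM cannot spoof other addresses through the host.
    run ip6tables -A FORWARD -i "$PrxVmWanVBR" -o "$PrxPubVBR" -s "$OpnLanNET6" -j ACCEPT
    run ip6tables -A FORWARD -i "$PrxVmWanVBR" -o "$PrxPubVBR" -s "$OpnVmWanIP6" -j ACCEPT
    # Static route: the delegated prefix lives behind the OPNsense WAN address.
    run ip -6 route replace "$OpnLanNET6" via "$OpnVmWanIP6" dev "$PrxVmWanVBR"
}

# Number of ip6tables rules a dry run would install (a quick sanity check).
rule_count() {
    ( DRY_RUN=1; ipv6_forward_rules ) | grep -c '^ip6tables '
}

if [ "${1:-}" = "show" ]; then
    ( DRY_RUN=1; ipv6_forward_rules )
elif [ "${1:-}" = "apply" ]; then
    ipv6_forward_rules
fi
```

Review the `show` output before applying: every FORWARD rule names both an input and an output bridge and a destination or source address, so nothing can cross the host except toward or from the OPNsense side.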