Gentoo Forums
ip6tables
mgnut57
Apprentice

Joined: 12 Jan 2008
Posts: 220

Posted: Wed Dec 04, 2019 4:50 am    Post subject: ip6tables

I am just starting to try to understand and configure IPv6 on my home network.

I can run "dhclient -6 ..." and get a working IPv6 address. The next question is ip6tables rules.

I currently run a tight and complex set of iptables rules. Would it work to simply clone every iptables rule to an ip6tables rule (with appropriate changes for IP addresses)?
Ant P.
Watchman

Joined: 18 Apr 2009
Posts: 6333

Posted: Wed Dec 04, 2019 7:03 am    Post subject:

Short answer yes, but in the long term you'd be better off transitioning to nftables where one ruleset can do both (and there's no risk of leaving one completely unfirewalled, as most iptables users currently are).
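What "one ruleset can do both" looks like in practice, as an added example that is not part of the original post: an nftables `inet` table filters IPv4 and IPv6 together. The table name, the file name `ruleset.nft` and the open SSH port are assumptions for illustration; the ICMPv6 and DHCPv6 rules are the IPv6-specific parts that a rule-for-rule copy of an IPv4 ruleset would not contain.

```nft
# Added example: one ruleset for IPv4 and IPv6 via the "inet" family.
# Check syntax without applying it:  nft -c -f ruleset.nft

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;

        # Replies to connections this host opened, for both address families
        ct state established,related accept
        ct state invalid drop
        iif "lo" accept

        # IPv4: allow ping
        icmp type echo-request accept

        # IPv6: error messages, ping, and neighbour discovery / router
        # advertisements. IPv4 does this job with ARP, which iptables never
        # filtered, so cloned IPv4 rules have no equivalent of this rule;
        # with a drop policy and no such rule, SLAAC and neighbour
        # resolution stop working.
        icmpv6 type { destination-unreachable, packet-too-big, time-exceeded,
                      parameter-problem, echo-request, nd-router-advert,
                      nd-neighbor-solicit, nd-neighbor-advert } accept

        # DHCPv6 client ("dhclient -6"): replies arrive from a link-local
        # address, UDP port 547 to port 546
        ip6 saddr fe80::/10 udp sport 547 udp dport 546 accept

        # Assumption for illustration: SSH is the only service offered
        tcp dport 22 accept
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
    }

    chain output {
        type filter hook output priority 0; policy accept;
    }
}
```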
mike155
Veteran

Joined: 17 Sep 2010
Posts: 1959
Location: Frankfurt, Germany

Posted: Wed Dec 04, 2019 4:41 pm    Post subject: Re: ip6tables

mgnut57 wrote:
I can run "dhclient -6 ..." and get a working IPv6 address. The next question is ip6tables rules.

You can use dhclient to get an IPv6 IP address, but you don't have to - IPv6 supports stateless autoconfiguration (SLAAC).
NeddySeagoon
Administrator

Joined: 05 Jul 2003
Posts: 44900
Location: 56N 3W

Posted: Wed Dec 04, 2019 6:12 pm    Post subject:

mgnut57,

Like mike155 says, IPv6 just works. Your ISP turns it on one day and you have a public IPv6 address.
Nothing between you and the big bad internet apart from lots of empty address space and you didn't even know it.
_________________
Regards,

NeddySeagoon

Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.
mgnut57
Apprentice

Joined: 12 Jan 2008
Posts: 220

Posted: Thu Dec 05, 2019 5:08 am    Post subject:

NeddySeagoon wrote:
mgnut57,

Like mike155 says, IPv6 just works. Your ISP turns it on one day and you have a public IPv6 address.
Nothing between you and the big bad internet apart from lots of empty address space and you didn't even know it.


All my ethernet interfaces appear to have IPv6 addresses, but they don't work. When I used "dhclient -6", I got a working IPv6 address.

What's the point of those IPv6 addresses, and where did they come from? Even the machines behind the router have IPv6 addresses. I have assumed they are some kind of default address. Is this not true?

I just found a reasonable default set of ip6tables and set that up so that I can safely test ipv6.


Last edited by mgnut57 on Thu Dec 05, 2019 6:05 am; edited 1 time in total
ali3nx
l33t

Joined: 21 Sep 2003
Posts: 634
Location: Winnipeg, Canada

Posted: Thu Dec 05, 2019 5:25 am    Post subject:

One thing I discovered when learning IPv6 in more recent years, since my ISP in Canada flipped the switch on live IPv6 support, is the difference between publicly routable IPv6 and the non-routable local address ranges.

Currently I don't have a modem from my ISP that provides IPv6, so portraying the differences with examples is not currently an easy option. However, I found this IPv6 course that's not entirely free but does have many concepts available without requiring purchasing the entire course. Still, the free course material offers some great perspective.

The sections on IPv6 address types and routing are concepts anyone needs to learn because the IPv4 death knell is already here and not going away.

https://networklessons.com/ipv6

It was hilarious discovering my router had been assigned an entire /64 subnet the first time I tested it. Felt like I had my own planet to terraform and do with as I pleased :lol:
_________________
Compiling Gentoo since version 1.4
Thousands of Gentoo Installs Completed
Emerged on every continent but Antarctica
Compile long and Prosper!
NeddySeagoon
Administrator

Joined: 05 Jul 2003
Posts: 44900
Location: 56N 3W

Posted: Thu Dec 05, 2019 11:52 pm    Post subject:

ali3nx,

You are not supposed to subnet a /64 but you can. That's why you have a /64. Your ISP can't give you any less.
When I signed up for a trial (free) I got a /48 for my subnets and a separate /64 just for my ppp uplink.

If you have a global scope IPv6 address it will start with a 2. That's the big bad internet.

IPv4 isn't going away any time soon.
_________________
Regards,

NeddySeagoon

mgnut57
Apprentice

Joined: 12 Jan 2008
Posts: 220

Posted: Fri Dec 06, 2019 3:31 am    Post subject:

NeddySeagoon wrote:
mgnut57,

Like mike155 says, IPv6 just works. Your ISP turns it on one day and you have a public IPv6 address.
Nothing between you and the big bad internet apart from lots of empty address space and you didn't even know it.


What if it doesn't?

My experience is that my interface doesn't have an IPv6 address (other than the link local address). Is it possible that my ISP (Comcast) could support dhcp for IPv6, but not autoconfiguration?

Or is there an iptables or kernel configuration that I need to set? I could not find anything in the kernel config and my ip6tables config was wide open (default allow, no rules).

Update: having read some more, I wonder if the problem is that my cable modem doesn't support SLAAC.