Re: ipv6 forward rule after prerouting - Howto

[Daniel Huhardeaux <tech@xxxxxxxxxx>]

Le 06/11/2019 à 19:50, Phil Sutter a écrit :
> Hi,
>
> On Wed, Nov 06, 2019 at 06:55:56PM +0100, Daniel Huhardeaux wrote:
> > Hello,
> >
> > I setup prerouting rules with maps like
> >
> > chain prerouting {
> >      type nat hook prerouting priority 0; policy accept;
> >      iif "ens3" ip6 saddr . tcp dport vmap @blacklist_tcp
> >      if "ens3" ip6 saddr . udp dport vmap @blacklist_udp
> >      dnat to tcp dport map @fwdtoip_tcp:tcp dport map @fwdtoport_tcp
> >      dnat to udp dport map @fwdtoip_udp:udp dport map @fwdtoport_udp
> >      ip6 daddr 2a01:729:16e:10::9998 redirect to :tcp dport map @redirect_tcp
> >      ip6 daddr 2a01:729:16e:10::9998 redirect to :udp dport map @redirect_udp
> >      ct status dnat accept
> >      }
> >
> > Default behavior in ip6 filter forward table is to drop. This means that
> > my above rules are blocked, I see (u18srv being the machine who will
> > forward the traffic to another one):
> >
> > 18:32:00.476524 IP6 <hostname>.41174 > u18srv.12345: Flags [S], seq
> > 126955234, win 28640, options [mss 1432,sackOK,TS val 2255777795 ecr
> > 0,nop,wscale 7], length 0
> >   
> >
> > 18:32:08.668468 IP6 <hostname>.41174 > u18srv.12345: Flags [S], seq
> > 126955234, win 28640, options [mss 1432,sackOK,TS val 2255785986 ecr
> > 0,nop,wscale 7], length 0
> > 18:32:24.796392 IP6 <hostname>.41174 > u18srv.12345: Flags [S], seq
> > 126955234, win 28640, options [mss 1432,sackOK,TS val 2255802114 ecr
> > 0,nop,wscale 7], length 0
> >
> > Now if I change my default value to accept for ip6 filter forward table,
> > all is good.
> >
> > Question: how can I add forward rule to filter table using the existing
> > maps which are defined in nat tables ? Other solution ?
> >
> > I thought that ct status dnat accept was the key to archieve my goal,
> > seems not :(
> >
> > Thanks for any hint
>
> Please be aware that 'accept' verdict will only stop the packet from
> traversing the current chain and any later chain may still drop the
> packet. Only 'drop' verdict is final in that sense.
>
> So regarding your problem, I guess you have to add the 'ct state' based
> accept rule to forward chain to prevent the drop policy to affect the
> packet. Your prerouting chain already has an accept policy, so explicit
> accepting shouldn't be needed.

Finally I got it work replacing redirect with dnat like

add rule ip6 nat prerouting ip6 daddr == $addripv6 ip6 nexthdr tcp dnat 
to : tcp dport map @redirect_tcp

Thanks for your help
--
TOOTAi Networks