
Re: Does IPv6 preclude use of a NAT gateway?



On Sat, 09 Jul 2011, Randy Kramer wrote:
> When I switch to IPv6, will I lose the ability to keep my computers 
> behind a NAT gateway?

Yes, for the address translation.  Unless you hack something with
mobile-ipv6, or use filtering application level gateways (which are a far
superior solution anyway).

But you can emulate the no-incoming-connection behaviour of restricted cone
NAT and symmetric NAT with these two rules:

ip6tables -I FORWARD -i <external interface> -m conntrack \
	--ctstate=NEW,INVALID -j DROP
ip6tables -I INPUT -i <external interface> -m conntrack \
	--ctstate=NEW,INVALID -j DROP

(the above was not checked for syntax errors)

> It's probably not the best thing, but I depend on the NAT gateway for a 
> lot of my security--with IPv6, will I still be able to do that?

Please use a proper firewall, instead.  A general blockade on incoming
connections is _VERY_ crappy protection.

Also, ipv6 firewalling is very annoying on the gateway (due to the icmpv6
filtering which must be done right).  When possible, get a script that does
most of it right for you (or check RFC 4890).

-- 
  "One disk to rule them all, One disk to find them. One disk to bring
  them all and in the darkness grind them. In the Land of Redmond
  where the shadows lie." -- The Silicon Valley Tarot
  Henrique Holschuh
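
Added example, not part of the message above: a small generator that places the ICMPv6 accepts a gateway needs ahead of the two DROP rules from the post, printed in ip6tables-restore format. The function name gen_rules, the interface name eth0 and the echo-request rate limit are assumptions; the type numbers follow RFC 4890.

```shell
#!/bin/sh
# Added example, not from the original post. gen_rules and the sample
# interface name are assumptions; output is ip6tables-restore format.

# Neighbour discovery types the gateway itself must receive (RFC 4890, 4.4.1):
# 133 RS, 134 RA, 135 NS, 136 NA. Genuine ND always has hop limit 255.
ND_TYPES="133 134 135 136"

gen_rules() {
    ext_if=$1
    # Refuse empty names or anything that could smuggle extra options/rules.
    case $ext_if in
        ''|-*|*[!A-Za-z0-9._-]*) echo "bad interface name" >&2; return 1 ;;
    esac

    echo '*filter'
    echo ':INPUT ACCEPT [0:0]'
    echo ':FORWARD ACCEPT [0:0]'
    echo ':OUTPUT ACCEPT [0:0]'

    # ND is link-local only, so it is accepted on INPUT and never forwarded.
    for t in $ND_TYPES; do
        echo "-A INPUT -i $ext_if -p ipv6-icmp --icmpv6-type $t -m hl --hl-eq 255 -j ACCEPT"
    done

    # Echo Request is on RFC 4890's must-not-drop list; it arrives as NEW,
    # so it has to be accepted before the DROP rules. The limit (an assumed
    # value) only applies to pings aimed at the gateway itself.
    echo "-A INPUT -i $ext_if -p ipv6-icmp --icmpv6-type 128 -m limit --limit 10/second -j ACCEPT"
    echo "-A FORWARD -i $ext_if -p ipv6-icmp --icmpv6-type 128 -j ACCEPT"

    # ICMPv6 errors (Packet Too Big, Destination Unreachable, ...) that quote a
    # tracked flow are RELATED and replies are ESTABLISHED, so neither matches
    # the two rules from the post, emitted here last.
    for chain in INPUT FORWARD; do
        echo "-A $chain -i $ext_if -m conntrack --ctstate NEW,INVALID -j DROP"
    done
    echo 'COMMIT'
}

# Syntax-check without loading (needs root):
#   gen_rules eth0 | ip6tables-restore --test
```

Because the accepts are appended before the drops, rule order in the generated file is the evaluation order; loading it with ip6tables-restore replaces the existing filter table.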

