
Re: Does IPv6 preclude use of a NAT gateway?



On Sunday 10 July 2011 09:48:46 am Henrique de Moraes Holschuh wrote:
> On Sat, 09 Jul 2011, Randy Kramer wrote:
> > When I switch to IPv6, will I lose the ability to keep my computers
> > behind a NAT gateway?
>
> Yes, for the address translation.  Unless you hack something with
> mobile-ipv6, or use filtering application level gateways (which are a
> far superior solution anyway).
>
> But you can emulate the no-incoming-connection behaviour of
> restricted cone NAT and symmetric NAT with these two rules:
>
> ip6tables -I FORWARD -i <external interface> -m conntrack \
> 	--ctstate=NEW,INVALID -j DROP
> ip6tables -I INPUT -i <external interface> -m conntrack \
> 	--ctstate=NEW,INVALID -j DROP
>
> (the above was not checked for syntax errors)

Thanks!

> Please use a proper firewall, instead.  A general blockade on incoming
> connections is _VERY_ crappy protection.

Well, perhaps, but I was going to mention to someone else earlier in the 
thread--I've been using NAT gateways for something close to 20 years, 
with very few problems (I can't recall any, atm) with anything evil 
getting through to me, even in the days when I used Windows.

And hence, I never bothered to learn about firewalls or proxies. ;-)

I hate learning new stuff ;-)  (But, I guess it will have to happen.)

> Also, ipv6 firewalling is very annoying on the gateway (due to the
> icmpv6 filtering which must be done right).  When possible, get a
> script that does most of it right for you (or check RFC 4890).

Sounds like good advice.

Randy Kramer
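
The following is an added example, not part of the original message and not written by either poster: a shell function that prints the two quoted drop rules preceded by accepts for a subset of the ICMPv6 messages RFC 4890 says must not be dropped, so the ordering the "icmpv6 filtering" remark depends on is visible. The interface name eth0 and the function name emit_rules are assumptions; the rules are only printed, not applied.

```shell
#!/bin/sh
# Added example: prints (does not apply) ip6tables rules for a gateway.
# Assumption: "eth0" is a placeholder for the external interface.

ICMP6_ERRORS="1 2 3/0 4/1 4/2"   # RFC 4890 error messages (type/code) to let through
ND_TYPES="133 134 135 136"        # RS, RA, NS, NA: needed by the gateway itself

emit_rules() {
    ext_if=$1
    # Refuse anything that is not a plain interface name, since the
    # output is meant to be run as root.
    case $ext_if in
        ''|*[!A-Za-z0-9_.-]*) echo "invalid interface name" >&2; return 1 ;;
    esac

    for chain in INPUT FORWARD; do
        # Replies to connections opened from inside.
        echo "ip6tables -A $chain -i $ext_if -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
        # Destination Unreachable, Packet Too Big, Time Exceeded (code 0),
        # Parameter Problem (codes 1 and 2).
        for t in $ICMP6_ERRORS; do
            echo "ip6tables -A $chain -i $ext_if -p ipv6-icmp --icmpv6-type $t -j ACCEPT"
        done
    done

    # Neighbor Discovery is link-local only: accept it on INPUT, and only
    # with hop limit 255, which a packet that crossed a router cannot have.
    for t in $ND_TYPES; do
        echo "ip6tables -A INPUT -i $ext_if -p ipv6-icmp --icmpv6-type $t -m hl --hl-eq 255 -j ACCEPT"
    done

    # The two drop rules from the message (written there with -I),
    # appended last so the accepts above are evaluated first.
    for chain in INPUT FORWARD; do
        echo "ip6tables -A $chain -i $ext_if -m conntrack --ctstate NEW,INVALID -j DROP"
    done
}

emit_rules "${EXT_IF:-eth0}"
```

RFC 4890 lists further message types (echo, multicast listener discovery and others) that this subset leaves out; review the printed rules before piping them to sh as root.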


