Re: Does IPv6 preclude use of a NAT gateway?

From: Henrique de Moraes Holschuh <hmh@xxxxxxxxxx>
Date: Sun, 10 Jul 2011 10:48:46 -0300

On Sat, 09 Jul 2011, Randy Kramer wrote:

When I switch to IPv6, will I lose the ability to keep my computers
behind a NAT gateway?

Yes, for the address translation. Unless you hack something with
mobile-ipv6, or use filtering application level gateways (which are a far
superior solution anyway).

But you can emulate the no-incoming-connection behaviour of restricted cone
NAT and symmetric NAT with these two rules:

ip6tables -I FORWARD -i <external interface> -m conntrack \
--ctstate=NEW,INVALID -j DROP
ip6tables -I INPUT -i <external interface> -m conntrack \
--ctstate=NEW,INVALID -j DROP

(the above was not checked for syntax errors)

It's probably not the best thing, but I depend on the NAT gateway for a
lot of my security--with IPv6, will I still be able to do that?

Please use a proper firewall, instead. A general blocade on incoming
connections is _VERY_ crappy protection.

Also, ipv6 firewalling is very annoying on the gateway (due to the icmpv6
filtering which must be done right). When possible, get a script that does
most of it right for you (or check RFC 4890).

--
"One disk to rule them all, One disk to find them. One disk to bring
them all and in the darkness grind them. In the Land of Redmond
where the shadows lie." -- The Silicon Valley Tarot
Henrique Holschuh

--
To UNSUBSCRIBE, email to debian-user-REQUEST@xxxxxxxxxxxxxxxx
with a subject of "unsubscribe". Trouble? Contact listmaster@xxxxxxxxxxxxxxxx
Archive: http://lists.debian.org/20110710134846.GA613@xxxxxxxxxxxxxxxxxxxxx

Follow-Ups:
- Re: Does IPv6 preclude use of a NAT gateway?
  - From: Randy Kramer
- Re: Does IPv6 preclude use of a NAT gateway?
  - From: Teemu Likonen

References:
- Does IPv6 preclude use of a NAT gateway?
  - From: Randy Kramer

Prev by Date: Re: ntfs-3g does not mount any more
Next by Date: Re: Networking -- use of two Internet connections for one server with round robin DNS -- web okay, but should I do mail this way too?
Previous by thread: Re: Does IPv6 preclude use of a NAT gateway?
Next by thread: Re: Does IPv6 preclude use of a NAT gateway?
Index(es):
- Date
- Thread

Relevant Pages

Re: [9fans] Do we have a catalog of 9P servers?
... plan9 lets you combine simple commands to provide all sorts ... the gateway even if it only rarely communicates with the outside world, ... NAT and RSVP. ... There are many other Linux NAT solutions that do NAT ...
(comp.os.plan9)
Re: Do you have a FreeBSD NAT gateway?
... my xDSL provider provides a router, not a modem, which means that it does NAT already at the router. ... I have configured the xDSL router to forward all ports to my firewall / NAT gateway. ... setting up a caching dns on you gateway, or testing for dns problems on your Mac mini? ...
(comp.unix.bsd.freebsd.misc)
Re: Do you have a FreeBSD NAT gateway?
... Do you use the NAT feature of pf or do you use the NAT at ... I've had a NAT gateway for, oh, 6 years or so. ... Now I run it with two interfaces and the switch is the back-end network. ... # the fastforwarding speed optimizations still breaks my ipnat setup. ...
(comp.unix.bsd.freebsd.misc)
Re: ntpd on a NAT gateway seems to do nothing
... of 123 whilst ntpdate will use a dynamic source port. ... will be competing for the same ip quadtuple at the NAT box. ... Usually the clients behind the NAT gateway use the ntpd ...
(freebsd-stable)
Re: Routing with red hat 9.0
... >>I believe that all you need to do is set each internal node's gateway to ... >>Are you going to NAT each internal node to different ISP ips? ...
(comp.os.linux.networking)