LinuxQuestions.org
Review your favorite Linux distribution.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Networking
User Name
Password
Linux - Networking This forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.

Notices


Reply
  Search this Thread
Old 11-03-2015, 03:54 PM   #1
fransdb
LQ Newbie
 
Registered: Apr 2010
Posts: 9

Rep: Reputation: 0
How-to obscure local IPv6 addresses for the world


I am using IPv4 currently where only my server is exposed to the outside world. All other devices are hidden behind a second FW and can't be reached from the outside world.
I also have a static IPv6 address but does not use it yet. Now, I am looking to start using the dual-stack option, but I am afraid that my local systems are being reachable from the outside world.

There is much data about IPv6 on the Internet, but I have not found (yet) info on how to shield your local systems as good as on a IPv4 network.

Hope someone can point me in the right direction or has ready answers

Regards, Frans.
 
Old 11-04-2015, 12:22 PM   #2
smallpond
Senior Member
 
Registered: Feb 2011
Location: Massachusetts, USA
Distribution: Fedora
Posts: 4,138

Rep: Reputation: 1263Reputation: 1263Reputation: 1263Reputation: 1263Reputation: 1263Reputation: 1263Reputation: 1263Reputation: 1263Reputation: 1263
NAT gave IPv4 some immunity by accident since you can't receive unsolicited traffic from the internet. For IPv6 you should block all traffic at the firewall using ip6tables and only open the ports where you need to receive traffic. If your box does not need to receive unsolicited traffic, then you should only route established tcp sessions to it using connection tracking. This means you forward "NEW" packets from inside to outside and "ESTABLISHED,RELATED" from outside to inside. This creates some issues with services that open a secondary port, but they are the same issues as IPv4/NAT.

https://www.sixxs.net/wiki/IPv6_Firewalling
 
Old 11-04-2015, 12:25 PM   #3
Emerson
LQ Sage
 
Registered: Nov 2004
Location: Saint Amant, Acadiana
Distribution: Gentoo ~amd64
Posts: 7,661

Rep: Reputation: Disabled
Reading.
 
Old 11-04-2015, 02:56 PM   #4
fransdb
LQ Newbie
 
Registered: Apr 2010
Posts: 9

Original Poster
Rep: Reputation: 0
Thanks for the pointers. The thing is that I just don't want the outside world to knock on my local systems. They can knock on my inner FW, but no further. It is not that I have a need to really obscure my IPv6 addresses, just don't want the outside world in without reason.

Come to think of, my inner FW just blocks every incoming request too. I only needed to use NAT on the outside FW. Using dual-stack I still need this for IPv4 protocols, but there is no need for it when using IPv6. As long as my local systems are not directly reachable for the outside using a FW.

Ok, I think I understand it a little better and will take the next step into the experiment.

--, Frans.

Last edited by fransdb; 11-04-2015 at 02:59 PM.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
why do i have two global ipv6 addresses mpyusko Debian 6 02-05-2014 08:47 AM
LXer: ITC: How an obscure bureaucracy makes the world safe for patent trolls LXer Syndicated Linux News 0 09-22-2012 02:31 PM
[SOLVED] how to map local addresses to FQDN addresses with postfix sneakyimp Linux - Server 5 08-04-2011 03:18 PM
LXer: Another IPv6 Crash Course For Linux: Real IPv6 Addresses, Routing, Name Services LXer Syndicated Linux News 0 04-21-2011 07:40 AM
[SOLVED] Validate IPv6 addresses ashok.g Programming 2 06-19-2010 04:49 PM

LinuxQuestions.org > Forums > Linux Forums > Linux - Networking

All times are GMT -5. The time now is 02:01 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration