ip6tables: how to handle periodically changing prefix?

iptables ipv6

My ISP provides me with native IPv6 (unfortunately DS-Lite for v4) and I'm using SLAAC for the clients in my local network behind a broadband router.

As I don't trust the router (which is configured by my ISP over TR-691) I have set up ip6tables rules on every client, e.g. limiting SSH access to stations in the same subnet:

$ ip6tables -A services -s 2a02:8071:28c2:5400::/64 -p tcp --dport 22 -j ACCEPT

The problem now is that the prefix changes periodically, approx. once a month.

Is there an ip6tables statement that dynamically matches the current prefix(es) of a given interface?

Or how would you handle the changing prefix? I thought of writing an init script that first determines the current prefix through Router-Solicitation an then generates the appropreate ip6tables rules. But this sounds dirty somehow...


In theory, the right way to handle this is with DHCP Prefix Delegation and dynamic DNS.

So, it would work like this:

1) your router linux instance requests an IPv6 address as well as an IPv6 prefix delegation from the ISP on interface A

2) it assigns one /64 from the delegated prefix to interface B, which has all the other machines. It advertises this prefix via RA packets and/or via the DHCP server daemon of your choice

3) clients grab IPv6 addresses and register themselves in local DNS by hostname, or respond to mDNS requests for that name if they're running bonjour, Avahi, etc.

4) firewall rules and pretty much any other network-related configuration is based on host names, not IP addresses. This is the IPv6 way: DNS names good, literal addresses bad because they are hard to remember and type.

The major problem you'll find is that iptables and ip6tables only support hostname-based rules by resolving hostnames once during rule installation. So you'll probably have to write some script to re-install rules whenever the prefix changes. Worse, if a host is offline or not resolvable by mDNS or DDNS at rule install time, things will break silently.

In short, ip(6)tables is just plain broken for any case where IP addresses change, even on IPv4. This means it is broken for any network of reasonable size, at least on a system acting as a router.

Lots of commercial firewall products handle this use case much better (even though many are linux based, such as SonicWall). I suspect they simply re-resolve FQDNs periodically based on TTL and update IPtables or their custom networking kernel modules.

Related

Windows 7 UAC lightbox is slow to appear - can it be sped up?
DNS responding only to nslookup in Windows 7
How to fix fonts in Firefox Windows 7
How to create bootable recovery partition to restore windows 7 partition as it is now
wmic product get does not get all programs
In Powershell, is there a way to save a typed command into history without executing it for later execution?
creating a named host for virtualbox accessible from host
How can I import h.264 encoded MOV files into windows movie maker?
Repair corrupted NTFS File System
Redirection sends me to the same page when I press "Back"
How can I copy part of the huge file to new file?
List availible NICs on Linux