Allowing IPv6 traffic to device with dynamic routing prefix behind an ip6tables firewall

The first step is to assign a static interface ID to the device.

A stable address should always exist (even with RFC 4941, Privacy Extensions for Stateless Address Autoconfiguration in IPv6, enabled, a stable address is configured alongside the temporary privacy address). Still, you might consider relying on it unsafe or undesirable if your system has not yet implemented RFC 7217, A Method for Generating Semantically Opaque Interface Identifiers with IPv6 Stateless Address Autoconfiguration (SLAAC), because an EUI-64 interface ID exposes your MAC address to the outside world.

It is possible to fix the interface ID by assigning a token to the interface, for example with a pre-up command in /etc/interfaces.d/eth0:

The next step is to let the traffic through the firewall. ip6tables accepts a mask when matching the destination address, so we can use ::ffff:ffff:ffff:ffff as the mask to ignore the site prefix and subnet ID and match only the interface ID:

Unfortunately, although some utilities accept -64 as shorthand for ::ffff:ffff:ffff:ffff, ip6tables does not, so the full mask has to be written out here.

A caveat: this only works for forwarding traffic to the stable address; it will not match a privacy address. P2P programs that use privacy addresses (Transmission, for example, "opts to use a private suffix if privacy extensions are enabled") will therefore probably still not work.
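To make the mask semantics concrete, here is an added example (not code from the original post) that builds the pre-up line and the FORWARD rule from a token, then reproduces the netfilter comparison to show that the rule keeps matching the stable address after a prefix change but never matches a privacy address. The token, the delegated prefixes, the interface name eth0 and the port 51413 are constructed sample values.

```python
import ipaddress

# Constructed sample values: the device's fixed interface ID (the token passed to
# `ip token set`) and the ip6tables mask from the post that ignores the /64 prefix.
TOKEN = "::1234:5678:9abc:def0"
HOST_MASK = "::ffff:ffff:ffff:ffff"
IFACE = "eth0"  # assumption: the interface that receives the delegated prefix


def pre_up_line(token: str, iface: str = IFACE) -> str:
    """ifupdown pre-up line that pins the SLAAC interface ID via an iproute2 token."""
    return f"pre-up ip token set {token} dev {iface}"


def forward_rule(token: str, proto: str, port: int) -> str:
    """ip6tables FORWARD rule matching only the low 64 bits of the destination."""
    return (f"ip6tables -A FORWARD -d {token}/{HOST_MASK} "
            f"-p {proto} --dport {port} -j ACCEPT")


def rule_matches(dst: str, token: str, mask: str = HOST_MASK) -> bool:
    """Reproduce the netfilter check: (dst & mask) == (rule address & mask)."""
    m = int(ipaddress.IPv6Address(mask))
    return (int(ipaddress.IPv6Address(dst)) & m) == (int(ipaddress.IPv6Address(token)) & m)


def stable_address(prefix: str, token: str) -> str:
    """Compose the stable SLAAC address: delegated /64 prefix OR the token."""
    net = ipaddress.IPv6Network(prefix, strict=True)
    return str(ipaddress.IPv6Address(int(net.network_address) | int(ipaddress.IPv6Address(token))))


if __name__ == "__main__":
    print(pre_up_line(TOKEN))
    print(forward_rule(TOKEN, "tcp", 51413))
    # The same rule keeps working when the ISP hands out a different /64.
    for prefix in ("2001:db8:1:2::/64", "2001:db8:9:9::/64"):
        addr = stable_address(prefix, TOKEN)
        print(addr, rule_matches(addr, TOKEN))
    # An RFC 4941 privacy address carries a random interface ID, so it is not matched.
    print(rule_matches("2001:db8:1:2:a1b2:c3d4:e5f6:708", TOKEN))
```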
