[opensuse] NAT / PAT @ IPv6
Hi all,
Before getting any comments, let me state that I'm very happy that with IPv6 most people do not need to masquerade their local IP addresses any more.
However, as an admin, it is sometimes very handy to be able to do network and/or port translation. So while keeping un-modified clients, you can divert them (temporarily) to another process.
With iptables this can easily be achieved with a DNAT.
How can I do likewise with ip6tables? (as there is no nat-table)
Kind regards, Hans
-- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org
On 05/27/2014 01:59 PM, Hans Witvliet wrote:
> Hi all,
> Before getting any comments, let me state that I'm very happy that with IPv6 most people do not need to masquerade their local IP addresses any more.
> However, as an admin, it is sometimes very handy to be able to do network and/or port translation. So while keeping un-modified clients, you can divert them (temporarily) to another process.
> With iptables this can easily be achieved with a DNAT.
> How can I do likewise with ip6tables? (as there is no nat-table)
> Kind regards, Hans
Hans,
Since kernel 3.7, ip6tables has had NAT support. Which version of openSUSE/kernel are you running?
Brandon Vincent
On Tue, 2014-05-27 at 17:08 -0700, Brandon Vincent wrote:
> On 05/27/2014 01:59 PM, Hans Witvliet wrote:
>> Hi all,
>> Before getting any comments, let me state that I'm very happy that with IPv6 most people do not need to masquerade their local IP addresses any more.
>> However, as an admin, it is sometimes very handy to be able to do network and/or port translation. So while keeping un-modified clients, you can divert them (temporarily) to another process.
>> With iptables this can easily be achieved with a DNAT.
>> How can I do likewise with ip6tables? (as there is no nat-table)
>> Kind regards, Hans
> Hans,
> Since kernel 3.7, ip6tables has had NAT support. Which version of openSUSE/kernel are you running?
> Brandon Vincent
Hi, I know this was mentioned, but generally. At least 3.7? That explains why I cannot find it in OS_12.2 and SLES11sp3 (where I was looking)
So it should be available (not just kernel, but also in userland-tools like ip6tables) in 12.3, 13.1 and hopefully in SLES12?
hans
On 05/28/2014 12:20 AM, Hans Witvliet wrote:
> Hi, I know this was mentioned, but generally. At least 3.7? That explains why I cannot find it in OS_12.2 and SLES11sp3 (where I was looking)
> So it should be available (not just kernel, but also in userland-tools like ip6tables) in 12.3, 13.1 and hopefully in SLES12?
> hans
ip6tables should be included in earlier versions of openSUSE and SLES, as the IPv6 stateful inspection kernel module has been available since kernel version 2.6.20. Disagreements over the need for IPv6 NAT support postponed the module from being developed, and thus the delay in release until 3.7.
As for SLES12, I don't know if they have backported the kernel module into the older kernel. If so, "modprobe ip6table_nat" should inform you if the kernel module is present or not.
Brandon Vincent
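The module check described in the message above, together with the kind of DNAT rule the original question asks for, as an added example that is not part of the thread. The function names, the ports 80 and 8080 and the target address 2001:db8::10 (documentation prefix) are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Assumptions: function names, ports
# 80/8080 and the target 2001:db8::10 (documentation prefix) are made up.

# kernel_has_ip6_nat VERSION: exit 0 if VERSION (as printed by `uname -r`,
# e.g. "3.11.10-7-desktop") is 3.7 or newer, 1 if older, 2 if unparsable.
kernel_has_ip6_nat() {
    ver=${1%%-*}                      # strip the distro suffix
    major=${ver%%.*}
    rest=${ver#*.}
    minor=${rest%%.*}
    case $major in ''|*[!0-9]*) return 2 ;; esac
    case $minor in ''|*[!0-9]*) return 2 ;; esac
    [ "$major" -gt 3 ] || { [ "$major" -eq 3 ] && [ "$minor" -ge 7 ]; }
}

# nat_module_available: exit 0 if ip6table_nat is loaded or could be loaded.
# `modprobe -n` is a dry run, so nothing is inserted into the kernel.
nat_module_available() {
    grep -q '^ip6table_nat ' /proc/modules 2>/dev/null && return 0
    modprobe -n ip6table_nat >/dev/null 2>&1
}

# dnat_rule PORT ADDR NEWPORT: print the ip6tables command that diverts
# inbound TCP PORT to [ADDR]:NEWPORT. IPv6 targets with a port need brackets.
dnat_rule() {
    printf '%s --dport %s -j DNAT --to-destination [%s]:%s\n' \
        'ip6tables -t nat -A PREROUTING -p tcp' "$1" "$2" "$3"
}

# report: the module test decides; the version only explains a failure,
# because a distribution may backport the module to an older kernel.
report() {
    if nat_module_available; then
        echo "ip6table_nat present; rule to run as root:"
        dnat_rule 80 2001:db8::10 8080
    elif kernel_has_ip6_nat "$(uname -r)"; then
        echo "kernel is 3.7 or newer but ip6table_nat was not found"
    else
        echo "kernel predates 3.7 and no backported ip6table_nat found"
    fi
}

report
```

The script only prints the rule; it changes nothing on the host, so it can be run unprivileged before deciding whether to apply the rule as root.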
On 05/28/2014 01:33 PM, Brandon Vincent wrote:
> ip6tables should be included in earlier versions of openSUSE and SLES, as the IPv6 stateful inspection kernel module has been available since kernel version 2.6.20. Disagreements over the need for IPv6 NAT support postponed the module from being developed, and thus the delay in release until 3.7.
What would be nice would be configuration tools in Yast, as there are for IPv4.
On 5/28/2014 10:42 AM, James Knott wrote:
> On 05/28/2014 01:33 PM, Brandon Vincent wrote:
>> ip6tables should be included in earlier versions of openSUSE and SLES, as the IPv6 stateful inspection kernel module has been available since kernel version 2.6.20. Disagreements over the need for IPv6 NAT support postponed the module from being developed, and thus the delay in release until 3.7.
> What would be nice would be configuration tools in Yast, as there are for IPv4.
Or use Shorewall. I find it easier to understand than yast.
--
_____________________________________
---This space for rent---
On 05/28/2014 04:07 PM, John Andersen wrote:
>> What would be nice would be configuration tools in Yast, as there are for IPv4.
> Or use Shorewall. I find it easier to understand than yast.
I thought Shorewall was just a firewall. All the usual tools for IPv6, such as DHCP, are missing. For example, I'm currently trying to figure out how to use dhcp6 to send the IPv6 address for my DNS server to devices that don't use static configuration.
Right now, if a device relies on DHCP for IPv4, then it can only get the IPv4 address. Just adding option dns_servers to dhcp6.conf and starting the dhcp6 server doesn't seem to do the trick. IPv6 has been in use for years and is becoming more popular. In a few years, it will be essential. It would be nice if the tools to properly use it were available.
BTW, is there a dhcp6 routers option? I can't seem to find one.
On 5/28/2014 1:15 PM, James Knott wrote:
> On 05/28/2014 04:07 PM, John Andersen wrote:
>>> What would be nice would be configuration tools in Yast, as there are for IPv4.
>> Or use Shorewall. I find it easier to understand than yast.
> I thought Shorewall was just a firewall. All the usual tools for IPv6, such as DHCP, are missing. For example, I'm currently trying to figure out how to use dhcp6 to send the IPv6 address for my DNS server to devices that don't use static configuration.
The thread was going in the direction of iptables (firewall/router) stuff. If it somehow went off on a dhcp tangent, I apologize for missing that fact.
> Right now, if a device relies on DHCP for IPv4, then it can only get the IPv4 address. Just adding option dns_servers to dhcp6.conf and starting the dhcp6 server doesn't seem to do the trick. IPv6 has been in use for years and is becoming more popular. In a few years, it will be essential. It would be nice if the tools to properly use it were available.
> BTW, is there a dhcp6 routers option? I can't seem to find one.
See... http://shorewall.net/IPv6Support.html
--
_____________________________________
---This space for rent---
James Knott wrote:
> On 05/28/2014 04:07 PM, John Andersen wrote:
>>> What would be nice would be configuration tools in Yast, as there are for IPv4.
>> Or use Shorewall. I find it easier to understand than yast.
> I thought Shorewall was just a firewall. All the usual tools for IPv6, such as DHCP, are missing. For example, I'm currently trying to figure out how to use dhcp6 to send the IPv6 address for my DNS server to devices that don't use static configuration. Right now, if a device relies on DHCP for IPv4, then it can only get the IPv4 address. Just adding option dns_servers to dhcp6.conf and starting the dhcp6 server doesn't seem to do the trick.
The device has to support it too :-) There are plenty of devices that are ipv4-only (I'm sure you know).
> BTW, is there a dhcp6 routers option? I can't seem to find one.
There isn't one afaik - I use radvd instead.
--
Per Jessen, Zürich (12.6°C)
http://www.hostsuisse.com/ - dedicated server rental in Switzerland.
On 05/29/2014 04:56 AM, Per Jessen wrote:
> The device has to support it too :-) There are plenty of devices that are ipv4-only (I'm sure you know).
I'm testing with a notebook computer running openSUSE 13.1 with network manager. I've tried the various settings for dhcp6 in it.
>> BTW, is there a dhcp6 routers option? I can't seem to find one.
> There isn't one afaik - I use radvd instead.
I would too, but the tunnel client I'm using to get IPv6 doesn't use it and can only be configured for one subnet. If I try to use radvd, I lose the main network IPv6.
James Knott wrote:
> On 05/29/2014 04:56 AM, Per Jessen wrote:
>> The device has to support it too :-) There are plenty of devices that are ipv4-only (I'm sure you know).
> I'm testing with a notebook computer running openSUSE 13.1 with network manager. I've tried the various settings for dhcp6 in it.
Okay. I'm not using dhcpv6, using radvd has worked for me so far, though I haven't checked if resolv.conf is correctly updated.
>>> BTW, is there a dhcp6 routers option? I can't seem to find one.
>> There isn't one afaik - I use radvd instead.
> I would too, but the tunnel client I'm using to get IPv6 doesn't use it and can only be configured for one subnet. If I try to use radvd, I lose the main network IPv6.
I'm not exactly an expert, but my radvd.conf also has only one subnet. Seems like you ought to be able to use radvd regardless of your type of uplink?
--
Per Jessen, Zürich (12.6°C)
http://www.hostsuisse.com/ - dedicated server rental in Switzerland.
On 05/29/2014 07:56 AM, Per Jessen wrote:
> I'm not exactly an expert, but my radvd.conf also has only one subnet. Seems like you ought to be able to use radvd regardless of your type of uplink?
You'd think so, but it doesn't work. I've tried adding the new subnet or both subnets to it and I always lose the main one.
participants (5)
- Brandon Vincent
- Hans Witvliet
- James Knott
- John Andersen
- Per Jessen