On Tue, May 26, 2020 at 11:55:40AM -0700, Kenneth Porter wrote:
> I finally got an ISP connection with working IPv6 and now I need to add
> firewall rules for forwarding connections from my LAN to the WAN. I'm using
> firewalld to handle the high-level description that gets translated to
> iptables/ip6tables on CentOS 7.
>
> Of course, with IPv6, one doesn't do NAT, so the usual masquerade target
> doesn't make sense.

Correct. Likely you don't want to NAT IPv6.

> But I want similar connection logic, with no inbound connections
> allowed to LAN clients and all outbound connections allowed. How does
> one express this in either firewalld or its ip6tables "direct rules"?

At present firewalld does the same amount of forward blocking for IPv4
and IPv6. By default it allows outbound IPv4/IPv6, but inbound is
filtered out with some exceptions. See the section about --set-target in the
man page firewall-cmd(1).

You need forward filtering (iptables filter table FORWARD chain) to
allow services/port/etc. to internal servers/VM/containers. This is
currently in development for firewalld. I'm hoping it makes the next
feature release.

> I don't currently need port-forwarding to internal servers but, for
> completeness, what would such rules look like?

Nothing. Filtering/blocking IPv6 is already occurring.
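As an added example (not from this thread and not firewalld's own code), here is what the stateful IPv6 forwarding policy asked about above, all outbound allowed, no new inbound to LAN clients, no NAT, looks like when spelled out as firewalld direct rules on the ip6tables FORWARD chain. The interface names eth1 (LAN) and eth0 (WAN) are assumptions, and with the default DRY_RUN=1 the script only prints the firewall-cmd invocations instead of running them.

```shell
#!/bin/sh
# Added example: explicit IPv6 forward filtering as firewalld direct rules.
# Interface names are assumptions; override with LAN_IF=... WAN_IF=... .

# Emit the FORWARD-chain rules, one per line, in the "table chain priority
# args" form that `firewall-cmd --direct --add-rule ipv6 ...` expects.
# There is no masquerade: LAN hosts keep their global addresses and only
# connection state decides what is forwarded back in.
forward_rules() {
    lan="$1"; wan="$2"; prio=2
    # Anything originating on the LAN may leave toward the WAN.
    printf '%s\n' "filter FORWARD 0 -i $lan -o $wan -j ACCEPT"
    # Replies to those connections may come back in.
    printf '%s\n' "filter FORWARD 1 -i $wan -o $lan -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT"
    # RFC 4890: let ICMPv6 error messages (and echo requests) through so
    # path-MTU discovery and basic diagnostics keep working without NAT.
    for t in destination-unreachable packet-too-big time-exceeded parameter-problem echo-request; do
        printf '%s\n' "filter FORWARD $prio -i $wan -o $lan -p ipv6-icmp --icmpv6-type $t -j ACCEPT"
        prio=$((prio + 1))
    done
    # Everything else arriving from the WAN for a LAN host is dropped.
    printf '%s\n' "filter FORWARD $prio -i $wan -o $lan -j DROP"
}

# Install each rule permanently via firewall-cmd. With DRY_RUN=1 (the
# default here) the commands are printed so the policy can be reviewed.
apply_rules() {
    forward_rules "$1" "$2" | while IFS= read -r rule; do
        if [ "${DRY_RUN:-1}" = 1 ]; then
            printf 'firewall-cmd --permanent --direct --add-rule ipv6 %s\n' "$rule"
        else
            # Word-splitting $rule into separate arguments is intended.
            firewall-cmd --permanent --direct --add-rule ipv6 $rule
        fi
    done
}

apply_rules "${LAN_IF:-eth1}" "${WAN_IF:-eth0}"
```

Run as root with DRY_RUN=0 and follow with `firewall-cmd --reload`; since the reply notes that firewalld's default zone targets already filter new inbound forwards, these rules make that policy explicit rather than change it.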