
Comments (6)

abelbeck avatar abelbeck commented on August 15, 2024

First, let's use the documentation prefix 2001:db8::/32 for examples so we don't get confused.

Take a look at the default firewall.conf file, lots of examples there:
https://raw.githubusercontent.com/arno-iptables-firewall/aif/master/etc/arno-iptables-firewall/firewall.conf

Look for INET_FORWARD_TCP, you should see an example for what you want to do.

# TCP/UDP port forward examples:
# Simple (IPv6 forward port 80 to internal host 2001:db8::2):
#       INET_FORWARD_TCP="::/0>2001:db8::2~80"

Additionally, the # (hash) character is to specify an interface, and a ~ (tilde) denotes a port or protocol.

Hope that helps.

from aif.

phyber avatar phyber commented on August 15, 2024

Additionally, the # (hash) character is to specify an interface, and a ~ (tilde) denotes a port or protocol.

With the FORWARD rules, this is true and I have been using rules such as 1.2.3.4#0/0~80>5.6.7.8 for a while now.
With the OPEN_{TCP,UDP} rules, not so. The OPEN rules really do use a # to separate IP and port. Attempting to use a ~ to separate IP and port in the OPEN rules breaks them. I cannot remember how I found out about this, as it is not documented (or I can't find it anymore) but I have been using those rules for a number of years now.

The version of AIF that I'm running is 2.0.1e included in Debian Stretch (testing).


abelbeck avatar abelbeck commented on August 15, 2024

This works for me...

OPEN_TCP="2001:db8::2,2001:db8::3#80"

$ ip6tables -nvL EXT_INPUT_CHAIN

Chain EXT_INPUT_CHAIN (4 references)
 pkts bytes target     prot opt in     out     source               destination         
...
    0     0 ACCEPT     tcp      +      *       ::/0                 2001:db8::2          tcp dpt:80
    0     0 ACCEPT     tcp      +      *       ::/0                 2001:db8::3          tcp dpt:80

Note that by using the # (hash) you are selecting only specific destination IPs in such cases where the external interface has multiple IPs assigned to it.

OPEN_{TCP,UDP} typically only contains port numbers unless the interface or destination IP is also defined and as such the # (hash) is used as the delimiter.

Is there something that is not working or you want to filter something specific ?


abelbeck avatar abelbeck commented on August 15, 2024

@phyber I checked and a fix to handling IPv6 addresses before a '#' was added to AIF 2.0.1f with commit b0476a5

So that explains your initial issue you stated and why it works now.

@arnova Do you know how Debian can get updated to 2.0.1f ?

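The two comments above (the OPEN_TCP="2001:db8::2,2001:db8::3#80" listing and the note about the 2.0.1f fix for IPv6 addresses before a '#') describe how the hash delimiter is meant to be read. The following is an added illustration, not code from this thread and not AIF's own parser: a small bash function that splits an OPEN_TCP/OPEN_UDP entry the way the listing implies (address list on the left of the last '#', port on the right, commas between addresses) and prints, without applying, the ACCEPT rules that the ip6tables output above shows. The function name, the choice to split on the final '#', the rejection of interface names and hostnames (only address lists are handled here), and the assumption that port ranges use iptables' low:high form are all this example's own; the chain name EXT_INPUT_CHAIN and the -d/--dport shape are copied from the listing.

```bash
#!/usr/bin/env bash
# Added example, not AIF's own code: a dry-run generator for OPEN_TCP/OPEN_UDP
# entries that shows what the '#' delimiter separates. It prints the ACCEPT
# rules that correspond to the ip6tables listing in the thread; it never runs them.
set -eu

# open_rules ENTRY [PROTO]
# ENTRY is one firewall.conf list item, e.g. "2001:db8::2,2001:db8::3#80",
# "1.2.3.4#22" or a bare port "443". PROTO is tcp (default) or udp.
# Prints one rule per destination address, or one rule without -d when the
# entry carries no '#'. Interface names and hostnames before the '#' are
# refused here (this example handles address lists only; an assumption).
open_rules() {
    local entry=$1 proto=${2:-tcp}
    local dests port tok tool oldifs

    case $entry in
        *'#'*)
            # Split on the LAST '#'. An IPv6 address such as 2001:db8::2 is
            # full of ':' and a port range such as 6000:6010 contains ':' too,
            # so ':' is never a safe delimiter; the final '#' is unambiguous.
            dests=${entry%#*}
            port=${entry##*#}
            ;;
        *)
            dests=''
            port=$entry
            ;;
    esac

    # Accept a port number or an iptables-style range (low:high); refuse anything else.
    case $port in
        ''|*[!0-9:]*)
            echo "open_rules: bad port '$port' in entry '$entry'" >&2
            return 1
            ;;
    esac

    if [ -z "$dests" ]; then
        echo "iptables -A EXT_INPUT_CHAIN -p $proto --dport $port -j ACCEPT"
        return 0
    fi

    # The address list is comma-separated, as in the thread's OPEN_TCP example.
    # Anything containing ':' is IPv6 and goes to ip6tables, a token starting
    # with a digit is IPv4 and goes to iptables.
    oldifs=$IFS
    IFS=','
    set -f                      # no pathname expansion while splitting on ','
    for tok in $dests; do
        case $tok in
            *:*)    tool=ip6tables ;;
            [0-9]*) tool=iptables ;;
            *)
                IFS=$oldifs; set +f
                echo "open_rules: '$tok' is not an IP address; only address lists are handled here" >&2
                return 1
                ;;
        esac
        echo "$tool -A EXT_INPUT_CHAIN -p $proto -d $tok --dport $port -j ACCEPT"
    done
    IFS=$oldifs
    set +f
}

# Demonstration on the thread's own entry (output only, nothing is applied):
open_rules '2001:db8::2,2001:db8::3#80'
```

Run it as a script and compare the two printed lines with the `ip6tables -nvL EXT_INPUT_CHAIN` output above: one ACCEPT per destination address, each with `tcp dpt:80`. Splitting on the last '#' is what keeps the colons of an IPv6 address (or of a port range) from being mistaken for a delimiter, which is the class of problem the 2.0.1f fix addressed.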

phyber avatar phyber commented on August 15, 2024

Oof, wow. Over a year ago. I guess the Debian packager just needs a prod. Apologies for wasting your time on this :)

Edit: Just applied the patch from b0476a5 and it works great, thanks.


arnova avatar arnova commented on August 15, 2024

@abelbeck : Normally the Debian maintainer will upload a new version as soon as we've released a new stable. As an alternative (in the meantime) one could simply uninstall the debian package and just use our tarball (fairly easy with the install script that comes with it).

