
All my devices have IPv4, IPv6 LL, IPv6 ULA and IPv6 GUA addresses like this:

3: wlp1s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
link/ether 88:b1:11:ed:21:c8 brd ff:ff:ff:ff:ff:ff
inet 192.168.1.22/24 brd 192.168.1.255 scope global dynamic noprefixroute wlp1s0
    valid_lft 863780sec preferred_lft 863780sec
inet6 fd00::xxxx:xxxx:xxxx:xxxx/64 scope global dynamic noprefixroute 
   valid_lft 6985sec preferred_lft 3385sec
inet6 2003:d4:4f1f:9500:xxxx:xxxx:xxxx:xxxx/64 scope global dynamic noprefixroute 
   valid_lft 6985sec preferred_lft 1585sec
inet6 fe80::xxxx:xxxx:xxxx:xxxx/64 scope link noprefixroute 
   valid_lft forever preferred_lft forever

Some more complex devices (service providers) have an iptables firewall installed with:

-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -p ipv6-icmp -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

When I now try to reach device a from device b via DNS name, sometimes the IPv6 GUA and sometimes the ULA is used. My firewalls allow some ports (e.g. SSH) only for connections from the ULA subnet. Therefore, I want to force the use of ULAs within my subnet.

Is this the right way? How can I solve this problem without disabling my firewalls and without typing the destination IP?

Thank you

EDIT 20181118: RFC 6724 says: By default, global IPv6 destinations are preferred over ULA destinations, since an arbitrary ULA is not necessarily reachable (Thanks to Ron Maupin). So I obviously did something wrong with my network structure. Is there another way to filter traffic within my subnet using iptables? The global IPv6 prefix is dynamic, so I can't use it in my static iptables to determine if packets come from within my subnet.

Santobert
    https://superuser.com/questions/436574/ipv4-vs-ipv6-priority-in-windows-7 – rtaccon Nov 17 '18 at 17:34
  • [RFC 6724, Default Address Selection for Internet Protocol Version 6 (IPv6)](https://tools.ietf.org/html/rfc6724) explains how the addresses are supposed to be selected. I will not guarantee that your OS follows the RFC. – Ron Maupin Nov 17 '18 at 20:18
  • Add information from RFC 6724 (Thanks to Ron Maupin). There is still no solution. – Santobert Nov 18 '18 at 09:45

1 Answer


Try editing /etc/gai.conf and give your ULAs precedence over the GUAs.

If that doesn't help, and assuming DNS returns all your addresses in random order, a workaround would be to add a new address entry for each machine (maybe under a different subdomain) that returns only the ULA address.

dirkt
  • This would be a solution if I decide to stay with my network structure. RFC 6724 describes this problem without giving a concrete solution. It looks like I did something wrong when I designed my network structure. There should be another solution to determine whether incoming packets are coming from my subnet or not. – Santobert Nov 18 '18 at 09:44
  • RFC 6724 describes how a source address is selected given a destination address. That sometimes GUAs and sometimes ULAs are used as *source* addresses shows that sometimes GUAs and sometimes ULAs are used as *destination* addresses, and this usually comes from DNS giving back addresses in random order. If you don't think this is the reason, debug it: Write a simple C program that does host name resolution and prints out the IPv6 address it gets, run it several times. Editing `/etc/gai.conf` should allow you to prefer ULAs as destination address, fixing the problem. – dirkt Nov 18 '18 at 16:54
  • If you want to determine whether packets come from your subnet or not, you can of course check for *all* prefixes you assigned on your subnet, including GUAs. Then it won't matter which prefixes are chosen based on DNS. – dirkt Nov 18 '18 at 16:56
  • Thanks for the clarification. I've read some other posts like [this](https://superuser.com/questions/802973/ip6tables-how-to-handle-periodically-changing-prefix) that describes my problem pretty well. I don't want to edit a client's configuration unless there is a solution to solve the problem for all clients. The article above recommends using the hostname in iptables. Isn't it unsafe since everyone can assign themselves a different hostname and/or domain? – Santobert Nov 18 '18 at 20:38
  • As I wrote: The problematic point is how your DNS works (and you didn't give any details how it is set up). You also didn't say how you acquire your GUA prefix (from your ISP? Does it change?). To be on the safe side, you must control your DNS (e.g. via a proxy, or even using `/etc/hosts`). If you can guarantee that either (1) you have special DNS entry only for ULAs, e.g. in a subdomain, or (2) ULAs are always the preferred choice, either via `/etc/gai.conf`, or via DNS configuration, or (3) your GUA prefix and the DNS entries always match, then you can base `iptables` entries on that. – dirkt Nov 19 '18 at 06:43
  • So think about your DNS infrastructure. `iptables` will always work on a numeric basis. You can regularly update the entries from current DNS, or force synchronicity via dynamic DNS, but DNS is the key point. – dirkt Nov 19 '18 at 06:44
  • The GUA prefix comes from my ISP. I get a complete dual stack. Unfortunately, the prefix changes often, so I can't rely on it. My local DNS server runs on my router (AVM FritzBox 7590). I can't control the DNS directly via the web interface because there are no options. I would use the GUA prefix for iptables if it wasn't changed so often. Thank you very much for your help and patience. – Santobert Nov 19 '18 at 08:36
  • So the choice is (1) change all clients, either `gai.conf` (try on a single client first), or dedicated `/etc/hosts` for ULAs. Mass changing these via `ssh` is easy if keys are installed; (2) move DNS from the Fritzbox to some other device you control; (3) hack the Fritzbox DNS by exporting the configuration, decrypting it (google), adding static DNS entries for ULAs, and importing it again. – dirkt Nov 19 '18 at 08:43
  • Thank you. I'll think about it. My preferred solution is (2) using a dedicated DNS. It looks like the cleanest solution to me. – Santobert Nov 19 '18 at 08:59
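The `/etc/gai.conf` route from the answer, worked through as an added example (this is not code posted by anyone in the thread). The script applies RFC 6724 rule 6 (prefer higher precedence) and rule 8 (longest matching prefix with the source the host would pick) to the AAAA records DNS returns, reading the precedence table from gai.conf-style `precedence` lines, so the three tables in it are in the exact syntax `/etc/gai.conf` takes. All addresses are constructed: `fd00:0:0:1::/64` stands for the ULA /64 and `2001:db8:4f1f:9500::/64` (documentation space) for the ISP-assigned GUA /64; the `GLIBC_DEFAULT` table is what the comments in glibc's shipped gai.conf list and is an assumption to check against your own host.

```python
"""Destination-address ordering as getaddrinfo(3) does it under RFC 6724:
rule 6 (prefer higher precedence), broken by rule 8 (longest matching prefix
with the source that would be used). The precedence table is read from
gai.conf-style 'precedence <prefix>/<len> <value>' lines, so each table below
can be dropped into /etc/gai.conf unchanged.

Added example for this thread, not code posted by anyone in it. Addresses are
constructed: fd00:0:0:1::/64 stands for the ULA /64 and 2001:db8:4f1f:9500::/64
(documentation space) for the ISP-assigned GUA /64."""
import ipaddress

# RFC 6724 section 2.1 default policy table (precedence column only).
RFC6724_DEFAULT = """\
precedence ::1/128        50
precedence ::/0           40
precedence ::ffff:0:0/96  35
precedence 2002::/16      30
precedence 2001::/32       5
precedence fc00::/7        3
precedence ::/96           1
precedence fec0::/10       1
precedence 3ffe::/16       1
"""

# What the comments in glibc's /etc/gai.conf list as its built-in default
# (still the RFC 3484 values). Assumed here; verify against your own host.
# There is no fc00::/7 row, so ULA and GUA both score 40 and tie.
GLIBC_DEFAULT = """\
precedence ::1/128        50
precedence ::/0           40
precedence 2002::/16      30
precedence ::/96          20
precedence ::ffff:0:0/96  10
"""

# The fix the answer proposes: same table, ULAs lifted above ::/0. gai.conf
# discards the whole built-in table as soon as one 'precedence' line is
# present, so every other row has to be written out as well.
PREFER_ULA = "\n".join(
    "precedence fc00::/7        45" if line.startswith("precedence fc00::/7") else line
    for line in RFC6724_DEFAULT.splitlines()
)


def parse_precedence(text):
    """Parse 'precedence <net> <value>' lines; blank lines and # comments are skipped."""
    table = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, net, value = line.split()
        if key == "precedence":
            table.append((ipaddress.IPv6Network(net), int(value)))
    return table


def precedence(addr, table):
    """Longest-prefix match of addr against the table (RFC 6724 section 2.1)."""
    best_len, best_val = -1, 0
    for net, value in table:
        if addr in net and net.prefixlen > best_len:
            best_len, best_val = net.prefixlen, value
    return best_val


def common_prefix_len(a, b):
    """Number of leading bits two IPv6 addresses share."""
    return 128 - (int(a) ^ int(b)).bit_length()


def pick_source(dest, sources):
    """Source selection reduced to rule 8 (longest matching prefix): the
    candidate sources here share scope and label, so the earlier rules tie."""
    return max(sources, key=lambda s: common_prefix_len(s, dest))


def order_destinations(dests, sources, gai_conf_text):
    """Return dests in the order getaddrinfo would hand them to connect():
    higher precedence first, then longer match with the chosen source; ties
    keep the order DNS returned (sorted() is stable), which is the symptom
    described in the question."""
    table = parse_precedence(gai_conf_text)
    sources = [ipaddress.IPv6Address(s) for s in sources]

    def rank(d):
        addr = ipaddress.IPv6Address(d)
        src = pick_source(addr, sources)
        return (-precedence(addr, table), -common_prefix_len(src, addr))

    return sorted(dests, key=rank)


# Constructed host: one ULA and one GUA source, like wlp1s0 in the question.
MY_SOURCES = ["fd00:0:0:1::22", "2001:db8:4f1f:9500::22"]
# Constructed: the two AAAA records DNS returned for the peer, in arrival order.
DNS_ANSWER = ["2001:db8:4f1f:9500::10", "fd00:0:0:1::10"]

if __name__ == "__main__":
    for name, conf in [("RFC 6724", RFC6724_DEFAULT), ("glibc", GLIBC_DEFAULT),
                       ("prefer ULA", PREFER_ULA)]:
        print(f"{name:>10}: {order_destinations(DNS_ANSWER, MY_SOURCES, conf)}")
```

With the RFC table the GUA wins whatever order DNS used; with the glibc-style table both candidates score 40, share a label and match their source equally well, so DNS order decides and the peer is reached over the ULA or the GUA at random; with `PREFER_ULA` in `/etc/gai.conf` the ULA comes first every time. Two things to check before relying on it: `gai.conf` only affects programs that resolve through `getaddrinfo()` (a resolver that sorts on its own, or an application that picks an address itself, ignores it), and the file has to be present on every client, which is why the thread ends up discussing DNS instead.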
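The other thread of the discussion, "check for all prefixes you assigned on your subnet, including GUAs" against a GUA prefix the ISP keeps changing, as an added example (not code from anyone in the thread). The script reads the global-scope prefixes off an `ip -6 addr show` dump, emits one SSH ACCEPT per on-link prefix, and works out which rules to delete and add after a renumbering, so it can run from a timer or a NetworkManager dispatcher hook. It never calls `ip6tables` itself; the rule strings are returned for the caller to feed to `ip6tables` or `ip6tables-restore`. The interface dump, the ULA and the `2001:db8::/32` documentation prefixes are constructed after the output in the question; chain name and port are assumptions.

```python
"""Keep ip6tables source-prefix rules in step with the prefixes currently on
an interface: the static ULA /64 and the ISP's changing GUA /64. Parses
'ip -6 addr show <if>' text and returns rule lines; nothing is applied to a
live firewall, so it runs and reads offline.

Added example for this thread, not code from anyone in it. The interface dump
is constructed after the one in the question with documentation addresses
(2001:db8::/32) and a made-up ULA; chain and port are plain assumptions."""
import ipaddress
import re

ULA = ipaddress.IPv6Network("fc00::/7")
INET6_LINE = re.compile(r"^\s*inet6\s+(\S+)\s+scope\s+(\w+)")

# Constructed: what 'ip -6 addr show wlp1s0' might print on a host like the
# one in the question (link-local, ULA and GUA on one interface).
SAMPLE_IP_ADDR = """\
3: wlp1s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    inet6 fd00:0:0:1:1c2a:9fb0:7d55:e2a1/64 scope global dynamic noprefixroute
       valid_lft 6985sec preferred_lft 3385sec
    inet6 2001:db8:4f1f:9500:1c2a:9fb0:7d55:e2a1/64 scope global dynamic noprefixroute
       valid_lft 6985sec preferred_lft 1585sec
    inet6 fe80::1c2a:9fb0:7d55:e2a1/64 scope link noprefixroute
       valid_lft forever preferred_lft forever
"""

# Constructed: the same host after the ISP handed out a new prefix.
SAMPLE_AFTER_RENUMBER = SAMPLE_IP_ADDR.replace("2001:db8:4f1f:9500:", "2001:db8:1234:5600:")


def onlink_prefixes(ip_addr_output):
    """Global-scope on-link networks from 'ip -6 addr' text, ULA first.
    Link-local is skipped on purpose: fe80::/64 looks the same on every link
    and would admit any directly attached host, which is not the intent."""
    nets = []
    for line in ip_addr_output.splitlines():
        m = INET6_LINE.match(line)
        if not m or m.group(2) != "global":
            continue
        net = ipaddress.IPv6Interface(m.group(1)).network
        if net not in nets:
            nets.append(net)
    return sorted(nets, key=lambda n: (not n.subnet_of(ULA), str(n)))


def ssh_rules(ip_addr_output, chain="INPUT", port=22):
    """One ACCEPT per on-link prefix, matching only new connections so the
    RELATED,ESTABLISHED rule from the question keeps handling the rest."""
    return [f"-A {chain} -s {net} -p tcp --dport {port} "
            f"-m conntrack --ctstate NEW -j ACCEPT"
            for net in onlink_prefixes(ip_addr_output)]


def refresh_commands(old_rules, new_rules):
    """ip6tables arguments to run once the prefix set has changed: delete the
    rules whose prefix is gone (the previous GUA), add the new ones, and leave
    the rules that are still valid (the ULA) untouched."""
    delete = [r.replace("-A ", "-D ", 1) for r in old_rules if r not in new_rules]
    add = [r for r in new_rules if r not in old_rules]
    return delete, add


if __name__ == "__main__":
    before = ssh_rules(SAMPLE_IP_ADDR)
    after = ssh_rules(SAMPLE_AFTER_RENUMBER)
    for args in sum(refresh_commands(before, after), []):
        print("ip6tables", args)
```

The ULA rule never changes, so it can stay in the static rule set; only the GUA rule is regenerated. Matching on source address is only as trustworthy as the ingress filtering at the border: the GUA rule assumes the router drops packets arriving from the WAN that claim one of your own on-link prefixes, whereas packets with a ULA source should never reach you from the Internet at all, which is what made the ULA-only restriction in the question attractive in the first place.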