ipv6 firewall – how do I refer to the attached network

Steve Davies asked:

I am in a dual-stack IPv4/IPv6 environment behind an ISP’s router which handles all of the IPv6 setup, so the IPv6 address(es) allocated cannot be assumed to be static.

My linux server is configured automatically with the following style of addresses:

inet 192.168.0.2  netmask 255.255.255.0  broadcast 192.168.0.255
inet6 2a02:...snip...:cc29  prefixlen 64  scopeid 0x0<global>
inet6 fd98:...snip...:cc29  prefixlen 64  scopeid 0x0<global>
inet6 fe80:...snip...:cc29  prefixlen 64  scopeid 0x20<link>

The local network for IPv4 is simple, but how do I refer to devices on the local network in ip6tables? I have already added rules for the simple cases:

-A blockin -p tcp -m tcp -m state --source fe80::/10 --dport 22 --state NEW -j ACCEPT
-A blockin -p tcp -m tcp -m state --source fc00::/7  --dport 22 --state NEW -j ACCEPT

but how do I handle the use of a global address from a local source when it is not a static value?

Or does IPv6 define this as a non-problem somehow by assuring that one of the 2 local addresses will be used at all times?

My answer:


The usual solution for having global dynamic IPv6 addresses is to use unique local addresses (ULA) in your local network for resources on your local network. This puts you in complete control of the addresses you use on your network.

Note that ULA addresses cannot be used to reach the global Internet; that’s not their purpose.

Depending on your local network setup it may be as simple as ticking one checkbox in your router’s (not your ISP’s router) configuration to get ULA addressing going.
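As an added illustration of the approach in the answer (this is example code, not part of the Server Fault thread or of any project's tooling), the script below reads ifconfig/iproute2-style address lines, classifies each IPv6 address as link-local, ULA or global, derives the site's own ULA /48 from the ULA address, and generates ip6tables rules in the same shape as the question's. It goes one step beyond the question's `fc00::/7` rule: matching on your own /48 instead of the whole ULA block means a ULA from some other site reaching you over a tunnel or misrouted link is not accepted either. The addresses are constructed placeholders (the question's snipped addresses replaced with `2001:db8:...` and made-up ULA/link-local values); the function names are my own.

```python
# Added example: classify an interface's IPv6 addresses and build ip6tables
# rules that accept inbound SSH only from link-local sources and from this
# site's own ULA /48, never from the dynamic global prefix.
import ipaddress

LINK_LOCAL = ipaddress.IPv6Network("fe80::/10")
ULA = ipaddress.IPv6Network("fc00::/7")          # RFC 4193 unique local addresses
GLOBAL_UNICAST = ipaddress.IPv6Network("2000::/3")  # the range ISPs delegate from

# Constructed sample in the question's ifconfig format (placeholder addresses).
SAMPLE_IFCONFIG = """\
inet 192.168.0.2  netmask 255.255.255.0  broadcast 192.168.0.255
inet6 2001:db8:1:1::cc29  prefixlen 64  scopeid 0x0<global>
inet6 fd98:1234:abcd:1::cc29  prefixlen 64  scopeid 0x0<global>
inet6 fe80::1:cc29  prefixlen 64  scopeid 0x20<link>
"""


def classify(addr: str) -> str:
    """Return 'link-local', 'ula', 'global' or 'other' for a textual IPv6 address."""
    ip = ipaddress.IPv6Address(addr)
    if ip in LINK_LOCAL:
        return "link-local"
    if ip in ULA:
        return "ula"
    if ip in GLOBAL_UNICAST:
        return "global"
    return "other"


def ula_site_prefix(addr: str) -> ipaddress.IPv6Network:
    """The /48 RFC 4193 assigns to one site: the tightest 'my whole LAN' match."""
    ip = ipaddress.IPv6Address(addr)
    if ip not in ULA:
        raise ValueError(f"{addr} is not a unique local address")
    return ipaddress.IPv6Network((ip, 48), strict=False)


def parse_addresses(output: str) -> list[str]:
    """Pull inet6 addresses out of ifconfig ('inet6 X prefixlen 64') or
    iproute2 ('inet6 X/64 scope ...') lines; the prefix length is dropped."""
    addrs = []
    for line in output.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "inet6":
            addrs.append(parts[1].split("/")[0])
    return addrs


def allowed_sources(local_addrs: list[str]) -> list[ipaddress.IPv6Network]:
    """Link-local plus every ULA /48 this host belongs to (deduplicated, sorted)."""
    site_prefixes = {ula_site_prefix(a) for a in local_addrs if classify(a) == "ula"}
    return [LINK_LOCAL] + sorted(site_prefixes)


def ssh_rules(local_addrs: list[str], chain: str = "blockin", port: int = 22) -> list[str]:
    """Generate ip6tables rules in the form used in the question."""
    return [
        f"-A {chain} -p tcp -m tcp -m state --source {net} --dport {port} --state NEW -j ACCEPT"
        for net in allowed_sources(local_addrs)
    ]


def accepted_source(src: str, local_addrs: list[str]) -> bool:
    """Would a new SSH connection from `src` match one of the generated rules?"""
    ip = ipaddress.IPv6Address(src)
    return any(ip in net for net in allowed_sources(local_addrs))


if __name__ == "__main__":
    addrs = parse_addresses(SAMPLE_IFCONFIG)
    for a in addrs:
        print(f"{a:32} {classify(a)}")
    print("\n".join(ssh_rules(addrs)))
```

Running it prints the three classified addresses and two rules: the link-local one from the question and `--source fd98:1234:abcd::/48` in place of `fc00::/7`. `accepted_source` shows the behaviour the question asks about: a neighbour connecting from its ULA matches, but the same neighbour connecting from its global address does not, so local clients should reach the server by its ULA name or address (a host talking to a ULA destination normally selects a ULA source under RFC 6724's label-matching rule, which is what makes the answer's approach work in practice).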


View the full question and answer on Server Fault.

This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.