IPv6 port forwarding and port existing iptables rules to firewalld service

We currently enforce the firewall configuration using iptables and ip6tables. The iptables rules are being stored in a file and effected using iptables-restore and ip6tables-restore command. I have 2 questions on this:
1) Using ip6tables, is there a way to redirect the IPv6 TCP traffic arriving at a specific port to another port within same interface?
2) As an alternative, we are also exploring the firewalld service to do this. The firewalld service seems to be persisting the rules in XML files. Is there any easy way to translate the existing iptables and ip6tables rules to these firewalld understandable XML file format?

Responses

Using iptables, it shouldn't be any different with IPv6 except for using ip6tables, like you said:

Using firewalld:
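As an added illustration of the two approaches asked about above (this is not the responder's code and not from the thread), the script below emits an ip6tables-restore fragment that redirects IPv6 TCP traffic arriving on one port to another port on the same interface, plus the firewalld commands that configure the same forward. The interface name, ports and zone are constructed placeholders.

```shell
#!/bin/sh
# Added example, not code from the thread. Builds an ip6tables-restore
# fragment that redirects IPv6 TCP traffic from one port to another on the
# same interface, and the matching firewalld commands.
# IFACE, FROM_PORT, TO_PORT and ZONE are constructed placeholders.

IFACE="${IFACE:-eth0}"
FROM_PORT="${FROM_PORT:-8080}"   # port clients connect to
TO_PORT="${TO_PORT:-80}"         # port the daemon actually listens on
ZONE="${ZONE:-public}"

# nat table fragment in ip6tables-restore format. REDIRECT (IPv6 NAT needs
# kernel >= 3.7) rewrites the destination port of packets entering $IFACE;
# the OUTPUT rule does the same for connections made from the host itself.
ip6_redirect_nat() {
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i $IFACE -p tcp --dport $FROM_PORT -j REDIRECT --to-ports $TO_PORT
-A OUTPUT -o lo -p tcp --dport $FROM_PORT -j REDIRECT --to-ports $TO_PORT
COMMIT
EOF
}

# filter table fragment: after REDIRECT the INPUT chain sees dport $TO_PORT,
# so that is the port to accept; $FROM_PORT itself needs no ACCEPT rule.
ip6_redirect_filter() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i $IFACE -p tcp --dport $TO_PORT -m conntrack --ctstate NEW -j ACCEPT
COMMIT
EOF
}

# Parse the combined file without loading it (ip6tables-restore --test).
# Only runs when ip6tables-restore is installed; returns 2 otherwise.
check_rules() {
    command -v ip6tables-restore >/dev/null 2>&1 || return 2
    { ip6_redirect_nat; ip6_redirect_filter; } | ip6tables-restore --test
}

# Equivalent firewalld configuration. The rich rule names family="ipv6"
# explicitly so the forward is installed for IPv6 on older firewalld too.
# firewalld accepts the connections it forwards itself, so $TO_PORT only
# needs --add-port if clients should also reach it directly.
firewalld_commands() {
    cat <<EOF
firewall-cmd --permanent --zone=$ZONE --add-interface=$IFACE
firewall-cmd --permanent --zone=$ZONE --add-rich-rule='rule family="ipv6" forward-port port="$FROM_PORT" protocol="tcp" to-port="$TO_PORT"'
firewall-cmd --reload
EOF
}
```

Run it as `IFACE=eth0 FROM_PORT=8080 TO_PORT=80 sh -c '. ./redirect.sh; ip6_redirect_nat; ip6_redirect_filter > /dev/null; check_rules'` to print the nat fragment and syntax-check the whole file before pointing ip6tables-restore at it for real.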

Appreciate your input. Is there any restriction/constraint with IPv6 NAT rules? For instance, the below mentions that IPv6 was not designed for NAT. http://www.admin-magazine.com/Archive/2014/20/IPv6-Tables The kernel version is 3.10 and ip6tables version is v1.4.21.

You are correct, IPv6 was not originally designed for NAT. Despite multiple IEEE recommendations not to implement IPv6 NAT and instead to use IPv6 properly, someone went and invented IPv6 NAT anyway. So now we have IPv6 NAT.

I imagine there are differences in iptables NAT rules between IPv4/IPv6, but I don't know any off the top of my head.

If you have a specific command you're unable to apply, feel free to sanitise the IPs and post the command here, or a support case could be more appropriate if you'd like issue ownership and an SLA on response time.

Thanks Jamie! I am looking to understand the options available to migrate from iptables and ip6tables to firewalld service. From RHEL documentation, I understand that firewall-offline-cmd tool is available for migrating from iptables to firewalld if the iptables rules were effected using system-config-firewall graphical tool.

https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/migration_planning_guide/sect-red_hat_enterprise_linux-migration_planning_guide-security_and_access_control

However, we have been implementing iptables rules by statically populating the rules list and enforcing it using iptables-restore or ip6tables-restore. It appears the only way to migrate these rules to firewalld is using manual approach. Is there an easier approach to use the rules list which were populated for iptables and ip6tables to migrate to firewalld?

I don't know of such a tool, sorry. I imagine you'd have to look at what the rules are doing, consider which zones which interfaces/IPs are in, and create a new firewalld ruleset from scratch.

Depending on your needs, you might want to reconsider the move.

firewalld is a zone-based, incoming-only firewall; it's not designed to filter outbound traffic. So if your iptables rules also filter outbound, perhaps firewalld doesn't meet your needs.

firewalld does have the direct rule syntax, which simply takes iptables-style rules and applies those along with the other incoming zone-based rules. You can apply outbound rules this way but it offers no advantage over iptables.

You can still use iptables on RHEL7, that's no problem.

RHEL8 includes nftables which can cope with complex rulesets like iptables and also offers better performance than iptables with much more flexibility and handy rule implementations:

In RHEL7, firewalld uses iptables as its backend. If you configure some things with firewalld and then run iptables -nvxL, you'll see the rules as firewalld implements them. This means you cannot use iptables on its own while firewalld is on, as firewalld is managing iptables as a sort of state machine.

In RHEL8, firewalld moves to using nftables as its backend, and only applies direct rules using iptables. I imagine there are plans to move the direct rules to nft as well. firewalld also creates its own table within nft, so others can apply other nft rules alongside the firewalld rules. There's no longer that monopoly on the underlying firewall backend.

Long story short, perhaps you're better off sticking with iptables for EL7 and migrating to nftables for EL8?

I am aware there are ipt-to-nft migration tools but I've never played with them:
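As an added example of the nftables path suggested in this reply (not the responder's code and not from the thread), the script below writes the nft form of the same IPv6 port redirect and wraps the ip6tables-restore-translate tool that converts an existing ip6tables-restore file into nft syntax. The interface, ports and the input file path are constructed placeholders.

```shell
#!/bin/sh
# Added example, not code from the thread. Shows the nftables form of an
# IPv6 TCP port redirect and how to run ip6tables-restore-translate on an
# existing ip6tables-restore file. IFACE, FROM_PORT and TO_PORT are
# constructed placeholders.

IFACE="${IFACE:-eth0}"
FROM_PORT="${FROM_PORT:-8080}"
TO_PORT="${TO_PORT:-80}"

# nft ruleset: 'redirect to :port' in a nat-hook prerouting chain is the
# nft equivalent of ip6tables REDIRECT --to-ports. The filter chain accepts
# the rewritten destination port ($TO_PORT), not the port clients used.
nft_redirect_ruleset() {
    cat <<EOF
table ip6 nat {
    chain prerouting {
        type nat hook prerouting priority -100; policy accept;
        iifname "$IFACE" tcp dport $FROM_PORT redirect to :$TO_PORT
    }
}
table ip6 filter {
    chain input {
        type filter hook input priority 0; policy drop;
        iif "lo" accept
        ct state established,related accept
        iifname "$IFACE" tcp dport $TO_PORT ct state new accept
    }
}
EOF
}

# Translate an existing ip6tables-restore file (for example the file fed to
# ip6tables-restore today) to nft syntax. Prints the translation on stdout;
# returns 2 if the translate tool is not installed.
translate_ip6tables_file() {
    command -v ip6tables-restore-translate >/dev/null 2>&1 || return 2
    ip6tables-restore-translate -f "$1"
}

# Parse-only check of the generated ruleset: 'nft -c' validates the syntax
# without loading anything into the kernel. Returns 2 if nft is absent.
check_nft_ruleset() {
    command -v nft >/dev/null 2>&1 || return 2
    nft_redirect_ruleset | nft -c -f -
}
```

A practical migration order is to run `translate_ip6tables_file /path/to/ip6tables-rules` first, compare its output with a hand-written ruleset like the one above, then `check_nft_ruleset` before loading with `nft -f`, since translated rulesets can contain rules the translator could not express and marks with a comment.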