I have a Linux router without an ipv6 stack and a Linux host inside the NAT. How do I use iptables to forward 6to4 traffic back and forth between the NAT router and the host and then configure the 6to4 tunnel on the host using the router's public IPv4 address?
This recipe (on the router) gets an ipv6 ping to the host's eth0 but they don't make it onto the tun6to4 interface. Wireshark says "ICMP Destination unreachable (Port unreachable)" as an ipv4 response to the 6to4 ping.
# inbound destination NAT for IPv6 tunnel. ppp0 is router's WAN interface.
iptables -t nat -A PREROUTING -i ppp0 -p 41 -j DNAT --to 192.168.1.100
# inbound forwarding for IPv6 tunnel
iptables -t filter -A FORWARD -i ppp0 -p 41 -d 192.168.1.100 -j ACCEPT
I am using this script on the Linux host, passing the router's public ip:
#!/bin/bash
### Get the global IPv4 address for your host from the command line:
GLOB_IP4=$1
### Compute the 6TO4 tunnel IPv6 address:
GLOB_IP6TO4=$(printf "2002:%02x%02x:%02x%02x::1" $(echo $GLOB_IP4 | tr . ' '))
### Setup the tunnel
ip tunnel add tun6to4 mode sit remote any local $GLOB_IP4 ttl 64
ip link set dev tun6to4 up
ip addr add $GLOB_IP6TO4/16 dev tun6to4
ip route add 2000::/3 via ::192.88.99.1 dev tun6to4 metric 1
iptables -t nat -A PREROUTING -d 192.0.2.75 -p 41 -j DNAT --to 10.0.0.2on the router should do the trick, assuming that all flows are initiated from outside to your IP address (given as192.0.2.75in this example). If your IPv6-capable box starts things, then regular catch-all SNAT rules should do the trick.The Secret Sauce
I thought the local tunnel address would affect 6to4 encapsulation and would have to be my global IPv4 address.
It had to be the host's address, in my case 192.168.1.100. Leaving everything else the same, it works!