Listen address/listen on ipv6


jeroen...@gmail.com

Jul 27, 2017, 11:49:11 AM
to NxFilter
Hi,

As my setup is kind of special on raspberry the listen address is kind of "limited".
If I set listen to 0.0.0.0 NXfilter can not start as there is already dnsmasq on another interface. Yes I know, no sane person has 2 dns services on a computer, but I do :)
I can dedicate it to a fixed ip4 (192.168.1.4) and it works flawlessly, but I would like NXfilter to listen to ipv6.

Ipv6 is growing and my isp serves native ipv6
When I enable IPv6 on my router, most machines get the DNS from isp through router advertising and thus bypassing nxfilter.
I can set a manual DNS, but I can not get nxfilter to listen on this ipv6 address as I need to limit it to ipv4 (listen address)
So doing an nslookup results in failure.

So basic question: instead of listening on an ip, could it be possible to listen on an interface? (eth4 in my case) or make it possible to add an extra listen address:
listen: 192.168.1.4, 2002.1234,5678,aaaa,bbbb,ccccc,etc

If this is not at all possible:
Is there any linux specialist that can tell me how to do a port forwarding from ipv6 port 53 (udp and tcp) to 192.168.1.4
So faking an ipv6 dns server. I know nxfilter will give the correct answer regarding the ipv6 requests.
Not sure if this works, but it might be worth a test

Thanks already,

Jeroen

Jinhee

Jul 27, 2017, 4:37:15 PM
to NxFilter
Did you set this on 'startup.sh' to false?

   java -Djava.net.preferIPv4Stack=true

jeroen...@gmail.com

Jul 28, 2017, 5:45:19 AM
to NxFilter
Hi and no,

Can do that, but what does this change for listen address?
Will nxfilter listen on ipv6 port if I set that?
Currently I can not set listen = 0.0.0.0 as it will try to listen on all interfaces.
So I have listen=192.168.1.4, which in my point of view does not tell nxfilter to listen on 1234:4567:8910:0000:0000:0000:0000 (fake ipv6 example)

Are we talking about the same with that java argument?

Jinhee

Jul 28, 2017, 9:16:20 AM
to NxFilter
I don't know about your situation but NxFilter ignores IPv6 connections by default. So you need to make it listen for IPv6 clients first.

jeroen...@gmail.com

Jul 28, 2017, 10:41:57 AM
to NxFilter
And how do i do that?
With the java argument?
I can set that, but in config file I have listen to: 192.168.1.4.
How does nxfilter know to listen on ipv6 also?
Can not set listen 0.0.0.0 as in that case startup reports port is busy. Correct in my case as I have another dns on 192.168.1.2 port 53 running.

Jinhee

Jul 28, 2017, 6:35:38 PM
to nxfil...@googlegroups.com
What I am saying is that it might not be related to your IPv4 listening setup. So actually, I am not so sure. But you can try that on 'startup.sh'. Just replace 'true' with 'false'.

jeroen...@gmail.com

Jul 31, 2017, 9:19:26 AM
to NxFilter
Just changed the startup.sh: not listening on ipv6, only on ipv4. Also changed config to listen:0.0.0.0. Same: only responding to ipv4, not listening on the ipv6 part of the nic.
Is there a way to change the config to have the program listen to interface instead of ip4 only?

Forget my setup and keep this question general: Is there a way to bind nxfilter to both ipv6 and ipv4 ? Like dnsmasq can?

See this:
C:\Users\Jeroen>nslookup
Default Server:  UnKnown
Address:  2002:c0a8:102::4
> www.google.nl
Server:  UnKnown
Address:  2002:c0a8:102::4
*** UnKnown can't find www.google.nl: No response from server
> server 2002:c0a8:102::1
Default Server:  [2002:c0a8:102::1]
Address:  2002:c0a8:102::1
> www.google.nl
Server:  [2002:c0a8:102::1]
Address:  2002:c0a8:102::1
Name:    www.google.nl
Address:  216.239.38.120
> server 192.168.1.4
Default Server:  [192.168.1.4]
Address:  192.168.1.4
> www.google.nl
Server:  [192.168.1.4]
Address:  192.168.1.4
Non-authoritative answer:
Name:    forcesafesearch.google.com
Address:  216.239.38.120
Aliases:  www.google.nl
> server 192.168.1.2
Default Server:  wpad.noads.local
Address:  192.168.1.2
> www.google.nl
Server:  wpad.noads.local
Address:  192.168.1.2
Name:    www.google.nl
Address:  216.239.38.120
>

192.168.1.2: dnsmasq running on eth0 ipv4: works for ipv4
192.168.1.4: NXFilter running on eth4 ipv4: works for ipv4
[2002:c0a8:102::1]: dnsmasq running on eth0 ipv6: works for ipv6
[2002:c0a8:102::4]: NXFilter NOT running on eth4: does NOT work for ipv6
How can I get nxfilter to listen on ipv6?

Jinhee

Jul 31, 2017, 6:22:02 PM
to NxFilter
So you set the value to 'false'?

  java -Djava.net.preferIPv4Stack=false

When I set it to 'false' and set my DNS server to NxFilter using its IPv6 address,

DEBUG [2017-08-01 07:12:52] - RHr, RH #5, ammonia.daum.net, rqSize= 0, rDc = 1, rTtl = 0, rType = 1.
DEBUG [2017-08-01 07:12:52] - RHr, RH #6, www.daum.net, rqSize= 0, rDc = 1, rTtl = 0, rType = 1.
DEBUG [2017-08-01 07:12:52] - RHr, Login redirection for fe80:0:0:0:ac2c:4d45:abd:9a75%10.
DEBUG [2017-08-01 07:12:52] - RHr, Login redirection for fe80:0:0:0:ac2c:4d45:abd:9a75%10.
DEBUG [2017-08-01 07:12:55] - RHr, RH #7, bbs.miznet.daum.net, rqSize= 0, rDc = 1, rTtl = 0, rType = 1.
DEBUG [2017-08-01 07:12:55] - RHr, RH #8, dwarfs.tistory.com, rqSize= 0, rDc = 1, rTtl = 0, rType = 1.
DEBUG [2017-08-01 07:12:55] - RHr, Login redirection for fe80:0:0:0:ac2c:4d45:abd:9a75%10.
DEBUG [2017-08-01 07:12:55] - RHr, RH #1, gadgetstory.tistory.com, rqSize= 0, rDc = 1, rTtl = 0, rType = 1.

See the login redirection part?

  Login redirection for fe80:0:0:0:ac2c:4d45:abd:9a75%10.

That happens as it can't find IPv6 association on NxFilter. So it listens on IPv6 address. We just made it listen only on IPv4 by default. And in this forum, many people are talking about IPv6 redirection. Why would we talk about it if it can't listen on IPv6?

jeroen...@gmail.com

Aug 1, 2017, 5:30:56 AM
to NxFilter
Ok......
Can I assume the answer to this question: "does nxfilter listen on ipv6" = yes, provided you set java -Djava.net.preferIPv4Stack=false
(forget my weird setup: on a standard install the answer is yes...?)
No clue what you mean by login redirection by the way. How should I translate that? Is that a setting in the gui I should populate to (in my case: 2002:c0a8:102::4)?

Now back to the initial post:
Can I set "listen to" ipv6 address or listen to device?

Jinhee

Aug 1, 2017, 9:28:13 AM
to NxFilter
You only get IPv6 IP address as a client IP address when you listen on IPv6 address. 

jeroen...@gmail.com

Aug 1, 2017, 10:00:39 AM
to NxFilter
Hi,

Sorry for my Dutch:
What kind of answer is this...?
Any possibility I can get a normal answer on my question: how can I set NXfilter to listen to ipv6?

jeroen...@gmail.com

Aug 1, 2017, 10:56:00 AM
to NxFilter
To explain: how can I get NXfilter to listen on IPv6 in combination with listen to.

Jinhee

Aug 1, 2017, 6:51:48 PM
to nxfil...@googlegroups.com
"You only get IPv6 IP address as a client IP address when you listen on IPv6 address" <- This means that when I show you the client redirection with IPv6 IP address, it's only possible when it's listening on IPv6. Otherwise it can't get an IPv6 IP address as its client IP address.

And this option,

  java -Djava.net.preferIPv4Stack=true

It's on Java level. We set it 'true' as we only listen on IPv4 by default. But if you set it to 'false' you should be listening on IPv6.

If you set it to 'false' as you said, it should be listening on IPv6. I don't know how you tested it though. Try the easiest step first. Run NxFilter with that option 'false' and on the same machine access it using IPv6 address.

jeroen...@gmail.com

Aug 2, 2017, 4:47:36 AM
to NxFilter
How do I set listen_ip= to ipv6? in cfg.properties?

Jinhee

Aug 2, 2017, 7:01:08 AM
to NxFilter
It's on Java level.

   java -Djava.net.preferIPv4Stack=true <- This means that we prefer IPv4 and ignore IPv6

So you set it to 'false' and restart it then it should be listening on IPv6. We don't allow/disallow on NxFilter side.

jeroen...@gmail.com

Aug 2, 2017, 7:53:53 AM
to NxFilter
I understand that, but I can not start with ipv6 as it tries to bind port 53 on all adapters ipv6.
If I disable dnsmasq I can start.
This is an indication that ipv6 is started by nx filter on all interfaces.
If dnsmasq is running I get java exception startup error: cannot bind to port 53: already in use

So again: how can I set the listen_ip for ipv6 in cfg.properties.
For ipv4 this works fine. Now I am looking for the same for ipv6

Jinhee

Aug 2, 2017, 10:17:04 AM
to NxFilter
We don't have it for IPv6 yet.

jeroen...@gmail.com

Aug 2, 2017, 10:44:28 AM
to NxFilter
ah   :)
No wonder I could not get this working

jeroen...@gmail.com

Aug 2, 2017, 11:40:03 AM
to NxFilter
Until that time, for anyone that has a similar issue on raspberry/ux:
A temp workaround until listen_ip ipv6 is implemented:
apt-get install socat

sudo socat UDP6-RECVFROM:53,fork,bind=[2002:c0a8:102::4] UDP4-SENDTO:192.168.1.4:53
sudo socat UDP6-RECVFROM:5355,fork,bind=[2002:c0a8:102::4] UDP4-SENDTO:192.168.1.4:5355
sudo socat TCP6-LISTEN:53,fork,bind=[2002:c0a8:102::4] TCP4:192.168.1.4:53
sudo socat TCP6-LISTEN:80,fork,bind=[2002:c0a8:102::4] TCP4:192.168.1.4:80

Hint: You could put the socat lines above in rc.local

Where in my case:
[2002:c0a8:102::4] = ipv6 local address where nxfilter
192.168.1.4=ipv4 local address

There is 1 (small) issue with this: nxfilter sees for all dns lookups the same IP (in my case 192.168.1.4) so NX policies based on ip will fail/work not as expected.
Until Jinhee fixes the listen_ip (if he has time or need), this seems to be the only workaround with 2 dnsservers on 1 device with multiple nics.

When using lighttpd: (read PIHOLE)
in lighttpd.conf
# default listening port for IPv6 falls back to the IPv4 port
# Exclude this one!!!# include_shell "/usr/share/lighttpd/use-ipv6.pl " + server.port
Before running the redirect for tcp6 port 80
And then create your own socat TCP6-LISTEN:80,fork,bind=[xxx:xxx:etc::etc] TCP4:123.456.789.0:80 if you need lighttpd to listen to ipv6
In my case: sudo socat TCP6-LISTEN:80,fork,bind=[2002:c0a8:102::1] TCP4:192.168.1.2:80
Also be aware that a pihole -up or -r will reset lighttpd.conf

And here we go on ipv6:
C:\Users\Jeroen>nslookup
Default Server:  UnKnown
Address:  2002:c0a8:102::4

Server:  UnKnown
Address:  2002:c0a8:102::4

Non-authoritative answer:
Addresses:  2a00:1450:4016:809::200e
          172.217.22.206
Aliases:  www.youtube.com


Server:  UnKnown
Address:  2002:c0a8:102::4

Non-authoritative answer:
Name:    www.porn.nl
Addresses:  2002:c0a8:102::4
          192.168.1.4

>so porn.nl is nicely blocked by the filter.


Jeroen
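
A check for the end state of the workaround above, added here as an example and not part of the original thread: it parses `ss -H -lntup` output and reports which of the filter's addresses have no listener of their own on port 53 (IPv6 clients pointed there get no filtered answers) and whether any process holds a wildcard bind that would collide with a second DNS server. The sample lines are constructed from the thread's addresses; the process names, PIDs and the `REQUIRED` list are assumptions.

```python
import ipaddress
import re

WILDCARDS = {"*", "0.0.0.0", "::"}

def parse_listeners(ss_text):
    """Turn `ss -H -lntup` lines into (proto, address, port, process) tuples."""
    listeners = []
    for line in ss_text.strip().splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue
        host, _, port = fields[4].rpartition(":")
        host = host.split("%")[0].strip("[]")      # drop zone id and brackets
        if host != "*":
            host = str(ipaddress.ip_address(host))  # canonical text form
        proc = re.search(r'\(\("([^"]+)"', line)
        listeners.append((fields[0], host, int(port), proc.group(1) if proc else "?"))
    return listeners

def audit(listeners, required, port=53):
    """Report required addresses without their own listener, and wildcard binds."""
    on_port = [l for l in listeners if l[2] == port]
    bound = {(proto, addr) for proto, addr, _, _ in on_port}
    wanted = [str(ipaddress.ip_address(a)) for a in required]
    return {
        "unbound": [(p, a) for a in wanted for p in ("udp", "tcp") if (p, a) not in bound],
        "wildcard": [(p, a, name) for p, a, _, name in on_port if a in WILDCARDS],
    }

# Constructed samples: addresses from the thread, process names, PIDs and fds made up.
BEFORE = """
udp UNCONN 0 0 192.168.1.2:53 0.0.0.0:* users:(("dnsmasq",pid=612,fd=4))
udp UNCONN 0 0 [2002:c0a8:102::1]:53 [::]:* users:(("dnsmasq",pid=612,fd=6))
udp UNCONN 0 0 192.168.1.4:53 0.0.0.0:* users:(("java",pid=845,fd=61))
tcp LISTEN 0 50 192.168.1.4:53 0.0.0.0:* users:(("java",pid=845,fd=62))
"""
AFTER = BEFORE + """
udp UNCONN 0 0 [2002:c0a8:102::4]:53 [::]:* users:(("socat",pid=901,fd=5))
tcp LISTEN 0 5 [2002:c0a8:102::4]:53 [::]:* users:(("socat",pid=902,fd=5))
"""
REQUIRED = ["192.168.1.4", "2002:c0a8:102::4"]

if __name__ == "__main__":
    for label, sample in (("before", BEFORE), ("after", AFTER)):
        print(label, audit(parse_listeners(sample), REQUIRED))
```

On a live host, feed `parse_listeners` the output of `ss -H -lntup` run as root so the process column is populated.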