# ---- # SiteDE : AC Access Concentrator IP (server responder) # SiteUK : (server initiator) # SiteFR : (server initiator) # ---- # 2024 03 24 #------------------ SiteUK <> SiteDE (AC) - OK ping SiteUK <> SiteDE (AC) - OK services SiteDE (AC) <> SiteUK - OK ping SiteDE (AC) <> SiteUK - OK services #--- AND SiteUK <> SiteDE (AC) <> SiteFR - OK ping SiteUK <> SiteDE (AC) <> SiteFR - OK services #--- AND SiteUK <> SiteDE (AC) <> SiteFR <> SubNetFR - OK ping SiteUK <> SiteDE (AC) <> SiteFR <> SubNetFR - OK services SubNetUK <> SiteUK <> SiteDE (AC) <> SiteFR - OK ping SubNetUK <> SiteUK <> SiteDE (AC) <> SiteFR - OK services #- SiteFR <> SiteDE (AC) <> SiteUK <> SubNetUK - OK ping SiteFR <> SiteDE (AC) <> SiteUK <> SubNetUK - OK services SubNetFR <> SiteFR <> SiteDE (AC) <> SiteUK - OK ping SubNetFR <> SiteFR <> SiteDE (AC) <> SiteUK - OK services #--- AND SubNetUK <> SiteUK <> SiteDE (AC) <> SiteFR <> SubNetFR - OK ping SubNetUK <> SiteUK <> SiteDE (AC) <> SiteFR <> SubNetFR - OK services SubNetFR <> SiteFR <> SiteDE (AC) <> SiteUK <> SubNetUK - OK ping SubNetFR <> SiteFR <> SiteDE (AC) <> SiteUK <> SubNetUK - OK services #------------------ Checking my firewall for optimisation.. 
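# https://howto.zw3b.fr/linux/securite/comment-faire-un-reseau-ipv6-firewall-icmpv6
# Exemple Firewall ULA and SWAN open :
#
# Every function below appends ACCEPT (or NAT) rules through $IP6TABLE, which
# is expected to be set by the caller -- it is not defined in this excerpt.
#
# NOTE(review): the INPUT rules match on the source/destination prefix only,
# with no `-i <iface>` restriction. A packet arriving on the WAN interface
# with a spoofed fc00::/7, fe80::/10 or fec0::/10 source is therefore accepted
# as well. Binding these rules to the internal/VPN interfaces keeps the
# "local" accepts from doubling as an entry point from the outside.
#
# Status lines are fully quoted. In the original, `[OK]` was an unquoted word
# and so a glob: with a file named O or K in the current directory, echo would
# print the file name instead of "[OK]".

#####
# we set the rules for local IPv6 addresses
#####
function ipv6_ula() {
    echo " |"
    echo " + IPv6 - Addrs Unique Locale Area -----------------------"
    # Allow Unique Local Addresses (ULA)
    # network range : fc00:0000:0000:0000:0000:0000:0000:0000-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
    echo " |\\\\"
    $IP6TABLE -A INPUT -s fc00::/7 -j ACCEPT
    $IP6TABLE -A FORWARD -s fc00::/7 -d fc00::/7 -j ACCEPT
    $IP6TABLE -A OUTPUT -d fc00::/7 -j ACCEPT
    echo " | +--> fc00::/7 : ACCEPT"
    echo " | |"
    echo " | + IPv6 - Addrs Unique Locale Area : [OK]"
}

function ipv6_multicast() {
    echo " |"
    echo " + IPv6 - Addrs Multicast -----------------------"
    # Allow multicast
    # network range : ff00:0000:0000:0000:0000:0000:0000:0000-ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
    echo " |\\\\"
    # INPUT matches on destination (multicast is never a valid source).
    $IP6TABLE -A INPUT -d ff00::/8 -j ACCEPT
    $IP6TABLE -A FORWARD -s ff00::/8 -d ff00::/8 -j ACCEPT
    $IP6TABLE -A OUTPUT -d ff00::/8 -j ACCEPT
    echo " | +--> ff00::/8 : ACCEPT"
    echo " | |"
    echo " | + IPv6 - Addrs Multicast : [OK]"
}

function ipv6_link_local() {
    echo " |"
    echo " + IPv6 - Addrs Link-Local Unicast -----------------------"
    # Allow Link-Local addresses
    # network range : fe80:0000:0000:0000:0000:0000:0000:0000-febf:ffff:ffff:ffff:ffff:ffff:ffff:ffff
    echo " |\\\\"
    $IP6TABLE -A INPUT -s fe80::/10 -j ACCEPT
    $IP6TABLE -A FORWARD -s fe80::/10 -d fe80::/10 -j ACCEPT
    $IP6TABLE -A OUTPUT -d fe80::/10 -j ACCEPT
    echo " | +--> fe80::/10 : ACCEPT"
    echo " | |"
    echo " | + IPv6 - Addrs Link-Local : [OK]"
}

#####
# we set the rules for secure local IPv6 addresses (VPN/strongSwan)
#####
# fec0::/10 (site-local unicast) was deprecated by RFC 3879; it is kept here
# because the author uses it as the address range of the strongSwan overlay.
function ipv6_strongswan() {
    # Default ------------------
    echo " |"
    echo " + IPv6 - Addrs Site-Local Secure Area Network -------------------------"
    # Allow Secure Area Network addresses
    # network range : fec0:0000:0000:0000:0000:0000:0000:0000-feff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
    echo " |\\\\"
    $IP6TABLE -A INPUT -s fec0::/10 -j ACCEPT
    $IP6TABLE -A FORWARD -s fec0::/10 -d fec0::/10 -j ACCEPT
    $IP6TABLE -A OUTPUT -d fec0::/10 -j ACCEPT
    echo " | +--> fec0::/10 : ACCEPT"
    echo " | |"
    echo " | + IPv6 - Addrs Secure Area Network : [OK]"

    # Add ------------------
    echo " |"
    # Allow Forwarding SLAN (fec0::/10) <> ULA (fc00::/7), in both directions
    # network range : fc00:0000:0000:0000:0000:0000:0000:0000-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
    echo " + IPv6 - Forwarding Addrs SWAN 2 ULA Networks -------------------------"
    echo " |\\\\"
    $IP6TABLE -A FORWARD -s fec0::/10 -d fc00::/7 -j ACCEPT
    $IP6TABLE -A FORWARD -d fec0::/10 -s fc00::/7 -j ACCEPT
    echo " | +--> fec0::/10 fc00::/7 : ACCEPT"
    echo " | |"
    echo " | + IPv6 - Forwarding Addrs SWAN 2 ULA Networks : [OK]"
    echo " |"
}

# Source-NAT the web container's ULA address behind the WAN interface.
# WAN_IF and LXC_WEB are assigned as shell globals (not `local`), as in the
# original, so they remain visible to the caller after nat_v6 returns.
function nat_v6() {
    WAN_IF=eth0
    LXC_WEB="fc00::15:1:a:10"
    # NET FOR LXC EXCEPT TO THE ULA (fc00::/7) NETWORK:
    # traffic that stays inside fc00::/7 is routed without translation.
    $IP6TABLE -t nat -A POSTROUTING -o "$WAN_IF" -s "$LXC_WEB" ! -d fc00::/7 -j MASQUERADE
    echo " + NAT : [OK]"
}

#------------------
# To deprecate IPv6 GUA so that outgoing requests (from the machine) use ULAs
# ip -6 addr add 2001:db8::15:1:a:10/128 dev eth0
# ip -6 addr add fc00::15:1:a:10/128 dev eth0
# ip -6 addr change 2001:db8::15:1:a:10/128 dev eth0 preferred_lft 0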