All my devices have IPv4, IPv6 LL, IPv6 ULA and IPv6 GUA addresses like this:
3: wlp1s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 88:b1:11:ed:21:c8 brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.22/24 brd 192.168.1.255 scope global dynamic noprefixroute wlp1s0
       valid_lft 863780sec preferred_lft 863780sec
    inet6 fd00::xxxx:xxxx:xxxx:xxxx/64 scope global dynamic noprefixroute
       valid_lft 6985sec preferred_lft 3385sec
    inet6 2003:d4:4f1f:9500:xxxx:xxxx:xxxx:xxxx/64 scope global dynamic noprefixroute
       valid_lft 6985sec preferred_lft 1585sec
    inet6 fe80::xxxx:xxxx:xxxx:xxxx/64 scope link noprefixroute
       valid_lft forever preferred_lft forever
Some more complex devices (service providers) have an iptables firewall installed with:
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -p ipv6-icmp -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
When I now try to reach device a from device b via DNS name, sometimes the IPv6 GUA and sometimes the ULA is used. My firewalls allow some ports (e.g. SSH) only for connections from the ULA subnet. Therefore, I want to force the use of ULAs within my subnet.
Is this the right way? How can I solve this problem without disabling my firewalls and without typing the destination IP?
Thank you
EDIT 20181118: RFC 6724 says: "By default, global IPv6 destinations are preferred over ULA destinations, since an arbitrary ULA is not necessarily reachable" (thanks to Ron Maupin). So I obviously did something wrong with my network structure. Is there another way to filter traffic within my subnet using iptables? The global IPv6 prefix is dynamic, so I can't use it in my static iptables to determine if packets come from within my subnet.
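The RFC 6724 behaviour quoted in the edit, as an added worked example that is not part of the question: it models the default policy table and the destination-selection rules that decide between the ULA and GUA AAAA records (label match, then precedence), and shows how raising the fc00::/7 precedence flips the choice. Only rules 5, 6 and source rule 8 are modelled (scope handling is left out), and all host parts of the addresses are constructed.

```python
import ipaddress

# RFC 6724 section 2.1 default policy table: (prefix, precedence, label).
DEFAULT_POLICY = [
    ("::1/128", 50, 0), ("::/0", 40, 1), ("::ffff:0:0/96", 35, 4),
    ("2002::/16", 30, 2), ("2001::/32", 5, 5), ("fc00::/7", 3, 13),
    ("::/96", 1, 3), ("fec0::/10", 1, 11), ("3ffe::/16", 1, 12),
]

# Same table with the ULA precedence raised above ::/0 (a gai.conf-style override).
ULA_FIRST_POLICY = [(p, 50 if p == "fc00::/7" else prec, lab)
                    for p, prec, lab in DEFAULT_POLICY]

def policy_lookup(addr, table):
    """Longest-prefix match of addr in the policy table -> (precedence, label)."""
    addr = ipaddress.IPv6Address(addr)
    best = None
    for prefix, precedence, label in table:
        net = ipaddress.IPv6Network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, precedence, label)
    return best[1], best[2]

def common_prefix_len(a, b):
    """Number of leading bits two IPv6 addresses share."""
    return 128 - (int(ipaddress.IPv6Address(a)) ^ int(ipaddress.IPv6Address(b))).bit_length()

def source_for(dest, sources):
    """Simplified source selection: the source sharing the longest prefix with dest
    (RFC 6724 section 5 rule 8); sufficient for ULA-vs-GUA, scope is not modelled."""
    return max(sources, key=lambda s: common_prefix_len(s, dest))

def rank_destinations(dests, sources, table=DEFAULT_POLICY):
    """Order candidate destinations best-first with RFC 6724 section 6 rule 5
    (prefer matching label) and rule 6 (prefer higher precedence); the stable
    sort keeps the resolver's order on ties (rule 10)."""
    def key(d):
        d_prec, d_label = policy_lookup(d, table)
        _, s_label = policy_lookup(source_for(d, sources), table)
        return (0 if s_label == d_label else 1, -d_prec)
    return sorted(dests, key=key)

def preferred_destination(dests, sources, table=DEFAULT_POLICY):
    return rank_destinations(dests, sources, table)[0]

# Constructed addresses inside the /64s from the question (host parts are made up).
HOST_SOURCES = ["fd00::1:2:3:4", "2003:d4:4f1f:9500:1:2:3:4"]
PEER_AAAA = ["fd00::a:b:c:d", "2003:d4:4f1f:9500:a:b:c:d"]  # constructed AAAA answers
```

With the default table the GUA wins because 40 > 3, which is exactly why the ULA-only SSH rule is sometimes bypassed; on glibc hosts the equivalent table is adjusted through /etc/gai.conf, whose replacement semantics should be checked in gai.conf(5) before relying on it.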