Jay Cliburn wrote:
> Before I go much further in investigating this, I'd like to ask if
> anyone has successfully used IPv6 under rawhide?
> I can ssh over IPv6 between FC5 and CentOS 4.3 boxes, but any attempt to
> ssh using v6 to or from a rawhide machine doesn't work. I haven't
> gotten any details yet, other than an odd packet in an Ethereal capture
> that I executed on an FC4 machine while trying to connect IPv6 from a
> rawhide machine to the FC4 machine. The frames shown below represent
> the TCP 3-way handshake for the session, but the last frame seems to
> indicate that the ssh client is ACKing a frame it hasn't yet seen.
After a week of tracing IPv6 packets through the kernel, this problem
turned out to be caused by ip6tables blocking inbound IPv6 packets,
despite rules to allow such traffic. (I wasn't even aware ip6tables was
running, but I can't say for sure I didn't enable it when I installed
FC6.) Here's the default rawhide ip6tables file, with a rule I added to
log dropped packets.
[root@osprey ~]# cat /etc/sysconfig/ip6tables
# Firewall configuration written by system-config-securitylevel
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmpv6 -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j LOG
-A RH-Firewall-1-INPUT -j DROP
COMMIT
And here's what's logged when a remote host tries to initiate an ssh
session to this host over IPv6. The SYN packet is dropped.
Jul 30 13:15:31 osprey kernel: IN=eth0 OUT= MAC=00:50:8d:ef:90:69:00:b0:d0:82:6d:db:86:dd SRC=2001:05c0:8c82:0000:02b0:d0ff:fe82:6ddb DST=2001:05c0:8c82:0000:0000:0000:0000:0001 LEN=80 TC=0 HOPLIMIT=64 FLOWLBL=0 PROTO=TCP SPT=39300 DPT=22 WINDOW=5760 RES=0x00 SYN URGP=0
A similar thing happens when an outbound ssh session is attempted from
this host. The SYN-ACK packet from the remote host is dropped.
Jul 30 13:27:10 osprey kernel: IN=eth0 OUT= MAC=00:50:8d:ef:90:69:00:b0:d0:82:6d:db:86:dd SRC=2001:05c0:8c82:0000:02b0:d0ff:fe82:6ddb DST=2001:05c0:8c82:0000:0000:0000:0000:0001 LEN=80 TC=0 HOPLIMIT=64 FLOWLBL=0 PROTO=TCP SPT=22 DPT=49029 WINDOW=5712 RES=0x00 ACK SYN URGP=0
According to netfilter.org [1], ip6tables can't do stateful packet
filtering, so the default rules supplied for FC6 are not correct. I'd
BZ this, but there's no ip6tables category in Red Hat's Bugzilla.
[1] http://www.netfilter.org/
Main Features
* stateless packet filtering (IPv4 and IPv6)
* stateful packet filtering (IPv4)
--
fedora-test-list mailing list
fedora-test-list@xxxxxxxxxx
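An added example, not part of the post: a small Python script that parses the two kernel LOG lines quoted above, names the conntrack state each dropped packet would have had (and so the rule that should have accepted it), and lists the rules in the file that depend on `-m state`, which never match on an ip6tables without connection tracking. The sample log lines and rule lines are constructed from the output quoted in the post.

```python
# Added example (not from the post): parse the ip6tables LOG lines quoted above and
# name the conntrack state each dropped packet would have had, i.e. the rule that
# should have accepted it. Sample data is constructed from the post's output.
LOG_LINES = [
    "Jul 30 13:15:31 osprey kernel: IN=eth0 OUT= "
    "SRC=2001:05c0:8c82:0000:02b0:d0ff:fe82:6ddb "
    "DST=2001:05c0:8c82:0000:0000:0000:0000:0001 LEN=80 TC=0 HOPLIMIT=64 "
    "FLOWLBL=0 PROTO=TCP SPT=39300 DPT=22 WINDOW=5760 RES=0x00 SYN URGP=0",
    "Jul 30 13:27:10 osprey kernel: IN=eth0 OUT= "
    "SRC=2001:05c0:8c82:0000:02b0:d0ff:fe82:6ddb "
    "DST=2001:05c0:8c82:0000:0000:0000:0000:0001 LEN=80 TC=0 HOPLIMIT=64 "
    "FLOWLBL=0 PROTO=TCP SPT=22 DPT=49029 WINDOW=5712 RES=0x00 ACK SYN URGP=0",
]
RULES = """\
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmpv6 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j LOG
-A RH-Firewall-1-INPUT -j DROP
"""
TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}

def parse_log(line):
    """One netfilter LOG line -> dict of KEY=value fields; bare flag words go in FLAGS."""
    rec = {"FLAGS": set()}
    for tok in line.split("kernel: ", 1)[1].split():
        if "=" in tok:
            key, value = tok.split("=", 1)
            rec[key] = value
        elif tok in TCP_FLAGS:
            rec["FLAGS"].add(tok)
    return rec

def classify(rec, service_port=22):
    """Conntrack state the packet would have had if state matching worked."""
    if rec.get("PROTO") != "TCP":
        return "non-tcp"
    if rec["FLAGS"] == {"SYN"} and rec["DPT"] == str(service_port):
        return "NEW"          # inbound SYN to sshd: the --state NEW rule missed it
    if rec["FLAGS"] == {"SYN", "ACK"} and rec["SPT"] == str(service_port):
        return "ESTABLISHED"  # SYN-ACK for our outbound ssh: ESTABLISHED rule missed it
    return "other"

def state_dependent_rules(rules):
    """Rules that need connection tracking. Without it (netfilter.org listed
    stateful filtering as IPv4-only) they never match and traffic falls to LOG/DROP."""
    return [r for r in rules.splitlines() if r.startswith("-A") and "-m state" in r]
```

Both quoted drops classify as packets a working state match would have accepted, and the two `-m state` rules are exactly the ones the default file relies on for ssh in either direction.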