On Thu, Oct 02, 2003 at 01:10:09PM +0200, Wouter Vanwalleghem wrote:
> hi all,
>
> I have set up a 6-in-4 tunnel which is giving me headaches.
> FYI, I use kernel 2.4.21 and iptables 1.2.8.
>
> As soon as I start using the tunnel the output of "cat
> /proc/net/ip_conntrack" shows a protocol 41 connection between my
> firewall and the IPv4 PoP of the tunnelbroker.
> OK so far.

yup. That's how it is on my 6to4 tunnel gateway, too.

> Thing is that the tunnel "dies" as soon as the connection has
> disappeared from the connection tracking table.
>
> After some research I followed a suggestion to keep the tunnel from
> being connection tracked.

impossible with stock iptables.

> However, the following iptables rules do not prevent the tunnel from
> popping up in the connection tracking table:
>
>
> #####------------ IPv6 tunnel to SixXS-----
> iptables -A INPUT -p 41 -s tunnelserver.concepts-ict.net -j ACCEPT
> iptables -A OUTPUT -p 41 -d tunnelserver.concepts-ict.net -j ACCEPT
> iptables -A INPUT -p icmp --icmp-type echo-request -s tunnelserver.concepts-ict.net -j ACCEPT
> iptables -t nat -A POSTROUTING --protocol ! 41 -s 192.168.100.0/24 -o ppp0 -j MASQUERADE

Why should this prevent connection tracking from tracking the tunnel?
Connection tracking always tracks all packets, as described in the docs.
It's just a question on whether you want to use the information provided
by conntrack or not. And this totally depends on your ruleset.

> Anybody have a clue?

This has to be somehow related to your local setup/configuration.
I am running 6to4 tunnels on a lot of firewalls without any problems.

> kind regards,
> Wouter

--
- Harald Welte <laforge@xxxxxxxxxxxxx> http://www.netfilter.org/
============================================================================
"Fragmentation is like classful addressing -- an interesting early
architectural error that shows how much experimentation was going on
while IP was being designed." -- Paul Vixie
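The exchange above turns on one fact: conntrack records the protocol-41 (IPv6-in-IPv4) flow like any other, whatever the filter rules say, and the tunnel's disappearance coincides with that entry timing out of the table. The script below is an added example, not code from the thread or from the netfilter project. It parses lines in the Linux 2.4 `/proc/net/ip_conntrack` layout ("name proto timeout [state] src= dst= [sport= dport=] [UNREPLIED] src= dst= ... [ASSURED] use="), picks out the encapsulation entries and reports how long each has left before it expires, which is the first thing an operator would watch when a tunnel "dies" together with its conntrack entry. The sample lines and the addresses in them are constructed for the example; the protocol-41 line uses the kernel's generic-protocol name `unknown`.

```python
"""Parse Linux 2.4 /proc/net/ip_conntrack output and report encapsulation flows.

Added example: the sample text below is constructed, not a real capture.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample in the 2.4 ip_conntrack format. Addresses are documentation
# ranges; 203.0.113.7 plays the firewall's public side, 198.51.100.99 the PoP.
SAMPLE_CONNTRACK = """\
tcp      6 431999 ESTABLISHED src=192.168.100.10 dst=198.51.100.20 sport=40321 dport=80 src=198.51.100.20 dst=203.0.113.7 sport=80 dport=40321 [ASSURED] use=1
udp      17 27 src=192.168.100.10 dst=198.51.100.53 sport=33901 dport=53 [UNREPLIED] src=198.51.100.53 dst=203.0.113.7 sport=53 dport=33901 use=1
unknown  41 599 src=203.0.113.7 dst=198.51.100.99 src=198.51.100.99 dst=203.0.113.7 use=1
icmp     1 29 src=192.168.100.10 dst=198.51.100.20 type=8 code=0 id=1234 [UNREPLIED] src=198.51.100.20 dst=203.0.113.7 type=0 code=0 id=1234 use=1
"""

IPV6_IN_IPV4 = 41  # IP protocol number used by 6in4 / 6to4 tunnels


@dataclass
class Conntrack:
    proto_name: str
    proto: int
    timeout: int                 # seconds left before the entry is dropped
    state: Optional[str]         # L4 state for tcp (e.g. ESTABLISHED), else None
    original: Dict[str, str] = field(default_factory=dict)  # first tuple
    reply: Dict[str, str] = field(default_factory=dict)     # second tuple
    flags: List[str] = field(default_factory=list)          # ASSURED, UNREPLIED
    use: int = 0


def parse_line(line: str) -> Conntrack:
    """Parse one ip_conntrack line into a Conntrack record."""
    tokens = line.split()
    if len(tokens) < 3:
        raise ValueError("malformed conntrack line: %r" % line)
    name, proto, timeout = tokens[0], int(tokens[1]), int(tokens[2])
    rest = tokens[3:]
    state = None
    # A bare word right after the timeout is the protocol state (tcp only).
    if rest and "=" not in rest[0] and not rest[0].startswith("["):
        state = rest.pop(0)
    entry = Conntrack(name, proto, timeout, state)
    tuples = [entry.original, entry.reply]
    current = None
    for tok in rest:
        if tok.startswith("[") and tok.endswith("]"):
            entry.flags.append(tok[1:-1])
            continue
        key, _, value = tok.partition("=")
        if key == "use":
            entry.use = int(value)
        elif key == "src":
            # Each src= opens the next tuple: original direction, then reply.
            current = 0 if current is None else current + 1
            tuples[current][key] = value
        elif current is None:
            raise ValueError("tuple field before src=: %r" % line)
        else:
            tuples[current][key] = value
    return entry


def parse_conntrack(text: str) -> List[Conntrack]:
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def tunnel_entries(entries: List[Conntrack], proto: int = IPV6_IN_IPV4) -> List[Conntrack]:
    """Entries for an encapsulation protocol; conntrack tracks them like any flow."""
    return [e for e in entries if e.proto == proto]


def expiring_soon(entries: List[Conntrack], threshold: int) -> List[Conntrack]:
    """Entries whose timer will drop them within `threshold` seconds."""
    return [e for e in entries if 0 < e.timeout <= threshold]


def summarize(entries: List[Conntrack]) -> Dict[str, int]:
    counts: Dict[str, int] = {}
    for e in entries:
        counts[e.proto_name] = counts.get(e.proto_name, 0) + 1
    return counts


def main() -> None:
    entries = parse_conntrack(SAMPLE_CONNTRACK)
    print("entries per protocol:", summarize(entries))
    for e in tunnel_entries(entries):
        print("proto %d tunnel %s -> %s: %ds left, flags=%s"
              % (e.proto, e.original["src"], e.original["dst"], e.timeout, e.flags))


if __name__ == "__main__":
    main()
```

To run it against a live 2.4 box, replace `SAMPLE_CONNTRACK` with the contents of `/proc/net/ip_conntrack`. The 2.6 and later `/proc/net/nf_conntrack` file prepends a layer-3 column (`ipv4 2 tcp 6 ...`) and adds fields such as `mark=`, so the token offsets above would need adjusting there.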