Hi,

From: Undertacker <undertacker@xxxxxxxxxxxxxxxxx>
Date: Thu, 23 Feb 2006 11:11:00 +0100

> Dear All
> I have some problem with applying a state match rules for ipv6 connections.
>
> I'm using a debian unstable with 2.6.16-rc4 kernel.
> This is my ipv6 configuration:(/etc/network/interfaces)
>
> auto btexact00
> iface btexact00 inet6 v4tunnel
> address 2001:618:400:c23b:ffff:ffff:ffff:ffff
> netmask 128
> gateway fe80::d579:1855
> endpoint 213.121.24.85
> local 85.88.200.10
> ttl 254
> ipv6 allocation is 2001:618:400:c23b::/64
> for now I'm using only a btexact00 interface for ipv6 output to internet.
> there is also a second interface eth1 for LAN distribution of ipv6
> support.

Sorry I'm not familiar with debian, but this box is a router, isn't it?

> It is not long that I'm using a linux ( just about 6 months) so please
> forgive me if I have done some stupid configuration.
>
> this is my ip6tables configuration:
> cat /etc/iptables.conf/ip6tables-roule.conf
> # Generated by ip6tables-save v1.3.5 on Thu Feb 23 10:55:57 2006
> *filter
> :INPUT DROP [188:18904]
> :FORWARD DROP [0:0]
> :OUTPUT DROP [9:728]
> :btexact00_in - [0:0]
> :btexact00_out - [0:0]
> :eth1_in - [0:0]
> :eth1_out - [0:0]
> -A INPUT -s ::/0 -d ::/0 -i eth1 -j eth1_in
> -A INPUT -s ::/0 -d ::/0 -i btexact00 -j btexact00_in
> -A OUTPUT -s ::/0 -d ::/0 -o btexact00 -j btexact00_out
> -A OUTPUT -s ::/0 -d ::/0 -o eth1 -j eth1_out
> -A btexact00_in -s ::/0 -d ::/0 -m state --state RELATED,ESTABLISHED -j
> ACCEPT
> -A btexact00_out -s 2001:618:400:c23b:ffff:ffff:ffff:ffff/128 -d ::/0 -j
> ACCEPT
> COMMIT
> # Completed on Thu Feb 23 10:55:57 2006
> # Generated by ip6tables-save v1.3.5 on Thu Feb 23 10:55:57 2006
> *mangle
> :PREROUTING ACCEPT [195:19632]
> :INPUT ACCEPT [195:19632]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [195:19784]
> :POSTROUTING ACCEPT [186:19056]
> COMMIT
> # Completed on Thu Feb 23 10:55:57 2006

First, this configuration will cause ICMPv6 packets for address
autoconfiguration in your LAN to be dropped if you run radvd on this box.

> finally I came to my question:
> for some kind of reason the rule:
> -A btexact00_in -s ::/0 -d ::/0 -m state --state RELATED,ESTABLISHED -j
> ACCEPT
> doesn't match that kind of traffic.
> (if I add this rule after the one above: "-A btexact00_in -s ::/0 -d ::/0
> -j LOG" log output all the traffic)

If this box is a router and you want to use the state match for forwarded
packets, you need to configure the FORWARD chain.

And please "modprobe nf_conntrack_ipv6" manually. For some reason, it isn't
auto-loaded and we have to defer improving this until 2.6.17.

> I tried several times to reconfigure all ip6tables supposing that
> this was a configuration problem, but the configuration to me seems ok.
> Please can you help me?
> Best Regards
> Undertacker
>
> P.S.
> I'm so sorry for my English, I hope you understand this mail.

-- Yasuyuki Kozakai
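
An added example, not part of the original mail and not netfilter code: a small Python check that reads ip6tables-save output and flags the two ruleset problems named in the reply above (no ICMPv6 ACCEPT under a DROP policy, and no state rule reachable from FORWARD). The function names and the shortened sample ruleset are constructed for illustration, and the checks are heuristics that look only at rule text.

```python
import re

# Constructed sample: the *filter table from the question, shortened.
SAMPLE = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:btexact00_in - [0:0]
-A INPUT -i btexact00 -j btexact00_in
-A btexact00_in -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT
"""

def parse_filter(text):
    """Return ({chain: policy}, {chain: [rule, ...]}) for the *filter table."""
    policies, rules, in_filter = {}, {}, False
    for line in map(str.strip, text.splitlines()):
        if line.startswith("*"):
            in_filter = line == "*filter"
        elif in_filter and line.startswith(":"):
            name, policy = line[1:].split()[:2]
            policies[name] = policy
        elif in_filter and line.startswith("-A "):
            _, chain, rest = line.split(None, 2)
            rules.setdefault(chain, []).append(rest)
    return policies, rules

def reachable(rules, chain, seen=()):
    """Rules in `chain` plus rules of every user chain it jumps to."""
    if chain in seen:  # guard against jump loops
        return []
    out = []
    for rule in rules.get(chain, []):
        jump = re.search(r"-j (\S+)", rule)
        out += [rule] + (reachable(rules, jump.group(1), (*seen, chain)) if jump else [])
    return out

def audit(text):
    """Heuristic (assumption: text match only) for the issues named in the reply."""
    policies, rules = parse_filter(text)
    icmp6 = re.compile(r"(?:^| )-p (?:ipv6-icmp|icmpv6|58) .*-j ACCEPT$")
    state = re.compile(r"--(?:ct)?state \S+ .*-j ACCEPT$")
    findings = []
    for chain in ("INPUT", "OUTPUT"):
        if policies.get(chain) == "DROP" and not any(map(icmp6.search, reachable(rules, chain))):
            findings.append(f"{chain}: no ICMPv6 ACCEPT rule (neighbor discovery, RA)")
    if policies.get("FORWARD") == "DROP" and not any(map(state.search, reachable(rules, "FORWARD"))):
        findings.append("FORWARD: no state match ACCEPT rule for routed packets")
    return findings
```

Calling `audit(SAMPLE)` returns three findings for the sample ruleset. The check cannot see whether nf_conntrack_ipv6 is loaded; that has to be confirmed on the host itself.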