Vidya Ravipati wrote:
>> Yes, of course. iptables and ip6tables are mostly independent, as IPv4
>> and IPv6 are on any dual stack machine (with restrictions due to
>> IPv4-mapped addresses).
> Can you mention what are the restrictions on the dual stack machine with
> IPv4 mapped addresses
IPv4-mapped addresses are special IPv6 addresses used to represent IPv4
addresses. They have the prefix ::ffff:0:0/96, and the last 8 digits are
the hexadecimal representation of the IPv4 address. They also have a
special human-readable representation. For example the IPv4-mapped IPv6
address for 127.0.0.1 is "::ffff:7f00:1" or "::ffff:127.0.0.1".
On IPv4+IPv6 dual stack Linux hosts, by default, IPv6 sockets can also
be used for IPv4 communications. IPv4-mapped IPv6 addresses are used to
communicate with a remote IPv4 host using a local IPv6 socket. An IPv6
socket listening on :: (any local IPv6 address) can also accept IPv4
communications and will see the IPv4-mapped addresses (beware with ACL).
These communications use IPv4-mapped IPv6 addresses at the IPv6 socket
level and real IPv4 addresses at network level, so the real network
traffic is IPv4 and only iptables will see it, not ip6tables.
Other operating systems may have different default behaviours. On Linux,
the default behaviour can be changed with the kernel parameter
(/proc/sys/)net/ipv6/bindv6only. When set to 1, new IPv6 sockets are
limited to "pure" IPv6 communications and cannot use IPv4-mapped
addresses, so IPv4 and IPv6 are completely independent.
I think you should find a lot of more detailed documentation on the web,
but I don't have any pointer right now.
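An added example (my own code, not from this thread) that shows the listener-side view described above: an IPv6 socket bound to :: sees an IPv4 client as ::ffff:127.0.0.1, the per-socket IPV6_V6ONLY option behaves like the bindv6only sysctl (assumed equivalence), and an ACL keyed on IPv4 addresses must unwrap the mapped form before matching.

```python
import ipaddress
import socket


def canonical_peer(addr: str) -> str:
    """Normalize a peer address before consulting an ACL.

    A dual-stack IPv6 listener reports IPv4 clients as IPv4-mapped IPv6
    addresses (::ffff:a.b.c.d); an ACL that lists plain "127.0.0.1"
    would otherwise never match them.
    """
    ip = ipaddress.ip_address(addr)
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        return str(ip.ipv4_mapped)
    return str(ip)


def allowed(peer: str, acl: set) -> bool:
    """True if the (unwrapped) peer address is in the ACL."""
    return canonical_peer(peer) in acl


def accept_ipv4_via_ipv6(v6only: bool):
    """Bind an IPv6 listener on :: and connect to it over IPv4 loopback.

    Returns the peer address string the IPv6 listener saw, or None when
    the connection could not be made (IPv6 unavailable on this host, or
    the listener was IPv6-only and refused the IPv4 client).
    IPV6_V6ONLY=1 is the per-socket form of net.ipv6.bindv6only=1 (assumed).
    """
    srv = cli = conn = None
    try:
        srv = socket.socket(socket.AF_INET6, socket.SOCK_STREAM)
        srv.setsockopt(socket.IPPROTO_IPV6, socket.IPV6_V6ONLY, int(v6only))
        srv.bind(("::", 0))          # kernel picks a free port
        srv.listen(1)
        srv.settimeout(2)
        port = srv.getsockname()[1]
        cli = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        cli.settimeout(2)
        cli.connect(("127.0.0.1", port))  # real wire traffic is IPv4
        conn, peer = srv.accept()
        return peer[0]               # "::ffff:127.0.0.1" on a dual-stack host
    except (OSError, AttributeError):
        return None
    finally:
        for s in (conn, cli, srv):
            if s is not None:
                s.close()
```

Because the wire traffic in the dual-stack case is IPv4, it is iptables, not ip6tables, that filters it, even though the application only ever opened an IPv6 socket.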