On Friday 19 June 2009, 10:31 David Balažic wrote:
> I have set up a (SixXS[1]) IPv6 tunnel on my linux router and have the
> problem, that after a while I become unavailable over IPv6 for the
> outside world.
> Then I perform some IPv6 activity, like "ping6 ipv6.google.com" I
> become accessible again for a while.

This indeed sounds like netfilter is dropping proto-41 packets when the
connection tracker thinks that your connection has timed out.

> A SixXS FAQ entry[2] suggests adding an iptables rule:
> iptables -t nat -A POSTROUTING --proto ! 41 -o [Your IPv4 Interface]
> -j MASQUERADE
>
> This way I get (iptables -t nat -L ...):
>
> Chain POSTROUTING (policy ACCEPT)
> target            prot  opt source    destination
> postrouting_rule  all   --  anywhere  anywhere
> MASQUERADE        all   --  anywhere  anywhere
> MASQUERADE        !ipv6 --  anywhere  anywhere     # the added rule
>
> I am not an iptables expert, but to me it seems the first MASQUERADE
> rule matches all packets and the new one does not make any difference.
> Can someone confirm that ?

That's absolutely true. The rule from the FAQ is meant to replace your
original rule, exempting proto-41 traffic from masquerading and thus
connection tracking.

Benedikt
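
The rule-order point in the reply above can be checked mechanically. The following is an added example, not part of the original message: it walks `iptables -t nat -S POSTROUTING` style output in order and reports the first MASQUERADE rule that proto-41 traffic would hit. The function names, the `eth0` interface and both sample rulesets are constructed assumptions, and jumps into user-defined chains such as `postrouting_rule` are not followed.

```shell
#!/bin/sh
# Reads `iptables -t nat -S POSTROUTING` output on stdin and prints the
# 1-based position of the first MASQUERADE rule that proto-41 (6in4) packets
# would match, or "none". Only the protocol match is evaluated; interface and
# address matches are assumed to apply, and user chains are not followed.
first_masq_for_proto41() {
    awk '
    $1 == "-A" && $2 == "POSTROUTING" {
        n++
        target = ""; proto = ""; neg = 0
        for (i = 3; i <= NF; i++) {
            if ($i == "-j") target = $(i + 1)
            if ($i == "-p" || $i == "--proto" || $i == "--protocol") {
                # negation is written "! -p X" (current) or "-p ! X" (older)
                if ($(i - 1) == "!") neg = 1
                if ($(i + 1) == "!") { neg = 1; proto = $(i + 2) }
                else proto = $(i + 1)
            }
        }
        if (target != "MASQUERADE") next
        is41 = (proto == "41" || proto == "ipv6")
        hit = (proto == "" || proto == "all") || (neg ? !is41 : is41)
        if (hit) { print n; found = 1; exit }
    }
    END { if (!found) print "none" }
    '
}

# Constructed ruleset: the FAQ rule appended after the catch-all rule.
ruleset_as_posted() {
    cat <<'EOF'
-P POSTROUTING ACCEPT
-A POSTROUTING -j postrouting_rule
-A POSTROUTING -o eth0 -j MASQUERADE
-A POSTROUTING ! -p ipv6 -o eth0 -j MASQUERADE
EOF
}

# Constructed ruleset: the FAQ rule replacing the catch-all rule.
ruleset_replaced() {
    cat <<'EOF'
-P POSTROUTING ACCEPT
-A POSTROUTING -j postrouting_rule
-A POSTROUTING ! -p ipv6 -o eth0 -j MASQUERADE
EOF
}

echo "appended: proto-41 masqueraded by rule $(ruleset_as_posted | first_masq_for_proto41)"
echo "replaced: proto-41 masqueraded by rule $(ruleset_replaced | first_masq_for_proto41)"
```

On a live router, pipe the real `iptables -t nat -S POSTROUTING` output into `first_masq_for_proto41`; any result other than `none` means tunnel packets are still being masqueraded and tracked.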