(resending, it seems I forgot to CC the list)
(and again, it seems gmail put some HTML into the last post from me :-( )

One more thing:
Where is the timeout for this set? After the mentioned ping, the
world can contact me for hours. I want to lower the timeout to a minute
or so, so I can test the setting without the need to wait hours for the
timeout to happen.

Thanks,
David

2009/6/19 Benedikt Gollatz <ben@xxxxxxxxxxxxxxxxxxxxxxxxxx>:
> On Friday 19 June 2009, 10:31 David Balažic wrote:
>> I have set up a (SixXS[1]) IPv6 tunnel on my Linux router and have the
>> problem, that after a while I become unavailable over IPv6 for the
>> outside world.
>> Then I perform some IPv6 activity, like "ping6 ipv6.google.com" I
>> become accessible again for a while.
>
> This indeed sounds like netfilter is dropping proto-41 packets when the
> connection tracker thinks that your connection has timed out.
>
>> A SixXS FAQ entry[2] suggests adding an iptables rule:
>> iptables -t nat -A POSTROUTING --proto ! 41 -o [Your IPv4 Interface]
>> -j MASQUERADE
>>
>> This way I get (iptables -t nat -L ...):
>>
>> Chain POSTROUTING (policy ACCEPT)
>> target            prot  opt source    destination
>> postrouting_rule  all   --  anywhere  anywhere
>> MASQUERADE        all   --  anywhere  anywhere
>> MASQUERADE        !ipv6 --  anywhere  anywhere    # the added rule
>>
>> I am not an iptables expert, but to me it seems the first MASQUERADE
>> rule matches all packets and the new one does not make any difference.
>> Can someone confirm that?
>
> That's absolutely true. The rule from the FAQ is meant to replace your
> original rule, exempting proto-41 traffic from masquerading and thus
> connection tracking.
>
> Benedikt
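
The rule-ordering point confirmed in the quoted reply, as an added example that is not part of the original thread: a small first-match walk over a nat POSTROUTING chain for a proto-41 packet. The rule lines are constructed samples in iptables-save style, `eth0` is a placeholder for the IPv4 interface, and the jump to `postrouting_rule` is assumed to return without a verdict.

```shell
#!/bin/sh
# Added example: first-match evaluation of nat POSTROUTING for a proto-41
# (6in4 tunnel) packet. Only "-p", "! -p" / "-p !" and "-j" are interpreted;
# the packet is assumed to leave via the interface the rules name.

# Constructed sample: FAQ rule appended after the existing catch-all rule.
APPENDED='-A POSTROUTING -j postrouting_rule
-A POSTROUTING -o eth0 -j MASQUERADE
-A POSTROUTING ! -p 41 -o eth0 -j MASQUERADE'

# Constructed sample: FAQ rule replacing the catch-all rule.
REPLACED='-A POSTROUTING -j postrouting_rule
-A POSTROUTING ! -p 41 -o eth0 -j MASQUERADE'

# Read rules on stdin, print what happens to a proto-41 packet.
verdict_for_proto41() {
    awk '
    /^-A POSTROUTING/ {
        n++
        proto = "all"; neg = 0; target = ""
        for (i = 3; i <= NF; i++) {
            if ($i == "!" && $(i+1) == "-p") neg = 1
            else if ($i == "-p") {
                # older iptables wrote the negation after the option
                if ($(i+1) == "!") { neg = 1; proto = $(i+2) }
                else proto = $(i+1)
            }
            else if ($i == "-j") target = $(i+1)
        }
        is41 = (proto == "41" || proto == "ipv6")
        match41 = (proto == "all") || (neg ? !is41 : is41)
        # MASQUERADE is terminating: later rules are never consulted.
        if (match41 && target == "MASQUERADE") {
            print "MASQUERADE by rule " n; found = 1; exit
        }
    }
    END { if (!found) print "not masqueraded" }
    '
}

printf 'appended: %s\n' "$(printf '%s\n' "$APPENDED" | verdict_for_proto41)"
printf 'replaced: %s\n' "$(printf '%s\n' "$REPLACED" | verdict_for_proto41)"
```
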