Re: Problem with IPv6 tunnel

Hmm, I replaced the rule as suggested, but something still does not
work correctly.

Any idea?
Is there a way to check the currently active tracked "connections" and
find some clues there as to what additional rule(s) I need?

Here is my current output of "iptables -t nat -L -v":

Chain NEW (1 references)
 pkts bytes target     prot opt in     out     source               destination
50876 4029K RETURN     all  --  any    any     anywhere             anywhere            limit: avg 50/sec burst 100
    0     0 DROP       all  --  any    any     anywhere             anywhere

Chain PREROUTING (policy ACCEPT 1895K packets, 199M bytes)
 pkts bytes target     prot opt in     out     source               destination
50876 4029K NEW        all  --  any    any     anywhere             anywhere            state NEW
50876 4029K prerouting_rule  all  --  any    any     anywhere             anywhere
 9546 1060K prerouting_wan  all  --  ppp0   any     anywhere             anywhere

Chain POSTROUTING (policy ACCEPT 168K packets, 12M bytes)
 pkts bytes target     prot opt in     out     source               destination
40337 3020K postrouting_rule  all  --  any    any     anywhere             anywhere
39964 2984K MASQUERADE !ipv6 --  any    ppp0    anywhere             anywhere

Chain OUTPUT (policy ACCEPT 17461 packets, 2006K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain postrouting_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain prerouting_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain prerouting_wan (1 references)
 pkts bytes target     prot opt in     out     source               destination
    1    60 ACCEPT     tcp  --  any    any     anywhere             anywhere            tcp dpt:21
   16   864 ACCEPT     tcp  --  any    any     anywhere             anywhere            tcp dpt:22
    7   336 ACCEPT     tcp  --  any    any     anywhere             anywhere            tcp dpt:24
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere            tcp dpt:110
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere            tcp dpt:230
    0     0 ACCEPT     udp  --  any    any     anywhere             anywhere            udp dpt:4500
(and a few port forwarding rules for the LAN here)

And the "iptables -L -v" output:

Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
   32  4264 DROP       all  --  any    any     anywhere             anywhere            state INVALID
23403 2529K ACCEPT     all  --  any    any     anywhere             anywhere            state RELATED,ESTABLISHED
   81  3240 DROP       tcp  --  any    any     anywhere             anywhere            tcp option=!2 flags:SYN/SYN
17118 1689K input_rule  all  --  any    any     anywhere             anywhere
 9236 1045K input_wan  all  --  ppp0   any     anywhere             anywhere
17094 1688K LAN_ACCEPT  all  --  any    any     anywhere             anywhere
   19  1300 ACCEPT     icmp --  any    any     anywhere             anywhere
    0     0 ACCEPT     gre  --  any    any     anywhere             anywhere
 1136 57040 REJECT     tcp  --  any    any     anywhere             anywhere            reject-with tcp-reset
 9856 1051K REJECT     all  --  any    any     anywhere             anywhere            reject-with icmp-port-unreachable

Chain FORWARD (policy DROP 21 packets, 1008 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  any    any     anywhere             anywhere            state INVALID
50766 2459K TCPMSS     tcp  --  any    any     anywhere             anywhere            tcp flags:SYN,RST/SYN TCPMSS clamp to PMTU
2626K 2096M ACCEPT     all  --  any    any     anywhere             anywhere            state RELATED,ESTABLISHED
36511 2559K forwarding_rule  all  --  any    any     anywhere             anywhere
  377 19604 forwarding_wan  all  --  ppp0   any     anywhere             anywhere
    0     0 ACCEPT     all  --  br0    br0     anywhere             anywhere
36134 2540K ACCEPT     all  --  br0    ppp0    anywhere             anywhere

Chain LAN_ACCEPT (1 references)
 pkts bytes target     prot opt in     out     source               destination
 9212 1044K RETURN     all  --  ppp0   any     anywhere             anywhere
 1799 64764 RETURN     all  --  vlan1  any     anywhere             anywhere
 6083  579K ACCEPT     all  --  any    any     anywhere             anywhere

Chain OUTPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  any    any     anywhere             anywhere            state INVALID
33066 5111K ACCEPT     all  --  any    any     anywhere             anywhere            state RELATED,ESTABLISHED
 4131  488K output_rule  all  --  any    any     anywhere             anywhere
 4131  488K ACCEPT     all  --  any    any     anywhere             anywhere
    0     0 REJECT     tcp  --  any    any     anywhere             anywhere            reject-with tcp-reset
    0     0 REJECT     all  --  any    any     anywhere             anywhere            reject-with icmp-port-unreachable

Chain forwarding_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  tun+   any     anywhere             anywhere

Chain forwarding_wan (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     tcp  --  any    any     anywhere             192.168.200.20      tcp dpt:13789
    0     0 ACCEPT     udp  --  any    any     anywhere             192.168.200.20      udp dpt:41234
    0     0 ACCEPT     tcp  --  any    any     anywhere             192.168.200.20      tcp dpt:7234
  135  7988 ACCEPT     tcp  --  any    any     anywhere             192.168.200.21      tcp dpt:44210
    0     0 ACCEPT     tcp  --  any    any     anywhere             192.168.200.21      tcp dpt:59876
    0     0 ACCEPT     udp  --  any    any     anywhere             192.168.200.21      udp dpt:58932
    0     0 ACCEPT     tcp  --  any    any     anywhere             192.168.200.20      tcp dpt:1194
    0     0 ACCEPT     udp  --  any    any     anywhere             192.168.200.20      udp dpt:1194
    0     0 ACCEPT     tcp  --  any    any     anywhere             192.168.200.20      tcp dpt:3389
    0     0 ACCEPT     tcp  --  any    any     anywhere             192.168.200.120     tcp dpt:23966
    0     0 ACCEPT     tcp  --  any    any     anywhere             192.168.200.95      tcp dpt:5001
    0     0 ACCEPT     udp  --  any    any     anywhere             192.168.200.95      udp dpt:5002

Chain input_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  tun+   any     anywhere             anywhere

Chain input_wan (1 references)
 pkts bytes target     prot opt in     out     source               destination
    1    60 ACCEPT     tcp  --  any    any     anywhere             anywhere            tcp dpt:21
   16   864 ACCEPT     tcp  --  any    any     anywhere             anywhere            tcp dpt:22
    7   336 ACCEPT     tcp  --  any    any     anywhere             anywhere            tcp dpt:24
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere            tcp dpt:110
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere            tcp dpt:230
    0     0 ACCEPT     udp  --  any    any     anywhere             anywhere            udp dpt:4500

Chain output_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination


Maybe add an ACCEPT rule for proto 41 in chain "input_wan"?

Thanks for any help!

David

2009/6/19 David Balažic <xerces9@xxxxxxxxx>:
> Hi!
>
> I have set up a (SixXS[1]) IPv6 tunnel on my linux router and have the
> problem that after a while I become unavailable over IPv6 for the
> outside world.
> When I perform some IPv6 activity, like "ping6 ipv6.google.com", I
> become accessible again for a while.
>
> A SixXS FAQ entry[2] suggests adding an iptables rule:
>  iptables -t nat -A POSTROUTING --proto ! 41 -o [Your IPv4 Interface]
> -j MASQUERADE
>
> This way I get (iptables -t nat -L ...):
>
> Chain POSTROUTING (policy ACCEPT)
> target     prot opt source               destination
> postrouting_rule  all  --  anywhere             anywhere
> MASQUERADE  all  --  anywhere             anywhere
> MASQUERADE !ipv6 --  anywhere             anywhere  # the added rule
>
> I am not an iptables expert, but to me it seems the first MASQUERADE
> rule matches all packets and the new one does not make any difference.
> Can someone confirm that ?
>
>
> More info:
>
> kernel 2.4.30 (OpenWRT 1.0 - update is not really an option, unfortunately)
> iptables v1.3.3
>
> tunnel set up by AICCU 2007.01.15-console by Jeroen Massar
> tunnel config excerpt:
>
> # Protocol and server to use for setting up the tunnel (defaults: none)
> #protocol <tic|tsp|l2tp>
> #server <server to use>
> protocol tic
> server tic.sixxs.net
>
> ipv6_interface sixxs
>
> Tunnel type: 6in4-heartbeat
>
> Regards,
> David
>
>
> [1] https://www.sixxs.net/
> [2] https://www.sixxs.net/faq/connectivity/?faq=conntracking
>
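Editor's note, added to this archived thread and not part of either message: the two questions David raises (does the first MASQUERADE rule shadow the "! 41" one, and which rule is missing once the tracked "connection" is gone) can both be checked mechanically against the listings he posted. The script below is an added example written for this page, not a netfilter or OpenWrt tool. It parses `iptables -L -v` output, reports rules made unreachable by an earlier catch-all terminating rule in the same chain, and walks INPUT for a packet that has no conntrack entry, which is exactly the state of an inbound 6in4 packet (protocol 41, which iptables prints as "ipv6") once the entry created by David's outbound ping6 has expired; on his 2.4 kernel the live table can be read from /proc/net/ip_conntrack. Assumptions: the listings embedded below are constructed from the ones in the thread (the "before" POSTROUTING chain is rendered in -v form with invented counters and an assumed `-o ppp0`; the filter listing is an excerpt limited to chains a proto 41 packet on ppp0 can reach), rules carrying a match extension or specific addresses are treated as non-matching, and interface wildcards are limited to `any`, an exact name and the `tun+` prefix form.

```python
"""Static checks over an `iptables -L -v` listing (written for this thread,
not a netfilter project tool): shadowed_rules() finds rules an earlier
catch-all makes unreachable; verdict() walks a chain for a packet that has
no conntrack entry, i.e. after the proto 41 entry has timed out."""
import re
from collections import namedtuple

Rule = namedtuple("Rule", "target prot inp out src dst extra")
Chain = namedtuple("Chain", "policy rules")      # policy None = user-defined chain
TERMINAL = {"ACCEPT", "DROP", "REJECT", "RETURN", "MASQUERADE", "SNAT", "DNAT", "REDIRECT"}
TARGET_OPTS = re.compile(r"\s*(reject-with|to:|TCPMSS).*$")   # target options, not matches

def parse_listing(text):
    """Parse a verbose (-v) listing into {chain_name: Chain}."""
    chains, cur = {}, None
    for line in text.splitlines():
        f = line.split()
        if not f or f[0] in ("pkts", "target"):            # blank line or column header
            continue
        if f[0] == "Chain":
            cur = f[1]
            chains[cur] = Chain(f[3] if f[2] == "(policy" else None, [])
            continue
        target, prot, _opt, inp, out, src, dst = f[2:9]    # f[0:2] are pkts/bytes
        chains[cur].rules.append(Rule(target, prot, inp, out, src, dst,
                                      TARGET_OPTS.sub("", " ".join(f[9:]))))
    return chains

def _iface(pattern, name):
    """iptables interface match: 'any', an exact name, or a 'tun+' prefix."""
    if pattern.endswith("+"):
        return name.startswith(pattern[:-1])
    return pattern in ("any", name)

def _covers(a, b):
    """a matches every packet b can match. Conservative: exact field equality
    only (no CIDR containment), and a rule carrying a match extension never covers."""
    return (not a.extra and a.prot in ("all", b.prot)
            and a.inp in ("any", b.inp) and a.out in ("any", b.out)
            and a.src in ("anywhere", b.src) and a.dst in ("anywhere", b.dst))

def shadowed_rules(chains):
    """(chain, dead_rule_no, covering_rule_no), numbered like --line-numbers."""
    found = []
    for name, chain in chains.items():
        for i, r in enumerate(chain.rules):
            for j in range(i):
                if chain.rules[j].target in TERMINAL and _covers(chain.rules[j], r):
                    found.append((name, i + 1, j + 1))
                    break
    return found

def verdict(chains, name, prot, inp):
    """Verdict for a `prot` packet arriving on `inp` with NO conntrack entry:
    rules with a match extension (state, limit, dpt, ...) or specific addresses
    are taken as not matching; jumps are followed; RETURN and chain end fall back."""
    for r in chains[name].rules:
        if (r.extra or r.prot not in ("all", prot) or not _iface(r.inp, inp)
                or r.src != "anywhere" or r.dst != "anywhere"):
            continue
        if r.target in chains:                               # user-defined chain
            v = verdict(chains, r.target, prot, inp)
            if v is not None:
                return v
        elif r.target == "RETURN":
            break
        elif r.target in TERMINAL:
            return r.target
    return chains[name].policy                               # None: back to caller

# Constructed from the quoted first listing (counters invented, -o ppp0 assumed).
NAT_BEFORE = """\
Chain POSTROUTING (policy ACCEPT 168K packets, 12M bytes)
 pkts bytes target     prot opt in     out     source               destination
40337 3020K postrouting_rule  all  --  any    any     anywhere             anywhere
40337 3020K MASQUERADE  all  --  any    ppp0    anywhere             anywhere
    0     0 MASQUERADE !ipv6 --  any    ppp0    anywhere             anywhere
"""
# Excerpt of the thread's filter listing; rules a proto 41 packet on ppp0 cannot hit are omitted.
FILTER = """\
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
   32  4264 DROP       all  --  any    any     anywhere             anywhere            state INVALID
23403 2529K ACCEPT     all  --  any    any     anywhere             anywhere            state RELATED,ESTABLISHED
 9236 1045K input_wan  all  --  ppp0   any     anywhere             anywhere
17094 1688K LAN_ACCEPT  all  --  any    any     anywhere             anywhere
 9856 1051K REJECT     all  --  any    any     anywhere             anywhere            reject-with icmp-port-unreachable

Chain LAN_ACCEPT (1 references)
 pkts bytes target     prot opt in     out     source               destination
 9212 1044K RETURN     all  --  ppp0   any     anywhere             anywhere
 6083  579K ACCEPT     all  --  any    any     anywhere             anywhere

Chain input_wan (1 references)
 pkts bytes target     prot opt in     out     source               destination
   16   864 ACCEPT     tcp  --  any    any     anywhere             anywhere            tcp dpt:22
"""

def proto41_verdicts(listing=FILTER):
    """INPUT verdict for an inbound 6in4 packet (proto 41, listed as 'ipv6') on
    ppp0, before and after `iptables -I input_wan -p 41 -j ACCEPT`."""
    chains = parse_listing(listing)
    before = verdict(chains, "INPUT", "ipv6", "ppp0")
    chains["input_wan"].rules.insert(0, Rule("ACCEPT", "ipv6", "any", "any", "anywhere", "anywhere", ""))
    return before, verdict(chains, "INPUT", "ipv6", "ppp0")
```

On the constructed "before" chain, shadowed_rules(parse_listing(NAT_BEFORE)) returns [('POSTROUTING', 3, 2)]: the "! 41" rule is dead because rule 2 already masquerades everything leaving ppp0, which confirms the suspicion in the quoted message. proto41_verdicts() returns ('REJECT', 'ACCEPT'): without a conntrack entry the tunnel packet is not caught by the RELATED,ESTABLISHED rule, input_wan has nothing for it, LAN_ACCEPT RETURNs for ppp0, and the final catch-all REJECT answers with ICMP port unreachable; an ACCEPT for protocol 41 in input_wan is what turns that into ACCEPT. The walk is a static approximation, so treat it as a way to reason about rule order, not as a substitute for counters or the conntrack table on the box.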