Darnit, forgot to mention that if I change policy to accept, I can ping it on ipv6, so there is no upstream tampering.

On 4/4/13, Nick Edwards <nick.z.edwards@xxxxxxxxx> wrote:
> On 4/4/13, Michal Kubeček <mkubecek@xxxxxxx> wrote:
>>
>> Hard to say unless you tell us what your rules look like and what
>> packets are dropped (and you think they shouldn't be).
>
> ok, copy and paste with only minor munging
>
> #!/bin/sh
> /usr/sbin/iptables -F
> /usr/sbin/ip6tables -F
>
> /usr/sbin/iptables -P INPUT DROP
> /usr/sbin/ip6tables -P INPUT DROP
>
> /usr/sbin/iptables -P OUTPUT ACCEPT
> /usr/sbin/ip6tables -P OUTPUT ACCEPT
>
> /usr/sbin/iptables -P FORWARD DROP
> /usr/sbin/ip6tables -P FORWARD DROP
>
> /usr/sbin/iptables -A INPUT -i lo -j ACCEPT
> /usr/sbin/ip6tables -A INPUT -i lo -j ACCEPT
> /usr/sbin/ip6tables -A INPUT -s fe80::/10 -j ACCEPT
> /usr/sbin/ip6tables -A INPUT -d ff00::/8 -j ACCEPT
>
> /usr/sbin/iptables -A INPUT -s 192.168.1.0/24 -j ACCEPT
> /usr/sbin/iptables -A INPUT -s 178.x.x.x/24 -j ACCEPT
> /usr/sbin/ip6tables -A INPUT -s 2001:c01d:c01d:beef::0/64 -j ACCEPT
>
> /usr/sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> /usr/sbin/ip6tables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
>
>
> I can reach this machine from 178.x.x.x as normal. I can ssh in, and ping it.
>
> However, when I come from the ipv6 range, I can ssh in, but I cannot ping it.
>
> There are no other conditions in play on this remote machine; what you
> see is what is there.
> So I don't get why _range_ ACCEPT works for all protocols on
> ipv4, but it doesn't with ipv6.
>