Hi.

I usually have some default rules in place on all nodes which look about like this:

---------------------
-A INPUT --in-interface lo -j ACCEPT
-A OUTPUT --out-interface lo -j ACCEPT

-A INPUT -m state --state UNTRACKED -j DROP
-A FORWARD -m state --state UNTRACKED -j DROP
-A OUTPUT -m state --state UNTRACKED -j DROP

-A INPUT -m state --state INVALID -j DROP
-A FORWARD -m state --state INVALID -j DROP
-A OUTPUT -m state --state INVALID -j DROP

#handle IPsec only sources/destinations
#snip/snap

#allow incoming packets for all established and all related connections
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

#allow incoming ICMP packets
-A INPUT --protocol icmpv6 -j ACCEPT
---------------------

And the same for IPv4.

The idea with dropping the UNTRACKED/INVALID was that such packets are probably not good fellows and should stay out...

Okay... now with IPv4 everything works as expected... But with v6 nothing works at all and I get Destination unreachables (even on pings)... I can't even reach the gateway.

When I disable dropping the untracked packets... it starts working,... even when afterwards I enable it again. Seems that there is some connection between the host and the gateway shown then by conntrack.

Now... question is why?

Cheers,
Chris.
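As an added example that is not part of the post above: a small bash audit that reads an `ip6tables -S INPUT` listing and flags the ordering shown in the post (UNTRACKED dropped before any ICMPv6 accept), plus a corrected INPUT fragment. It assumes that nf_conntrack leaves the ICMPv6 control types 130-136 (MLD, RS/RA/NS/NA) and 143 (MLDv2 report) in UNTRACKED state, so an early UNTRACKED drop discards the neighbor discovery needed to reach the gateway; the sample listing is constructed to mirror the post's rules.

```bash
#!/usr/bin/env bash
# Added example, not from the original post.
# Assumption: nf_conntrack marks these ICMPv6 types UNTRACKED (never NEW),
# so "--state UNTRACKED -j DROP" placed early in INPUT drops neighbor
# discovery and MLD before the later "icmpv6 -j ACCEPT" rule can see them.
UNTRACKED_ICMPV6_TYPES="130 131 132 133 134 135 136 143"

# Constructed sample: the post's INPUT rules as `ip6tables -S INPUT` prints them.
SAMPLE_LISTING_FROM_POST='-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state UNTRACKED -j DROP
-A INPUT -m state --state INVALID -j DROP
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p ipv6-icmp -j ACCEPT'

# Reads a rule listing on stdin. Exit 0 when a rule dropping UNTRACKED state
# (either -m state --state or -m conntrack --ctstate syntax) precedes every
# rule accepting ICMPv6, i.e. the misordering from the post; exit 1 otherwise.
untracked_drop_before_icmpv6_accept() {
    awk '
        /--(ct)?state [A-Z,]*UNTRACKED/ && /-j DROP/         { if (!drop) drop = NR }
        /(-p|--protocol) (ipv6-icmp|icmpv6)/ && /-j ACCEPT/  { if (!acc)  acc  = NR }
        END { exit !(drop && (!acc || drop < acc)) }'
}

# Prints a corrected INPUT fragment in ip6tables-restore syntax: accept the
# untracked ICMPv6 control types first (ND types 133-136 additionally
# required to carry hop limit 255, as RFC 4861 demands), then drop
# UNTRACKED/INVALID, then continue with the stateful rules from the post.
corrected_ipv6_input_rules() {
    local t
    echo "-A INPUT -i lo -j ACCEPT"
    for t in $UNTRACKED_ICMPV6_TYPES; do
        if [ "$t" -ge 133 ] && [ "$t" -le 136 ]; then
            echo "-A INPUT -p ipv6-icmp --icmpv6-type $t -m hl --hl-eq 255 -j ACCEPT"
        else
            echo "-A INPUT -p ipv6-icmp --icmpv6-type $t -j ACCEPT"
        fi
    done
    echo "-A INPUT -m conntrack --ctstate UNTRACKED -j DROP"
    echo "-A INPUT -m conntrack --ctstate INVALID -j DROP"
    echo "-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    echo "-A INPUT -p ipv6-icmp -j ACCEPT"
}

# On a live host (as root):
#   ip6tables -S INPUT | untracked_drop_before_icmpv6_accept && echo "ND is dropped before accept"
#   corrected_ipv6_input_rules  # paste into the *filter section of an ip6tables-restore file
```

Verify the fix on the host with `ip -6 neigh show` (the gateway should appear as REACHABLE or STALE, not FAILED) and `conntrack -L -f ipv6`, which will never list the ND exchange itself because it is untracked.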