On 26 July 2013 03:59, Christoph Anton Mitterer <christoph.anton.mitterer@xxxxxxxxxxxxxxxxxxxxxx> wrote:
> Hi.
>
> I usually have some default rules in place on all nodes which look about
> like this:
> ---------------------
> -A INPUT --in-interface lo -j ACCEPT
> -A OUTPUT --out-interface lo -j ACCEPT
>
> -A INPUT -m state --state UNTRACKED -j DROP
> -A FORWARD -m state --state UNTRACKED -j DROP
> -A OUTPUT -m state --state UNTRACKED -j DROP
>
> -A INPUT -m state --state INVALID -j DROP
> -A FORWARD -m state --state INVALID -j DROP
> -A OUTPUT -m state --state INVALID -j DROP
>
> #handle IPsec only sources/destinations
> #snip/snap
>
> #allow incoming packets for all established and all related connections
> -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
>
> #allow incoming ICMP packets
> -A INPUT --protocol icmpv6 -j ACCEPT

Could you provide an ip6tables-save format ruleset?

> ---------------------
> And the same for IPv4.
>
> The idea with dropping the UNTRACKED/INVALID was that such packets are
> probably not good fellows and should stay out...
>
> Okay... now with IPv4 everything works as expected...
>
>
> But with v6 nothing works at all and I get Destination unreachables
> (even on pings)... I can't even reach the gateway.
>
> When I disable dropping the untracked packets... it starts working,...
> even when afterwards I enable it again.
> Seems that there is some connection between the host and the gateway
> shown then by conntrack.
>
>
> Now... question is why?

What is the default policy?

I guess you are not allowing ICMP messages in OUTPUT. ICMP messages are
important in IPv6.

Regards.
--
Arturo Borrero González
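The following ip6tables-save ruleset is an added example, not something posted in this thread. It keeps the UNTRACKED/INVALID drops from the original post but accepts Neighbor Discovery and MLD first. The reason this matters: nf_conntrack_ipv6 does not track ICMPv6 types 130 to 137 (MLD query/report/done, Router Solicitation/Advertisement, Neighbor Solicitation/Advertisement, Redirect); it hands them up with the UNTRACKED state. A `--state UNTRACKED -j DROP` that sits above any ICMPv6 accept, in INPUT or in OUTPUT, therefore discards exactly the Neighbor Solicitations and Advertisements the host needs to learn its gateway's link-layer address, which matches the "can't even reach the gateway" symptom. The chain policies and the `-m hl --hl-eq 255` hardening (RFC 4861 requires hop limit 255 on ND messages) are my choices, not the original poster's.

```text
# Added example ip6tables-save ruleset; assumes default DROP policies.
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT

# Neighbor Discovery (133-137) is never a tracked connection: conntrack
# reports it as UNTRACKED, so it must be accepted *before* the UNTRACKED
# drop below, in both directions. Hop limit 255 rejects off-link forgeries.
-A INPUT -p ipv6-icmp --icmpv6-type router-solicitation -m hl --hl-eq 255 -j ACCEPT
-A INPUT -p ipv6-icmp --icmpv6-type router-advertisement -m hl --hl-eq 255 -j ACCEPT
-A INPUT -p ipv6-icmp --icmpv6-type neighbour-solicitation -m hl --hl-eq 255 -j ACCEPT
-A INPUT -p ipv6-icmp --icmpv6-type neighbour-advertisement -m hl --hl-eq 255 -j ACCEPT
-A INPUT -p ipv6-icmp --icmpv6-type redirect -m hl --hl-eq 255 -j ACCEPT
-A OUTPUT -p ipv6-icmp --icmpv6-type router-solicitation -j ACCEPT
-A OUTPUT -p ipv6-icmp --icmpv6-type neighbour-solicitation -j ACCEPT
-A OUTPUT -p ipv6-icmp --icmpv6-type neighbour-advertisement -j ACCEPT

# MLD (130-132) is also UNTRACKED; hosts must send reports to join the
# solicited-node multicast groups that ND itself depends on.
-A INPUT -p ipv6-icmp --icmpv6-type 130 -j ACCEPT
-A INPUT -p ipv6-icmp --icmpv6-type 131 -j ACCEPT
-A INPUT -p ipv6-icmp --icmpv6-type 132 -j ACCEPT
-A OUTPUT -p ipv6-icmp --icmpv6-type 131 -j ACCEPT
-A OUTPUT -p ipv6-icmp --icmpv6-type 132 -j ACCEPT

# The state filters from the original post, now safe to apply.
-A INPUT -m state --state UNTRACKED -j DROP
-A FORWARD -m state --state UNTRACKED -j DROP
-A OUTPUT -m state --state UNTRACKED -j DROP
-A INPUT -m state --state INVALID -j DROP
-A FORWARD -m state --state INVALID -j DROP
-A OUTPUT -m state --state INVALID -j DROP

# Tracked traffic: replies in, and the remaining ICMPv6 (echo, errors
# such as packet-too-big) which conntrack does handle.
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p ipv6-icmp -j ACCEPT
-A OUTPUT -p ipv6-icmp -j ACCEPT
-A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
COMMIT
```

Load it with `ip6tables-restore < file`, then compare `ip6tables -vnL INPUT` counters on the UNTRACKED drop rule before and after a `ping6` to the gateway: with the ND rules in place the drop counter should stay flat while `ip -6 neigh show` gains a REACHABLE entry for the gateway. The observation in the thread that things keep working after the drop is re-enabled fits this picture: once the neighbour cache entry exists, traffic flows until the entry goes stale and the next Neighbor Solicitation is dropped again.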