Hi.

On Fri, 2013-07-26 at 09:07 +0200, Arturo Borrero Gonzalez wrote:
> Could you provide an ip6tables-save format ruleset?

see attachment...

> What is the default policy? I guess you are not allowing ICMP messages
> in OUTPUT. ICMP messages are important in IPv6.

No I do... It's as if ICMP was UNTRACKED.

Just removing either
-A INPUT -m state --state UNTRACKED -j DROP
or
-A OUTPUT -m state --state UNTRACKED -j DROP
alone isn't enough... I really need to remove both (for the first time).

Cheers,
Chris.
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT --in-interface lo -j ACCEPT
-A OUTPUT --out-interface lo -j ACCEPT
-A INPUT -m state --state UNTRACKED -j DROP
-A FORWARD -m state --state UNTRACKED -j DROP
-A OUTPUT -m state --state UNTRACKED -j DROP
-A INPUT -m state --state INVALID -j DROP
-A FORWARD -m state --state INVALID -j DROP
-A OUTPUT -m state --state INVALID -j DROP
#handle IPsec only sources/destinations
-A INPUT --protocol udp -m multiport --destination-ports isakmp,isakmp-nat_espinudp -j ACCEPT
-A OUTPUT --protocol udp -m multiport --destination-ports isakmp,isakmp-nat_espinudp -j ACCEPT
-N ipsec-only-in
-N ipsec-only-out
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT --protocol icmpv6 -j ACCEPT
#do not handle packets that were or are going to be IPsec processed
-A ipsec-only-in -m policy --strict --dir in --pol ipsec --mode tunnel --proto esp -j RETURN
-A ipsec-only-out -m policy --strict --dir out --pol ipsec --mode tunnel --proto esp -j RETURN
#deny all non-ESP packets (packets that are not subject to IPsec)
-A ipsec-only-in ! --protocol esp -j REJECT --reject-with icmp6-adm-prohibited
-A ipsec-only-out ! --protocol esp -j REJECT --reject-with icmp6-adm-prohibited
# other stuff...
-A INPUT -j REJECT --reject-with icmp6-port-unreachable
COMMIT
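The ordering problem behind the observation above is that the kernel's ICMPv6 conntrack handler deliberately leaves Neighbor Discovery and MLD messages untracked, so a chain that drops UNTRACKED packets before it accepts ICMPv6 silences them in that direction, and INPUT and OUTPUT each have such a rule. The following is an added example written for this thread, not code from the mail or from the netfilter project: a small Python lint that parses ip6tables-save text and, for every filter chain that drops or rejects UNTRACKED packets, reports the rule position and whether an ICMPv6 ACCEPT comes before it. The embedded ruleset is a constructed copy of the attached filter table with the IPsec-only chains left out, and all function names are mine.

```python
"""Lint an ip6tables-save ruleset: flag chains that drop UNTRACKED packets
before any ICMPv6 ACCEPT. Added example for this thread; the function
names and the constructed RULESET below are not from the mail."""

# Constructed input: the filter table from the attached ruleset, one rule
# per line, without the IPsec-only chains (they do not touch ICMPv6).
RULESET = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT --in-interface lo -j ACCEPT
-A OUTPUT --out-interface lo -j ACCEPT
-A INPUT -m state --state UNTRACKED -j DROP
-A FORWARD -m state --state UNTRACKED -j DROP
-A OUTPUT -m state --state UNTRACKED -j DROP
-A INPUT -m state --state INVALID -j DROP
-A FORWARD -m state --state INVALID -j DROP
-A OUTPUT -m state --state INVALID -j DROP
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT --protocol icmpv6 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp6-port-unreachable
COMMIT
"""


def parse_ruleset(text):
    """Return {table: {chain: [tokens, ...]}} from ip6tables-save text.

    Understands '*table', ':chain POLICY [p:b]', '-N chain', '-A chain ...',
    '#' comments and COMMIT; any other line is ignored.
    """
    tables, table = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line == "COMMIT":
            continue
        if line.startswith("*"):
            table = line[1:]
            tables[table] = {}
            continue
        if line.startswith(":"):
            tables[table].setdefault(line[1:].split()[0], [])
            continue
        tokens = line.split()
        if tokens[0] == "-N":
            tables[table].setdefault(tokens[1], [])
        elif tokens[0] == "-A":
            tables[table].setdefault(tokens[1], []).append(tokens[2:])
    return tables


def option_value(tokens, names):
    """Value of the first option in `names` that is not negated with '!'."""
    for i, tok in enumerate(tokens[:-1]):
        if tok in names and (i == 0 or tokens[i - 1] != "!"):
            return tokens[i + 1]
    return None


def conntrack_states(tokens):
    """Conntrack states the rule matches via -m state / -m conntrack."""
    value = option_value(tokens, ("--state", "--ctstate"))
    return set(value.split(",")) if value else set()


def is_icmpv6_accept(tokens):
    """True for a rule that accepts ICMPv6 under any spelling ip6tables takes."""
    proto = option_value(tokens, ("-p", "--protocol"))
    target = option_value(tokens, ("-j", "--jump"))
    return proto in ("icmpv6", "ipv6-icmp", "58") and target == "ACCEPT"


def untracked_drops(tables, table="filter"):
    """Per chain: index of the rule dropping/rejecting UNTRACKED packets and
    whether an ICMPv6 ACCEPT appears earlier in the same chain."""
    findings = {}
    for chain, rules in tables.get(table, {}).items():
        icmpv6_accepted = False
        for index, rule in enumerate(rules):
            if is_icmpv6_accept(rule):
                icmpv6_accepted = True
            target = option_value(rule, ("-j", "--jump"))
            if "UNTRACKED" in conntrack_states(rule) and target in ("DROP", "REJECT"):
                findings[chain] = {"rule_index": index,
                                   "icmpv6_accepted_before": icmpv6_accepted}
    return findings


def chains_silencing_icmpv6(text):
    """Chains in which UNTRACKED packets are dropped before ICMPv6 is accepted."""
    report = untracked_drops(parse_ruleset(text))
    return sorted(c for c, f in report.items() if not f["icmpv6_accepted_before"])


if __name__ == "__main__":
    for chain, finding in untracked_drops(parse_ruleset(RULESET)).items():
        print(chain, finding)
    print("ICMPv6 silenced in:", chains_silencing_icmpv6(RULESET))
```

Feed it the output of ip6tables-save and it lists every chain that needs an ICMPv6 accept placed ahead of the UNTRACKED drop; on the attached ruleset that is INPUT, FORWARD and OUTPUT, which is why dropping only one of the two UNTRACKED rules still leaves the other direction blocked.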