Re: net unreachable ipv6

On 8/2/13, Eliezer Croitoru <eliezer@xxxxxxxxxxxx> wrote:
> On 08/01/2013 05:28 PM, Nick Edwards wrote:
>> and before anyone asks, yes, IPv4 works perfect
> What is the command you use to ping?
> Also, please try to just post the IPv6 rules so we can read them, and assume
> that if you are asking about IPv6 this is your major problem.
>
> Eliezer
>
ping6 any_hostname
ping6 any_ipv6_ip

It's not just ping; perhaps it's a side effect or unrelated, but the main
purpose of my post is that it runs a mail server which is unreachable on
IPv6 when ip6tables is active.

In point form the problem is:

1/  INPUT policy set to drop all traffic
2/  a complete accept rule for the remote host so it can access any port
3/  an accept rule for the mail port from anyone

So there are two conditions that say let-me-in, but iptables is not
honoring EITHER of the accept rules. This is how it always worked with
IPv4 regardless of ICMP settings, but apparently not with IPv6, or
the mail server (inc. ssh) would be reachable.

Even with the policy set to drop, as with #2 above (a complete access rule
for any port), it should be able to ping in.

Further, the ping out is via a default OUTPUT policy of ACCEPT, so
even if it hissies at inbound it should be unhindered for anything
outbound.


/usr/sbin/ip6tables -F

/usr/sbin/ip6tables -P INPUT DROP
/usr/sbin/ip6tables -P OUTPUT ACCEPT
/usr/sbin/ip6tables -P FORWARD DROP

/usr/sbin/ip6tables -A INPUT -i lo -j ACCEPT
/usr/sbin/ip6tables -A INPUT -s fe80::/10 -j ACCEPT
/usr/sbin/ip6tables -A INPUT -d ff00::/8 -j ACCEPT

/usr/sbin/ip6tables -A INPUT -s 2a00:1c18:401:c00::531:2 -j ACCEPT
/usr/sbin/ip6tables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
/usr/sbin/ip6tables -A INPUT -p tcp --dport 25 -j ACCEPT

/usr/sbin/ip6tables -A INPUT -p icmpv6 --icmpv6-type 1 -j ACCEPT
/usr/sbin/ip6tables -A INPUT -p icmpv6 --icmpv6-type 2 -j ACCEPT
/usr/sbin/ip6tables -A INPUT -p icmpv6 --icmpv6-type 3 -j ACCEPT
/usr/sbin/ip6tables -A INPUT -p icmpv6 --icmpv6-type 4 -j ACCEPT
/usr/sbin/ip6tables -A INPUT -p icmpv6 -j DROP
^^ I even commented that line out which made no difference

Thanks
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
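The ruleset in the post can be traced offline to see which ICMPv6 messages it admits. The Python script below is an added example, not code from the post or from the netfilter project: it parses the posted INPUT rules (copied verbatim, including the `-p icmpv6 -j DROP` catch-all), runs a handful of constructed packets through a first-match model of the chain, and repeats the run with the RFC 4890 section 4.4.1 Neighbor Discovery rules (types 133 to 137, matched with `-m hl --hl-eq 255` because NDP always arrives with hop limit 255, plus echo request) inserted ahead of the catch-all. The addresses (2001:db8::/32 documentation prefix, a gateway that answers from a global address, fe80::1 as the router's link-local), the interface name eth0, and each packet's conntrack state are assumptions of the model; in particular it assumes, as the kernel's ICMPv6 conntrack does, that NDP packets are left UNTRACKED, so the ESTABLISHED,RELATED rule never matches them. The model only covers the options the posted rules use and only the INPUT chain.

```python
# Trace constructed IPv6 packets through an ip6tables INPUT chain and report the verdict.
import ipaddress
import shlex

# The INPUT chain from the post, in the order the rules were issued.
POSTED_RULES = """\
-P INPUT DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -s fe80::/10 -j ACCEPT
-A INPUT -d ff00::/8 -j ACCEPT
-A INPUT -s 2a00:1c18:401:c00::531:2 -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 25 -j ACCEPT
-A INPUT -p icmpv6 --icmpv6-type 1 -j ACCEPT
-A INPUT -p icmpv6 --icmpv6-type 2 -j ACCEPT
-A INPUT -p icmpv6 --icmpv6-type 3 -j ACCEPT
-A INPUT -p icmpv6 --icmpv6-type 4 -j ACCEPT
-A INPUT -p icmpv6 -j DROP"""

# Added here, not from the post: RFC 4890 s4.4.1 NDP messages (types 133-137) arrive with
# hop limit 255 and conntrack leaves them UNTRACKED, so ESTABLISHED,RELATED never matches
# them.  Type 128 (echo request) is added so the host can be pinged.
NDP_RULES = ["-A INPUT -p icmpv6 --icmpv6-type %d -m hl --hl-eq 255 -j ACCEPT" % t
             for t in (133, 134, 135, 136, 137)]
NDP_RULES.append("-A INPUT -p icmpv6 --icmpv6-type 128 -j ACCEPT")

def fixed_ruleset():
    """POSTED_RULES with NDP_RULES inserted just before the final icmpv6 DROP."""
    lines = POSTED_RULES.splitlines()
    return "\n".join(lines[:-1] + NDP_RULES + lines[-1:])

def without_catchall():
    """POSTED_RULES with the final '-p icmpv6 -j DROP' commented out, as the poster tried."""
    return "\n".join(POSTED_RULES.splitlines()[:-1])

FIELD = {"-i": "iface", "-s": "src", "-d": "dst", "-p": "proto", "--dport": "dport",
         "--icmpv6-type": "icmp_type", "--hl-eq": "hl", "--ctstate": "ctstate", "-j": "target"}

def parse_rules(text):
    """Parse '-P INPUT <policy>' and '-A INPUT ...' lines into (policy, [rule dicts])."""
    policy, rules = "ACCEPT", []
    for line in text.strip().splitlines():
        argv = shlex.split(line)
        if argv[:2] == ["-P", "INPUT"]:
            policy = argv[2]
            continue
        if argv[:2] != ["-A", "INPUT"]:
            raise ValueError("only INPUT chain rules are modelled: " + line)
        rule = {}
        for opt, val in zip(argv[2::2], argv[3::2]):   # every modelled option takes one value
            if opt == "-m":             # '-m conntrack' / '-m hl' only name the extension
                continue
            field = FIELD[opt]          # KeyError: an option this model does not understand
            if field in ("src", "dst"):
                val = ipaddress.ip_network(val)
            elif field in ("dport", "icmp_type", "hl"):
                val = int(val)
            elif field == "ctstate":
                val = set(val.split(","))
            rule[field] = val
        rules.append(rule)
    return policy, rules

def matches(rule, pkt):
    """All predicates must hold; prefixes and ctstate sets are tested with 'in'."""
    return all((pkt[f] in w) if isinstance(w, (ipaddress.IPv6Network, set)) else pkt[f] == w
               for f, w in rule.items() if f != "target")

def verdict(policy, rules, pkt):
    """First matching rule decides (ACCEPT and DROP both terminate); else the chain policy."""
    return next((r["target"] for r in rules if matches(r, pkt)), policy)

def packet(src, dst, proto="icmpv6", icmp_type=None, dport=None, hl=255, ctstate="UNTRACKED"):
    """Constructed packet arriving on eth0; defaults suit NDP (hop limit 255, untracked)."""
    return dict(iface="eth0", src=ipaddress.ip_address(src), dst=ipaddress.ip_address(dst),
                proto=proto, icmp_type=icmp_type, dport=dport, hl=hl, ctstate=ctstate)

# Constructed topology (documentation prefix): the gateway answers from a global address.
HOST, GW, NEIGHBOUR, REMOTE = "2001:db8:1::25", "2001:db8:1::1", "2001:db8:1::7", "2001:db8:ffff::9"
SCENARIOS = {
    "RA from router link-local":              packet("fe80::1", "ff02::1", icmp_type=134),
    "multicast NS from global neighbour":     packet(NEIGHBOUR, "ff02::1:ff00:25", icmp_type=135),
    "unicast NS (NUD) from global neighbour": packet(NEIGHBOUR, HOST, icmp_type=135),
    "unicast NA from global gateway":         packet(GW, HOST, icmp_type=136),
    "echo request from the internet":         packet(REMOTE, HOST, icmp_type=128, hl=57, ctstate="NEW"),
    "echo reply to our own ping":             packet(REMOTE, HOST, icmp_type=129, hl=57, ctstate="ESTABLISHED"),
    "SMTP from anyone":                       packet(REMOTE, HOST, proto="tcp", dport=25, hl=57, ctstate="NEW"),
}

def audit(rules_text):
    """Map each scenario name to the verdict the given INPUT chain gives it."""
    policy, rules = parse_rules(rules_text)
    return {name: verdict(policy, rules, pkt) for name, pkt in SCENARIOS.items()}

if __name__ == "__main__":
    before, after = audit(POSTED_RULES), audit(fixed_ruleset())
    for name in SCENARIOS:
        print("%-40s posted: %-6s with NDP rules: %s" % (name, before[name], after[name]))
```

Running it prints one line per scenario. Router Advertisements from a link-local source and multicast Neighbor Solicitations are admitted by the posted chain through the `fe80::/10` and `ff00::/8` rules, and SMTP and the replies to the host's own pings are admitted by their explicit rules; the verdicts that differ are the unicast Neighbor Advertisement from a gateway that answers from a global address, the unicast Neighbor Solicitation a neighbour sends for reachability detection, and inbound echo requests. In the posted chain all three fall through to the icmpv6 DROP, and to the INPUT policy when that line is commented out, which is why removing it changed nothing; the host therefore only completes neighbour resolution with peers that answer from a link-local address. On the real box, `ip6tables -L INPUT -n -v` shows which rule's counters grow during a failed ping6, and `ip -6 neigh` shows whether the gateway's entry is stuck in INCOMPLETE or FAILED while its advertisements are being dropped.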