On 22/08/2017 16:59, Walter H. wrote:
On Tue, August 22, 2017 16:47, Mark Coetser wrote:
On 22/08/2017 16:42, Walter H. wrote:
Hello,
I have these rules at the beginning of /etc/sysconfig/ip6tables
# Filter all packets with state INVALID
-A INPUT -m state --state INVALID -j DROP
-A FORWARD -m state --state INVALID -j DROP
-A OUTPUT -m state --state INVALID -j DROP
and on bottom these rules:
# Log all other
-A INPUT -j LOG --log-prefix "IPv6[IN]: " --log-level 7
-A FORWARD -j LOG --log-prefix "IPv6[FWD]: " --log-level 7
-A OUTPUT -j LOG --log-prefix "IPv6[OUT]: " --log-level 7
which rule would have caught these logged packets:
[70223.386265] IPv6[FWD]: IN=sit1 OUT=br0
SRC=2a00:1450:4001:081a:0000:0000:0000:200e DST=myipv6addr LEN=123 TC=0
HOPLIMIT=60 FLOWLBL=617912 PROTO=TCP SPT=443 DPT=59073 WINDOW=1171
RES=0x00 ACK PSH URGP=0
[70232.150311] IPv6[FWD]: IN=sit1 OUT=br0
SRC=2a00:1450:4001:081a:0000:0000:0000:200e DST=myipv6addr LEN=123 TC=0
HOPLIMIT=60 FLOWLBL=949795 PROTO=TCP SPT=443 DPT=59073 WINDOW=1171
RES=0x00 ACK PSH URGP=0
[70249.740932] IPv6[FWD]: IN=sit1 OUT=br0
SRC=2a00:1450:4001:081a:0000:0000:0000:200e DST=myipv6addr LEN=123 TC=0
HOPLIMIT=60 FLOWLBL=811062 PROTO=TCP SPT=443 DPT=59073 WINDOW=1171
RES=0x00 ACK PSH URGP=0
those logged packets are from packets traversing your filter FORWARD
chain, obviously no rule is matching, which is why it's triggering the last
rule, which is
-A FORWARD -j LOG --log-prefix "IPv6[FWD]: " --log-level 7
of course, and which rule would I have to add before this rule, so that
these are not logged ...?
It depends on what you want to allow, if you want to allow all traffic
between interface sit1 and br0
-I FORWARD -i sit1 -o br0 -j ACCEPT
although the logged packets above show the source port being tcp/443
which means this connection came in br0 and out sit1 so you are probably
missing an established/related rule.
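
Added example, not part of the original thread: a small Python triage script that applies the reasoning in the last reply (ACK packets from a service port to a high port are return traffic) to LOG lines in this format. The sample lines, the 1024 port threshold and all function names are assumptions made for illustration.

```python
import re
from collections import Counter

# Constructed sample in the LOG format shown in the thread; addresses are
# documentation-range placeholders, not values from the post.
SAMPLE_LOG = """\
[70223.386265] IPv6[FWD]: IN=sit1 OUT=br0 SRC=2001:db8:1::200e DST=2001:db8:2::10 LEN=123 TC=0 HOPLIMIT=60 FLOWLBL=617912 PROTO=TCP SPT=443 DPT=59073 WINDOW=1171 RES=0x00 ACK PSH URGP=0
[70232.150311] IPv6[FWD]: IN=sit1 OUT=br0 SRC=2001:db8:1::200e DST=2001:db8:2::10 LEN=123 TC=0 HOPLIMIT=60 FLOWLBL=949795 PROTO=TCP SPT=443 DPT=59073 WINDOW=1171 RES=0x00 ACK PSH URGP=0
[70300.000001] IPv6[FWD]: IN=sit1 OUT=br0 SRC=2001:db8:3::5 DST=2001:db8:2::10 LEN=80 TC=0 HOPLIMIT=55 FLOWLBL=0 PROTO=TCP SPT=51515 DPT=22 WINDOW=64800 RES=0x00 SYN URGP=0
"""

LINE_RE = re.compile(r"^\[\s*[\d.]+\]\s+(?P<prefix>.+?): (?P<rest>IN=.*)$")
TCP_FLAGS = {"SYN", "ACK", "PSH", "FIN", "RST", "URG"}

def parse_line(line):
    """Return (prefix, fields, flags) for one LOG line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    tokens = m.group("rest").split()
    fields = dict(t.split("=", 1) for t in tokens if "=" in t)
    flags = {t for t in tokens if t in TCP_FLAGS}
    return m.group("prefix"), fields, flags

def classify(fields, flags):
    """Heuristic guess at the packet's role from TCP flags and port numbers."""
    if fields.get("PROTO") != "TCP":
        return "other"
    spt, dpt = int(fields["SPT"]), int(fields["DPT"])
    if "SYN" in flags and "ACK" not in flags:
        return "new-connection"
    # ACK from a well-known port to a high port: return traffic of a
    # connection that was opened in the opposite direction.
    if "ACK" in flags and spt < 1024 <= dpt:
        return "reply"
    return "other"

def summarize(log_text):
    """Count logged packets per (prefix, in-interface, out-interface, role)."""
    counts = Counter()
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed:
            prefix, fields, flags = parsed
            counts[(prefix, fields.get("IN"), fields.get("OUT"), classify(fields, flags))] += 1
    return counts

if __name__ == "__main__":
    for (prefix, i, o, role), n in summarize(SAMPLE_LOG).items():
        print(f"{prefix} {i}->{o} {role}: {n}")
        if role == "reply":
            print("  hint: reply traffic reached the LOG rule; look for a missing")
            print("  ESTABLISHED,RELATED accept rule ahead of it in this chain")
```

The port test is a heuristic only; the connection tracking state of a packet is what an established/related rule actually matches on.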