Re: IPv6: unknown packet logged ...

On 22.08.2017 17:40, Mark Coetser wrote:

On 22/08/2017 17:36, Walter H. wrote:
On 22.08.2017 17:08, Mark Coetser wrote:
On 22/08/2017 16:59, Walter H. wrote:
On Tue, August 22, 2017 16:47, Mark Coetser wrote:
On 22/08/2017 16:42, Walter H. wrote:
Hello,

I have these rules at the beginning of /etc/sysconfig/ip6tables

# Filter all packets with state INVALID
-A INPUT -m state --state INVALID -j DROP
-A FORWARD -m state --state INVALID -j DROP
-A OUTPUT -m state --state INVALID -j DROP

and on bottom these rules:

# Log all other
-A INPUT -j LOG --log-prefix "IPv6[IN]: " --log-level 7
-A FORWARD -j LOG --log-prefix "IPv6[FWD]: " --log-level 7
-A OUTPUT -j LOG --log-prefix "IPv6[OUT]: " --log-level 7

which rule would have caught these logged packets:

[70223.386265] IPv6[FWD]: IN=sit1 OUT=br0 SRC=2a00:1450:4001:081a:0000:0000:0000:200e DST=myipv6addr LEN=123 TC=0 HOPLIMIT=60 FLOWLBL=617912 PROTO=TCP SPT=443 DPT=59073 WINDOW=1171 RES=0x00 ACK PSH URGP=0
[70232.150311] IPv6[FWD]: IN=sit1 OUT=br0 SRC=2a00:1450:4001:081a:0000:0000:0000:200e DST=myipv6addr LEN=123 TC=0 HOPLIMIT=60 FLOWLBL=949795 PROTO=TCP SPT=443 DPT=59073 WINDOW=1171 RES=0x00 ACK PSH URGP=0
[70249.740932] IPv6[FWD]: IN=sit1 OUT=br0 SRC=2a00:1450:4001:081a:0000:0000:0000:200e DST=myipv6addr LEN=123 TC=0 HOPLIMIT=60 FLOWLBL=811062 PROTO=TCP SPT=443 DPT=59073 WINDOW=1171 RES=0x00 ACK PSH URGP=0

those logged packets are from packets traversing your filter FORWARD
chain obviously no rule is matching which is why its triggering the last
rule which is

-A FORWARD -j LOG --log-prefix "IPv6[FWD]: " --log-level 7

of course, and which rule would I have to add before this rule, so that
these are not logged ...?

It depends on what you want to allow, if you want to allow all traffic between interface sit1 and br0

-I FORWARD -i sit1 -o br0 -j ACCEPT

Although the logged packets above show the source port being tcp/443, which means this connection came in br0 and out sit1, so you are probably missing an established/related rule.
These rules are after dropping invalid and before logging:

# Enable forwarding to IPv6-Tunnel interface
-A FORWARD -i br0 -o sit1 -j ACCEPT
# Enable established, related packets back through
-I FORWARD -i sit1 -o br0 -m state --state ESTABLISHED,RELATED -j ACCEPT

so I have the problem that I cannot really know why these packets were logged ...

Without seeing your whole ruleset, or at least your filter forward rules, it's pretty hard to tell. As for the established/related rule, you don't have to specify the input/output interfaces.

ip6tables-save results in this:

# Generated by ip6tables-save v1.4.7 on Tue Aug 22 17:44:04 2017
*filter
:INPUT DROP [0:0]
:FORWARD DROP [17:7812]
:OUTPUT DROP [0:0]
-A INPUT -i sit1 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m rt --rt-type 0 -j DROP
-A INPUT -m state --state INVALID -j DROP
-A INPUT -s fe80::/10 -j ACCEPT
-A INPUT -d ff00::/8 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i br0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s myprefix::/64 -d fe80::/10 -i br0 -j ACCEPT
-A INPUT -s fe80::/10 -d ff02::1:2/128 -i br0 -p tcp -m tcp -m multiport --dports 546,547 -j ACCEPT
-A INPUT -s fe80::/10 -d ff02::1:2/128 -i br0 -p udp -m udp -m multiport --dports 546,547 -j ACCEPT
-A INPUT -i br0 -p ipv6-icmp -j ACCEPT
-A INPUT -i br0 -p udp -m udp --sport 32769:65535 --dport 33434:33523 -j ACCEPT
-A INPUT -i br0 -p tcp -m tcp --dport 53 -m state --state NEW -j ACCEPT
-A INPUT -i br0 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i br0 -p tcp -m tcp --dport 80 -m state --state NEW -j ACCEPT
-A INPUT -i br0 -p tcp -m tcp --dport 443 -m state --state NEW -j ACCEPT
-A INPUT -i br0 -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT
-A INPUT -i br0 -p tcp -m tcp --dport 3128 -m state --state NEW -j ACCEPT
-A INPUT -i sit1 -p ipv6-icmp -j ACCEPT
-A INPUT -i sit1 -p ipv6-icmp -j ACCEPT
-A INPUT -i sit1 -p udp -m udp --sport 32769:65535 --dport 33434:33523 -j ACCEPT
-A INPUT -i sit1 -p tcp -m tcp --dport 53 -m state --state NEW -j ACCEPT
-A INPUT -i br0 -p udp -m udp --dport 5353 -j DROP
-A INPUT -i sit1 -p tcp -m tcp --dport 21 -j DROP
-A INPUT -i sit1 -p tcp -m tcp --dport 22 -j DROP
-A INPUT -i sit1 -p tcp -m tcp --dport 23 -j DROP
-A INPUT -i sit1 -p tcp -m tcp --dport 80 -j DROP
-A INPUT -i sit1 -p tcp -m tcp --dport 443 -j DROP
-A INPUT -i sit1 -p tcp -m tcp --dport 3128 -j DROP
-A INPUT -j LOG --log-prefix "IPv6[IN]: " --log-level 7
-A FORWARD -i sit1 -o br0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -m rt --rt-type 0 -j DROP
-A FORWARD -m state --state INVALID -j DROP
-A FORWARD -i br0 -o br0 -j ACCEPT
-A FORWARD -i br0 -o sit1 -p tcp -m tcp --dport 25 -j LOG --log-prefix "IPv6[FWD-SMTP(out)]: " --log-level 7
-A FORWARD -i br0 -o sit1 -p tcp -m tcp --dport 25 -j DROP
-A FORWARD -i br0 -o sit1 -j ACCEPT
-A FORWARD -j LOG --log-prefix "IPv6[FWD]: " --log-level 7
-A OUTPUT -m rt --rt-type 0 -j DROP
-A OUTPUT -m state --state INVALID -j DROP
-A OUTPUT -s fe80::/10 -j ACCEPT
-A OUTPUT -d ff00::/8 -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -o br0 -j ACCEPT
-A OUTPUT -o sit1 -j ACCEPT
-A OUTPUT -j LOG --log-prefix "IPv6[OUT]: " --log-level 7
COMMIT
# Completed on Tue Aug 22 17:44:04 2017

br0 is LAN port
sit1 is HE-tunnel port

Thanks,
Walter
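Added illustration, not part of the thread or of anything the participants posted: a small Python script that parses one of the logged records above and walks the FORWARD chain from the ip6tables-save output, reporting which rule fires for each conntrack classification the packet could carry. The chain, its DROP policy and the sample log record are transcribed from this message (the record is re-joined onto one line, as the kernel emits it; "myipv6addr" is the poster's own redaction and is kept as-is); the function names and the rule encoding are my own. What it shows is that a sit1 -> br0 segment can only reach the final LOG rule if conntrack classifies it as NEW: ESTABLISHED/RELATED is accepted by rule 1, INVALID is dropped by rule 3, and a NEW packet matches nothing except the catch-all LOG and then falls through to the chain policy. A bare ACK/PSH segment is classified NEW rather than INVALID when no conntrack entry exists for the flow and net.netfilter.nf_conntrack_tcp_loose is 1 (the kernel default), which lets conntrack pick a TCP connection up mid-stream; with tcp_loose set to 0 the same segment is INVALID and would be dropped silently by rule 3.

```python
"""Walk the posted ip6tables FORWARD chain for a logged packet and report
which rule would fire under each conntrack state.  Added illustration for
this thread; the rule list is transcribed from the ip6tables-save output,
the sample log line is one of the three quoted records re-joined onto a
single line.  Rule encoding, function names and the LOG-is-non-terminating
handling are mine, not ip6tables code."""

import re

# Constructed sample: the first record quoted in the thread, on one line.
SAMPLE_LOG = (
    "[70223.386265] IPv6[FWD]: IN=sit1 OUT=br0 "
    "SRC=2a00:1450:4001:081a:0000:0000:0000:200e DST=myipv6addr LEN=123 TC=0 "
    "HOPLIMIT=60 FLOWLBL=617912 PROTO=TCP SPT=443 DPT=59073 WINDOW=1171 "
    "RES=0x00 ACK PSH URGP=0"
)

LOG_FIELD = re.compile(r"(\w+)=(\S*)")
TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}


def parse_log_line(line):
    """Turn a kernel LOG target record into a dict of its KEY=VALUE fields.
    Bare tokens such as ACK/PSH are collected into a 'flags' set and the
    numeric fields a rule might compare against are converted to int."""
    pkt = {k.lower(): v for k, v in LOG_FIELD.findall(line)}
    pkt["flags"] = {tok for tok in line.split() if tok in TCP_FLAGS}
    for key in ("spt", "dpt", "len", "hoplimit"):
        if key in pkt:
            pkt[key] = int(pkt[key])
    return pkt


# The FORWARD chain exactly as posted, in order.  A key left out of a match
# dict means "any".  'state' is the conntrack classification of the packet.
FORWARD_CHAIN = [
    ({"in": "sit1", "out": "br0", "state": {"RELATED", "ESTABLISHED"}}, "ACCEPT"),
    ({"rt_type": 0}, "DROP"),
    ({"state": {"INVALID"}}, "DROP"),
    ({"in": "br0", "out": "br0"}, "ACCEPT"),
    ({"in": "br0", "out": "sit1", "proto": "TCP", "dpt": 25}, "LOG"),
    ({"in": "br0", "out": "sit1", "proto": "TCP", "dpt": 25}, "DROP"),
    ({"in": "br0", "out": "sit1"}, "ACCEPT"),
    ({}, "LOG"),
]
FORWARD_POLICY = "DROP"  # from ":FORWARD DROP [17:7812]"


def rule_matches(match, pkt, state):
    """True if every condition in the rule's match dict holds for the packet."""
    for key, want in match.items():
        if key == "state":
            if state not in want:
                return False
        elif key == "rt_type":
            # A LOG record does not print extension headers, so we assume
            # no type-0 routing header is present (assumption of this model).
            if pkt.get("rt_type") != want:
                return False
        elif pkt.get(key) != want:
            return False
    return True


def walk_chain(pkt, state, chain=FORWARD_CHAIN, policy=FORWARD_POLICY):
    """Return (verdict, [1-based indices of rules that matched]).
    LOG is the only non-terminating target in this chain: it fires and
    evaluation continues; ACCEPT/DROP end the walk; otherwise the policy applies."""
    hits = []
    for idx, (match, target) in enumerate(chain, 1):
        if rule_matches(match, pkt, state):
            hits.append(idx)
            if target != "LOG":
                return target, hits
    return policy, hits


def explain(line):
    """Map each possible conntrack state to the verdict the posted chain gives."""
    pkt = parse_log_line(line)
    return {s: walk_chain(pkt, s) for s in ("ESTABLISHED", "RELATED", "NEW", "INVALID")}


if __name__ == "__main__":
    for state, (verdict, hits) in explain(SAMPLE_LOG).items():
        print(f"{state:<12} -> {verdict:<7} via rules {hits}")
```

Run with python3; for the sample record it reports ACCEPT via rule 1 for ESTABLISHED and RELATED, DROP via rule 3 for INVALID, and for NEW a hit on rule 8 (the LOG) followed by the chain policy DROP, which is exactly the "logged, then silently dropped" behaviour seen in the thread. The practical follow-up on the router itself is to check whether a conntrack entry for the 443 <-> 59073 flow still exists at the moment the log line appears (for example with conntrack -L -f ipv6 from conntrack-tools) and whether net.netfilter.nf_conntrack_tcp_loose is set; the `[17:7812]` policy counter in the dump already shows that 17 forwarded packets ended in the policy DROP.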
