Re: IPv6: unknown packet logged ...


 




On 22/08/2017 17:52, Walter H. wrote:
ip6tables-save results in this:

# Generated by ip6tables-save v1.4.7 on Tue Aug 22 17:44:04 2017
*filter
:INPUT DROP [0:0]
:FORWARD DROP [17:7812]
:OUTPUT DROP [0:0]
-A INPUT -i sit1 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m rt --rt-type 0 -j DROP
-A INPUT -m state --state INVALID -j DROP
-A INPUT -s fe80::/10 -j ACCEPT
-A INPUT -d ff00::/8 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i br0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s myprefix::/64 -d fe80::/10 -i br0 -j ACCEPT
-A INPUT -s fe80::/10 -d ff02::1:2/128 -i br0 -p tcp -m tcp -m multiport --dports 546,547 -j ACCEPT
-A INPUT -s fe80::/10 -d ff02::1:2/128 -i br0 -p udp -m udp -m multiport --dports 546,547 -j ACCEPT
-A INPUT -i br0 -p ipv6-icmp -j ACCEPT
-A INPUT -i br0 -p udp -m udp --sport 32769:65535 --dport 33434:33523 -j ACCEPT
-A INPUT -i br0 -p tcp -m tcp --dport 53 -m state --state NEW -j ACCEPT
-A INPUT -i br0 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i br0 -p tcp -m tcp --dport 80 -m state --state NEW -j ACCEPT
-A INPUT -i br0 -p tcp -m tcp --dport 443 -m state --state NEW -j ACCEPT
-A INPUT -i br0 -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT
-A INPUT -i br0 -p tcp -m tcp --dport 3128 -m state --state NEW -j ACCEPT
-A INPUT -i sit1 -p ipv6-icmp -j ACCEPT
-A INPUT -i sit1 -p ipv6-icmp -j ACCEPT
-A INPUT -i sit1 -p udp -m udp --sport 32769:65535 --dport 33434:33523 -j ACCEPT
-A INPUT -i sit1 -p tcp -m tcp --dport 53 -m state --state NEW -j ACCEPT
-A INPUT -i br0 -p udp -m udp --dport 5353 -j DROP
-A INPUT -i sit1 -p tcp -m tcp --dport 21 -j DROP
-A INPUT -i sit1 -p tcp -m tcp --dport 22 -j DROP
-A INPUT -i sit1 -p tcp -m tcp --dport 23 -j DROP
-A INPUT -i sit1 -p tcp -m tcp --dport 80 -j DROP
-A INPUT -i sit1 -p tcp -m tcp --dport 443 -j DROP
-A INPUT -i sit1 -p tcp -m tcp --dport 3128 -j DROP
-A INPUT -j LOG --log-prefix "IPv6[IN]: " --log-level 7
-A FORWARD -i sit1 -o br0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -m rt --rt-type 0 -j DROP
-A FORWARD -m state --state INVALID -j DROP
-A FORWARD -i br0 -o br0 -j ACCEPT
-A FORWARD -i br0 -o sit1 -p tcp -m tcp --dport 25 -j LOG --log-prefix "IPv6[FWD-SMTP(out)]: " --log-level 7
-A FORWARD -i br0 -o sit1 -p tcp -m tcp --dport 25 -j DROP
-A FORWARD -i br0 -o sit1 -j ACCEPT
-A FORWARD -j LOG --log-prefix "IPv6[FWD]: " --log-level 7
-A OUTPUT -m rt --rt-type 0 -j DROP
-A OUTPUT -m state --state INVALID -j DROP
-A OUTPUT -s fe80::/10 -j ACCEPT
-A OUTPUT -d ff00::/8 -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -o br0 -j ACCEPT
-A OUTPUT -o sit1 -j ACCEPT
-A OUTPUT -j LOG --log-prefix "IPv6[OUT]: " --log-level 7
COMMIT
# Completed on Tue Aug 22 17:44:04 2017

br0 is LAN port
sit1 is HE-tunnel port

Thanks,
Walter


Looks fine to me, unless conntrack isn't picking those packets up as established/related to the initial connection.
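An added example, not part of the thread: a first-match walk over the quoted INPUT chain for a few constructed packets, showing that a reply segment arriving over the tunnel is accepted only while conntrack classifies it as ESTABLISHED; once it is seen as NEW nothing else on sit1 accepts it, so it reaches the final "IPv6[IN]: " LOG rule and the DROP policy, which is exactly the logged "unknown packet". Rule order, interfaces and ports are taken from the dump; the Pkt/walk names, the sample addresses and the packet values are constructed.

```python
from dataclasses import dataclass

@dataclass
class Pkt:
    """One inbound packet as ip6tables sees it; the conntrack state is an input."""
    iface: str                 # "sit1" (HE tunnel), "br0" (LAN) or "lo"
    proto: str                 # "tcp", "udp" or "icmpv6"
    state: str                 # "NEW", "ESTABLISHED", "RELATED" or "INVALID"
    sport: int = 0
    dport: int = 0
    src: str = "2001:db8::1"   # constructed sample addresses, not from the thread
    dst: str = "2001:db8::2"

def _traceroute(p):            # udp --sport 32769:65535 --dport 33434:33523
    return p.proto == "udp" and 32769 <= p.sport <= 65535 and 33434 <= p.dport <= 33523

# First-match model of the quoted INPUT chain in its original order. The rt-type 0,
# "myprefix::/64 -> fe80::/10" and DHCPv6 (ff02::1:2) rules are left out: the sample
# packets never match them, and "-s fe80::/10 -j ACCEPT" shadows the DHCPv6 ones anyway.
INPUT = [
    (lambda p: p.iface == "sit1" and p.state in ("RELATED", "ESTABLISHED"), "ACCEPT", "sit1 established"),
    (lambda p: p.state == "INVALID", "DROP", "state INVALID"),
    (lambda p: p.src.lower().startswith("fe80:"), "ACCEPT", "src fe80::/10"),   # fe80: approximates /10
    (lambda p: p.dst.lower().startswith("ff"), "ACCEPT", "dst ff00::/8"),
    (lambda p: p.iface == "lo", "ACCEPT", "loopback"),
    (lambda p: p.iface == "br0" and p.state in ("RELATED", "ESTABLISHED"), "ACCEPT", "br0 established"),
    (lambda p: p.iface == "br0" and p.proto == "icmpv6", "ACCEPT", "br0 icmpv6"),
    (lambda p: p.iface == "br0" and _traceroute(p), "ACCEPT", "br0 traceroute"),
    (lambda p: p.iface == "br0" and p.proto == "tcp" and p.state == "NEW"
               and p.dport in (53, 80, 443, 22, 3128), "ACCEPT", "br0 tcp service"),
    (lambda p: p.iface == "br0" and p.proto == "udp" and p.dport == 53, "ACCEPT", "br0 dns udp"),
    (lambda p: p.iface == "sit1" and p.proto == "icmpv6", "ACCEPT", "sit1 icmpv6"),
    (lambda p: p.iface == "sit1" and _traceroute(p), "ACCEPT", "sit1 traceroute"),
    (lambda p: p.iface == "sit1" and p.proto == "tcp" and p.state == "NEW" and p.dport == 53, "ACCEPT", "sit1 dns tcp"),
    (lambda p: p.iface == "br0" and p.proto == "udp" and p.dport == 5353, "DROP", "br0 mdns"),
    (lambda p: p.iface == "sit1" and p.proto == "tcp" and p.dport in (21, 22, 23, 80, 443, 3128), "DROP", "sit1 blocked tcp"),
    (lambda p: True, "LOG", 'logged with "IPv6[IN]: ", then chain policy DROP'),
]

def walk(p):
    """Return (target, rule description) of the first rule in INPUT that matches p."""
    for match, target, desc in INPUT:
        if match(p):
            return target, desc
    return "DROP", "chain policy"

if __name__ == "__main__":
    # Constructed HTTPS reply arriving over the tunnel: accepted only while conntrack
    # holds the flow; classified as NEW it falls through to the LOG rule instead.
    print(walk(Pkt("sit1", "tcp", "ESTABLISHED", sport=443, dport=40000)))
    print(walk(Pkt("sit1", "tcp", "NEW", sport=443, dport=40000)))
```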


