IPv6 gateway, was: Re: IPv6 foot-dragging
Thanks all for the helpful suggestions. It looks like I solved the problem by adjusting my forward chain. I have the local network on eth0 and the external network on eth1 and my forward chain looked like:

-I FORWARD -i eth0 -o eth1 -s 2001:db8::/64 -j ACCEPT
-I FORWARD -i eth1 -o eth0 -d 2001:db8::/64 -j ACCEPT

Changing it to the following made it work:

-I FORWARD -s 2001:470:85cd::/64 -j ACCEPT
-I FORWARD -d 2001:470:85cd::/64 -j ACCEPT

I am not sure if it'd be less secure to not make it specific to the interfaces. How would I change the first set of rules, using the -i parameter, and still make it work? I also have a 6in4 interface for the IPv6 tunnel.

-- http://goldmark.org/jeff/stupid-disclaimers/ http://linuxmafia.com/~rick/faq/plural-of-virus.html
Jeroen van Aart wrote:
Thanks all for the helpful suggestions.
Obviously I need to do a better job using documentation IPv6 consistently, so ignore any inconsistencies in that regard.
Jeroen van Aart wrote:
-I FORWARD -i eth0 -s 2001:db8::/64 -j ACCEPT
-I FORWARD -i eth1 -d 2001:db8::/64 -j ACCEPT

Just in case anyone'd be using it as an example: it's a good idea to make your rules more restrictive. Something like:

-I FORWARD -j DROP
-I FORWARD -s 2001:db8::/64 -j ACCEPT
-I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
On May 13, 2011, at 2:32 PM, Jeroen van Aart wrote:
Jeroen van Aart wrote:
-I FORWARD -i eth0 -s 2001:db8::/64 -j ACCEPT
-I FORWARD -i eth1 -d 2001:db8::/64 -j ACCEPT

Just in case anyone'd be using it as an example: it's a good idea to make your rules more restrictive.

Something like:

-I FORWARD -j DROP
-I FORWARD -s 2001:db8::/64 -j ACCEPT
-I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
I thought iptables processed rules in order until it found a match. In such a case, wouldn't you want those in the reverse order? Owen
Owen DeLong wrote:
On May 13, 2011, at 2:32 PM, Jeroen van Aart wrote:
-I FORWARD -j DROP
-I FORWARD -s 2001:db8::/64 -j ACCEPT
-I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
I thought iptables processed rules in order until it found a match. In such a case, wouldn't you want those in the reverse order?
I think that's the case with -A, but with -I the above is the right order. Or at least it works here.
On May 13, 2011, at 3:33 PM, Jeroen van Aart wrote:
Owen DeLong wrote:
On May 13, 2011, at 2:32 PM, Jeroen van Aart wrote:
-I FORWARD -j DROP
-I FORWARD -s 2001:db8::/64 -j ACCEPT
-I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
I thought iptables processed rules in order until it found a match. In such a case, wouldn't you want those in the reverse order?
I think that's the case with -A, but with -I the above is the right order. Or at least it works here.
DOH! Arcane syntax failure on the part of my brain's parser. Of course if you are Inserting rather than Appending. Owen
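A small simulation of the ordering point Owen and Jeroen settle above, added here as an illustration rather than anything posted in the thread: it replays the three restrictive rules with -I (insert at head) and with -A (append) semantics and evaluates first-match verdicts for constructed sample packets. Rule and packet fields (src, dst, in, out, state) are assumptions modelling -s, -d, -i, -o and -m state; the addresses and interface names are constructed.

```python
import ipaddress

# Constructed sample rules, in the order Jeroen typed them (all with -I).
JEROEN_RULES = [
    ("-I", {"target": "DROP"}),
    ("-I", {"src": "2001:db8::/64", "target": "ACCEPT"}),
    ("-I", {"state": {"RELATED", "ESTABLISHED"}, "target": "ACCEPT"}),
]

def build_chain(commands):
    """Replay ip6tables commands: -I inserts at the head, -A appends at the tail."""
    chain = []
    for op, rule in commands:
        if op == "-I":
            chain.insert(0, rule)
        elif op == "-A":
            chain.append(rule)
        else:
            raise ValueError("unsupported operation: " + op)
    return chain

def matches(rule, pkt):
    """True when every match option present in the rule agrees with the packet."""
    for key in ("src", "dst"):          # -s / -d prefix matches
        if key in rule and ipaddress.ip_address(pkt[key]) not in ipaddress.ip_network(rule[key]):
            return False
    for key in ("in", "out"):           # -i / -o interface matches
        if key in rule and rule[key] != pkt.get(key):
            return False
    if "state" in rule and pkt["state"] not in rule["state"]:   # -m state --state
        return False
    return True

def verdict(chain, pkt, policy="ACCEPT"):
    """First match wins; with no match the chain policy applies."""
    for rule in chain:
        if matches(rule, pkt):
            return rule["target"]
    return policy

# Constructed sample packets crossing the gateway (eth0 = LAN, eth1 = upstream).
LAN_OUT_NEW = {"src": "2001:db8::10", "dst": "2001:db8:ffff::1", "in": "eth0", "out": "eth1", "state": "NEW"}
LAN_IN_REPLY = {"src": "2001:db8:ffff::1", "dst": "2001:db8::10", "in": "eth1", "out": "eth0", "state": "ESTABLISHED"}
LAN_IN_NEW = {"src": "2001:db8:ffff::1", "dst": "2001:db8::10", "in": "eth1", "out": "eth0", "state": "NEW"}

def compare(commands):
    """Verdicts for (outbound new, inbound reply, inbound unsolicited)."""
    chain = build_chain(commands)
    return tuple(verdict(chain, p) for p in (LAN_OUT_NEW, LAN_IN_REPLY, LAN_IN_NEW))
```

Typed with -I the chain ends up as state, source, DROP and yields ACCEPT, ACCEPT, DROP; the same three lines with -A put DROP first and drop everything, which is why the -A form needs the reverse order.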
On Fri, May 13, 2011 at 2:32 PM, Jeroen van Aart <jeroen@mompl.net> wrote:
Something like:

-I FORWARD -j DROP
-I FORWARD -s 2001:db8::/64 -j ACCEPT
-I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
Double-check the kernel version you have. IIRC kernels before 2.6.20 didn't have the ability to do RELATED,ESTABLISHED in IPv6. This hit me on a CentOS box that I was using as a gateway. I am unaware if there is a version of their 2.6.18 that has the patches backported (googling seemed to indicate it has not been done, and most are just waiting for the new release of CentOS 6). RH6 works properly.

-- Regards... Todd "It is the nature of the human species to reject what is true but unpleasant and to embrace what is obviously false but comforting." "You might be a skeptic if you have pedantically argued the topic of pedantry."
On Mon, 16 May 2011, Todd Lyons wrote:
Double-check the kernel version you have. IIRC kernels before 2.6.20 didn't have the ability to do RELATED,ESTABLISHED in IPv6. This hit me on a CentOS box that I was using as a gateway. I am unaware if there is a version of their 2.6.18 that has the patches backported (googling seemed to indicate it has not been done, and most are just waiting for the new release of CentOS 6). RH6 works properly.
From my experience, kernels older than 2.6.27 or so are simply to be avoided for anything v6. In addition to no iptables state pre-2.6.20, there were some RA processing bugs that would result in great fun if, for example, your upstream MTU ever changed. Finding usable backports on CentOS was an exercise in futility.
-e