* net unreachable ipv6
@ 2013-08-01 14:28 Nick Edwards
  2013-08-01 18:03 ` Eliezer Croitoru
  0 siblings, 1 reply; 5+ messages in thread
From: Nick Edwards @ 2013-08-01 14:28 UTC (permalink / raw)
  To: netfilter

Christ I hate ipv6, POS it is...

OK, steam vented...

Folks, I must be doing something wrong, so any pointers would be appreciated.

I cannot even ping6 _OUT_ unless I clear all ipv6 rules or change the default
INPUT policy to accept, despite it being globally "allowed" already.
The machine cannot be reached either, despite the ipv6 range being included.

Is there something broken?

(v1.4.14)

#!/bin/sh
/usr/sbin/iptables -F
/usr/sbin/ip6tables -F

/usr/sbin/iptables -P INPUT DROP
/usr/sbin/ip6tables -P INPUT DROP
/usr/sbin/iptables -P OUTPUT ACCEPT
/usr/sbin/ip6tables -P OUTPUT ACCEPT
/usr/sbin/iptables -P FORWARD DROP
/usr/sbin/ip6tables -P FORWARD DROP

/usr/sbin/iptables -A INPUT -p tcp -m tcp --dport 22 -m state --state INVALID,NEW -j LOG


/usr/sbin/iptables -A INPUT -i lo -j ACCEPT
/usr/sbin/ip6tables -A INPUT -i lo -j ACCEPT
/usr/sbin/ip6tables -A INPUT -s fe80::/10 -j ACCEPT
/usr/sbin/ip6tables -A INPUT -d ff00::/8 -j ACCEPT

/usr/sbin/iptables -A INPUT -s 207.x.x.x -j ACCEPT
/usr/sbin/ip6tables -A INPUT -s 2a00:1c18:401:c00::531:2 -j ACCEPT

/usr/sbin/iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
/usr/sbin/ip6tables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

/usr/sbin/iptables -A INPUT -p tcp --dport 25 -j ACCEPT
/usr/sbin/ip6tables -A INPUT -p tcp --dport 25 -j ACCEPT

/usr/sbin/ip6tables -A INPUT -p icmpv6 --icmpv6-type 1 -j ACCEPT
/usr/sbin/ip6tables -A INPUT -p icmpv6 --icmpv6-type 2 -j ACCEPT
/usr/sbin/ip6tables -A INPUT -p icmpv6 --icmpv6-type 3 -j ACCEPT
/usr/sbin/ip6tables -A INPUT -p icmpv6 --icmpv6-type 4 -j ACCEPT
/usr/sbin/ip6tables -A INPUT -p icmpv6 -j DROP

#/usr/sbin/ip6tables -A INPUT -p icmpv6 --icmpv6-type echo-request -j DROP
#/usr/sbin/ip6tables -A INPUT -m rt --rt-type 0 -j DROP

/usr/sbin/iptables -A INPUT -p icmp --icmp-type 3 -j ACCEPT
/usr/sbin/iptables -A INPUT -p icmp --icmp-type 4 -j ACCEPT
/usr/sbin/iptables -A INPUT -p icmp --icmp-type 11 -j ACCEPT
/usr/sbin/iptables -A INPUT -p icmp --icmp-type 12 -j ACCEPT
/usr/sbin/iptables -A INPUT -p icmp -j DROP

..
and before anyone asks, yes, IPv4 works perfect :)

Thanks


* Re: net unreachable ipv6
From: Eliezer Croitoru @ 2013-08-01 18:03 UTC (permalink / raw)
  To: Nick Edwards; +Cc: netfilter

On 08/01/2013 05:28 PM, Nick Edwards wrote:
> and before anyone asks, yes, IPv4 works perfect 
What is the command you use to ping?
Also, please try to post just the ipv6 rules so we can read them, and assume
that if you are asking about IPV6 this is your major problem.

Eliezer


* Re: net unreachable ipv6
From: Nick Edwards @ 2013-08-01 23:28 UTC (permalink / raw)
  To: Eliezer Croitoru; +Cc: netfilter

On 8/2/13, Eliezer Croitoru <eliezer@ngtech.co.il> wrote:
> On 08/01/2013 05:28 PM, Nick Edwards wrote:
>> and before anyone asks, yes, IPv4 works perfect
> What is the command you use to ping?
> also please try to just post ipv6 rules so we can read it and assume
> that if you are asking about IPV6 this is your major problem.
>
> Eliezer
>
ping6  any_hostname
ping6  any_ipv6_ip

It's not just ping; perhaps it's a side effect or unrelated, but the main
purpose of my post is that it runs a mail server which is unreachable on
ipv6 when ip6tables is active.

In point form the problem is:

1/   policy input set to drop all traffic
2/  complete accept rule for remote so it can access any port.
3/  accept rule for mail port from anyone

So there are two conditions that say let-me-in, but iptables is not
honoring EITHER of the accept rules. This is how it always worked with
ipv4 regardless of icmp settings, but apparently not with ipv6, or
the mail server (inc. ssh) would be reachable.

Even with policy drop, and as with #2 above, a complete access rule for
any port, it should be able to ping in.

Further, the ping out is via a default OUTPUT policy of accept, so
even if it hissies at inbound it should be unhindered for anything
outbound.


/usr/sbin/ip6tables -F

/usr/sbin/ip6tables -P INPUT DROP
/usr/sbin/ip6tables -P OUTPUT ACCEPT
/usr/sbin/ip6tables -P FORWARD DROP

/usr/sbin/ip6tables -A INPUT -i lo -j ACCEPT
/usr/sbin/ip6tables -A INPUT -s fe80::/10 -j ACCEPT
/usr/sbin/ip6tables -A INPUT -d ff00::/8 -j ACCEPT

/usr/sbin/ip6tables -A INPUT -s 2a00:1c18:401:c00::531:2 -j ACCEPT
/usr/sbin/ip6tables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
/usr/sbin/ip6tables -A INPUT -p tcp --dport 25 -j ACCEPT

/usr/sbin/ip6tables -A INPUT -p icmpv6 --icmpv6-type 1 -j ACCEPT
/usr/sbin/ip6tables -A INPUT -p icmpv6 --icmpv6-type 2 -j ACCEPT
/usr/sbin/ip6tables -A INPUT -p icmpv6 --icmpv6-type 3 -j ACCEPT
/usr/sbin/ip6tables -A INPUT -p icmpv6 --icmpv6-type 4 -j ACCEPT
/usr/sbin/ip6tables -A INPUT -p icmpv6 -j DROP
^^ I even commented that line out, which made no difference.

Thanks


* [RES] Re: net unreachable ipv6
From: Nick Edwards @ 2013-08-02  3:17 UTC (permalink / raw)
  To: Netfilter user mailing list

Thanks to a very helpful member of this list, off-list (so not sure if
he wants to be named and famed), the problem has been resolved, by
allowing INPUT for neighbor discovery packets, types 135 and 136.

I have quickly learned that the ipv4 habits of yesteryear must go out
the window for ipv6 to work.


* Re: [RES] Re: net unreachable ipv6
From: Eliezer Croitoru @ 2013-08-03 12:19 UTC (permalink / raw)
  To: Nick Edwards; +Cc: Netfilter user mailing list

On 08/02/2013 06:17 AM, Nick Edwards wrote:
> Thanks to a very helpful member of this list, off-list (so not sure if
> he wants to be named and famed), the problem has been resolved, by
> allowing INPUT for neigh discovery packets type 135 and 136
> 
> I have quickly learned that the ipv4 habits of yesteryear must go out
> the window for ipv6 to work.
Indeed, so much is different..
Can you share the rules in rule form, to show others how it is being done?

Eliezer

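The thread ends with a request for the working rules, so here is an added example in rule form. It is not Nick Edwards' script and not netfilter project code: it rebuilds an INPUT ruleset with the fix the thread arrived at (ICMPv6 types 135 and 136 accepted before the catch-all ICMPv6 DROP), and adds a small check that reads `ip6tables -S INPUT` style output and confirms neighbor solicitation and advertisement are accepted ahead of that drop. The function names, the `print_rule` preview helper, the two sample rulesets and the 2001:db8::1 admin address are all constructed for this example; the list of essential ICMPv6 types is a subset of the must-not-drop types in RFC 4890, section 4.3.1.

```shell
#!/bin/sh
# Added example, not code from the thread. Builds the INPUT ruleset in rule
# form with the fix the thread arrived at, and checks any ruleset for it.
# Assumes ip6tables with the conntrack and icmp6 matches. Run without
# arguments to preview and self-check; run with --apply (as root) to load.

# ICMPv6 types a host still needs behind a DROP policy (a subset of the
# must-not-drop list in RFC 4890, section 4.3.1): 1-4 are error messages,
# 133/134 router solicitation/advertisement, 135/136 neighbor
# solicitation/advertisement. Without 135/136 no neighbor cache entry
# is ever completed, which is the "net unreachable" seen in the thread.
ESSENTIAL_ICMPV6_TYPES="1 2 3 4 133 134 135 136"

# Preview helper (constructed for this example): prints a rule instead of
# loading it, so the ruleset can be inspected and checked without root.
print_rule() { printf 'ip6tables %s\n' "$*"; }

# apply_ipv6_rules [command]: command defaults to the real ip6tables binary.
apply_ipv6_rules() {
    ipt="${1:-/usr/sbin/ip6tables}"

    "$ipt" -F
    "$ipt" -P INPUT DROP
    "$ipt" -P OUTPUT ACCEPT
    "$ipt" -P FORWARD DROP

    "$ipt" -A INPUT -i lo -j ACCEPT
    "$ipt" -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # The fix: accept the essential ICMPv6 types BEFORE the catch-all DROP.
    # Rule order is what matters; an ACCEPT placed after "-p icmpv6 -j DROP"
    # is never reached.
    for t in $ESSENTIAL_ICMPV6_TYPES; do
        "$ipt" -A INPUT -p icmpv6 --icmpv6-type "$t" -j ACCEPT
    done
    # Echo request: rate-limited accept rather than a blanket drop.
    "$ipt" -A INPUT -p icmpv6 --icmpv6-type 128 -m limit --limit 5/second -j ACCEPT
    "$ipt" -A INPUT -p icmpv6 -j DROP

    # Services, mirroring the original post (admin address is a placeholder).
    "$ipt" -A INPUT -s 2001:db8::1 -j ACCEPT
    "$ipt" -A INPUT -p tcp --dport 25 -j ACCEPT
}

# ndp_reachable: read a ruleset in "ip6tables -S INPUT" form on stdin and
# return 0 only if neighbor solicitation (135) and advertisement (136) are
# explicitly ACCEPTed in INPUT before any catch-all "-p icmpv6 -j DROP".
# Deliberately strict: "-s fe80::/10" or "-d ff00::/8" rules do not count,
# because the advertisement answering our own solicitation is unicast and
# may carry a global source address, so it matches neither of them.
ndp_reachable() {
    awk '
        /-A INPUT -p (icmpv6|ipv6-icmp) -j DROP/ { seen_drop = 1 }
        !seen_drop && /-A INPUT -p (icmpv6|ipv6-icmp) .*--icmpv6-type (135|neighbou?r-solicitation) .*-j ACCEPT/ { ns = 1 }
        !seen_drop && /-A INPUT -p (icmpv6|ipv6-icmp) .*--icmpv6-type (136|neighbou?r-advertisement) .*-j ACCEPT/ { na = 1 }
        END { if (ns && na) exit 0; exit 1 }
    '
}

# Constructed sample of "ip6tables -S INPUT" output, shaped like the
# original poster's ruleset: no explicit 135/136 ACCEPT before the DROP.
BROKEN_INPUT_RULESET='-P INPUT DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -s fe80::/10 -j ACCEPT
-A INPUT -d ff00::/8 -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 25 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 1 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 2 -j ACCEPT
-A INPUT -p ipv6-icmp -j DROP'

# Constructed sample with the fix from the thread applied.
FIXED_INPUT_RULESET='-P INPUT DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 135 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 136 -j ACCEPT
-A INPUT -p ipv6-icmp -j DROP
-A INPUT -p tcp -m tcp --dport 25 -j ACCEPT'

case "${1:-}" in
    --apply) apply_ipv6_rules ;;
    *)  # Preview the generated rules, then confirm they pass the check.
        apply_ipv6_rules print_rule
        if apply_ipv6_rules print_rule | ndp_reachable; then
            echo "OK: NS/NA accepted ahead of the ICMPv6 catch-all drop"
        else
            echo "FAIL: neighbor discovery would be dropped" >&2
        fi ;;
esac
```

Run it as-is to see the rules and the check result; `sh script.sh --apply` as root loads them. The check can also be pointed at a live box with `ip6tables -S INPUT | ndp_reachable` once the function is sourced. The only change relative to the poster's ruleset that matters is ordering: the explicit ICMPv6 ACCEPTs sit above the catch-all `-p icmpv6 -j DROP`, and 135/136 are among them.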
