FORWARD-chain packets go through INPUT-chain ?
Jozsef Kadlecsik
kadlec at blackhole.kfki.hu
Wed Apr 26 11:34:20 CEST 2006
On Wed, 26 Apr 2006, Philip Westphal wrote:
> I think my problem is quite simple, but I'm a little bit under pressure,
> and Google didn't help. I have a firewall machine with ip6tables
> running on it, and behind this firewall there is a webserver with
> apache2 running. The network looks like this:
[...]
> My problem is that packets from the LAPTOP to the APACHE (and
> vice-versa) go through all 3 chains INPUT, OUTPUT and FORWARD. If I
> don't make any rules, I have to set all 3 chains to ACCEPT to get
> packets through. If I have INPUT and OUTPUT on DROP (FORWARD is on
> ACCEPT all the time), I especially need to allow packets to or from port 80
> or ICMPv6 on the INPUT and OUTPUT chains.
IPv6 is not just IPv4 with bumped up address space: ARP is replaced by ND
(Neighbour Discovery), which is performed over ICMPv6. So if you block
ICMPv6 completely in INPUT/OUTPUT, you actually disable IPv6.
Have a look at the IETF draft 'Best Current Practice for Filtering ICMPv6
Messages in Firewalls':
http://www.ietf.org/internet-drafts/draft-ietf-v6ops-icmpv6-filtering-bcp-01.txt
Best regards,
Jozsef
-
E-mail : kadlec at blackhole.kfki.hu, kadlec at sunserv.kfki.hu
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : KFKI Research Institute for Particle and Nuclear Physics
H-1525 Budapest 114, POB. 49, Hungary
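As an added example (not from the original mail, and not Jozsef's or the netfilter project's own code), a minimal ip6tables policy for the firewall host that keeps INPUT and OUTPUT on DROP yet still accepts the ICMPv6 Neighbour Discovery and error messages the reply above and the linked draft say IPv6 cannot do without, while the routed LAPTOP-to-APACHE traffic is handled in FORWARD only. The WEB address, the DRY_RUN/run helper and the use of `-m state` are assumptions; the default mode only prints the rules so they can be reviewed before being applied as root.

```shell
#!/bin/sh
# Minimal ip6tables policy for the firewall host: INPUT/OUTPUT default to DROP
# but ICMPv6 Neighbour Discovery and error messages (RFC 4890) stay open.
# Assumption: WEB is the web server's address (placeholder, not a real host).
IP6T="${IP6T:-ip6tables}"
DRY_RUN="${DRY_RUN:-1}"         # 1 = print rules only; 0 = apply (needs root)
WEB="${WEB:-2001:db8::80}"      # documentation prefix, constructed for the example

run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s %s\n' "$IP6T" "$*"; else "$IP6T" "$@"; fi
}

# ICMPv6 types that must never be dropped: 133-136 are router/neighbour
# solicitation and advertisement (ND replaces ARP), 1-4 are error messages
# (destination unreachable, packet too big, time exceeded, parameter problem).
ND_TYPES="133 134 135 136"
ERR_TYPES="1 2 3 4"

icmpv6_rules() {
    # ND is link-local and always sent with hop limit 255; requiring that on
    # INPUT rejects ND messages that arrived from beyond the local link.
    for t in $ND_TYPES; do
        run -A INPUT  -p icmpv6 --icmpv6-type "$t" -m hl --hl-eq 255 -j ACCEPT
        run -A OUTPUT -p icmpv6 --icmpv6-type "$t" -j ACCEPT
    done
    for t in $ERR_TYPES; do
        run -A INPUT  -p icmpv6 --icmpv6-type "$t" -j ACCEPT
        run -A OUTPUT -p icmpv6 --icmpv6-type "$t" -j ACCEPT
    done
}

firewall_rules() {
    run -P INPUT DROP
    run -P OUTPUT DROP
    run -P FORWARD DROP
    run -A INPUT  -i lo -j ACCEPT
    run -A OUTPUT -o lo -j ACCEPT
    # Replies belonging to connections the firewall itself opened or accepted.
    run -A INPUT  -m state --state ESTABLISHED,RELATED -j ACCEPT
    run -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    icmpv6_rules
    # Traffic between LAPTOP and APACHE is routed, so only FORWARD sees it.
    run -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    run -A FORWARD -p tcp -d "$WEB" --dport 80 -m state --state NEW -j ACCEPT
    run -A FORWARD -p icmpv6 -j ACCEPT
}

firewall_rules
```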