Problems w/ ipv6 and stateful inspection
Jörg Schütter
joerg at schuetter.org
Sun Jan 15 19:28:52 CET 2006
Hi
after a brake of some month for ipv6 I tried it again (after
reading that steteful inspection is now in 2.6.15).
I'm using tun6to4 as my tunnel device and have problems setting
the access lists right.
OUTPUT
ACCEPT all * tun6to4 ::/0 ::/0 state NEW
never get's any hit, all traffic uses
ACCEPT all * tun6to4 ::/0 ::/0
w/o any state parameter
And the same problem for the incomming traffic:
INPUT
DROP all tun6to4 * ::/0 ::/0 state INVALID
had to be removed, otherwise no package was allowed to travel
LOG all tun6to4 * ::/0 ::/0 state INVALID LOG flags 0 level 4
has a lot of hits, eg
IN=tun6to4 OUT= MAC=... TUNNEL=192.88.99.1->...
SRC=2001:06b0:0001:00ea:0202:a5ff:fecd:13a6 DST=... LEN=104 TC=0
HOPLIMIT=54 FLOWLBL=0 PROTO=ICMPv6 TYPE=129 CODE=0 ID=16439 SEQ=1
as the anwser to ping6 www.ipv6.org
Any idea what's wrong with my config?
I'm running 2.6.15-mm4 w/ iptables 1.2.9 on Debian unstable on a
machine behind a router (router is doing nat).
Jörg
--
Jörg Schütter http://www.schuetter.org/joerg
joerg at schuetter.org http://www.lug-untermain.de/
More information about the netfilter
mailing list