ipv6 network fail (newbie alert)

Nick Hilliard nick at foobar.org
Fri Mar 8 09:14:30 CET 2013


You should be interested in the forward chain, not the input chain. The policy on the forward chain is DROP, which is why your traffic is being dropped. 

Nick

Sent from my iWotsit.

On 8 Mar 2013, at 01:29, Nick Edwards <nick.z.edwards at gmail.com> wrote:

> Hi all (again)
> 
> Hrmm, possible this is related to my earlier iptables issues.
> 
> accept rules are being ignored.
> 
> offshooting my mail to another inside box, works fine with policy
> default accept, but I'm not liking that, so try to secure it, ipv4
> works as it has for years, but ipv6 sheesh
> 
> ip6tables -L -n
> 
> Chain INPUT (policy DROP)
> target     prot opt source               destination
> ACCEPT     all      ::/0              ::/0
>    <--- loopback
> ACCEPT     all      2001:470:xxx2:524::/64  ::/0              <-- my routed lan
> ACCEPT     all      2a00:1c18:401:c01::538:0/112  ::/0   <--  offsite
> native ipv6 range
> 
> this above native range is being ignored, as are the port rules below
> it, and this I really can't understand since it has been told to accept
> it, as with my earlier forwarding problems gave me
> 
> Destination unreachable: Address unreachable
> 
> 
> ACCEPT     all      ::/0                 ::/0                 ctstate
> RELATED,ESTABLISHED
> REJECT     tcp      ::/0                 ::/0                 tcp
> dpt:113 reject-with icmp6-port-unreachable
> ACCEPT     udp      ::/0                 ::/0                 udp dpt:25
> ACCEPT     tcp      ::/0                 ::/0                 tcp dpt:25
> DROP       icmpv6    ::/0                 ::/0                 ipv6-icmptype 128
> 
> Chain FORWARD (policy DROP)
> target     prot opt source               destination
> 
> Chain OUTPUT (policy ACCEPT)
> target     prot opt source               destination
> 
> This is a fully bare bones iptables config, and the only way is to set
> input policy to accept which I should not have to do, unless ip6tables
> is rewritten and is nothing like iptables commands which do work.
> 
> Anyone seen this craziness?
> ( ip6tables v1.4.17 )
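As an added illustration of the point made in the reply (this is not code from either poster), the script below parses an `ip6tables -L -n` listing, reports each chain's policy and rule count, and flags the situation in the thread: a FORWARD chain with policy DROP and no rules, which silently discards every routed packet regardless of what INPUT accepts. It then prints, without applying, a minimal FORWARD rule set that keeps the DROP policy but admits the routed LAN prefix and reply traffic. The embedded listing is a constructed, shortened copy of the one in the mail; the prefix 2001:db8:1::/64 (documentation range) and the interface names eth0/eth1 are placeholders, and the ICMPv6 accept line is an addition here because IPv6 neighbour discovery and path-MTU discovery stop working when ICMPv6 is dropped.

```shell
#!/bin/sh
# Constructed sample modelled on the listing in the thread: INPUT has rules,
# FORWARD has policy DROP and nothing else.
SAMPLE_LISTING='Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all      ::/0                 ::/0
ACCEPT     all      2001:db8:1::/64      ::/0
ACCEPT     all      ::/0                 ::/0                 ctstate RELATED,ESTABLISHED

Chain FORWARD (policy DROP)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
'

# chain_policy LISTING CHAIN -> prints the policy word (DROP/ACCEPT) of CHAIN
chain_policy() {
    printf '%s\n' "$1" | awk -v c="$2" '
        $1 == "Chain" && $2 == c { gsub(/[()]/, "", $4); print $4 }'
}

# chain_rule_count LISTING CHAIN -> number of rule lines inside CHAIN
# (the "target prot opt ..." header and blank lines are not rules)
chain_rule_count() {
    printf '%s\n' "$1" | awk -v c="$2" '
        $1 == "Chain"                 { in_chain = ($2 == c); next }
        in_chain && $1 == "target"    { next }
        in_chain && NF > 0            { n++ }
        END                           { print n + 0 }'
}

# forward_drops_everything LISTING -> "yes" when FORWARD is policy DROP with
# no rules at all, i.e. the router forwards nothing, whatever INPUT says
forward_drops_everything() {
    if [ "$(chain_policy "$1" FORWARD)" = DROP ] &&
       [ "$(chain_rule_count "$1" FORWARD)" -eq 0 ]; then
        echo yes
    else
        echo no
    fi
}

# forward_rules LAN_PREFIX LAN_IF WAN_IF -> prints (does not run) a minimal
# FORWARD rule set: keep the DROP policy, allow replies to established flows,
# allow ICMPv6 (needed for ND and PMTUD), allow the routed LAN prefix outbound.
forward_rules() {
    cat <<EOF
ip6tables -P FORWARD DROP
ip6tables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
ip6tables -A FORWARD -p ipv6-icmp -j ACCEPT
ip6tables -A FORWARD -i $2 -o $3 -s $1 -j ACCEPT
EOF
}

# Report on the constructed listing and show the suggested commands.
report() {
    for chain in INPUT FORWARD OUTPUT; do
        printf '%-8s policy=%-6s rules=%s\n' "$chain" \
            "$(chain_policy "$SAMPLE_LISTING" "$chain")" \
            "$(chain_rule_count "$SAMPLE_LISTING" "$chain")"
    done
    if [ "$(forward_drops_everything "$SAMPLE_LISTING")" = yes ]; then
        echo "FORWARD is policy DROP with no rules: routed traffic is discarded here."
        echo "Suggested FORWARD rules (placeholders: prefix 2001:db8:1::/64, eth1 LAN, eth0 WAN):"
        forward_rules 2001:db8:1::/64 eth1 eth0
    fi
}

report
```

Run it as-is to see the report; to check a live box, replace the constructed listing with the output of `ip6tables -L -n` (`ip6tables -L -n -v` also shows per-rule packet counters, which makes it obvious whether a chain's policy is what is eating the traffic).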