ipv6 network fail (newbie alert)
Nick Hilliard
nick at foobar.org
Fri Mar 8 09:14:30 CET 2013
You should be interested in the forward chain not the input chain. The policy on the forward chain is DROP, which is why your traffic is being dropped.
Nick
Sent from my iWotsit.
On 8 Mar 2013, at 01:29, Nick Edwards <nick.z.edwards at gmail.com> wrote:
> Hi all (again)
>
> Hrmm, possible this is related to my earlier iptables issues.
>
> accept rules are being ignored.
>
> offshooting my mail to another inside box, works fine with policy
> default accept, but I'm not liking that, so try to secure it, ipv4
> works as it has for years, but ipv6 sheesh
>
> ip6tables -L -n
>
> Chain INPUT (policy DROP)
> target prot opt source destination
> ACCEPT all ::/0 ::/0 <--- loopback
> ACCEPT all 2001:470:xxx2:524::/64 ::/0 <-- my routed lan
> ACCEPT all 2a00:1c18:401:c01::538:0/112 ::/0 <-- offsite native ipv6 range
>
> this above native range is being ignored, as are the port rules below
> it, and this I really can't understand since it has been told to accept
> it, as with my earlier forwarding problems gave me
>
> Destination unreachable: Address unreachable
>
>
> ACCEPT all ::/0 ::/0 ctstate RELATED,ESTABLISHED
> REJECT tcp ::/0 ::/0 tcp dpt:113 reject-with icmp6-port-unreachable
> ACCEPT udp ::/0 ::/0 udp dpt:25
> ACCEPT tcp ::/0 ::/0 tcp dpt:25
> DROP icmpv6 ::/0 ::/0 ipv6-icmptype 128
>
> Chain FORWARD (policy DROP)
> target prot opt source destination
>
> Chain OUTPUT (policy ACCEPT)
> target prot opt source destination
>
> This is a fully bare bones iptables config, and the only way is to set
> input policy to accept which I should not have to do, unless ip6tables
> is rewritten and is nothing like iptables commands which do work.
>
> Anyone seen this craziness?
> ( ip6tables v1.4.17 )
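
Added example, not part of the thread: a small Python model of the point made in the reply, that a packet addressed to the firewall itself is checked against INPUT while a packet routed through to an inside box is checked against FORWARD. The listing is constructed with 2001:db8::/32 documentation prefixes, the names `parse` and `verdict` and all addresses are assumptions, and only source, destination, protocol and `dpt:` are evaluated (no ctstate or ICMPv6 type matching).

```python
import ipaddress

# Constructed listing in `ip6tables -L -n` layout (opt column empty, as in the
# post); 2001:db8::/32 documentation prefixes stand in for the real ranges.
LISTING = """\
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all      2001:db8:1:524::/64  ::/0
ACCEPT     all      2001:db8:2:c01::/112 ::/0
ACCEPT     tcp      ::/0                 ::/0         tcp dpt:25

Chain FORWARD (policy DROP)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
"""

def parse(listing):
    """Return {chain: (policy, [(target, proto, src_net, dst_net, dport)])}."""
    chains, name = {}, None
    for line in listing.splitlines():
        f = line.split()
        if not f or f[0] == "target":        # blank line or column header
            continue
        if f[0] == "Chain":                  # "Chain INPUT (policy DROP)"
            name = f[1]
            chains[name] = (f[3].rstrip(")"), [])
            continue
        target, proto, src, dst = f[:4]
        dport = next((int(x[4:]) for x in f[4:] if x.startswith("dpt:")), None)
        chains[name][1].append((target, proto,
                                ipaddress.ip_network(src, strict=False),
                                ipaddress.ip_network(dst, strict=False), dport))
    return chains

def verdict(chains, local_addrs, src, dst, proto="tcp", dport=None):
    """Pick the chain used for an arriving packet, then walk it (first match wins)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    local = {ipaddress.ip_address(a) for a in local_addrs}
    chain = "INPUT" if d in local else "FORWARD"   # routed traffic never sees INPUT
    policy, rules = chains[chain]
    for target, rproto, snet, dnet, rdport in rules:
        if rproto in ("all", proto) and s in snet and d in dnet \
                and rdport in (None, dport):
            return chain, target
    return chain, policy                     # nothing matched: chain policy applies
```

With the firewall at 2001:db8:1:524::1, a packet from the accepted offsite range to an inside host at 2001:db8:1:524::25 returns `("FORWARD", "DROP")`, even though the same source is accepted on INPUT.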