ipv6 network fail (newbie alert)
Tore Anderson
tore at fud.no
Fri Mar 8 11:08:50 CET 2013
* Nick Edwards
> Hrmm, possible this is related to my earlier iptables issues.
>
> accept rules are being ignored.
>
> offshooting my mail to another inside box, works fine with policy
> default accept, but I'm not liking that, so try to secure it, ipv4
> works as it has for years, but ipv6 sheesh
>
> ip6tables -L -n
>
> Chain INPUT (policy DROP)
> target prot opt source destination
> ACCEPT all ::/0 ::/0 <--- loopback
> ACCEPT all 2001:470:xxx2:524::/64 ::/0 <-- my routed lan
> ACCEPT all 2a00:1c18:401:c01::538:0/112 ::/0 <-- offsite native ipv6 range
>
> this above native range is being ignored, as are the port rules below
> it, and this I really can't understand since it has been told to accept
> it, as with my earlier forwarding problems gave me
>
> Destination unreachable: Address unreachable
>
>
> ACCEPT all ::/0 ::/0 ctstate RELATED,ESTABLISHED
> REJECT tcp ::/0 ::/0 tcp dpt:113 reject-with icmp6-port-unreachable
> ACCEPT udp ::/0 ::/0 udp dpt:25
> ACCEPT tcp ::/0 ::/0 tcp dpt:25
> DROP icmpv6 ::/0 ::/0 ipv6-icmptype 128
You're dropping ICMPv6. That breaks address resolution (ND), for
starters. You might want to take a look at RFC 4890, in particular
section 4.4.1.
--
Tore Anderson
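
An added illustration of the reply above, not part of the original thread: a small first-match model of the quoted INPUT chain, showing a Neighbor Solicitation from a link-local source falling through to the DROP policy and being accepted once rules for ICMPv6 types 133-136 are placed first. The `-i lo` match on the first rule, the `2001:db8:0:524::/64` stand-in for the elided LAN prefix, the sample packet and its conntrack state are assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass
class Rule:
    target: str                      # ACCEPT / DROP / REJECT
    src: str = "::/0"
    proto: str = "all"               # all / tcp / udp / icmpv6
    iface: Optional[str] = None      # None matches any input interface
    icmp_type: Optional[int] = None
    dport: Optional[int] = None
    ctstate: tuple = ()              # empty tuple = no conntrack match

@dataclass
class Packet:
    src: str
    proto: str
    iface: str = "eth0"
    icmp_type: Optional[int] = None
    dport: Optional[int] = None
    ctstate: str = "NEW"

def matches(r, p):
    return (ipaddress.ip_address(p.src) in ipaddress.ip_network(r.src)
            and r.proto in ("all", p.proto)
            and r.iface in (None, p.iface)
            and r.icmp_type in (None, p.icmp_type)
            and r.dport in (None, p.dport)
            and (not r.ctstate or p.ctstate in r.ctstate))

def verdict(chain, policy, p):
    """First matching rule decides; otherwise the chain policy applies."""
    return next((r.target for r in chain if matches(r, p)), policy)

# Constructed model of the quoted INPUT chain (policy DROP).
POSTED = [
    Rule("ACCEPT", iface="lo"),                      # assumed to be -i lo
    Rule("ACCEPT", src="2001:db8:0:524::/64"),       # placeholder for the elided LAN prefix
    Rule("ACCEPT", src="2a00:1c18:401:c01::538:0/112"),
    Rule("ACCEPT", ctstate=("RELATED", "ESTABLISHED")),
    Rule("REJECT", proto="tcp", dport=113),
    Rule("ACCEPT", proto="udp", dport=25),
    Rule("ACCEPT", proto="tcp", dport=25),
    Rule("DROP", proto="icmpv6", icmp_type=128),
]
# Added rules: accept RS, RA, NS, NA (ICMPv6 types 133-136).
ND_ACCEPT = [Rule("ACCEPT", proto="icmpv6", icmp_type=t) for t in (133, 134, 135, 136)]
# Constructed packet: NS from an on-link router's link-local address,
# assumed not to be matched as RELATED or ESTABLISHED.
NS = Packet(src="fe80::1", proto="icmpv6", icmp_type=135, ctstate="UNTRACKED")
```
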