|
aiccu test fails on step 6/8 (routing/firewall problem)!
![[fi]](/s/countries/fi.gif) Shadow Hawkins on Thursday, 23 August 2007 22:48:24
I'm out of options and don't know what to do anymore! Please if anyone has faced the same issue could you try to help me?
The "sixxs" interface is automatically configured by aiccu.
According to the "Operation not permitted" that ping6 reports, some people had suggested that it would be a firewall issue.
I use Shorewall as my frontend for iptables.
I have "DISABLE_IPV6=No" in shorewall.conf.
I have tried adding "6to4 net 62.78.96.38" to the tunnels, but this didn't help anything.
I have tried adding "ACCEPT net fw 41" to the rules but that doesn't help either.
Should I hook the sixxs interface to the eth0 interface somehow?
I didn't have to do any of this stuff on Debian but now that I changed to Ubuntu, I don't seem to get the ipv6 working anymore...
---------------------------------------------------------------------
Aiccu test step 6/8:
---------------------------------------------------------------------
###### [6/8] Ping the IPv6 Remote/PoP Inner Tunnel Endpoint (2001:14b8:100:2b::1)
### This confirms the reachability of the other side of the tunnel
### If it doesn't reply then check your interface and routing tables
### Don't forget to check your firewall of course
### If the previous test was succesful then this could be both
### a firewalling and a routing/interface problem
PING 2001:14b8:100:2b::1(2001:14b8:100:2b::1) 56 data bytes
ping: sendmsg: Operation not permitted
ping: sendmsg: Operation not permitted
ping: sendmsg: Operation not permitted
--- 2001:14b8:100:2b::1 ping statistics ---
3 packets transmitted, 0 received, 100% packet loss, time 2003ms
---------------------------------------------------------------------
ifconfig:
---------------------------------------------------------------------
eth0 Link encap:Ethernet HWaddr 00:50:BA:A7:AA:11
inet addr:80.222.18.177 Bcast:80.222.31.255 Mask:255.255.240.0
inet6 addr: 2001:14b8:124::1/48 Scope:Global
inet6 addr: fe80::250:baff:fea7:aa11/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:11836397 errors:0 dropped:0 overruns:0 frame:1353574
TX packets:9607979 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:1755644964 (1.6 GiB) TX bytes:2326033654 (2.1 GiB)
Interrupt:11 Base address:0xd400
eth1 Link encap:Ethernet HWaddr 00:50:DA:3E:20:FD
inet addr:192.168.1.1 Bcast:192.168.1.255 Mask:255.255.255.0
inet6 addr: fe80::250:daff:fe3e:20fd/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:9603262 errors:0 dropped:0 overruns:0 frame:0
TX packets:11779166 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:2325168362 (2.1 GiB) TX bytes:1729674601 (1.6 GiB)
Interrupt:10 Base address:0x2000
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:112 errors:0 dropped:0 overruns:0 frame:0
TX packets:112 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:14576 (14.2 KiB) TX bytes:14576 (14.2 KiB)
sixxs Link encap:IPv6-in-IPv4
inet6 addr: 2001:14b8:100:2b::2/64 Scope:Global
inet6 addr: fe80::50de:12b1/128 Scope:Link
UP POINTOPOINT RUNNING NOARP MTU:1280 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
---------------------------------------------------------------------
/etc/shorewall/interfaces
---------------------------------------------------------------------
#ZONE INTERFACE BROADCAST OPTIONS
net eth0 detect dhcp,routefilter,tcpflags,norfc1918
loc eth1 detect dhcp
aiccu test fails on step 6/8 (routing/firewall problem)!
For the firewall, you will have to manually check "ip6tables -v --list -n" and "iptables -v --list -n", and figure out which rule is blocking you out.
eth0 Link encap:Ethernet HWaddr 00:50:BA:A7:AA:11 inet addr:80.222.18.177 Bcast:80.222.31.255 Mask:255.255.240.0 inet6 addr: 2001:14b8:124::1/48 Scope:Global
That definitely is wrong. Although it works most likely, it should definitely be a /64 and nothing more. And really 2^64 is a lot of addresses already on that link, imagine how many 2^(128-48) = 2^80 are ;)
You should do assign another /64 to your eth1 so that you can give all the devices on that network IPv6 connectivity.
sixxs Link encap:IPv6-in-IPv4 inet6 addr: 2001:14b8:100:2b::2/64 Scope:Global inet6 addr: fe80::50de:12b1/128 Scope:Link UP POINTOPOINT RUNNING NOARP MTU:1280 Metric:1 RX packets:0 errors:0 dropped:0 overruns:0 frame:0 TX packets:0 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:0 RX bytes:0 (0.0 b) TX bytes:0 (0.0 b
Clearly not a single byte has even been allowed to go out. Most likely your firewall is configured to block any and all IPv6 traffic.
For the rest: provide more configuration outputs, as what you provided is far from complete.
aiccu test fails on step 6/8 (routing/firewall problem)!
Shadow Hawkins on Sunday, 26 August 2007 12:24:46
----------------------------------------------------------------------------
ip6tables -v --list -n
----------------------------------------------------------------------------
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
----------------------------------------------------------------------------
iptables -v --list -n
----------------------------------------------------------------------------
Chain INPUT (policy DROP 4 packets, 219 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT 0 -- lo * 0.0.0.0/0 0.0.0.0/0
6420 1380K eth0_in 0 -- eth0 * 0.0.0.0/0 0.0.0.0/0
7795 806K eth1_in 0 -- eth1 * 0.0.0.0/0 0.0.0.0/0
0 0 Reject 0 -- * * 0.0.0.0/0 0.0.0.0/0
0 0 reject 0 -- * * 0.0.0.0/0 0.0.0.0/0
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
6695 3509K eth0_fwd 0 -- eth0 * 0.0.0.0/0 0.0.0.0/0
6041 502K eth1_fwd 0 -- eth1 * 0.0.0.0/0 0.0.0.0/0
0 0 Reject 0 -- * * 0.0.0.0/0 0.0.0.0/0
0 0 reject 0 -- * * 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT 0 -- * lo 0.0.0.0/0 0.0.0.0/0
1 328 ACCEPT udp -- * eth0 0.0.0.0/0 0.0.0.0/0 udp dpts:67:68
85 27880 ACCEPT udp -- * eth1 0.0.0.0/0 0.0.0.0/0 udp dpts:67:68
2429 315K fw2net 0 -- * eth0 0.0.0.0/0 0.0.0.0/0 policy match dir out pol none
8556 3184K fw2all 0 -- * eth1 0.0.0.0/0 0.0.0.0/0 policy match dir out pol none
0 0 ACCEPT 0 -- * * 0.0.0.0/0 0.0.0.0/0
Chain Drop (1 references)
pkts bytes target prot opt in out source destination
0 0 reject tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:113
4261 278K dropBcast 0 -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 3 code 4
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 11
4261 278K dropInvalid 0 -- * * 0.0.0.0/0 0.0.0.0/0
0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 135,445
3 234 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpts:137:139
0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spt:137 dpts:1024:65535
75 3576 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 135,139,445
0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:1900
70 12318 dropNotSyn tcp -- * * 0.0.0.0/0 0.0.0.0/0
0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spt:53
Chain Reject (3 references)
pkts bytes target prot opt in out source destination
0 0 reject tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:113
0 0 dropBcast 0 -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 3 code 4
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 11
0 0 dropInvalid 0 -- * * 0.0.0.0/0 0.0.0.0/0
0 0 reject udp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 135,445
0 0 reject udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpts:137:139
0 0 reject udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spt:137 dpts:1024:65535
0 0 reject tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 135,139,445
0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:1900
0 0 dropNotSyn tcp -- * * 0.0.0.0/0 0.0.0.0/0
0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spt:53
Chain all2all (0 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT 0 -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 Reject 0 -- * * 0.0.0.0/0 0.0.0.0/0
0 0 reject 0 -- * * 0.0.0.0/0 0.0.0.0/0
Chain dropBcast (2 references)
pkts bytes target prot opt in out source destination
0 0 DROP 0 -- * * 0.0.0.0/0 0.0.0.0/0 PKTTYPE = broadcast
0 0 DROP 0 -- * * 0.0.0.0/0 0.0.0.0/0 PKTTYPE = multicast
Chain dropInvalid (2 references)
pkts bytes target prot opt in out source destination
23 992 DROP 0 -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID
Chain dropNotSyn (2 references)
pkts bytes target prot opt in out source destination
60 11854 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:!0x17/0x02
Chain dynamic (4 references)
pkts bytes target prot opt in out source destination
Chain eth0_fwd (1 references)
pkts bytes target prot opt in out source destination
3852 189K dynamic 0 -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID,NEW
3852 189K norfc1918 0 -- * * 0.0.0.0/0 0.0.0.0/0 state NEW policy match dir in pol none
6693 3508K tcpflags tcp -- * * 0.0.0.0/0 0.0.0.0/0 policy match dir in pol none
6695 3509K net2loc 0 -- * eth1 0.0.0.0/0 0.0.0.0/0 policy match dir out pol none
Chain eth0_in (1 references)
pkts bytes target prot opt in out source destination
4448 299K dynamic 0 -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID,NEW
1 335 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpts:67:68
4422 298K norfc1918 0 -- * * 0.0.0.0/0 0.0.0.0/0 state NEW policy match dir in pol none
1538 1008K tcpflags tcp -- * * 0.0.0.0/0 0.0.0.0/0 policy match dir in pol none
6414 1380K net2fw 0 -- * * 0.0.0.0/0 0.0.0.0/0 policy match dir in pol none
Chain eth1_fwd (1 references)
pkts bytes target prot opt in out source destination
108 5505 dynamic 0 -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID,NEW
6041 502K loc2all 0 -- * eth0 0.0.0.0/0 0.0.0.0/0 policy match dir out pol none
Chain eth1_in (1 references)
pkts bytes target prot opt in out source destination
5186 320K dynamic 0 -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID,NEW
86 28208 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpts:67:68
7709 778K loc2all 0 -- * * 0.0.0.0/0 0.0.0.0/0 policy match dir in pol none
Chain fw2all (2 references)
pkts bytes target prot opt in out source destination
8139 3134K ACCEPT 0 -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
1142 103K ACCEPT 0 -- * * 0.0.0.0/0 0.0.0.0/0
Chain fw2net (1 references)
pkts bytes target prot opt in out source destination
1704 264K ACCEPT 0 -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT 41 -- * * 0.0.0.0/0 62.78.96.38
725 51727 fw2all 0 -- * * 0.0.0.0/0 0.0.0.0/0
Chain loc2all (2 references)
pkts bytes target prot opt in out source destination
8542 982K ACCEPT 0 -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
5208 298K ACCEPT 0 -- * * 0.0.0.0/0 0.0.0.0/0
Chain logdrop (0 references)
pkts bytes target prot opt in out source destination
0 0 LOG 0 -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 6 prefix `Shorewall:logdrop:DROP:'
0 0 DROP 0 -- * * 0.0.0.0/0 0.0.0.0/0
Chain logflags (5 references)
pkts bytes target prot opt in out source destination
0 0 LOG 0 -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 6 prefix `Shorewall:logflags:DROP:'
0 0 DROP 0 -- * * 0.0.0.0/0 0.0.0.0/0
Chain logreject (0 references)
pkts bytes target prot opt in out source destination
0 0 LOG 0 -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 6 prefix `Shorewall:logreject:REJEC
T:'
0 0 reject 0 -- * * 0.0.0.0/0 0.0.0.0/0
Chain net2all (2 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT 0 -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
4261 278K Drop 0 -- * * 0.0.0.0/0 0.0.0.0/0
4100 261K DROP 0 -- * * 0.0.0.0/0 0.0.0.0/0
Chain net2fw (1 references)
pkts bytes target prot opt in out source destination
1971 1081K ACCEPT 0 -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
2 120 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
19 1096 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:113
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:37567
1 60 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
160 19840 ACCEPT 41 -- * * 62.78.96.38 0.0.0.0/0
4261 278K net2all 0 -- * * 0.0.0.0/0 0.0.0.0/0
Chain net2loc (1 references)
pkts bytes target prot opt in out source destination
2843 3319K ACCEPT 0 -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
3852 189K ACCEPT tcp -- * * 0.0.0.0/0 192.168.1.254 tcp dpt:27549
0 0 ACCEPT tcp -- * * 0.0.0.0/0 192.168.1.254 tcp dpt:24568
0 0 ACCEPT udp -- * * 0.0.0.0/0 192.168.1.254 udp dpt:24568
0 0 ACCEPT tcp -- * * 0.0.0.0/0 192.168.1.254 tcp dpts:2200:2210
0 0 ACCEPT udp -- * * 0.0.0.0/0 192.168.1.254 udp dpts:2200:2210
0 0 ACCEPT tcp -- * * 0.0.0.0/0 192.168.1.254 tcp dpt:7851
0 0 ACCEPT udp -- * * 0.0.0.0/0 192.168.1.254 udp dpt:7851
0 0 ACCEPT udp -- * * 0.0.0.0/0 192.168.1.254 multiport dports 6073,2302:2400
0 0 ACCEPT tcp -- * * 0.0.0.0/0 192.168.1.254 tcp dpts:6112:6119
0 0 ACCEPT udp -- * * 0.0.0.0/0 192.168.1.254 udp dpts:6112:6119
0 0 ACCEPT tcp -- * * 0.0.0.0/0 192.168.1.254 tcp dpt:3724
0 0 ACCEPT udp -- * * 0.0.0.0/0 192.168.1.254 udp dpt:33333
0 0 ACCEPT tcp -- * * 0.0.0.0/0 192.168.1.254 tcp dpt:5223
0 0 net2all 0 -- * * 0.0.0.0/0 0.0.0.0/0
Chain norfc1918 (2 references)
pkts bytes target prot opt in out source destination
0 0 rfc1918 0 -- * * 172.16.0.0/12 0.0.0.0/0
0 0 rfc1918 0 -- * * 0.0.0.0/0 0.0.0.0/0 ctorigdst 172.16.0.0/12
5 210 rfc1918 0 -- * * 192.168.0.0/16 0.0.0.0/0
0 0 rfc1918 0 -- * * 0.0.0.0/0 0.0.0.0/0 ctorigdst 192.168.0.0/16
0 0 rfc1918 0 -- * * 10.0.0.0/8 0.0.0.0/0
0 0 rfc1918 0 -- * * 0.0.0.0/0 0.0.0.0/0 ctorigdst 10.0.0.0/8
Chain reject (10 references)
pkts bytes target prot opt in out source destination
0 0 DROP 0 -- * * 255.255.255.255 0.0.0.0/0
0 0 DROP 0 -- * * 224.0.0.0/4 0.0.0.0/0
0 0 DROP 0 -- * * 0.0.0.0/0 0.0.0.0/0 PKTTYPE = broadcast
0 0 DROP 0 -- * * 0.0.0.0/0 0.0.0.0/0 PKTTYPE = multicast
0 0 DROP 0 -- * * 255.255.255.255 0.0.0.0/0
0 0 DROP 0 -- * * 224.0.0.0/4 0.0.0.0/0
0 0 REJECT tcp -- * * 0.0.0.0/0 0.0.0.0/0 reject-with tcp-reset
0 0 REJECT udp -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT icmp -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-unreachable
0 0 REJECT 0 -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Chain rfc1918 (6 references)
pkts bytes target prot opt in out source destination
5 210 LOG 0 -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 6 prefix `Shorewall:rfc1918:DROP:'
5 210 DROP 0 -- * * 0.0.0.0/0 0.0.0.0/0
Chain shorewall (0 references)
pkts bytes target prot opt in out source destination
Chain smurfs (0 references)
pkts bytes target prot opt in out source destination
0 0 LOG 0 -- * * 80.222.31.255 0.0.0.0/0 LOG flags 0 level 6 prefix `Shorewall:smurfs:DROP:'
0 0 DROP 0 -- * * 80.222.31.255 0.0.0.0/0
0 0 LOG 0 -- * * 192.168.1.255 0.0.0.0/0 LOG flags 0 level 6 prefix `Shorewall:smurfs:DROP:'
0 0 DROP 0 -- * * 192.168.1.255 0.0.0.0/0
0 0 LOG 0 -- * * 255.255.255.255 0.0.0.0/0 LOG flags 0 level 6 prefix `Shorewall:smurfs:DROP:'
0 0 DROP 0 -- * * 255.255.255.255 0.0.0.0/0
0 0 LOG 0 -- * * 224.0.0.0/4 0.0.0.0/0 LOG flags 0 level 6 prefix `Shorewall:smurfs:DROP:'
0 0 DROP 0 -- * * 224.0.0.0/4 0.0.0.0/0
Chain tcpflags (2 references)
pkts bytes target prot opt in out source destination
0 0 logflags tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x29
0 0 logflags tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x00
0 0 logflags tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x06/0x06
0 0 logflags tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x03/0x03
0 0 logflags tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:0 flags:0x17/0x02
----------------------------------------------------------------------------
I don't see any rules blocking ipv6? ip6tables is empty and shorewall is set to allow all ipv6 connections as was stated on the first post. What more configuration outputs would you need?
aiccu test fails on step 6/8 (routing/firewall problem)!
Even though the ip6tables is empty, it seems that no packet can be sent outbound, as such, what are the permissions of the 'ping6' tool and did you run the aiccu test as root/uid0 ? It might be that you simply don't have permissions to send ICMP from that account, thus also check stuff like SELinux and/or similar things.
Again, provide more information, as for instance your tunnel settings are not there nor are your routing tables, and those can cause issues too, especially with such a complex ruleset.
Also fw2net has:
0 0 ACCEPT 41 -- * * 0.0.0.0/0 62.78.96.38
Indicating that you are not sending any packets back at all, not even the ICMPv6 Echo Requests that are coming from the PoP, which most likely are these packets:
net2fw:
160 19840 ACCEPT 41 -- * * 62.78.96.38 0.0.0.0/0
I suggest that you do a "iptables -F", then test if you can reach the PoP, if you can, then start adding filewall rules per block or per line, till it breaks again.
aiccu test fails on step 6/8 (routing/firewall problem)!
Shadow Hawkins on Sunday, 26 August 2007 14:23:41
Hmm now it works for some reason and I didn't change anything. :?
It must've been the time synchronization problem with aiccu again or something similar...
aiccu test fails on step 6/8 (routing/firewall problem)!
You have a static tunnel, thus time really can't have anything to do with it.
According to the counters of your firewall you are not even sending packets outbound to the PoP, let alone sending IPv6 packets at all...
|
![[ch]](/s/countries/ch.gif)
on Thursday, 23 August 2007 22:56:25
Posting is only allowed when you are