IPv6 Out, only if there is already IPv6 Traffic coming in...
Shadow Hawkins on Tuesday, 05 August 2008 10:39:56
Hi,
I have a very weird problem, that has been happening for a while now, that I would like to fix.
My tunnel works, and is up, my page here shows a nice uptime, and I am amassing lots of credits, too many to know what to do with. I can ping, and access services on my machine using IPv6 from a friend's IPv6 enabled box, no problem. The problem is getting IPv6 *OUT* of my network.
If I initiate a ping6, it drops packets for a long while, until the heartbeat pings my box, this then seems to open something up and allow my packets out. I can fake this, by initiating a ping6 from my machine, and then pinging it myself from my friend's box, I will get dropped packets, until the external ping starts, then I will get results.
This happens with iptables turned completely off, as well as in my normal setup...
This is on Gentoo Linux, on a Virgin Media internet connection, with the machine I am testing on set as the "DMZ" on a WRT router (i.e. all traffic that hits the router is passed directly to this machine without filtering.)
Any ideas?
IPv6 Out, only if there is already IPv6 Traffic coming in...
Jeroen Massar on Tuesday, 05 August 2008 10:56:07
a) why don't you terminate the tunnel on the WRT?
b) Connection Tracking - which is enabled on your local box and on the WRT and both can cause problems.
IPv6 Out, only if there is already IPv6 Traffic coming in...
Shadow Hawkins on Tuesday, 05 August 2008 11:31:37
a) why don't you terminate the tunnel on the WRT?
As far as I am aware, that would involve messing with the firmware, which I would rather not do if I can get away with it, I want the machine to be the DMZ anyway for other reasons...
a) why don't you terminate the tunnel on the WRT?
That looks to be the opposite of what I'm getting, at no time do incoming IPv6 packets have problems that I have seen, just outgoing....
Reading through that thread, I am not masquerading anything (maybe that is the problem?) iptables-save output is below to give a better idea of my setup....
Thanks for the quick response, much appreciated...
sol iptables # cat iptables
# Generated by iptables-save v1.4.0 on Tue Aug 5 10:30:37 2008
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [93363:51050191]
:fail2ban-SSH - [0:0]
-A INPUT -p tcp -m tcp --dport 22 -j fail2ban-SSH
-A INPUT -p tcp -m tcp --dport 22 -j fail2ban-SSH
-A INPUT -p tcp -m tcp --dport 22 -j fail2ban-SSH
-A INPUT -s 127.0.0.1/32 -j ACCEPT
-A INPUT -s 10.1.1.0/24 -j ACCEPT
-A INPUT -s aaa.aaa.aaa.aaa/32 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 25 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 993 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 5901 -j ACCEPT
-A INPUT -p ipv6 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-SSH -j RETURN
COMMIT
# Completed on Tue Aug 5 10:30:37 2008
# Generated by iptables-save v1.4.0 on Tue Aug 5 10:30:37 2008
*mangle
:PREROUTING ACCEPT [83487:26503241]
:INPUT ACCEPT [72999:23530528]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [93363:51050191]
:POSTROUTING ACCEPT [93535:51090439]
COMMIT
# Completed on Tue Aug 5 10:30:37 2008
# Generated by iptables-save v1.4.0 on Tue Aug 5 10:30:37 2008
*raw
:PREROUTING ACCEPT [83487:26503241]
:OUTPUT ACCEPT [93363:51050191]
COMMIT
# Completed on Tue Aug 5 10:30:37 2008
# Generated by iptables-save v1.4.0 on Tue Aug 5 10:30:37 2008
*nat
:PREROUTING ACCEPT [12493:3329134]
:POSTROUTING ACCEPT [7298:602296]
:OUTPUT ACCEPT [7298:602296]
COMMIT
# Completed on Tue Aug 5 10:30:37 2008
IPv6 Out, only if there is already IPv6 Traffic coming in...
Jeroen Massar on Tuesday, 05 August 2008 11:56:25
The point of the 'connection tracking' problem is that it is simply enabled in your kernel the moment it is compiled in. It doesn't matter if you enable or disable masquerading or even iptables for that matter, it is simply there and it is collecting and expiring connections.
Indeed inbound -> outbound should not cause any problems, but it is one problem that a lot of people get hit by.
IPv6 Out, only if there is already IPv6 Traffic coming in...
Shadow Hawkins on Tuesday, 05 August 2008 12:42:49
The point of the 'connection tracking' problem is that it is simply enabled in your kernel the moment it is compiled in. It doesn't matter if you enable or disable masquerading or even iptables for that matter, it is simply there and it is collecting and expiring connections.
Ok, I have followed the instructions on there to turn off connection tracking for proto 41.
Still have the same problem. Any idea how to turn it off on the WRT? (Firmware version 1.00.1 if that helps...)
Thanks Again
Anthony
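Added example, not part of the thread: Jeroen's point is that conntrack tracks the 6in4 tunnel packets (IP protocol 41) whether or not any rule references them, and Anthony says he has exempted proto 41 but still sees the problem. A quick way to confirm that the exemption is really in place on the Linux box is to check the raw table of an iptables-save dump for NOTRACK (or CT --notrack) rules on protocol 41 in both PREROUTING and OUTPUT, since a rule in only one direction leaves half the tunnel tracked. The script below does that over two constructed sample dumps (the first mirrors the thread's empty raw table, the second adds the two rules); it assumes the exemption was done with raw-table NOTRACK rules, which is the usual method, and accepts the protocol written either as 41 or as ipv6, the name iptables-save prints for it.

```shell
#!/bin/sh
# Added example (not the thread's own configuration): check whether an
# iptables-save dump exempts protocol 41 (6in4 tunnel traffic) from
# connection tracking in the raw table, in both directions.

# has_notrack FILE CHAIN -> returns 0 if the raw table in FILE has a rule in
# CHAIN that matches protocol 41 ("-p 41" or "-p ipv6") and jumps to NOTRACK
# or to "CT --notrack"; returns 1 otherwise.
has_notrack() {
    awk -v chain="$2" '
        /^\*/      { table = substr($0, 2) }      # "*raw" -> "raw"
        /^COMMIT$/ { table = "" }
        table == "raw" && $1 == "-A" && $2 == chain &&
        /-p (41|ipv6)( |$)/ && (/-j NOTRACK/ || /-j CT .*--notrack/) { found = 1 }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# proto41_status FILE -> prints "exempt" (and returns 0) only when both the
# incoming (PREROUTING) and outgoing (OUTPUT) directions are exempted,
# otherwise prints "tracked" and returns 1.
proto41_status() {
    if has_notrack "$1" PREROUTING && has_notrack "$1" OUTPUT; then
        echo exempt
        return 0
    fi
    echo tracked
    return 1
}

# Constructed sample dumps (assumed content, not copied from a real host).
# "before" mirrors the raw table from the thread: no rules at all.
# "after" adds the two exemption rules and keeps the filter-table ACCEPT.
before=$(mktemp)
after=$(mktemp)
trap 'rm -f "$before" "$after"' EXIT

cat > "$before" <<'EOF'
*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
EOF

cat > "$after" <<'EOF'
*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -p ipv6 -j NOTRACK
-A OUTPUT -p ipv6 -j NOTRACK
COMMIT
*filter
:INPUT ACCEPT [0:0]
-A INPUT -p ipv6 -j ACCEPT
COMMIT
EOF

echo "before: proto 41 is $(proto41_status "$before")"
echo "after:  proto 41 is $(proto41_status "$after")"
```

Run it against a real dump with `iptables-save > /tmp/rules && proto41_status /tmp/rules` after sourcing the functions. Note that the filter-table `-A INPUT -p ipv6 -j ACCEPT` line from the thread only accepts the packets; it does nothing about tracking, which is why the check looks at the raw table only.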