IPv6 gateway, was: Re: IPv6 foot-dragging

Jeroen_van_Aart · May 13, 2011, 7:03pm

Thanks all for the helpful suggestions.

It looks like I solved the problem by adjusting my forward chain. I have a the local network on eth0 and the external network on eth1 and my forward chain looked like:

-I FORWARD -i eth0 -o eth1 -s 2001:db8::/64 -j ACCEPT
-I FORWARD -i eth1 -o eth0 -d 2001:db8::/64 -j ACCEPT

Changing it to the following made it work:

-I FORWARD -s 2001:470:85cd::/64 -j ACCEPT
-I FORWARD -d 2001:470:85cd::/64 -j ACCEPT

I am not sure if it'd be less secure to not make it specific to the interfaces. How would I change the first set of rules, using the -i parameter and still make it work? I also have a 6in4 interface for the IPv6 tunnel.

Jeroen_van_Aart · May 13, 2011, 8:15pm

Jeroen van Aart wrote:

Thanks all for the helpful suggestions.

Obviously I need to do a better job using documentation IPv6 consistently, so ignore any inconsistencies in that regard.

Jeroen_van_Aart · May 13, 2011, 9:32pm

Jeroen van Aart wrote:

-I FORWARD -i eth0 -s 2001:db8::/64 -j ACCEPT
-I FORWARD -i eth1 -d 2001:db8::/64 -j ACCEPT

Just in case if anyone'd be using it as an example. It's a good idea to make your rules more restrictive.

Something like:
-I FORWARD -j DROP
-I FORWARD -s 2001:db8::/64 -j ACCEPT
-I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT

Owen_DeLong · May 13, 2011, 9:46pm

I thought iptables processed rules in order until it found a match. In such a case, wouldn't
you want those in the reverse order?

Owen

Jeroen_van_Aart · May 13, 2011, 10:33pm

Owen DeLong wrote:

Owen_DeLong · May 13, 2011, 10:41pm

DOH! Arcane syntax failure on the part of my brain's parser.

Of course if you are Inserting rather than Appending.

Owen

Todd_Lyons · May 16, 2011, 3:20pm

Double check the kernel version you have. IIRC kernels before 2.6.20
didn't have the ability to do RELATED,ESTABLISHED in ipv6. This hit
me on a CentOS box that I was using as a gateway. I am unaware if
there is a version of their 2.6.18 that has the patches backported
(googling seemed to indicate it has not been done, and most are just
waiting for new release of CentOS 6). RH6 works properly.

erikm · May 18, 2011, 2:30am

avoided for anything v6 - in addition to no iptables state pre20, there were some RA processing bugs that would result in great fun if, for example, your upstream MTU ever changed. Finding usable backports on CentOS was an exercise in futility.

-e