IPv6 gateway, was: Re: IPv6 foot-dragging

Thanks all for the helpful suggestions.

It looks like I solved the problem by adjusting my forward chain. I have the local network on eth0 and the external network on eth1 and my forward chain looked like:

-I FORWARD -i eth0 -o eth1 -s 2001:db8::/64 -j ACCEPT
-I FORWARD -i eth1 -o eth0 -d 2001:db8::/64 -j ACCEPT

Changing it to the following made it work:

-I FORWARD -s 2001:470:85cd::/64 -j ACCEPT
-I FORWARD -d 2001:470:85cd::/64 -j ACCEPT

I am not sure if it'd be less secure to not make it specific to the interfaces. How would I change the first set of rules, using the -i parameter and still make it work? I also have a 6in4 interface for the IPv6 tunnel.

Jeroen van Aart wrote:

Thanks all for the helpful suggestions.

Obviously I need to do a better job using documentation IPv6 consistently, so ignore any inconsistencies in that regard.

Jeroen van Aart wrote:

-I FORWARD -i eth0 -s 2001:db8::/64 -j ACCEPT
-I FORWARD -i eth1 -d 2001:db8::/64 -j ACCEPT

Just in case anyone'd be using it as an example. It's a good idea to make your rules more restrictive.

Something like:
-I FORWARD -j DROP
-I FORWARD -s 2001:db8::/64 -j ACCEPT
-I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT

I thought iptables processed rules in order until it found a match. In such a case, wouldn't
you want those in the reverse order?

Owen

Owen DeLong wrote:

DOH! Arcane syntax failure on the part of my brain's parser.

Of course if you are Inserting rather than Appending.

Owen
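One way to keep the FORWARD rules tied to interfaces (the question in the first message) while still accepting return traffic and dropping everything else (the restrictive set suggested above), written up as an added example rather than any poster's own rules. It assumes the LAN is on eth0, the 6in4 tunnel device is named sit1 and the LAN prefix is 2001:db8::/64; it also models the -I versus -A ordering point Owen raised, and prints rather than applies the rules unless IP6TABLES=ip6tables is set.

```shell
#!/bin/sh
# Added example, not from the thread. Assumptions: LAN on eth0, the 6in4
# tunnel device is named sit1, LAN prefix 2001:db8::/64. IP6TABLES defaults
# to "echo" so the script only prints rules; set IP6TABLES=ip6tables to apply.
LAN_IF=eth0
TUN_IF=sit1            # forwarded IPv6 leaves via the tunnel device, not eth1
LAN_NET=2001:db8::/64
IP6TABLES=${IP6TABLES:-echo}

# Rules added with -A are evaluated top to bottom, first match wins.
# The state match needs IPv6 conntrack (kernel 2.6.20 or later).
forward_rules_append() {
    # Replies for connections already seen, in either direction.
    $IP6TABLES -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
    # New connections only from the LAN and only out through the tunnel.
    # "-o eth1" would never match here: eth1 only carries the IPv4 encapsulation.
    $IP6TABLES -A FORWARD -i "$LAN_IF" -o "$TUN_IF" -s "$LAN_NET" -j ACCEPT
    # Everything else, including new inbound connections from the tunnel.
    $IP6TABLES -A FORWARD -j DROP
}

# The same chain written with -I: each rule goes to the top, so they must be
# issued in reverse order to end up with the same evaluation order.
forward_rules_insert() {
    $IP6TABLES -I FORWARD -j DROP
    $IP6TABLES -I FORWARD -i "$LAN_IF" -o "$TUN_IF" -s "$LAN_NET" -j ACCEPT
    $IP6TABLES -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
}

# Replay printed rules (one per line) and show the resulting chain top to
# bottom, modelling only -A (append) and -I (prepend) on one chain.
chain_order() {
    chain=""
    while read -r line; do
        rule=$(printf '%s' "$line" | sed 's/^.*-[AI] FORWARD //')
        case "$line" in
            *"-A FORWARD "*) chain="${chain}${rule}
" ;;
            *"-I FORWARD "*) chain="${rule}
${chain}" ;;
        esac
    done
    printf '%s' "$chain"
}

if [ "$IP6TABLES" = echo ]; then
    echo "## -A version, as issued:";                forward_rules_append
    echo "## -I version, effective chain order:";    forward_rules_insert | chain_order
else
    forward_rules_append    # apply for real
fi
```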

Double check the kernel version you have. IIRC kernels before 2.6.20
didn't have the ability to do RELATED,ESTABLISHED in ipv6. This hit
me on a CentOS box that I was using as a gateway. I am unaware if
there is a version of their 2.6.18 that has the patches backported
(googling seemed to indicate it has not been done, and most are just
waiting for new release of CentOS 6). RH6 works properly.

avoided for anything v6 - in addition to no iptables state pre20, there were some RA processing bugs that would result in great fun if, for example, your upstream MTU ever changed. Finding usable backports on CentOS was an exercise in futility.

-e