From: Undertacker
Subject: Problem with applying a state match rules for ipv6 connections
Date: Thu, 23 Feb 2006 15:28:48 +0100
Message-ID: <43FDC6A0.3090401@areanetworking.it>
To: netfilter@lists.netfilter.org

Dear All

I have a problem applying state match rules for IPv6 connections.
I'm using Debian unstable with a 2.6.16-rc4 kernel.

This is my IPv6 configuration (/etc/network/interfaces):

auto btexact00
iface btexact00 inet6 v4tunnel
    address 2001:618:400:c23b:ffff:ffff:ffff:ffff
    netmask 128
    gateway fe80::d579:1855
    endpoint 213.121.24.85
    local 85.88.200.10
    ttl 254

The IPv6 allocation is 2001:618:400:c23b::/64.

For now I'm using only the btexact00 interface for IPv6 output to the Internet.
There is also a second interface, eth1, for LAN distribution of IPv6 support.

I have not been using Linux for long (just about 6 months), so please forgive me if I have done some stupid configuration.

This is my ip6tables configuration:

cat /etc/iptables.conf/ip6tables-roule.conf

# Generated by ip6tables-save v1.3.5 on Thu Feb 23 10:55:57 2006
*filter
:INPUT DROP [188:18904]
:FORWARD DROP [0:0]
:OUTPUT DROP [9:728]
:btexact00_in - [0:0]
:btexact00_out - [0:0]
:eth1_in - [0:0]
:eth1_out - [0:0]
-A INPUT -s ::/0 -d ::/0 -i eth1 -j eth1_in
-A INPUT -s ::/0 -d ::/0 -i btexact00 -j btexact00_in
-A OUTPUT -s ::/0 -d ::/0 -o btexact00 -j btexact00_out
-A OUTPUT -s ::/0 -d ::/0 -o eth1 -j eth1_out
-A btexact00_in -s ::/0 -d ::/0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A btexact00_out -s 2001:618:400:c23b:ffff:ffff:ffff:ffff/128 -d ::/0 -j ACCEPT
COMMIT
# Completed on Thu Feb 23 10:55:57 2006
# Generated by ip6tables-save v1.3.5 on Thu Feb 23 10:55:57 2006
*mangle
:PREROUTING ACCEPT [195:19632]
:INPUT ACCEPT [195:19632]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [195:19784]
:POSTROUTING ACCEPT [186:19056]
COMMIT
# Completed on Thu Feb 23 10:55:57 2006

Finally I come to my question: for some reason the rule

-A btexact00_in -s ::/0 -d ::/0 -m state --state RELATED,ESTABLISHED -j ACCEPT

doesn't match that kind of traffic.
(If I add this rule after the one above:
"-A btexact00_in -s ::/0 -d ::/0 -j LOG"
the log shows all the traffic.)

I tried several times to reconfigure all of ip6tables, supposing that this was a configuration problem, but the configuration seems OK to me.

Please can you help me?

Best Regards
Undertacker

P.S. I'm so sorry for my English, I hope you understand this mail.