From: Undertacker <undertacker@areanetworking.it>
To: netfilter@lists.netfilter.org
Subject: Re: problem with applying a state match rules for ipv6 connections
Date: Mon, 27 Feb 2006 17:45:06 +0100
Message-ID: <44032C92.5000101@areanetworking.it>
In-Reply-To: <200602260517.k1Q5HkIF022830@toshiba.co.jp>

Yasuyuki KOZAKAI wrote:
> Hi,
>
> From: Undertacker <undertacker@areanetworking.it>
> Date: Thu, 23 Feb 2006 11:11:00 +0100
>
>   
>> Dear All
>> I have a problem applying state match rules for IPv6 connections.
>>
>> I’m using Debian unstable with a 2.6.16-rc4 kernel.
>> This is my IPv6 configuration (/etc/network/interfaces):
>>
>> auto btexact00
>> iface btexact00 inet6 v4tunnel
>> address 2001:618:400:c23b:ffff:ffff:ffff:ffff
>> netmask 128
>> gateway fe80::d579:1855
>> endpoint 213.121.24.85
>> local 85.88.200.10
>> ttl 254
>> The IPv6 allocation is 2001:618:400:c23b::/64.
>> For now I’m using only the btexact00 interface for IPv6 output to the Internet.
>> There is also a second interface, eth1, for LAN distribution of IPv6
>> support.
>>     
>
> Sorry, I'm not familiar with Debian, but this box is a router, isn't it?
>   
Uh… many people consider a router to be anything that makes connections…
If you mean that, my answer is positive.
If you mean that the router is dedicated network hardware for management 
of networking solutions, my answer is no.
This is a PC with Intel-based architecture, with the Linux operating system and 3 
network interface cards.
http://www.debian.org/
Debian uses the Linux kernel (the core of an operating system), but most 
of the basic OS tools come from the GNU project; hence the name GNU/Linux.
>   
>> I have not been using Linux for long (just about 6 months), so please 
>> forgive me if I have done some stupid configuration.
>>
>> This is my ip6tables configuration:
>> cat /etc/iptables.conf/ip6tables-roule.conf
>> # Generated by ip6tables-save v1.3.5 on Thu Feb 23 10:55:57 2006
>> *filter
>> :INPUT DROP [188:18904]
>> :FORWARD DROP [0:0]
>> :OUTPUT DROP [9:728]
>> :btexact00_in - [0:0]
>> :btexact00_out - [0:0]
>> :eth1_in - [0:0]
>> :eth1_out - [0:0]
>> -A INPUT -s ::/0 -d ::/0 -i eth1 -j eth1_in
>> -A INPUT -s ::/0 -d ::/0 -i btexact00 -j btexact00_in
>> -A OUTPUT -s ::/0 -d ::/0 -o btexact00 -j btexact00_out
>> -A OUTPUT -s ::/0 -d ::/0 -o eth1 -j eth1_out
>> -A btexact00_in -s ::/0 -d ::/0 -m state --state RELATED,ESTABLISHED -j ACCEPT
>> -A btexact00_out -s 2001:618:400:c23b:ffff:ffff:ffff:ffff/128 -d ::/0 -j ACCEPT
>> COMMIT
>> # Completed on Thu Feb 23 10:55:57 2006
>> # Generated by ip6tables-save v1.3.5 on Thu Feb 23 10:55:57 2006
>> *mangle
>> :PREROUTING ACCEPT [195:19632]
>> :INPUT ACCEPT [195:19632]
>> :FORWARD ACCEPT [0:0]
>> :OUTPUT ACCEPT [195:19784]
>> :POSTROUTING ACCEPT [186:19056]
>> COMMIT
>> # Completed on Thu Feb 23 10:55:57 2006
>>     
>
> First, this configuration will cause ICMPv6 packets for
> address autoconfiguration in your LAN to be dropped if you run radvd on this box.
>   
I suppose so.
But my intention for now is to use IPv6 directly from that machine, not 
from the LAN.
(I also don’t like the autoconfiguration of anything, so I usually set up 
the network connection manually.)
>   
>> Finally I came to my question:
>> for some reason the rule:
>> -A btexact00_in -s ::/0 -d ::/0 -m state --state RELATED,ESTABLISHED -j ACCEPT
>> doesn’t match that kind of traffic.
>> (If I add this rule after the one above: "-A btexact00_in -s ::/0 -d ::/0 -j LOG", the log outputs all the traffic.)
>>     
>
> If this box is a router and you want to use state match for forwarded
> packets, you need to configure the FORWARD chain.
>
> And please "modprobe nf_conntrack_ipv6" manually. For some reason, it isn't
> auto-loaded and we have to defer improving this until 2.6.17.
>   
Uh...
I think that I have some kind of big problem because I can’t find
“nf_conntrack_ipv6”
hole:~# modprobe nf_conntrack_ipv6
FATAL: Module nf_conntrack_ipv6 not found.
hole:~# modprobe nf
nfnetlink nfnetlink_log nfnetlink_queue nfs nfsd nftl
But I’m quite sure that I selected this kind of option in the kernel 
compilation as M (module), if this is the right place to select it.
Do you have any suggestion on how to solve this?
>   
>> I tried several times to reconfigure all of ip6tables, supposing that 
>> this was a configuration problem, but the configuration seems OK to me.
>> Please can you help me?
>> Best Regards
>> Undertacker
>>
>> P.S.
>> I’m so sorry for my English, I hope you understand this mail.
>>     
>
> -- Yasuyuki Kozakai
>   
Thank you so much for answering me; as you see, I’m not much of an expert in this…
Quoting an REM lyric - Losing My Religion...
I'm Losing My Modules…
Best Regards Undertacker
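
The two points raised in the quoted reply (state match rules with no nf_conntrack_ipv6 loaded, and a DROP policy with no ICMPv6 accept rule) can be checked mechanically. The script below is an added example, not part of either message; the function names, finding labels and sample module lists are constructed for illustration, and it assumes a kernel of the thread's era where IPv6 connection tracking is the separate nf_conntrack_ipv6 module.

```shell
#!/bin/sh
# Added example: audit an ip6tables-save dump against a loaded-module list.
# Assumption: IPv6 connection tracking lives in the separate nf_conntrack_ipv6
# module named in the reply (kernels of the thread's era).

# Print the number of rules that use the state match.
count_state_rules() { grep -c -E '^-A .* -m state ' "$1" || true; }

# Succeed if module $1 appears in file $2 (same format as /proc/modules).
module_loaded() { awk -v m="$1" '$1 == m { f = 1 } END { exit !f }' "$2"; }

# Print one finding per line for rules file $1 and module list $2.
audit() {
    n=$(count_state_rules "$1")
    if [ "$n" -gt 0 ] && ! module_loaded nf_conntrack_ipv6 "$2"; then
        echo "STATE_WITHOUT_CONNTRACK rules=$n"
    fi
    # The reply's other point: a DROP policy on INPUT with no ICMPv6 accept
    # rule drops the ICMPv6 packets that address autoconfiguration relies on.
    if grep -q '^:INPUT DROP' "$1" &&
       ! grep -q -E '^-A .* -p (ipv6-icmp|icmpv6) .* -j ACCEPT' "$1"; then
        echo "ICMPV6_DROPPED"
    fi
}

# Constructed sample input: rules copied from the dump quoted in the thread,
# module lists invented for the demonstration.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cat > "$WORK/rules" <<'EOF'
*filter
:INPUT DROP [188:18904]
:FORWARD DROP [0:0]
:OUTPUT DROP [9:728]
:btexact00_in - [0:0]
-A INPUT -s ::/0 -d ::/0 -i btexact00 -j btexact00_in
-A btexact00_in -s ::/0 -d ::/0 -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT
EOF
printf '%s\n' 'ip6table_filter 2688 1 - Live 0xf8a10000' \
    'ip6_tables 13184 1 ip6table_filter, Live 0xf8a20000' > "$WORK/mods_before"
cp "$WORK/mods_before" "$WORK/mods_after"
echo 'nf_conntrack_ipv6 16128 2 - Live 0xf8a30000' >> "$WORK/mods_after"

audit "$WORK/rules" "$WORK/mods_before"   # both findings
audit "$WORK/rules" "$WORK/mods_after"    # only the ICMPv6 finding
```

On a live system the two arguments would be a saved `ip6tables-save` dump and `/proc/modules`.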




Thread overview: 4+ messages
2006-02-23 10:11 problem with applying a state match rules for ipv6 connections Undertacker
2006-02-26  5:17 ` Yasuyuki KOZAKAI
     [not found] ` <200602260517.k1Q5HkIF022830@toshiba.co.jp>
2006-02-27 16:45   ` Undertacker [this message]
  -- strict thread matches above, loose matches on Subject: below --
2006-02-23 14:28 Problem " Undertacker
