* problem with applying a state match rules for ipv6 connections
@ 2006-02-23 10:11 Undertacker
2006-02-26 5:17 ` Yasuyuki KOZAKAI
[not found] ` <200602260517.k1Q5HkIF022830@toshiba.co.jp>
0 siblings, 2 replies; 4+ messages in thread
From: Undertacker @ 2006-02-23 10:11 UTC (permalink / raw)
To: netfilter
Dear All
I have some problem with applying a state match rules for ipv6 connections.
I’m using a debian unstable with 2.6.16-rc4 kernel.
This is my ipv6 configuration:(/etc/network/interfaces)
auto btexact00
iface btexact00 inet6 v4tunnel
address 2001:618:400:c23b:ffff:ffff:ffff:ffff
netmask 128
gateway fe80::d579:1855
endpoint 213.121.24.85
local 85.88.200.10
ttl 254
ipv6 allocation is 2001:618:400:c23b::/64
for now I’m using only a btexact00 interface for ipv6 output to internet.
there is also a second interface eth1 for LAN distribution of ipv6 support.
It is not long that I’m using a linux (just about 6 months) so please
forgive me if I have done some stupid configuration.
this is my ip6tables configuration:
cat /etc/iptables.conf/ip6tables-roule.conf
# Generated by ip6tables-save v1.3.5 on Thu Feb 23 10:55:57 2006
*filter
:INPUT DROP [188:18904]
:FORWARD DROP [0:0]
:OUTPUT DROP [9:728]
:btexact00_in - [0:0]
:btexact00_out - [0:0]
:eth1_in - [0:0]
:eth1_out - [0:0]
-A INPUT -s ::/0 -d ::/0 -i eth1 -j eth1_in
-A INPUT -s ::/0 -d ::/0 -i btexact00 -j btexact00_in
-A OUTPUT -s ::/0 -d ::/0 -o btexact00 -j btexact00_out
-A OUTPUT -s ::/0 -d ::/0 -o eth1 -j eth1_out
-A btexact00_in -s ::/0 -d ::/0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A btexact00_out -s 2001:618:400:c23b:ffff:ffff:ffff:ffff/128 -d ::/0 -j ACCEPT
COMMIT
# Completed on Thu Feb 23 10:55:57 2006
# Generated by ip6tables-save v1.3.5 on Thu Feb 23 10:55:57 2006
*mangle
:PREROUTING ACCEPT [195:19632]
:INPUT ACCEPT [195:19632]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [195:19784]
:POSTROUTING ACCEPT [186:19056]
COMMIT
# Completed on Thu Feb 23 10:55:57 2006
Finally I come to my question:
for some reason the rule:
-A btexact00_in -s ::/0 -d ::/0 -m state --state RELATED,ESTABLISHED -j ACCEPT
doesn’t match that kind of traffic.
(if I add this rule after the one above: "-A btexact00_in -s ::/0 -d ::/0 -j LOG", the log outputs all the traffic)
I tried several times to reconfigure all ip6tables, supposing that
this was a configuration problem, but the configuration seems OK to me.
Please can you help me?
Best Regards
Undertacker
P.S.
I’m so sorry for my English, I hope you understand this mail.
* Re: problem with applying a state match rules for ipv6 connections
2006-02-23 10:11 problem with applying a state match rules for ipv6 connections Undertacker
@ 2006-02-26 5:17 ` Yasuyuki KOZAKAI
[not found] ` <200602260517.k1Q5HkIF022830@toshiba.co.jp>
1 sibling, 0 replies; 4+ messages in thread
From: Yasuyuki KOZAKAI @ 2006-02-26 5:17 UTC (permalink / raw)
To: undertacker; +Cc: netfilter
Hi,
From: Undertacker <undertacker@areanetworking.it>
Date: Thu, 23 Feb 2006 11:11:00 +0100
> Dear All
> I have some problem with applying a state match rules for ipv6 connections.
>
> I’m using a debian unstable with 2.6.16-rc4 kernel.
> This is my ipv6 configuration:(/etc/network/interfaces)
>
> auto btexact00
> iface btexact00 inet6 v4tunnel
> address 2001:618:400:c23b:ffff:ffff:ffff:ffff
> netmask 128
> gateway fe80::d579:1855
> endpoint 213.121.24.85
> local 85.88.200.10
> ttl 254
> ipv6 allocation is 2001:618:400:c23b::/64
> for now I’m using only a btexact00 interface for ipv6 output to internet.
> there is also a second interface eth1 for LAN distribution of ipv6
> support.
Sorry, I'm not familiar with Debian, but this box is a router, isn't it?
> It is not long that I’m using a linux (just about 6 months) so please
> forgive me if I have done some stupid configuration.
>
> this is my ip6tables configuration:
> cat /etc/iptables.conf/ip6tables-roule.conf
> # Generated by ip6tables-save v1.3.5 on Thu Feb 23 10:55:57 2006
> *filter
> :INPUT DROP [188:18904]
> :FORWARD DROP [0:0]
> :OUTPUT DROP [9:728]
> :btexact00_in - [0:0]
> :btexact00_out - [0:0]
> :eth1_in - [0:0]
> :eth1_out - [0:0]
> -A INPUT -s ::/0 -d ::/0 -i eth1 -j eth1_in
> -A INPUT -s ::/0 -d ::/0 -i btexact00 -j btexact00_in
> -A OUTPUT -s ::/0 -d ::/0 -o btexact00 -j btexact00_out
> -A OUTPUT -s ::/0 -d ::/0 -o eth1 -j eth1_out
> -A btexact00_in -s ::/0 -d ::/0 -m state --state RELATED,ESTABLISHED -j ACCEPT
> -A btexact00_out -s 2001:618:400:c23b:ffff:ffff:ffff:ffff/128 -d ::/0 -j ACCEPT
> COMMIT
> # Completed on Thu Feb 23 10:55:57 2006
> # Generated by ip6tables-save v1.3.5 on Thu Feb 23 10:55:57 2006
> *mangle
> :PREROUTING ACCEPT [195:19632]
> :INPUT ACCEPT [195:19632]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [195:19784]
> :POSTROUTING ACCEPT [186:19056]
> COMMIT
> # Completed on Thu Feb 23 10:55:57 2006
First, this configuration will drop ICMPv6 packets for
address autoconfiguration in your LAN if you run radvd on this box.
> Finally I come to my question:
> for some reason the rule:
> -A btexact00_in -s ::/0 -d ::/0 -m state --state RELATED,ESTABLISHED -j ACCEPT
> doesn’t match that kind of traffic.
> (if I add this rule after the one above: "-A btexact00_in -s ::/0 -d ::/0 -j LOG", the log outputs all the traffic)
If this box is a router and you want to use the state match for forwarded
packets, you need to configure the FORWARD chain.
And please "modprobe nf_conntrack_ipv6" manually. For some reason, it isn't
auto-loaded and we have to defer improving this until 2.6.17.
> I tried several times to reconfigure all ip6tables, supposing that
> this was a configuration problem, but the configuration seems OK to me.
> Please can you help me?
> Best Regards
> Undertacker
>
> P.S.
> I’m so sorry for my English, I hope you understand this mail.
-- Yasuyuki Kozakai
* Re: problem with applying a state match rules for ipv6 connections
[not found] ` <200602260517.k1Q5HkIF022830@toshiba.co.jp>
@ 2006-02-27 16:45 ` Undertacker
0 siblings, 0 replies; 4+ messages in thread
From: Undertacker @ 2006-02-27 16:45 UTC (permalink / raw)
To: netfilter
Yasuyuki KOZAKAI wrote:
> Hi,
>
> From: Undertacker <undertacker@areanetworking.it>
> Date: Thu, 23 Feb 2006 11:11:00 +0100
>
>
>> Dear All
>> I have some problem with applying a state match rules for ipv6 connections.
>>
>> I’m using a debian unstable with 2.6.16-rc4 kernel.
>> This is my ipv6 configuration:(/etc/network/interfaces)
>>
>> auto btexact00
>> iface btexact00 inet6 v4tunnel
>> address 2001:618:400:c23b:ffff:ffff:ffff:ffff
>> netmask 128
>> gateway fe80::d579:1855
>> endpoint 213.121.24.85
>> local 85.88.200.10
>> ttl 254
>> ipv6 allocation is 2001:618:400:c23b::/64
>> for now I’m using only a btexact00 interface for ipv6 output to internet.
>> there is also a second interface eth1 for LAN distribution of ipv6
>> support.
>>
>
> Sorry, I'm not familiar with Debian, but this box is a router, isn't it?
>
Uh… many people consider a router to be anything that makes connections…..
If you mean that, my answer is positive.
If you mean that a router is dedicated network hardware for management
of networking solutions, my answer is no.
This is a PC with Intel-based architecture, the Linux operating system and 3
network interface cards.
http://www.debian.org/
Debian uses the Linux kernel (the core of an operating system), but most
of the basic OS tools come from the GNU project; hence the name GNU/Linux.
>
>> It is not long that I’m using a linux (just about 6 months) so please
>> forgive me if I have done some stupid configuration.
>>
>> this is my ip6tables configuration:
>> cat /etc/iptables.conf/ip6tables-roule.conf
>> # Generated by ip6tables-save v1.3.5 on Thu Feb 23 10:55:57 2006
>> *filter
>> :INPUT DROP [188:18904]
>> :FORWARD DROP [0:0]
>> :OUTPUT DROP [9:728]
>> :btexact00_in - [0:0]
>> :btexact00_out - [0:0]
>> :eth1_in - [0:0]
>> :eth1_out - [0:0]
>> -A INPUT -s ::/0 -d ::/0 -i eth1 -j eth1_in
>> -A INPUT -s ::/0 -d ::/0 -i btexact00 -j btexact00_in
>> -A OUTPUT -s ::/0 -d ::/0 -o btexact00 -j btexact00_out
>> -A OUTPUT -s ::/0 -d ::/0 -o eth1 -j eth1_out
>> -A btexact00_in -s ::/0 -d ::/0 -m state --state RELATED,ESTABLISHED -j ACCEPT
>> -A btexact00_out -s 2001:618:400:c23b:ffff:ffff:ffff:ffff/128 -d ::/0 -j ACCEPT
>> COMMIT
>> # Completed on Thu Feb 23 10:55:57 2006
>> # Generated by ip6tables-save v1.3.5 on Thu Feb 23 10:55:57 2006
>> *mangle
>> :PREROUTING ACCEPT [195:19632]
>> :INPUT ACCEPT [195:19632]
>> :FORWARD ACCEPT [0:0]
>> :OUTPUT ACCEPT [195:19784]
>> :POSTROUTING ACCEPT [186:19056]
>> COMMIT
>> # Completed on Thu Feb 23 10:55:57 2006
>>
>
> First, this configuration will drop ICMPv6 packets for
> address autoconfiguration in your LAN if you run radvd on this box.
>
I suppose that.
But my intention for now is: use ipv6 directly from that machine, not
from the LAN
(I also don’t like auto-configuration of anything, so I usually set the
network connection manually)
>
>> Finally I come to my question:
>> for some reason the rule:
>> -A btexact00_in -s ::/0 -d ::/0 -m state --state RELATED,ESTABLISHED -j ACCEPT
>> doesn’t match that kind of traffic.
>> (if I add this rule after the one above: "-A btexact00_in -s ::/0 -d ::/0 -j LOG", the log outputs all the traffic)
>>
>
> If this box is a router and you want to use the state match for forwarded
> packets, you need to configure the FORWARD chain.
>
> And please "modprobe nf_conntrack_ipv6" manually. For some reason, it isn't
> auto-loaded and we have to defer improving this until 2.6.17.
>
UH.......
I think that I have some kind of big problem because I can’t find
"nf_conntrack_ipv6"
hole:~# modprobe nf_conntrack_ipv6
FATAL: Module nf_conntrack_ipv6 not found.
hole:~# modprobe nf
nfnetlink nfnetlink_log nfnetlink_queue nfs nfsd nftl
But I’m quite sure that I selected this kind of option in kernel
compilation as M (module), if this is the right place to select it.
Do you have any suggestion how to solve this?
>
>> I tried several times to reconfigure all ip6tables, supposing that
>> this was a configuration problem, but the configuration seems OK to me.
>> Please can you help me?
>> Best Regards
>> Undertacker
>>
>> P.S.
>> I’m so sorry for my English, I hope you understand this mail.
>>
>
> -- Yasuyuki Kozakai
>
Thank you so much for answering me, as you see I’m not so expert in this…
Quoting a REM Lyrics - Losing My Religion.....
I'm Losing My Modules……
Best Regards Undertacker
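
The three points raised in the reply (nf_conntrack_ipv6 must be loaded for the state match, the FORWARD chain has no rules, and ICMPv6 is dropped) can be checked against a saved ruleset. The script below is an added example, not part of the thread: `lint_ip6tables_dump`, `sample_dump` and `sample_modules` are hypothetical names, the dump is the filter table from the first message with the eth1 chains omitted, and the module list is constructed. It assumes a kernel where IPv6 connection tracking is the separate nf_conntrack_ipv6 module, as in this thread.

```shell
# Added example, not from the thread. $1 = ip6tables-save dump,
# $2 = module list in /proc/modules format (first field = module name).
lint_ip6tables_dump() {
    awk '
    FILENAME == ARGV[1] { loaded[$1] = 1; next }     # module list
    /^\*/ { table = substr($1, 2); next }            # "*filter", "*mangle"
    table != "filter" { next }
    /^:/ { policy[substr($1, 2)] = $2; next }        # ":INPUT DROP [188:18904]"
    $1 == "-A" {
        rules[$2]++
        if ($0 ~ /-m (state|conntrack)( |$)/) stateful = 1
        if ($0 ~ /-p (ipv6-icmp|icmpv6)( |$)/) icmp6 = 1
    }
    END {
        if (stateful && !("nf_conntrack_ipv6" in loaded))
            print "CONNTRACK: state match used but nf_conntrack_ipv6 is not loaded"
        if (policy["FORWARD"] == "DROP" && !rules["FORWARD"])
            print "FORWARD: policy DROP and no rules, routed packets are dropped"
        if (policy["INPUT"] == "DROP" && !icmp6)
            print "ICMPV6: no ipv6-icmp rule, neighbour discovery is dropped"
    }' "$2" "$1"
}

# Filter table from the first message (eth1 chains omitted, wrapped lines joined).
sample_dump() {
    cat <<'EOF'
*filter
:INPUT DROP [188:18904]
:FORWARD DROP [0:0]
:OUTPUT DROP [9:728]
:btexact00_in - [0:0]
:btexact00_out - [0:0]
-A INPUT -s ::/0 -d ::/0 -i btexact00 -j btexact00_in
-A OUTPUT -s ::/0 -d ::/0 -o btexact00 -j btexact00_out
-A btexact00_in -s ::/0 -d ::/0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A btexact00_out -s 2001:618:400:c23b:ffff:ffff:ffff:ffff/128 -d ::/0 -j ACCEPT
COMMIT
EOF
}
# Constructed module list: ip6tables loaded, IPv6 connection tracking missing.
sample_modules() {
    printf '%s\n' 'ip6table_filter 2816 1 - Live 0x00000000' \
                  'ip6_tables 19728 1 ip6table_filter, Live 0x00000000'
}

tmp=$(mktemp -d)
sample_dump > "$tmp/dump"; sample_modules > "$tmp/modules"
lint_ip6tables_dump "$tmp/dump" "$tmp/modules"   # on a live host: pass /proc/modules
rm -rf "$tmp"
```

On a live system the first argument would be the output of ip6tables-save and the second /proc/modules.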