From: Undertacker
Subject: Re: problem with applying a state match rules for ipv6 connections
Date: Mon, 27 Feb 2006 17:45:06 +0100
Message-ID: <44032C92.5000101@areanetworking.it>
In-Reply-To: <200602260517.k1Q5HkIF022830@toshiba.co.jp>
References: <43FD8A34.8090605@areanetworking.it> <200602260517.k1Q5HkIF022830@toshiba.co.jp>
To: netfilter@lists.netfilter.org

Yasuyuki KOZAKAI wrote:
> Hi,
>
> From: Undertacker
> Date: Thu, 23 Feb 2006 11:11:00 +0100
>
>> Dear All,
>> I have some problems applying state match rules for ipv6 connections.
>>
>> I'm using a debian unstable with 2.6.16-rc4 kernel.
>> This is my ipv6 configuration (/etc/network/interfaces):
>>
>> auto btexact00
>> iface btexact00 inet6 v4tunnel
>>     address 2001:618:400:c23b:ffff:ffff:ffff:ffff
>>     netmask 128
>>     gateway fe80::d579:1855
>>     endpoint 213.121.24.85
>>     local 85.88.200.10
>>     ttl 254
>>
>> ipv6 allocation is 2001:618:400:c23b::/64
>> for now I'm using only the btexact00 interface for ipv6 output to the internet.
>> there is also a second interface eth1 for LAN distribution of ipv6 support.
>
> Sorry I'm not familiar with debian, but this box is a router, isn't it?

Uh... many people consider a router anything that makes connections... If you mean that, my answer is positive.
If you mean that the router is dedicated network hardware for management of networking solutions, my answer is no.
This is a PC Intel based architecture with Linux operating system and 3 network interface cards.

http://www.debian.org/
Debian uses the Linux kernel (the core of an operating system), but most of the basic OS tools come from the GNU project; hence the name GNU/Linux.

>> It is not long that I'm using linux (just about 6 months) so please forgive me if I have done some stupid configuration.
>>
>> this is my ip6tables configuration:
>> cat /etc/iptables.conf/ip6tables-roule.conf
>> # Generated by ip6tables-save v1.3.5 on Thu Feb 23 10:55:57 2006
>> *filter
>> :INPUT DROP [188:18904]
>> :FORWARD DROP [0:0]
>> :OUTPUT DROP [9:728]
>> :btexact00_in - [0:0]
>> :btexact00_out - [0:0]
>> :eth1_in - [0:0]
>> :eth1_out - [0:0]
>> -A INPUT -s ::/0 -d ::/0 -i eth1 -j eth1_in
>> -A INPUT -s ::/0 -d ::/0 -i btexact00 -j btexact00_in
>> -A OUTPUT -s ::/0 -d ::/0 -o btexact00 -j btexact00_out
>> -A OUTPUT -s ::/0 -d ::/0 -o eth1 -j eth1_out
>> -A btexact00_in -s ::/0 -d ::/0 -m state --state RELATED,ESTABLISHED -j ACCEPT
>> -A btexact00_out -s 2001:618:400:c23b:ffff:ffff:ffff:ffff/128 -d ::/0 -j ACCEPT
>> COMMIT
>> # Completed on Thu Feb 23 10:55:57 2006
>> # Generated by ip6tables-save v1.3.5 on Thu Feb 23 10:55:57 2006
>> *mangle
>> :PREROUTING ACCEPT [195:19632]
>> :INPUT ACCEPT [195:19632]
>> :FORWARD ACCEPT [0:0]
>> :OUTPUT ACCEPT [195:19784]
>> :POSTROUTING ACCEPT [186:19056]
>> COMMIT
>> # Completed on Thu Feb 23 10:55:57 2006
>
> At first, this configuration will drop the ICMPv6 packets for
> address autoconfiguration in your LAN if you run radvd on this box.

I suppose so.
But my intention for now is: use ipv6 directly from that machine, not from the LAN
(I also don't like the auto configuration of anything, so the network connection I usually set manually).

>> finally I came to my question:
>> for some kind of reason the rule:
>> -A btexact00_in -s ::/0 -d ::/0 -m state --state RELATED,ESTABLISHED -j ACCEPT
>> doesn't match that kind of traffic.
>> (if I add this rule after the one above: "-A btexact00_in -s ::/0 -d ::/0 -j LOG", the log outputs all the traffic)
>
> If this box is a router and you want to use state match for forwarded
> packets, you need to configure the FORWARD chain.
>
> And please "modprobe nf_conntrack_ipv6" manually. For some reason, it isn't
> auto-loaded and we have to defer improving this until 2.6.17.

UH....... I think that I have some kind of big problem because I can't find "nf_conntrack_ipv6":

hole:~# modprobe nf_conntrack_ipv6
FATAL: Module nf_conntrack_ipv6 not found.
hole:~# modprobe nf
nfnetlink       nfnetlink_log   nfnetlink_queue nfs             nfsd            nftl

But I'm quite sure that I selected this kind of option in the kernel compilation as M (module), if this is the right place to select it.
Do you have some suggestion how to solve this?

>> I tried several times to reconfigure all ip6tables supposing that this was a configuration problem, but the configuration to me seems ok.
>> Please can you help me?
>> Best Regards
>> Undertacker
>>
>> P.S.
>> I'm so sorry for my English, I hope you understand this mail.
>
> -- Yasuyuki Kozakai

Thank you so much for answering me, as you see I'm not so expert in this...
Quoting REM lyrics - Losing My Religion..... I'm Losing My Modules......
Best Regards
Undertacker
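The thread raises three separate pitfalls with this ruleset: a `-m state` rule can never match unless the IPv6 connection-tracking module (nf_conntrack_ipv6 on this kernel) is actually loaded; an INPUT policy of DROP with no ICMPv6 accept rule also drops the neighbour-discovery and autoconfiguration packets Kozakai mentions; and on a router, stateful filtering of transit traffic belongs in FORWARD, which here is DROP with no rules at all. The following is an added example, written for this page and not code from the netfilter project or from either correspondent. It is an offline linter that parses an ip6tables-save dump (a constructed copy of the ruleset quoted above is embedded) and lsmod-style output (also constructed) and reports those three conditions. The finding names, the `is_router` flag and the sample lsmod text are this example's own assumptions, not anything defined by ip6tables.

```python
"""Offline linter for an ip6tables-save dump and lsmod output.

Added example for this thread (not netfilter project code). Flags:
  STATE_MATCH_NEEDS_CONNTRACK - a -m state/-m conntrack rule is present,
      so the IPv6 conntrack module must be loaded or the rule is dead
  INPUT_DROP_NO_ICMPV6       - INPUT policy DROP with no ICMPv6 ACCEPT,
      which breaks neighbour discovery / address autoconfiguration
  FORWARD_DROP_EMPTY         - on a router, FORWARD is DROP with no rules,
      so no stateful filtering ever applies to forwarded packets
"""

# Constructed copy of the *filter and *mangle tables quoted in the thread.
RULESET = """\
# Generated by ip6tables-save v1.3.5 on Thu Feb 23 10:55:57 2006
*filter
:INPUT DROP [188:18904]
:FORWARD DROP [0:0]
:OUTPUT DROP [9:728]
:btexact00_in - [0:0]
:btexact00_out - [0:0]
:eth1_in - [0:0]
:eth1_out - [0:0]
-A INPUT -s ::/0 -d ::/0 -i eth1 -j eth1_in
-A INPUT -s ::/0 -d ::/0 -i btexact00 -j btexact00_in
-A OUTPUT -s ::/0 -d ::/0 -o btexact00 -j btexact00_out
-A OUTPUT -s ::/0 -d ::/0 -o eth1 -j eth1_out
-A btexact00_in -s ::/0 -d ::/0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A btexact00_out -s 2001:618:400:c23b:ffff:ffff:ffff:ffff/128 -d ::/0 -j ACCEPT
COMMIT
*mangle
:PREROUTING ACCEPT [195:19632]
:INPUT ACCEPT [195:19632]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [195:19784]
:POSTROUTING ACCEPT [186:19056]
COMMIT
"""

# Constructed lsmod(8)-style output for a box where the module is not loaded.
LSMOD_SAMPLE = """\
Module                  Size  Used by
ip6_tables             20000  1 ip6table_filter
nfnetlink               8000  0
"""

# Spellings ip6tables accepts for ICMPv6 after -p.
ICMPV6_PROTO_NAMES = {"icmpv6", "ipv6-icmp", "58"}


def parse_filter_table(dump):
    """Return (policies, rules) for the *filter table of an ip6tables-save dump.

    policies maps chain name -> policy ("-" for user-defined chains);
    rules is a list of dicts with the chain name and the rule's argument tokens.
    """
    policies, rules, in_filter = {}, [], False
    for line in dump.splitlines():
        line = line.strip()
        if line.startswith("*"):            # table header switches context
            in_filter = line == "*filter"
            continue
        if not in_filter or not line or line.startswith("#") or line == "COMMIT":
            continue
        if line.startswith(":"):            # ":CHAIN POLICY [pkts:bytes]"
            name, policy = line[1:].split()[:2]
            policies[name] = policy
        elif line.startswith("-A "):        # "-A CHAIN <match/target args>"
            parts = line.split()
            rules.append({"chain": parts[1], "args": parts[2:]})
    return policies, rules


def _has_option(args, flag, values):
    """True if `flag` occurs in args immediately followed by one of `values`."""
    return any(a == flag and args[i + 1] in values for i, a in enumerate(args[:-1]))


def lint(dump, is_router=False):
    """Return the list of finding names for the given dump, in a fixed order."""
    policies, rules = parse_filter_table(dump)
    findings = []
    if any(_has_option(r["args"], "-m", {"state", "conntrack"}) for r in rules):
        findings.append("STATE_MATCH_NEEDS_CONNTRACK")
    icmp_accepted = any(_has_option(r["args"], "-p", ICMPV6_PROTO_NAMES)
                        and _has_option(r["args"], "-j", {"ACCEPT"}) for r in rules)
    if policies.get("INPUT") == "DROP" and not icmp_accepted:
        findings.append("INPUT_DROP_NO_ICMPV6")
    if (is_router and policies.get("FORWARD") == "DROP"
            and not any(r["chain"] == "FORWARD" for r in rules)):
        findings.append("FORWARD_DROP_EMPTY")
    return findings


def missing_modules(lsmod_output, required=("nf_conntrack_ipv6",)):
    """Return the required module names absent from lsmod-style output."""
    loaded = {ln.split()[0] for ln in lsmod_output.splitlines()[1:] if ln.strip()}
    return [m for m in required if m not in loaded]


if __name__ == "__main__":
    print("ruleset findings:", lint(RULESET, is_router=False))
    print("as a router:    ", lint(RULESET, is_router=True))
    print("missing modules:", missing_modules(LSMOD_SAMPLE))
```

On a live box the two inputs would come from `ip6tables-save` and `lsmod`; the point of the first finding is the one Kozakai makes, that a state rule which shows no matches while a following LOG rule sees everything is a sign the conntrack module is not loaded, not that the rule syntax is wrong.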