From: "Walter H." <Walter.H@mathemainzel.info>
To: Mark Coetser <mark@pkfnet.co.za>
Cc: netfilter@vger.kernel.org
Subject: Re: IPv6: unknown packet logged ...
Date: Tue, 22 Aug 2017 17:36:05 +0200	[thread overview]
Message-ID: <599C4F65.8080906@mathemainzel.info> (raw)
In-Reply-To: <5d75f004-0072-7e6a-f098-c20f8364ee05@pkfnet.co.za>


On 22.08.2017 17:08, Mark Coetser wrote:
> On 22/08/2017 16:59, Walter H. wrote:
>> On Tue, August 22, 2017 16:47, Mark Coetser wrote:
>>> On 22/08/2017 16:42, Walter H. wrote:
>>>> Hello,
>>>>
>>>> I have these rules at the beginning of /etc/sysconfig/ip6tables
>>>>
>>>> # Filter all packets with state INVALID
>>>> -A INPUT -m state --state INVALID -j DROP
>>>> -A FORWARD -m state --state INVALID -j DROP
>>>> -A OUTPUT -m state --state INVALID -j DROP
>>>>
>>>> and on bottom these rules:
>>>>
>>>> # Log all other
>>>> -A INPUT -j LOG --log-prefix "IPv6[IN]: " --log-level 7
>>>> -A FORWARD -j LOG --log-prefix "IPv6[FWD]: " --log-level 7
>>>> -A OUTPUT -j LOG --log-prefix "IPv6[OUT]: " --log-level 7
>>>>
>>>> which rule would have caught these logged packets:
>>>>
>>>> [70223.386265] IPv6[FWD]: IN=sit1 OUT=br0
>>>> SRC=2a00:1450:4001:081a:0000:0000:0000:200e DST=myipv6addr LEN=123 TC=0
>>>> HOPLIMIT=60 FLOWLBL=617912 PROTO=TCP SPT=443 DPT=59073 WINDOW=1171
>>>> RES=0x00 ACK PSH URGP=0
>>>> [70232.150311] IPv6[FWD]: IN=sit1 OUT=br0
>>>> SRC=2a00:1450:4001:081a:0000:0000:0000:200e DST=myipv6addr LEN=123 TC=0
>>>> HOPLIMIT=60 FLOWLBL=949795 PROTO=TCP SPT=443 DPT=59073 WINDOW=1171
>>>> RES=0x00 ACK PSH URGP=0
>>>> [70249.740932] IPv6[FWD]: IN=sit1 OUT=br0
>>>> SRC=2a00:1450:4001:081a:0000:0000:0000:200e DST=myipv6addr LEN=123 TC=0
>>>> HOPLIMIT=60 FLOWLBL=811062 PROTO=TCP SPT=443 DPT=59073 WINDOW=1171
>>>> RES=0x00 ACK PSH URGP=0
>>>
>>> Those logged packets are from packets traversing your filter FORWARD
>>> chain; obviously no rule is matching, which is why it's triggering the
>>> last rule, which is
>>>
>>> -A FORWARD -j LOG --log-prefix "IPv6[FWD]: " --log-level 7
>>>
>> Of course, and which rule would I have to add before this rule, so that
>> these are not logged ...?
>
> It depends on what you want to allow. If you want to allow all traffic
> between interfaces sit1 and br0:
>
> -I FORWARD -i sit1 -o br0 -j ACCEPT
>
> However, the logged packets above show the source port being tcp/443,
> which means this connection came in br0 and out sit1, so you are
> probably missing an established/related rule.

These rules are after dropping INVALID and before logging:

# Enable forwarding to IPv6-Tunnel interface
-A FORWARD -i br0 -o sit1 -j ACCEPT
# Enable established, related packets back through
-I FORWARD -i sit1 -o br0 -m state --state ESTABLISHED,RELATED -j ACCEPT

So I have the problem that I cannot really know why these packets were
logged ...
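
The packets quoted in this message reached the trailing LOG rule, so they were neither INVALID (that rule drops) nor ESTABLISHED,RELATED (that rule accepts). The following Python triage script is an added example, not code from the thread or from the netfilter project: it parses the kernel's LOG line format (KEY=VALUE tokens plus bare TCP flag words such as "ACK PSH"), groups the lines by flow, and states which conntrack state a packet must have had to fall through a chain laid out like the one above. It assumes that chain layout and the kernel default nf_conntrack_tcp_loose=1, under which a non-SYN TCP segment that matches no conntrack entry is picked up as NEW rather than classified INVALID (with tcp_loose=0 it would be INVALID and the first rule would have dropped it). The sample lines are constructed from the thread's log, with the DST placeholder replaced by a documentation address and one SYN in the other direction added.

```python
"""Triage for ip6tables LOG output of the kind quoted in this thread.

Added example (not code from the original post or the netfilter project).
Assumes a chain that drops INVALID first, accepts ESTABLISHED,RELATED for
sit1->br0, accepts br0->sit1, and logs everything else last; and the kernel
default nf_conntrack_tcp_loose=1.
"""
import re
from collections import Counter

TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG", "CWR", "ECE"}

# "[70223.386265] IPv6[FWD]: IN=sit1 OUT=br0 SRC=... ACK PSH URGP=0"
LINE_RE = re.compile(
    r"^\[\s*(?P<ts>[\d.]+)\]\s+IPv6\[(?P<chain>\w+)\]:\s*(?P<rest>.*)$")


def parse_log_line(line):
    """Return {'ts','chain','fields','flags'} for one LOG line, or None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields, flags = {}, set()
    for tok in m.group("rest").split():
        if "=" in tok:                 # KEY=VALUE; value may be empty ("OUT=")
            key, val = tok.split("=", 1)
            fields[key] = val
        elif tok in TCP_FLAGS:         # bare flag words
            flags.add(tok)
    return {"ts": float(m.group("ts")), "chain": m.group("chain"),
            "fields": fields, "flags": flags}


def flow_key(entry):
    f = entry["fields"]
    return (f.get("IN"), f.get("OUT"), f.get("SRC"), f.get("DST"),
            f.get("PROTO"), f.get("SPT"), f.get("DPT"))


def explain(entry):
    """Map a logged packet to the conntrack state it must have had.

    Reaching the trailing LOG rule means the packet passed the INVALID
    drop (so it was not INVALID) and missed the ESTABLISHED,RELATED
    accept (so it was not ESTABLISHED); for TCP that leaves NEW.
    """
    f, flags = entry["fields"], entry["flags"]
    proto = f.get("PROTO")
    if proto == "TCP":
        if "SYN" in flags and "ACK" not in flags:
            return ("NEW_SYN", "connection opener (state NEW); only an explicit "
                    "ACCEPT for %s->%s admits it"
                    % (f.get("IN"), f.get("OUT") or "local"))
        if "ACK" in flags:
            return ("NEW_MIDSTREAM", "mid-stream segment with no conntrack "
                    "entry: with nf_conntrack_tcp_loose=1 conntrack picks it up "
                    "as NEW rather than INVALID, so it matched neither rule")
    if proto == "ICMPv6":
        return ("ICMPV6", "ICMPv6 type %s; RELATED only if conntrack tied it "
                "to a known flow, otherwise NEW" % f.get("TYPE"))
    return ("UNKNOWN", "no heuristic for PROTO=%s" % proto)


def triage(text):
    """Group LOG lines by flow and attach explanation and hit count."""
    entries = [e for e in map(parse_log_line, text.splitlines()) if e]
    counts = Counter(flow_key(e) for e in entries)
    seen, report = set(), []
    for e in entries:
        key = flow_key(e)
        if key in seen:
            continue
        seen.add(key)
        code, why = explain(e)
        if code == "NEW_MIDSTREAM" and counts[key] > 1:
            # An unconfirmed conntrack entry is discarded when its packet is
            # dropped, so the next segment of the same flow is NEW again.
            why += ("; repeated hits on the same flow mean it never became "
                    "ESTABLISHED, consistent with the NEW packet being dropped "
                    "after the LOG rule")
        report.append({"chain": e["chain"], "flow": key, "hits": counts[key],
                       "code": code, "why": why})
    return report


# Constructed sample: two of the thread's lines (DST replaced by a
# documentation address) plus a SYN in the other direction.
SAMPLE_LOG = """\
[70223.386265] IPv6[FWD]: IN=sit1 OUT=br0 SRC=2a00:1450:4001:081a:0000:0000:0000:200e DST=2001:db8::10 LEN=123 TC=0 HOPLIMIT=60 FLOWLBL=617912 PROTO=TCP SPT=443 DPT=59073 WINDOW=1171 RES=0x00 ACK PSH URGP=0
[70232.150311] IPv6[FWD]: IN=sit1 OUT=br0 SRC=2a00:1450:4001:081a:0000:0000:0000:200e DST=2001:db8::10 LEN=123 TC=0 HOPLIMIT=60 FLOWLBL=949795 PROTO=TCP SPT=443 DPT=59073 WINDOW=1171 RES=0x00 ACK PSH URGP=0
[70300.000000] IPv6[FWD]: IN=br0 OUT=sit1 SRC=2001:db8::10 DST=2a00:1450:4001:081a::200e LEN=80 TC=0 HOPLIMIT=64 FLOWLBL=0 PROTO=TCP SPT=59074 DPT=443 WINDOW=64800 RES=0x00 SYN URGP=0
"""

if __name__ == "__main__":
    for r in triage(SAMPLE_LOG):
        print("%s x%d %s->%s %s" % (r["chain"], r["hits"], r["flow"][0],
                                    r["flow"][1], r["code"]))
        print("   ", r["why"])
```

Run as a script it prints one line per flow. The point for the thread's log is that a sit1->br0 segment carrying ACK and reaching LOG can only have been NEW: the conntrack entry for that connection was absent (expired, flushed, or the flow never confirmed), so the ESTABLISHED,RELATED rule had nothing to match against, and the same flow showing up three times at ten-second intervals is what one expects when that NEW packet is then dropped.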



Thread overview:
2017-08-22 14:42 IPv6: unknown packet logged Walter H.
2017-08-22 14:47 ` Mark Coetser
2017-08-22 14:59   ` Walter H.
2017-08-22 15:08     ` Mark Coetser
2017-08-22 15:36       ` Walter H. [this message]
2017-08-22 15:40         ` Mark Coetser
2017-08-22 15:52           ` Walter H.
2017-08-22 16:03             ` Mark Coetser
