* ipv6 rule icmp bug maybe
@ 2013-04-04 0:02 Nick Edwards
From: Nick Edwards @ 2013-04-04 0:02 UTC (permalink / raw)
To: netfilter
Hi,
Wondering if this is by design, or a bug.
with ipv4 we have been able to
-P INPUT DROP
loopback accepts etc...
-A INPUT -s 192.168.1.0/24 -j ACCEPT
hitting this, means allow all from 192.168.1.1/2/3/4.... etc - tcp.
udp. icmp whatever..
But with ip6tables this same approach does not seem to work, it
permits tcp/udp, but it does not allow icmp, bug?
* Re: ipv6 rule icmp bug maybe
From: Michal Kubeček @ 2013-04-04 5:50 UTC (permalink / raw)
To: netfilter; +Cc: Nick Edwards
On Thursday 04 of April 2013 10:02EN, Nick Edwards wrote:
> with ipv4 we have been able to
> -P INPUT DROP
> loopback accepts etc...
>
> -A INPUT -s 192.168.1.0/24 -j ACCEPT
>
> hitting this, means allow all from 192.168.1.1/2/3/4.... etc - tcp.
> udp. icmp whatever..
>
> But with ip6tables this same approach does not seem to work, it
> permits tcp/udp, but it does not allow icmp, bug?
Hard to say unless you tell us what your rules look like and what
packets are dropped (and you think they shouldn't be).
Michal Kubecek
* Re: ipv6 rule icmp bug maybe
From: Nick Edwards @ 2013-04-04 7:13 UTC (permalink / raw)
To: mkubecek; +Cc: netfilter
On 4/4/13, Michal Kubeček <mkubecek@suse.cz> wrote:
>
>
> Hard to say unless you tell us what do your rules look like and what
> packets are dropped (and you think they shouldn't be).
ok, copy and paste with only minor munging
#!/bin/sh
/usr/sbin/iptables -F
/usr/sbin/ip6tables -F
/usr/sbin/iptables -P INPUT DROP
/usr/sbin/ip6tables -P INPUT DROP
/usr/sbin/iptables -P OUTPUT ACCEPT
/usr/sbin/ip6tables -P OUTPUT ACCEPT
/usr/sbin/iptables -P FORWARD DROP
/usr/sbin/ip6tables -P FORWARD DROP
/usr/sbin/iptables -A INPUT -i lo -j ACCEPT
/usr/sbin/ip6tables -A INPUT -i lo -j ACCEPT
/usr/sbin/ip6tables -A INPUT -s fe80::/10 -j ACCEPT
/usr/sbin/ip6tables -A INPUT -d ff00::/8 -j ACCEPT
/usr/sbin/iptables -A INPUT -s 192.168.1.0/24 -j ACCEPT
/usr/sbin/iptables -A INPUT -s 178.x.x.x/24 -j ACCEPT
/usr/sbin/ip6tables -A INPUT -s 2001:c01d:c01d:beef::0/64 -j ACCEPT
/usr/sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
/usr/sbin/ip6tables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
I can reach this machine from 178.x.x.x as normal. I can ssh in, and ping it.
However, when I come from the ipv6 range, I can ssh in, but I can not ping it.
There are no other conditions in play on this remote machine; what you
see is what is there.
So I don't get why a _range_ ACCEPT works for all protocols on
ipv4, but it doesn't with ipv6.
* Re: ipv6 rule icmp bug maybe
From: Nick Edwards @ 2013-04-04 7:16 UTC (permalink / raw)
To: mkubecek; +Cc: netfilter
Darnit, forgot to mention, that if I change policy to accept, I can
ping it on ipv6, so there is no upstream tampering.
* Re: ipv6 rule icmp bug maybe
From: Pascal Hambourg @ 2013-04-07 9:15 UTC (permalink / raw)
To: netfilter
Hello,
Nick Edwards wrote:
>
> /usr/sbin/ip6tables -A INPUT -s fe80::/10 -j ACCEPT
> /usr/sbin/ip6tables -A INPUT -d ff00::/8 -j ACCEPT
>
> /usr/sbin/iptables -A INPUT -s 192.168.1.0/24 -j ACCEPT
> /usr/sbin/iptables -A INPUT -s 178.x.x.x/24 -j ACCEPT
> /usr/sbin/ip6tables -A INPUT -s 2001:c01d:c01d:beef::0/64 -j ACCEPT
>
> /usr/sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> /usr/sbin/ip6tables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
If the network interface is of ethernet type, you should allow ICMPv6
types neighbour solicitation and neighbour advertisement. They replace
ARP requests and replies for IPv6.
> however, when I come from the ipv6 range, I can ssh in, but I can not ping it.
What do you mean by "can not ping"? What happens exactly? Have you
done a packet capture on both ends to see what happens at the network
layer?
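The Neighbour Discovery rules this reply recommends, as an added example that is not part of the thread or of netfilter itself. It assumes ip6tables at /usr/sbin/ip6tables (overridable via IP6T) and that `ip6tables -S` prints ICMPv6 types numerically, as ip6tables-save does; the chain dumps below are constructed from the script posted earlier in the thread.

```shell
#!/bin/sh
# Added example (not from the thread): the ICMPv6 Neighbour Discovery rules
# Pascal Hambourg's reply recommends, plus a check over an `ip6tables -S INPUT`
# dump that reports which of the two types a DROP-policy chain still lacks.
IP6T=${IP6T:-/usr/sbin/ip6tables}

# Emit (rather than run) ACCEPT rules for neighbour solicitation (type 135)
# and neighbour advertisement (136), inserted at the top of INPUT so they
# match before any DROP. Apply as root with:  ndp_rules | sh
ndp_rules() {
    for t in neighbour-solicitation neighbour-advertisement; do
        echo "$IP6T -I INPUT -p icmpv6 --icmpv6-type $t -j ACCEPT"
    done
}

# Read an `ip6tables -S INPUT` dump on stdin and print the name of each ND
# type that has no explicit ACCEPT. -S prints numeric types, so both the
# number and the symbolic name are matched. Prints nothing if both are covered.
missing_ndp() {
    dump=$(cat)
    for pair in 135:neighbour-solicitation 136:neighbour-advertisement; do
        n=${pair%%:*}; t=${pair#*:}
        printf '%s\n' "$dump" \
            | grep -qE -- "--icmpv6-type ($n|$t) -j ACCEPT" || echo "$t"
    done
}

# Constructed dump of the thread's INPUT chain (what -S would show for the
# ip6tables lines in the posted script); no ND rule, so both types are missing.
THREAD_INPUT='-P INPUT DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -s fe80::/10 -j ACCEPT
-A INPUT -d ff00::/8 -j ACCEPT
-A INPUT -s 2001:c01d:c01d:beef::/64 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT'

# The same chain after ndp_rules has been applied (constructed).
FIXED_INPUT="-P INPUT DROP
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 136 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 135 -j ACCEPT
$(printf '%s\n' "$THREAD_INPUT" | sed 1d)"

# Number of ND types still missing from a dump passed as the first argument.
count_missing() { printf '%s\n' "$1" | missing_ndp | wc -l | tr -d ' '; }

count_missing "$THREAD_INPUT"   # 2
count_missing "$FIXED_INPUT"    # 0
```

On a live host, feed the real chain with `ip6tables -S INPUT | missing_ndp` to see whether either type is still unhandled before changing the policy.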