Subject: IPv6: unknown packet logged ...
From: Walter H.
Date: 2017-08-22 14:42 UTC
To: netfilter

Hello,

I have these rules at the beginning of /etc/sysconfig/ip6tables

# Filter all packets with state INVALID
-A INPUT -m state --state INVALID -j DROP
-A FORWARD -m state --state INVALID -j DROP
-A OUTPUT -m state --state INVALID -j DROP

and at the bottom these rules:

# Log all other
-A INPUT -j LOG --log-prefix "IPv6[IN]: " --log-level 7
-A FORWARD -j LOG --log-prefix "IPv6[FWD]: " --log-level 7
-A OUTPUT -j LOG --log-prefix "IPv6[OUT]: " --log-level 7

Which rule would have caught these logged packets?

[70223.386265] IPv6[FWD]: IN=sit1 OUT=br0 SRC=2a00:1450:4001:081a:0000:0000:0000:200e DST=myipv6addr LEN=123 TC=0 HOPLIMIT=60 FLOWLBL=617912 PROTO=TCP SPT=443 DPT=59073 WINDOW=1171 RES=0x00 ACK PSH URGP=0
[70232.150311] IPv6[FWD]: IN=sit1 OUT=br0 SRC=2a00:1450:4001:081a:0000:0000:0000:200e DST=myipv6addr LEN=123 TC=0 HOPLIMIT=60 FLOWLBL=949795 PROTO=TCP SPT=443 DPT=59073 WINDOW=1171 RES=0x00 ACK PSH URGP=0
[70249.740932] IPv6[FWD]: IN=sit1 OUT=br0 SRC=2a00:1450:4001:081a:0000:0000:0000:200e DST=myipv6addr LEN=123 TC=0 HOPLIMIT=60 FLOWLBL=811062 PROTO=TCP SPT=443 DPT=59073 WINDOW=1171 RES=0x00 ACK PSH URGP=0

Thanks,
Walter
Subject: Re: IPv6: unknown packet logged ...
From: Mark Coetser
Date: 2017-08-22 14:47 UTC
To: Walter H., netfilter

On 22/08/2017 16:42, Walter H. wrote:
> [...]
> Which rule would have caught these logged packets?
>
> [70223.386265] IPv6[FWD]: IN=sit1 OUT=br0 SRC=2a00:1450:4001:081a:0000:0000:0000:200e DST=myipv6addr LEN=123 TC=0 HOPLIMIT=60 FLOWLBL=617912 PROTO=TCP SPT=443 DPT=59073 WINDOW=1171 RES=0x00 ACK PSH URGP=0
> [...]

Those logged packets are packets traversing your filter FORWARD chain. Obviously no rule is matching, which is why it's triggering the last rule, which is

-A FORWARD -j LOG --log-prefix "IPv6[FWD]: " --log-level 7
Subject: Re: IPv6: unknown packet logged ...
From: Walter H.
Date: 2017-08-22 14:59 UTC
To: Mark Coetser; Cc: Walter H., netfilter

On Tue, August 22, 2017 16:47, Mark Coetser wrote:
> [...]
> Those logged packets are packets traversing your filter FORWARD chain.
> Obviously no rule is matching, which is why it's triggering the last
> rule, which is
>
> -A FORWARD -j LOG --log-prefix "IPv6[FWD]: " --log-level 7

Of course, and which rule would I have to add before this rule, so that these are not logged ...?
Subject: Re: IPv6: unknown packet logged ...
From: Mark Coetser
Date: 2017-08-22 15:08 UTC
To: Walter H.; Cc: netfilter

On 22/08/2017 16:59, Walter H. wrote:
> [...]
> Of course, and which rule would I have to add before this rule, so that
> these are not logged ...?

It depends on what you want to allow. If you want to allow all traffic between interface sit1 and br0:

-I FORWARD -i sit1 -o br0 -j ACCEPT

although the logged packets above show the source port being tcp/443, which means this connection came in br0 and out sit1, so you are probably missing an established/related rule.
Subject: Re: IPv6: unknown packet logged ...
From: Walter H.
Date: 2017-08-22 15:36 UTC
To: Mark Coetser; Cc: netfilter

On 22.08.2017 17:08, Mark Coetser wrote:
> [...]
> It depends on what you want to allow. If you want to allow all traffic
> between interface sit1 and br0:
>
> -I FORWARD -i sit1 -o br0 -j ACCEPT
>
> although the logged packets above show the source port being tcp/443,
> which means this connection came in br0 and out sit1, so you are
> probably missing an established/related rule.

These rules are after dropping invalid and before logging:

# Enable forwarding to IPv6-Tunnel interface
-A FORWARD -i br0 -o sit1 -j ACCEPT
# Enable established, related packets back through
-I FORWARD -i sit1 -o br0 -m state --state ESTABLISHED,RELATED -j ACCEPT

so I have the problem that I cannot really know why these packets were logged ...
Subject: Re: IPv6: unknown packet logged ...
From: Mark Coetser
Date: 2017-08-22 15:40 UTC
To: Walter H.; Cc: netfilter

On 22/08/2017 17:36, Walter H. wrote:
> [...]
> These rules are after dropping invalid and before logging:
>
> # Enable forwarding to IPv6-Tunnel interface
> -A FORWARD -i br0 -o sit1 -j ACCEPT
> # Enable established, related packets back through
> -I FORWARD -i sit1 -o br0 -m state --state ESTABLISHED,RELATED -j ACCEPT
>
> so I have the problem that I cannot really know why these packets were
> logged ...

Without seeing your whole ruleset it's pretty hard to tell; at least show your filter FORWARD rules. As for the established/related rule, you don't have to specify the input/output interfaces.
Subject: Re: IPv6: unknown packet logged ...
From: Walter H.
Date: 2017-08-22 15:52 UTC
To: Mark Coetser; Cc: netfilter

On 22.08.2017 17:40, Mark Coetser wrote:
> [...]
> Without seeing your whole ruleset it's pretty hard to tell; at least
> show your filter FORWARD rules. As for the established/related rule, you
> don't have to specify the input/output interfaces.

ip6tables-save results in this:

# Generated by ip6tables-save v1.4.7 on Tue Aug 22 17:44:04 2017
*filter
:INPUT DROP [0:0]
:FORWARD DROP [17:7812]
:OUTPUT DROP [0:0]
-A INPUT -i sit1 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m rt --rt-type 0 -j DROP
-A INPUT -m state --state INVALID -j DROP
-A INPUT -s fe80::/10 -j ACCEPT
-A INPUT -d ff00::/8 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i br0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s myprefix::/64 -d fe80::/10 -i br0 -j ACCEPT
-A INPUT -s fe80::/10 -d ff02::1:2/128 -i br0 -p tcp -m tcp -m multiport --dports 546,547 -j ACCEPT
-A INPUT -s fe80::/10 -d ff02::1:2/128 -i br0 -p udp -m udp -m multiport --dports 546,547 -j ACCEPT
-A INPUT -i br0 -p ipv6-icmp -j ACCEPT
-A INPUT -i br0 -p udp -m udp --sport 32769:65535 --dport 33434:33523 -j ACCEPT
-A INPUT -i br0 -p tcp -m tcp --dport 53 -m state --state NEW -j ACCEPT
-A INPUT -i br0 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i br0 -p tcp -m tcp --dport 80 -m state --state NEW -j ACCEPT
-A INPUT -i br0 -p tcp -m tcp --dport 443 -m state --state NEW -j ACCEPT
-A INPUT -i br0 -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT
-A INPUT -i br0 -p tcp -m tcp --dport 3128 -m state --state NEW -j ACCEPT
-A INPUT -i sit1 -p ipv6-icmp -j ACCEPT
-A INPUT -i sit1 -p ipv6-icmp -j ACCEPT
-A INPUT -i sit1 -p udp -m udp --sport 32769:65535 --dport 33434:33523 -j ACCEPT
-A INPUT -i sit1 -p tcp -m tcp --dport 53 -m state --state NEW -j ACCEPT
-A INPUT -i br0 -p udp -m udp --dport 5353 -j DROP
-A INPUT -i sit1 -p tcp -m tcp --dport 21 -j DROP
-A INPUT -i sit1 -p tcp -m tcp --dport 22 -j DROP
-A INPUT -i sit1 -p tcp -m tcp --dport 23 -j DROP
-A INPUT -i sit1 -p tcp -m tcp --dport 80 -j DROP
-A INPUT -i sit1 -p tcp -m tcp --dport 443 -j DROP
-A INPUT -i sit1 -p tcp -m tcp --dport 3128 -j DROP
-A INPUT -j LOG --log-prefix "IPv6[IN]: " --log-level 7
-A FORWARD -i sit1 -o br0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -m rt --rt-type 0 -j DROP
-A FORWARD -m state --state INVALID -j DROP
-A FORWARD -i br0 -o br0 -j ACCEPT
-A FORWARD -i br0 -o sit1 -p tcp -m tcp --dport 25 -j LOG --log-prefix "IPv6[FWD-SMTP(out)]: " --log-level 7
-A FORWARD -i br0 -o sit1 -p tcp -m tcp --dport 25 -j DROP
-A FORWARD -i br0 -o sit1 -j ACCEPT
-A FORWARD -j LOG --log-prefix "IPv6[FWD]: " --log-level 7
-A OUTPUT -m rt --rt-type 0 -j DROP
-A OUTPUT -m state --state INVALID -j DROP
-A OUTPUT -s fe80::/10 -j ACCEPT
-A OUTPUT -d ff00::/8 -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -o br0 -j ACCEPT
-A OUTPUT -o sit1 -j ACCEPT
-A OUTPUT -j LOG --log-prefix "IPv6[OUT]: " --log-level 7
COMMIT
# Completed on Tue Aug 22 17:44:04 2017

br0 is the LAN port
sit1 is the HE-tunnel port

Thanks,
Walter
Subject: Re: IPv6: unknown packet logged ...
From: Mark Coetser
Date: 2017-08-22 16:03 UTC
To: Walter H.; Cc: netfilter

On 22/08/2017 17:52, Walter H. wrote:
> ip6tables-save results in this:
>
> [...]
> -A FORWARD -i sit1 -o br0 -m state --state RELATED,ESTABLISHED -j ACCEPT
> -A FORWARD -m rt --rt-type 0 -j DROP
> -A FORWARD -m state --state INVALID -j DROP
> -A FORWARD -i br0 -o br0 -j ACCEPT
> -A FORWARD -i br0 -o sit1 -p tcp -m tcp --dport 25 -j LOG --log-prefix "IPv6[FWD-SMTP(out)]: " --log-level 7
> -A FORWARD -i br0 -o sit1 -p tcp -m tcp --dport 25 -j DROP
> -A FORWARD -i br0 -o sit1 -j ACCEPT
> -A FORWARD -j LOG --log-prefix "IPv6[FWD]: " --log-level 7
> [...]
>
> br0 is the LAN port
> sit1 is the HE-tunnel port

Looks fine to me, unless conntrack isn't picking those packets up as established/related to the initial connection.
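To make Mark's closing remark checkable, here is an added example (not code from the thread, from netfilter or from any of the posters) that replays the first logged packet against the FORWARD chain from Walter's ip6tables-save output, once for each conntrack state the `state` match can test, and reports which rule fires. The log line and the rules are copied from the thread; the rule parser only understands the handful of matches this particular chain uses, and it treats `-m rt --rt-type 0` as not matching because a netfilter LOG line carries no extension-header information (an assumption of this example, not something the thread states).

```python
"""Replay a netfilter LOG line against an ip6tables FORWARD chain under
each possible conntrack state. Added example, not code from the thread."""
import shlex
from dataclasses import dataclass
from typing import Optional

# Constructed sample input: the first LOG line posted in the thread, with
# the DST placeholder left exactly as the poster wrote it.
LOG_LINE = (
    "[70223.386265] IPv6[FWD]: IN=sit1 OUT=br0 "
    "SRC=2a00:1450:4001:081a:0000:0000:0000:200e DST=myipv6addr LEN=123 TC=0 "
    "HOPLIMIT=60 FLOWLBL=617912 PROTO=TCP SPT=443 DPT=59073 WINDOW=1171 "
    "RES=0x00 ACK PSH URGP=0"
)

# The FORWARD chain as it appears in the posted ip6tables-save output.
FORWARD_RULES = [
    "-A FORWARD -i sit1 -o br0 -m state --state RELATED,ESTABLISHED -j ACCEPT",
    "-A FORWARD -m rt --rt-type 0 -j DROP",
    "-A FORWARD -m state --state INVALID -j DROP",
    "-A FORWARD -i br0 -o br0 -j ACCEPT",
    '-A FORWARD -i br0 -o sit1 -p tcp -m tcp --dport 25 -j LOG '
    '--log-prefix "IPv6[FWD-SMTP(out)]: " --log-level 7',
    "-A FORWARD -i br0 -o sit1 -p tcp -m tcp --dport 25 -j DROP",
    "-A FORWARD -i br0 -o sit1 -j ACCEPT",
    '-A FORWARD -j LOG --log-prefix "IPv6[FWD]: " --log-level 7',
]

# States the `state` match can test for (UNTRACKED omitted: this ruleset
# has no raw table, so nothing is ever marked untracked).
STATES = ("NEW", "ESTABLISHED", "RELATED", "INVALID")
TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG", "CWR", "ECE"}


def parse_log_line(line: str) -> dict:
    """KEY=VALUE tokens become dict entries; bare TCP flag words are
    collected under 'flags'. Timestamp and --log-prefix text are ignored."""
    pkt = {"flags": set()}
    for tok in line.split():
        if "=" in tok:
            key, val = tok.split("=", 1)
            pkt[key] = val
        elif tok in TCP_FLAGS:
            pkt["flags"].add(tok)
    return pkt


@dataclass
class Rule:
    text: str
    in_if: Optional[str] = None
    out_if: Optional[str] = None
    proto: Optional[str] = None
    sport: Optional[int] = None
    dport: Optional[int] = None
    states: Optional[frozenset] = None   # None means no `-m state` match
    needs_rt_header: bool = False        # `-m rt --rt-type 0`
    target: str = ""


def parse_rule(text: str) -> Rule:
    """Pick out the matches this chain uses; every other token is skipped."""
    toks = shlex.split(text)   # shlex keeps the quoted --log-prefix intact
    rule = Rule(text=text)
    for i, tok in enumerate(toks[:-1]):
        arg = toks[i + 1]
        if tok in ("-i", "-o", "-j"):
            setattr(rule, {"-i": "in_if", "-o": "out_if", "-j": "target"}[tok], arg)
        elif tok == "-p":
            rule.proto = arg.upper()
        elif tok in ("--sport", "--dport"):
            setattr(rule, tok[2:], int(arg))
        elif tok == "--state":
            rule.states = frozenset(arg.split(","))
        elif tok == "--rt-type":
            rule.needs_rt_header = True
    return rule


def stateless_match(rule: Rule, pkt: dict) -> bool:
    """Every criterion the LOG line lets us judge. A LOG line reports no
    extension headers, so an `-m rt` rule is assumed not to match."""
    if rule.needs_rt_header:
        return False
    if rule.in_if is not None and rule.in_if != pkt.get("IN"):
        return False
    if rule.out_if is not None and rule.out_if != pkt.get("OUT"):
        return False
    if rule.proto is not None and rule.proto != pkt.get("PROTO", "").upper():
        return False
    if rule.sport is not None and rule.sport != int(pkt.get("SPT", -1)):
        return False
    if rule.dport is not None and rule.dport != int(pkt.get("DPT", -1)):
        return False
    return True


def first_match(rules, pkt, state):
    """Walk the chain in order assuming conntrack classified the packet as
    `state`; return (1-based rule number, target) of the first rule that
    fires, or None when only the chain policy applies. LOG is non-terminating
    in ip6tables, but the first firing rule is what identifies the log line."""
    for num, rule in enumerate(rules, start=1):
        if not stateless_match(rule, pkt):
            continue
        if rule.states is not None and state not in rule.states:
            continue
        return num, rule.target
    return None


def states_reaching(rules, pkt, rule_num):
    """Conntrack states under which the packet fires rule `rule_num`
    (the rule whose --log-prefix showed up in the kernel log)."""
    return {s for s in STATES
            if (first_match(rules, pkt, s) or (None,))[0] == rule_num}


RULES = [parse_rule(r) for r in FORWARD_RULES]
PKT = parse_log_line(LOG_LINE)

if __name__ == "__main__":
    for state in STATES:
        print(f"as {state:<11}: {first_match(RULES, PKT, state)}")
    print("states consistent with the IPv6[FWD] line:",
          states_reaching(RULES, PKT, len(RULES)))
```

Run stand-alone, the walk shows that for a packet with IN=sit1 OUT=br0 the only rule ahead of the catch-all LOG that can match at all is the RELATED,ESTABLISHED rule, so the packet is logged only when conntrack classified it as NEW: as ESTABLISHED or RELATED it would have been accepted by rule 1, and as INVALID it would have been dropped silently by rule 3 without ever reaching the LOG rule. That is the same conclusion Mark reaches, made precise: conntrack had no entry for the 443/59073 flow when these mid-stream ACK PSH segments arrived. With the default `nf_conntrack_tcp_loose=1` such a segment is picked up as NEW rather than rejected as INVALID, which is exactly the state this walk requires (my inference, not stated in the thread). The `:FORWARD DROP [17:7812]` policy counter in the posted output counts the packets that fell through the LOG rule to the chain policy. While the flow is alive, `conntrack -L -f ipv6` shows whether an entry for the 59073/443 pair exists at all, and `ip6tables -L FORWARD -v -n` confirms which rules are gaining counters; the rule text is ambiguous without those counters, since nothing in the ruleset itself distinguishes a missing entry from a timed-out one.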