From: "Walter H."
Subject: Re: IPv6: unknown packet logged ...
Date: Tue, 22 Aug 2017 17:52:49 +0200
Message-ID: <599C5351.6010906@mathemainzel.info>
In-Reply-To: <287d31fb-3e70-0b44-523d-e93b9807d884@pkfnet.co.za>
To: Mark Coetser
Cc: netfilter@vger.kernel.org

On 22.08.2017 17:40, Mark Coetser wrote:
>
> On 22/08/2017 17:36, Walter H. wrote:
>> On 22.08.2017 17:08, Mark Coetser wrote:
>>> On 22/08/2017 16:59, Walter H. wrote:
>>>> On Tue, August 22, 2017 16:47, Mark Coetser wrote:
>>>>> On 22/08/2017 16:42, Walter H. wrote:
>>>>>> Hello,
>>>>>>
>>>>>> I have these rules at the beginning of /etc/sysconfig/ip6tables
>>>>>>
>>>>>> # Filter all packets with state INVALID
>>>>>> -A INPUT -m state --state INVALID -j DROP
>>>>>> -A FORWARD -m state --state INVALID -j DROP
>>>>>> -A OUTPUT -m state --state INVALID -j DROP
>>>>>>
>>>>>> and at the bottom these rules:
>>>>>>
>>>>>> # Log all other
>>>>>> -A INPUT -j LOG --log-prefix "IPv6[IN]: " --log-level 7
>>>>>> -A FORWARD -j LOG --log-prefix "IPv6[FWD]: " --log-level 7
>>>>>> -A OUTPUT -j LOG --log-prefix "IPv6[OUT]: " --log-level 7
>>>>>>
>>>>>> which rule would have caught these logged packets:
>>>>>>
>>>>>> [70223.386265] IPv6[FWD]: IN=sit1 OUT=br0 SRC=2a00:1450:4001:081a:0000:0000:0000:200e DST=myipv6addr LEN=123 TC=0 HOPLIMIT=60 FLOWLBL=617912 PROTO=TCP SPT=443 DPT=59073 WINDOW=1171 RES=0x00 ACK PSH URGP=0
>>>>>> [70232.150311] IPv6[FWD]: IN=sit1 OUT=br0 SRC=2a00:1450:4001:081a:0000:0000:0000:200e DST=myipv6addr LEN=123 TC=0 HOPLIMIT=60 FLOWLBL=949795 PROTO=TCP SPT=443 DPT=59073 WINDOW=1171 RES=0x00 ACK PSH URGP=0
>>>>>> [70249.740932] IPv6[FWD]: IN=sit1 OUT=br0 SRC=2a00:1450:4001:081a:0000:0000:0000:200e DST=myipv6addr LEN=123 TC=0 HOPLIMIT=60 FLOWLBL=811062 PROTO=TCP SPT=443 DPT=59073 WINDOW=1171 RES=0x00 ACK PSH URGP=0
>>>>>
>>>>> those logged packets are from packets traversing your filter FORWARD
>>>>> chain; obviously no rule is matching, which is why it's triggering the last
>>>>> rule, which is
>>>>>
>>>>> -A FORWARD -j LOG --log-prefix "IPv6[FWD]: " --log-level 7
>>>>>
>>>> of course, and which rule would I have to add before this rule, so that
>>>> these are not logged ...?
>>>
>>> It depends on what you want to allow; if you want to allow all
>>> traffic between interface sit1 and br0
>>>
>>> -I FORWARD -i sit1 -o br0 -j ACCEPT
>>>
>>> although the logged packets above show the source port being tcp/443,
>>> which means this connection came in br0 and out sit1, so you are
>>> probably missing an established/related rule.
>> these rules are after dropping invalid and before logging
>>
>> # Enable forwarding to IPv6-Tunnel interface
>> -A FORWARD -i br0 -o sit1 -j ACCEPT
>> # Enable established, related packets back through
>> -I FORWARD -i sit1 -o br0 -m state --state ESTABLISHED,RELATED -j ACCEPT
>>
>> so I have the problem that I cannot really know why these packets
>> were logged ...
>>
>
> without seeing your whole ruleset it's pretty hard to tell, or at least
> see your filter forward rules; as for the established/related rule you
> don't have to specify the input/output interfaces

ip6tables-save results in this:

# Generated by ip6tables-save v1.4.7 on Tue Aug 22 17:44:04 2017
*filter
:INPUT DROP [0:0]
:FORWARD DROP [17:7812]
:OUTPUT DROP [0:0]
-A INPUT -i sit1 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m rt --rt-type 0 -j DROP
-A INPUT -m state --state INVALID -j DROP
-A INPUT -s fe80::/10 -j ACCEPT
-A INPUT -d ff00::/8 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i br0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s myprefix::/64 -d fe80::/10 -i br0 -j ACCEPT
-A INPUT -s fe80::/10 -d ff02::1:2/128 -i br0 -p tcp -m tcp -m multiport --dports 546,547 -j ACCEPT
-A INPUT -s fe80::/10 -d ff02::1:2/128 -i br0 -p udp -m udp -m multiport --dports 546,547 -j ACCEPT
-A INPUT -i br0 -p ipv6-icmp -j ACCEPT
-A INPUT -i br0 -p udp -m udp --sport 32769:65535 --dport 33434:33523 -j ACCEPT
-A INPUT -i br0 -p tcp -m tcp --dport 53 -m state --state NEW -j ACCEPT
-A INPUT -i br0 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i br0 -p tcp -m tcp --dport 80 -m state --state NEW -j ACCEPT
-A INPUT -i br0 -p tcp -m tcp --dport 443 -m state --state NEW -j ACCEPT
-A INPUT -i br0 -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT
-A INPUT -i br0 -p tcp -m tcp --dport 3128 -m state --state NEW -j ACCEPT
-A INPUT -i sit1 -p ipv6-icmp -j ACCEPT
-A INPUT -i sit1 -p ipv6-icmp -j ACCEPT
-A INPUT -i sit1 -p udp -m udp --sport 32769:65535 --dport 33434:33523 -j ACCEPT
-A INPUT -i sit1 -p tcp -m tcp --dport 53 -m state --state NEW -j ACCEPT
-A INPUT -i br0 -p udp -m udp --dport 5353 -j DROP
-A INPUT -i sit1 -p tcp -m tcp --dport 21 -j DROP
-A INPUT -i sit1 -p tcp -m tcp --dport 22 -j DROP
-A INPUT -i sit1 -p tcp -m tcp --dport 23 -j DROP
-A INPUT -i sit1 -p tcp -m tcp --dport 80 -j DROP
-A INPUT -i sit1 -p tcp -m tcp --dport 443 -j DROP
-A INPUT -i sit1 -p tcp -m tcp --dport 3128 -j DROP
-A INPUT -j LOG --log-prefix "IPv6[IN]: " --log-level 7
-A FORWARD -i sit1 -o br0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -m rt --rt-type 0 -j DROP
-A FORWARD -m state --state INVALID -j DROP
-A FORWARD -i br0 -o br0 -j ACCEPT
-A FORWARD -i br0 -o sit1 -p tcp -m tcp --dport 25 -j LOG --log-prefix "IPv6[FWD-SMTP(out)]: " --log-level 7
-A FORWARD -i br0 -o sit1 -p tcp -m tcp --dport 25 -j DROP
-A FORWARD -i br0 -o sit1 -j ACCEPT
-A FORWARD -j LOG --log-prefix "IPv6[FWD]: " --log-level 7
-A OUTPUT -m rt --rt-type 0 -j DROP
-A OUTPUT -m state --state INVALID -j DROP
-A OUTPUT -s fe80::/10 -j ACCEPT
-A OUTPUT -d ff00::/8 -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -o br0 -j ACCEPT
-A OUTPUT -o sit1 -j ACCEPT
-A OUTPUT -j LOG --log-prefix "IPv6[OUT]: " --log-level 7
COMMIT
# Completed on Tue Aug 22 17:44:04 2017

br0 is LAN port
sit1 is HE-tunnel port

Thanks,
Walter
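A small triage script, added here as an illustration and not code from the thread or from the netfilter project, that parses the LOG records quoted above and walks a model of the posted FORWARD chain under an assumed conntrack state. The kernel LOG record does not carry the conntrack state, so the state is an input to the walk; the rule names, the `rt0` packet field standing in for the `-m rt --rt-type 0` match, and the decoded sample log lines are constructed for the example.

```python
"""Triage helper for ip6tables LOG records: parse the kernel log line and walk
a model of the FORWARD chain posted in the thread for a chosen conntrack
state. Added example, not code from the thread or the netfilter project."""
import re

# Constructed sample input: two of the records quoted in the thread, after
# quoted-printable decoding (=3D -> '=', soft line breaks joined).
SAMPLE_LOG = """\
[70223.386265] IPv6[FWD]: IN=sit1 OUT=br0 SRC=2a00:1450:4001:081a:0000:0000:0000:200e DST=myipv6addr LEN=123 TC=0 HOPLIMIT=60 FLOWLBL=617912 PROTO=TCP SPT=443 DPT=59073 WINDOW=1171 RES=0x00 ACK PSH URGP=0
[70232.150311] IPv6[FWD]: IN=sit1 OUT=br0 SRC=2a00:1450:4001:081a:0000:0000:0000:200e DST=myipv6addr LEN=123 TC=0 HOPLIMIT=60 FLOWLBL=949795 PROTO=TCP SPT=443 DPT=59073 WINDOW=1171 RES=0x00 ACK PSH URGP=0
"""

TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}
LOG_RE = re.compile(r"^\[\s*(?P<ts>\d+\.\d+)\]\s+(?P<prefix>\S+:)\s+(?P<fields>.*)$")


def parse_log_line(line):
    """Return a dict of the KEY=VALUE fields plus a 'flags' set, or None."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    pkt = {"timestamp": float(m.group("ts")), "prefix": m.group("prefix"), "flags": set()}
    for token in m.group("fields").split():
        if "=" in token:
            key, value = token.split("=", 1)
            pkt[key] = value
        elif token in TCP_FLAGS:          # bare tokens such as ACK, PSH
            pkt["flags"].add(token)
    return pkt


# Model of the posted FORWARD chain, in ip6tables-save order. Each entry is
# (name, match criteria, target). "ctstate" is matched against the assumed
# conntrack state; "rt0" is a hypothetical packet field standing in for the
# routing-header match (the LOG records carry no such field, so it is False).
FORWARD_CHAIN = [
    ("ACCEPT ESTABLISHED,RELATED sit1->br0", {"IN": "sit1", "OUT": "br0", "ctstate": {"ESTABLISHED", "RELATED"}}, "ACCEPT"),
    ("DROP routing header type 0", {"rt0": True}, "DROP"),
    ("DROP INVALID", {"ctstate": {"INVALID"}}, "DROP"),
    ("ACCEPT br0->br0", {"IN": "br0", "OUT": "br0"}, "ACCEPT"),
    ("LOG SMTP out", {"IN": "br0", "OUT": "sit1", "PROTO": "TCP", "DPT": "25"}, "LOG"),
    ("DROP SMTP out", {"IN": "br0", "OUT": "sit1", "PROTO": "TCP", "DPT": "25"}, "DROP"),
    ("ACCEPT br0->sit1", {"IN": "br0", "OUT": "sit1"}, "ACCEPT"),
    ("LOG all other (IPv6[FWD])", {}, "LOG"),
]
FORWARD_POLICY = "DROP"   # ":FORWARD DROP" in the posted ruleset


def rule_matches(pkt, ctstate, criteria):
    """True when every criterion of one rule holds for this packet and state."""
    for key, want in criteria.items():
        if key == "ctstate":
            if ctstate not in want:
                return False
        elif key == "rt0":
            if pkt.get("rt0", False) != want:
                return False
        elif pkt.get(key) != want:
            return False
    return True


def walk_forward_chain(pkt, ctstate, chain=FORWARD_CHAIN, policy=FORWARD_POLICY):
    """Return (verdict, rule names hit). LOG is non-terminating, so the walk
    records it and continues; the chain policy applies if nothing terminates."""
    hits = []
    for name, criteria, target in chain:
        if rule_matches(pkt, ctstate, criteria):
            hits.append(name)
            if target != "LOG":
                return target, hits
    return policy, hits


def triage(log_text, ctstate):
    """Walk every parseable record through the chain model under one assumed state."""
    results = []
    for line in log_text.splitlines():
        pkt = parse_log_line(line)
        if pkt is None:
            continue
        verdict, hits = walk_forward_chain(pkt, ctstate)
        results.append({
            "flow": "%s %s:%s -> %s:%s" % (pkt.get("PROTO"), pkt.get("SRC"), pkt.get("SPT"),
                                          pkt.get("DST"), pkt.get("DPT")),
            "flags": sorted(pkt["flags"]),
            "ctstate": ctstate,
            "hits": hits,
            "verdict": verdict,
        })
    return results


if __name__ == "__main__":
    # Under this model only state NEW reaches the final "IPv6[FWD]" LOG rule:
    # ESTABLISHED is accepted by the first rule, INVALID is dropped unlogged.
    for state in ("ESTABLISHED", "NEW", "INVALID"):
        for r in triage(SAMPLE_LOG, state):
            print("%-11s %s [%s] -> %s via: %s"
                  % (state, r["flow"], "/".join(r["flags"]), r["verdict"], " > ".join(r["hits"])))
```

Running it prints one walk per assumed state. For the sit1 -> br0 records only NEW falls through to the last rule, because ESTABLISHED is accepted by the first FORWARD rule and INVALID is dropped before the log; so an ACK/PSH segment that shows up with the "IPv6[FWD]:" prefix was, at that moment, not associated with a tracked connection. The model says nothing about why conntrack had no entry, since the LOG record does not carry that, and it treats the `rt` match only through the placeholder field.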