Just a sample of the Echomail archive
Cooperative anarchy at its finest, still active today. Darkrealms is the Zone 1 Hub.
|    IPV6    |    The convoluted hot-mess that is IPV6    |    4,612 messages    |
|    Message 1,633 of 4,612    |
|    Tommi Koivula to Markus Reschke    |
|    "portproxy" in linux    |
|    26 Sep 15 18:16:10    |
26 Sep 15 15:57, you wrote to me:

 TK>> Now I have a problem with the IPv6 firewall. It always blocks the
 TK>> inbound traffic from the tunnel even if I allowed port 24554 from
 TK>> the GUI of AsusWRT. From the router the forwarding works, (telnet
 TK>> 2001:470:27:a::2 24554) .

 MR> If possible, please enable firewall logging and check the log entries
 MR> for IPv6 binkp. When you find drop/reject messages for binkp, then the
 MR> next step is to evaluate the firewall rules. If you're lucky the log
 MR> entries include the chain's name. That's based on how the rule sets
 MR> are designed.

One log line of dropped inbound binkp:

Sep 26 18:33:16 kernel: DROP <4>DROP IN=v6in4 OUT= MAC=00:e6:ba
a0:11:11:00:03:fa:56:9b:ac:08:00:45:00:00:5c:cf:d4:40:00:fa:29:c9:6
0:d8:42:50:5a:5b:9b:63:0b:60:00:00:00 TUNNEL=216.66.80.90->91.155.99.11
<1>SRC=2001:0470:1f15:0cb0:0000:0000:0000:0004 DST=2001:0470:002
:000a:0000:0000:0000:0002 <1>LEN=72 TC=0 HOPLIMIT=59 FLOWLBL=0 PROTO=TCP
<1>SPT=57521 DPT=24554 SEQ=457283060 ACK=0 WINDOW=8192 RES=0x00 SYN URGP=0 OPT
(0204058C0103030801010402)

91.155.99.11 is my router's IPv4 address,
216.66.80.90 is the endpoint of the HE tunnel.
2001:0470:1f15:0cb0:0000:0000:0000:0004 is from where I tried to access binkd
at 2001:0470:0027:000a:0000:0000:0000:0002

Here's the output of ip6tables-save:

=== Cut ===
# Generated by ip6tables-save v1.3.8 on Sat Sep 26 18:41:06 2015
*mangle
:PREROUTING ACCEPT [13580:2593451]
:INPUT ACCEPT [10638:2352811]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [14587:1570620]
:POSTROUTING ACCEPT [14587:1570620]
-A PREROUTING -d ff02::1:ff00:0/104 -i vlan2 -p ipv6-icmp -m icmp6
--icmpv6-type 135 -j DROP
-A PREROUTING -d ff02::1:ff00:0/104 -i vlan3 -p ipv6-icmp -m icmp6
--icmpv6-type 135 -j DROP
-A FORWARD -m state --state NEW -j SKIPLOG
COMMIT
# Completed on Sat Sep 26 18:41:06 2015
# Generated by ip6tables-save v1.3.8 on Sat Sep 26 18:41:06 2015
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [12616:1430065]
:PControls - [0:0]
:logaccept - [0:0]
:logdrop - [0:0]
-A INPUT -m rt --rt-type 0 -j logdrop
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -m state --state NEW -j ACCEPT
-A INPUT -i br0 -m state --state NEW -j ACCEPT
-A INPUT -p ipv6-nonxt -m length --length 40 -j ACCEPT
-A INPUT -i br0 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 1 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 2 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 3 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 4 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 128 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 129 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 130 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 131 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 132 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 133 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 134 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 135 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 136 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 141 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 142 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 143 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 148 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 149 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 151 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 152 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 153 -j ACCEPT
-A INPUT -j logdrop
-A FORWARD -m state --state INVALID -j logdrop
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -m rt --rt-type 0 -j DROP
-A FORWARD -i br0 -o v6in4 -j ACCEPT
-A FORWARD -i br0 -o v6in4 -j ACCEPT
-A FORWARD -i br0 -o br0 -j ACCEPT
-A FORWARD -p ipv6-nonxt -m length --length 40 -j ACCEPT
-A FORWARD -p ipv6-icmp -m icmp6 --icmpv6-type 1 -j ACCEPT
-A FORWARD -p ipv6-icmp -m icmp6 --icmpv6-type 2 -j ACCEPT
-A FORWARD -p ipv6-icmp -m icmp6 --icmpv6-type 3 -j ACCEPT
-A FORWARD -p ipv6-icmp -m icmp6 --icmpv6-type 4 -j ACCEPT
-A FORWARD -p ipv6-icmp -m icmp6 --icmpv6-type 128 -j ACCEPT
-A FORWARD -p ipv6-icmp -m icmp6 --icmpv6-type 129 -j ACCEPT
-A FORWARD -d 2001:470:27:a::/64 -p tcp -m state --state NEW -m tcp --dport
24554 -j ACCEPT
-A FORWARD -d 2001:470:28:a::/64 -p tcp -m state --state NEW -m tcp --dport
24554 -j ACCEPT
-A FORWARD -i v6in4 -o br0 -j ACCEPT
-A FORWARD -j logdrop
-A OUTPUT -m rt --rt-type 0 -j logdrop
-A PControls -j ACCEPT
-A logaccept -m state --state NEW -j LOG --log-prefix "ACCEPT "
-log-tcp-sequence --log-tcp-options --log-ip-options
-A logaccept -j ACCEPT
-A logdrop -m state --state NEW -j LOG --log-prefix "DROP " --log-tcp-sequence
--log-tcp-options --log-ip-options
-A logdrop -j DROP
COMMIT
# Completed on Sat Sep 26 18:41:06 2015
=== Cut ===

'Tommi

---
 * Origin: ====================================== (2:221/1.1)
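
Added example, not part of the original message: a small Python check that reads the interface fields of the logged packet to infer which filter chain handled it, then walks a subset of the posted rules to find the first one that matches. The sample log line and rule list are constructed from the message (shortened, destination address taken from the prose), the function names are hypothetical, and the matcher only understands the options that appear in the sample.

```python
import ipaddress
import re

# Constructed from the message: the logged packet, reduced to the fields used here.
LOG = ("kernel: DROP IN=v6in4 OUT= SRC=2001:0470:1f15:0cb0:0000:0000:0000:0004 "
       "DST=2001:0470:0027:000a:0000:0000:0000:0002 PROTO=TCP SPT=57521 DPT=24554 SYN")

# Constructed subset of the *filter rules in the posted ip6tables-save dump.
RULES = """\
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i br0 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 128 -j ACCEPT
-A INPUT -j logdrop
-A FORWARD -d 2001:470:27:a::/64 -p tcp -m state --state NEW -m tcp --dport 24554 -j ACCEPT
-A FORWARD -i v6in4 -o br0 -j ACCEPT
-A FORWARD -j logdrop
"""

def parse_log(line):
    """Return the KEY=VALUE fields of a netfilter LOG line (empty values kept)."""
    return dict(re.findall(r"(\w+)=(\S*)", line))

def chain_for(pkt):
    """Filter chain implied by which interface fields the LOG target filled in."""
    if pkt["IN"] and pkt["OUT"]:
        return "FORWARD"
    return "INPUT" if pkt["IN"] else "OUTPUT"

def matches(rule, pkt, state="NEW"):
    """Evaluate only the match options that occur in RULES; a SYN is state NEW."""
    opts = rule.split()
    get = lambda flag: opts[opts.index(flag) + 1] if flag in opts else None
    if get("-i") not in (None, pkt["IN"]) or get("-o") not in (None, pkt["OUT"]):
        return False
    if get("-p") not in (None, pkt["PROTO"].lower()):
        return False
    if get("--dport") not in (None, pkt["DPT"]):
        return False
    if get("--state") and state not in get("--state").split(","):
        return False
    dst = get("-d")
    return not dst or ipaddress.ip_address(pkt["DST"]) in ipaddress.ip_network(dst)

def first_match(rules, pkt, chain=None):
    """Return (chain, first rule in that chain matching the packet, or None)."""
    chain = chain or chain_for(pkt)
    for rule in rules.splitlines():
        if rule.startswith(f"-A {chain} ") and matches(rule, pkt):
            return chain, rule
    return chain, None

if __name__ == "__main__":
    print(first_match(RULES, parse_log(LOG)))
```

For the logged packet the walk ends at the catch-all `-A INPUT -j logdrop`. The `--dport 24554` accept rules in the dump sit in FORWARD, which a packet logged with an empty `OUT=` does not traverse.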
(c) 1994, bbs@darkrealms.ca