Hi, everyone,
I have successfully obtained the IPv6 tunnel and made it work on my server without iptables running.
Clients with IPv6 can ping/ssh/browse the server very well.
When I start my iptables, it doesn't work. Clients (with an IPv6 address) can't ping or ssh through IPv6.
Can anyone tell me how to configure my iptables to support the IPv6 tunnel?
I'm a beginner with iptables, so please write it down in detail.
Any help would be appreciated.
Here is my tunnel configuration:
modprobe ipv6
ip tunnel add he-ipv6 mode sit remote 72.52.104.74 local 76.164.***.*** ttl 255
ip link set he-ipv6 up
ip addr add 2001:470:1f04:10f9::2/64 dev he-ipv6
ip route add ::/0 dev he-ipv6
ip -f inet6 addr
Here is my iptables configuration:
# Generated by iptables-save v1.3.5 on Wed Sep 1 22:40:31 2010
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [575:379396]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A INPUT -s 72.52.104.74 -p ipv6 -j ACCEPT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -i heipv6 -j ACCEPT
-A RH-Firewall-1-INPUT -o heipv6 -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p esp -j ACCEPT
-A RH-Firewall-1-INPUT -p ah -j ACCEPT
-A RH-Firewall-1-INPUT -d 224.0.0.251 -p udp -m udp --dport 5353 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 8722 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 8722 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 21 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 20 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 50000:50100 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --sport 50000:50100 -j ACCEPT
COMMIT
# Completed on Wed Sep 1 22:40:31 2010
Thank you very much !
Just add the following line, and it works.
-A RH-Firewall-1-INPUT -p 41 -j ACCEPT
Is it ok?
Is it safe?
Thanks a lot.
I would be much more concerned with the rules:
-A RH-Firewall-1-INPUT -i heipv6 -j ACCEPT
-A RH-Firewall-1-INPUT -o heipv6 -j ACCEPT
As those allow any IPv4 traffic at all to come in and out of your tunnel. Now, HE probably won't pass IPv4 over the tunnel, but with a network misconfiguration or something similar, your whole network is exposed directly to the Internet, bypassing your firewall.
But, as for the -p 41 line, it has the same *safeness* as any of the following rules:
-A RH-Firewall-1-INPUT -p esp -j ACCEPT
-A RH-Firewall-1-INPUT -p ah -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 8722 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 50000:50100 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --sport 50000:50100 -j ACCEPT
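One way to check a dump like the one above for the points raised in this thread (a reachable protocol-41 accept pinned to the endpoint, the blanket accepts on the tunnel interface, and the heipv6/he-ipv6 name mismatch against the `ip tunnel add` device), as an added example that is not code from any poster here; it assumes the tunnel device is he-ipv6 and the endpoint is 72.52.104.74 as in the first post, and the sample dump is constructed in that post's shape:

```python
"""Audit an iptables-save dump for a 6in4 (protocol 41) tunnel: the endpoint's protocol-41 accept is
reachable and pinned, no blanket ACCEPT on the tunnel device, interface names match `ip tunnel add`."""

TERMINAL = {"ACCEPT", "REJECT", "DROP"}

def unconditional(o):  # a rule with a target but no match criteria
    return set(o) <= {"-j", "--reject-with"}

def parse_rules(dump):
    """Yield (chain, {option: value}, line) for every -A line of an iptables-save dump."""
    for line in filter(lambda l: l.startswith("-A "), dump.splitlines()):
        tok, opts, i = line.split(), {}, 2
        while i < len(tok):  # an option consumes the next token unless that token is another option
            val = tok[i + 1] if i + 1 < len(tok) and not tok[i + 1].startswith("-") else ""
            opts[tok[i]] = val
            i += 2 if val else 1
        yield tok[1], opts, line

def audit(dump, tunnel_if, endpoint):
    """Return a list of findings; an empty list means every check passed."""
    rules, findings, p41_ok, dead, closed, prev = list(parse_rules(dump)), [], False, set(), set(), None
    while prev != closed:  # fixpoint: chains every packet leaves via a verdict, or via a jump into such a chain
        prev, closed = closed, {c for c, o, _ in rules if unconditional(o) and o.get("-j") in TERMINAL | closed}
    for chain, o, line in rules:
        target, proto, reachable = o.get("-j", ""), o.get("-p", ""), chain not in dead
        if not reachable:
            findings.append(f"unreachable, an earlier rule always terminates this chain: {line}")
        elif unconditional(o) and target in TERMINAL | closed:
            dead.add(chain)  # nothing after this rule in this chain is ever evaluated
        for name in (n for n in (o.get("-i"), o.get("-o")) if n and n.replace("-", "") == tunnel_if.replace("-", "")):
            if name != tunnel_if:
                findings.append(f"interface {name!r} is not the tunnel device {tunnel_if!r}, rule never matches: {line}")
            elif target == "ACCEPT" and set(o) <= {"-i", "-o", "-j"}:
                findings.append(f"blanket ACCEPT on the tunnel device passes any IPv4 traffic: {line}")
        if reachable and proto in ("41", "ipv6") and target == "ACCEPT":
            p41_ok = True
            if o.get("-s", "").split("/")[0] != endpoint:
                findings.append(f"protocol 41 accepted from any source, pin it with -s {endpoint}: {line}")
    if not p41_ok:
        findings.append(f"no reachable ACCEPT for protocol 41 from {endpoint}, the tunnel is blocked")
    return findings

# Constructed sample in the shape of the first post's dump (tunnel device he-ipv6, endpoint 72.52.104.74).
SAMPLE = """\
-A INPUT -j RH-Firewall-1-INPUT
-A INPUT -s 72.52.104.74 -p ipv6 -j ACCEPT
-A RH-Firewall-1-INPUT -i heipv6 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 50000:50100 -j ACCEPT
"""
```

Running `audit(SAMPLE, "he-ipv6", "72.52.104.74")` reports the `-p ipv6` rule as unreachable (the unconditional jump into RH-Firewall-1-INPUT, which always ends in REJECT, is evaluated first), the misspelled interface, the rule appended after the REJECT, and the missing protocol-41 accept.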
Are you behind a router, or is your system directly connected to the Internet? Since you are using tunneling for your IPv6, I'm guessing that you're behind a router (or NAT'ed): in that case, I wouldn't worry too much about the IPv4 iptables and would stick to ip6tables for filtering.
This is my ip6tables configuration:
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A INPUT -p ipv6-icmp -j ACCEPT
-A INPUT -i ip6tun -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -j REJECT --reject-with icmp6-port-unreachable
-A FORWARD -p ipv6-icmp -j ACCEPT
-A FORWARD -i ip6tun -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth0 -j ACCEPT
-A FORWARD -i lo -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp6-port-unreachable
-A OUTPUT -j ACCEPT
And my iptables configuration:
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
Hi, everyone.
When setting up the tunnel I have a problem.
Pinging my local IPv6 address 2001:470:xxx:xxx::2/64 is OK.
PING 2001:470:xxxx:xxx::2(2001:470:xxxx:xxx::2) 56 data bytes
64 bytes from 2001:470:xxxx:xxx::2: icmp_seq=1 ttl=64 time=0.041 ms
64 bytes from 2001:470:xxxx:xxx::2: icmp_seq=2 ttl=64 time=0.040 ms
But there is no ping to the gateway, so the tunnel is not working.
My network interface eth0 is configured with two addresses. The first is the internal provider address; I go out to the Internet with it. The second address is external.
auto eth0
iface eth0 inet static
address 192.168.1.57
netmask 255.255.0.0
gateway 192.168.1.1
up ip a a 178.93.25.89/24 dev eth0
iptables rules (default policy: drop):
$IPT -P INPUT DROP
$IPT -P FORWARD DROP
$IPT -P OUTPUT DROP
iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to-source 192.168.1.57
$IPT -A INPUT -p 41 -d 178.93.25.89 -s 216.66.86.114 -j ACCEPT
$IPT -A OUTPUT -p 41 -d 216.66.86.114 -s 178.93.25.89 -j ACCEPT
The ip6tables default policy for INPUT and OUTPUT is ACCEPT.
lsmod:
ip6_tunnel 10518 0
tunnel6 1872 1 ip6_tunnel
ip6table_mangle 3103 0
ip6table_filter 2384 1
ip6_tables 15107 2 ip6table_mangle,ip6table_filter
x_tables 12845 9 ipt_ULOG,ip6_tables,xt_connlimit,xt_HL,xt_iprange,xt_conntrack,xt_tcpudp,iptable_nat,ip_tables
route:
178.93.25.0 * 255.255.255.0 U 0 0 0 eth0
localnet * 255.255.0.0 U 0 0 0 eth0
default 192.168.1.1 0.0.0.0 UG 0 0 0 eth0
ip -6 route ls
2001:470:xxxx:xxx::/64 via :: dev he-ipv6 proto kernel metric 256 mtu 1480 advmss 1420 hoplimit 4294967295
fe80::/64 via :: dev he-ipv6 proto kernel metric 256 mtu 1480 advmss 1420 hoplimit 4294967295
ifconfig:
he-ipv6 Link encap:IPv6-in-IPv4
inet6 addr: 2001:470:xxxx:xxx::2/64 Scope:Global
UP POINTOPOINT RUNNING NOARP MTU:1480 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:84 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:0 (0.0 B) TX bytes:8645 (8.4 KiB)
he-ipv6 interface config
auto he-ipv6
iface he-ipv6 inet6 v4tunnel
address 2001:470:xxxx:xxx::2
netmask 64
gateway 2001:470:xxxx:xxx::1
dns-nameservers 2001:470:20::2 74.82.42.42
endpoint 216.66.86.114
local 178.93.25.89
ttl 255
OS: Debian stable
I think the problem is in the iptables rules, but I do not know where.
Does the endpoint connect to my external address?
Is the connection TCP?