• Welcome to Hurricane Electric's IPv6 Tunnel Broker Forums.

IP6Tables on a CentOS "Router" not Blocking

Started by jasonvp, December 24, 2014, 09:53:15 AM

Previous topic - Next topic


Hey gang -

This might be better posted on the CentOS forums, and if folks think so, I'll look there for help.  But here's my challenge: I have a CentOS 6.5 box acting as my gateway.  The HE tunnel is terminated there, and all IPv4 and v6 traffic into and out of my premises flows through it.

Recently, I've been trying to tighten up the IPv6 filter on it.  I have what's essentially a public VLAN and a couple of private ones.  I want the public VLAN to be able to route out to the IntardWebz without any blockages.  But I need to drop anything from that public VLAN destined to my private VLANs.  Think: DMZ.

The interesting lines from an ip6tables -L with comments added, and specific IPv6 addresses removed:

Chain FORWARD (policy DROP)
target     prot opt source               destination
ACCEPT     tcp      ::/0                 ::/0                tcp flags:!0x17/0x02    # allow EST packets
ACCEPT     all      <Private VLAN1>::/64  ::/0      # Allow private VLAN1 to go anywhere
ACCEPT     all      <Private VLAN2>::/64  ::/0      # Allow private VLAN2 to go anywhere
ACCEPT     all      <My entire>::/48  !<Private VLAN1>::/64  # Allow entire /48 to go anywhere except private VLAN 1
ACCEPT     all      <My entire>::/48  !<Private VLAN2>::/64  # Allow entire /48 to go anywhere except private VLAN 2

In looking through that now, I can see that the last line will never actually get executed, because the second to last one will get read first.  But: basically the challenge is that the second to last line isn't filtering public VLAN --> private VLAN1.  I can, for instance, ssh from the public VLAN to machines on private VLAN1 and that's not what I want to have happen.

The default FORWARDING rule is to drop, so that should cover it.  Shouldn't it?  It works with the IPv4 tables exactly as I'd expect.  The public VLAN can route to the private VLANs, but it gets filtered and blocked appropriately.

Any ideas?  Yes, I know I can accomplish this on the specific private servers by blocking incoming on the various services or by using their own IP6tables.  But I'd like to stop it at the router level...