Re: multiple v6 address config
Op zo 06-06-2004, om 23:55 schreef Peter Chubb:
> >>>>> "Dick" == Dick Visser <dick@tienhuis.nl> writes:
>
> Dick> On Sun, 6 Jun 2004, Peter Good wrote:
> >> FYI, I can ping all those addresses fine from here.
> >>
> >> Try ping6 pontius.home.ipv6.net.au and see what result you get.
>
> For what it's worth, I often find that IPv6 connections start out as
> if they were unidirectional --- from one machine, pings go nowhere;
> when another machine pings the first, everything starts working.
>
> : numbat ; ping6 2001:388:c020:2::1
> >From ::1 icmp_seq=1 Destination unreachable: Address unreachable
>
> But then from 2001:388:c020:2::1 :
> : wombat ; ping6 2001:388:c020:2:230:abff:fe12:737d
> PING 2001:388:c020:2:230:abff:fe12:737d(2001:388:c020:2:230:abff:fe12:737d) 56 data bytes
> 64 bytes from 2001:388:c020:2:230:abff:fe12:737d: icmp_seq=1 ttl=64 time=19.2 ms
> 64 bytes from 2001:388:c020:2:230:abff:fe12:737d: icmp_seq=2 ttl=64 time=6.40 ms
>
> And then from 2001:388:c020:2:230:abff:fe12:737d
>
> : numbat ; ping6 2001:388:c020:2::1
> PING 2001:388:c020:2::1(2001:388:c020:2::1) 56 data bytes
> 64 bytes from 2001:388:c020:2::1: icmp_seq=1 ttl=64 time=3.01 ms
... right.
I've seen this too, and it took me a _very_ long while to find the
cause.
The reason is that you have to remember that IPv6 isn't native on the
Internet yet. If you're using a tunnel, it gets tunneled in IPv4
packets, and your firewall has to allow those, also for new connections.
If it doesn't, you'll see that the sensible IPv4 rules on the firewall
block incoming IPv6 packets, and you can't do anything reasonable.
An iptables snippet that does the job for me:
iptables -A INPUT -p 47 -s <IPv4 address of remote tunnel endpoint> -j ACCEPT
iptables -A INPUT -p 41 -s <IPv4 address of remote tunnel endpoint> -j ACCEPT
(these can probably be be merged into one command, but I'm too tired
right now to look it up. Sorry.)
--
EARTH
smog | bricks
AIR -- mud -- FIRE
soda water | tequila
WATER
-- with thanks to fortune
Reply to: