
Bug#333365: marked as done (kernel-image-2.6.8-2-686-smp: ip6table causes kernel to dropp all ipv6 traffic after a while)



Your message dated Mon, 13 Mar 2006 22:39:50 +0100
with message-id <20060313213950.GW1167@sushi.unix-ag.uni-kl.de>
and subject line kernel-image-2.6.8-2-686-smp: ip6table causes kernel to dropp all ipv6 traffic after a while
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--- Begin Message ---
Package: kernel-image-2.6.8-2-686-smp
Version: 2.6.8-16
Severity: important


Hello

Just had a few problems I cannot explain except by a kernel bug:

I would have to secure a box so that it is not accessible from unallowed networks.

So this is my code:

iptables -P INPUT DROP
ip6tables -P INPUT DROP
#-----------------------------------------------
# IPv4 stateful
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -s 157.161.4.0/24 -j ACCEPT
iptables -A INPUT -p tcp --destination-port http -j ACCEPT
iptables -A INPUT -p tcp --destination-port nsca -j ACCEPT
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
#-----------------------------------------------
# IPv6 (not stateful)
ip6tables -A INPUT -i lo -j ACCEPT
ip6tables -A INPUT -s 2001:4060:1:4133::/64 -j ACCEPT
ip6tables -A INPUT -p tcp --destination-port http -j ACCEPT
ip6tables -A INPUT -p tcp ! --syn -j ACCEPT


After this code, everything is fine for about 10 minutes (from within 2001:4060:1:4133::/64).
And then, suddenly, the machine is not reachable via IPv6 anymore.

ip6tables -F and reloading the rules solves the problem for the next 10 minutes or so...

Any idea?

Regards
-Benoit-


-- System Information:
Debian Release: 3.1
Architecture: i386 (i686)
Kernel: Linux 2.6.8-2-686-smp
Locale: LANG=en_US, LC_CTYPE=en_US (charmap=ISO-8859-1)

Versions of packages kernel-image-2.6.8-2-686-smp depends on:
ii  coreutils [fileutils]         5.2.1-2    The GNU core utilities
ii  initrd-tools                  0.1.81.1   tools to create initrd image for p
ii  module-init-tools             3.2-pre1-2 tools for managing Linux kernel mo

-- no debconf information


--- End Message ---
--- Begin Message ---
hi,

On Tue, Oct 11, 2005 at 05:15:48PM +0200, Benoit Panizzon wrote:
> I would have to secure a box so that it is not accessible from unallowed networks.
> 
> So this is my code:
> 
> iptables -P INPUT DROP
> ip6tables -P INPUT DROP
> #-----------------------------------------------
> # IPv4 stateful
> iptables -A INPUT -i lo -j ACCEPT
> iptables -A INPUT -s 157.161.4.0/24 -j ACCEPT
> iptables -A INPUT -p tcp --destination-port http -j ACCEPT
> iptables -A INPUT -p tcp --destination-port nsca -j ACCEPT
> iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
> #-----------------------------------------------
> # IPv6 (not stateful)
> ip6tables -A INPUT -i lo -j ACCEPT
> ip6tables -A INPUT -s 2001:4060:1:4133::/64 -j ACCEPT
> ip6tables -A INPUT -p tcp --destination-port http -j ACCEPT
> ip6tables -A INPUT -p tcp ! --syn -j ACCEPT
> 
> 
> After this code, everything is fine for about 10 minutes (from within 2001:4060:1:4133::/64).
> And then, suddenly, the machine is not reachable via IPv6 anymore.
> 
> ip6tables -F and reloading the rules solves the problem for the next 10 minutes or so...

this is not a bug.
ICMP6 is required for Router Advertisements (so that your host learns a
default route) and for Neighbor Discovery (IPv6 "ARP" equivalent) at
least. These ICMP6 packets use link-local addresses, so they are blocked by
your firewall.

Please note that ip6tables accepts "-p icmp", but you want "-p icmpv6".
(It is this way at least in sarge.)

cu
Maurice Massar

--- End Message ---
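The fix Maurice describes, as an added example that is not part of the original thread: the reporter's IPv6 ruleset with the ICMPv6 types that Router Advertisements and Neighbor Discovery need accepted ahead of the DROP policy, plus a small audit that flags the original ruleset. The ICMPv6 type numbers are the standard ones; the APPLY variable and the helper function names are this example's own, and the commands are only printed unless APPLY=1 is set.

```shell
#!/bin/sh
# Added example, not from the bug report or the reply: the reporter's IPv6
# rules with the fix Maurice describes, accepting the ICMPv6 types that
# Router Advertisements and Neighbor Discovery depend on. Commands are only
# printed unless APPLY=1 is set, so the result can be reviewed first.

# ICMPv6 types (by number) a host must accept for IPv6 to keep working:
#   1 destination unreachable, 2 packet too big (path MTU discovery),
#   3 time exceeded, 4 parameter problem, 133 router solicitation,
#   134 router advertisement, 135 neighbor solicitation, 136 neighbor advertisement
ICMP6_REQUIRED="1 2 3 4 133 134 135 136"
TRUSTED6="2001:4060:1:4133::/64"   # trusted prefix from the original report

ip6t() {
    if [ "${APPLY:-0}" = 1 ]; then ip6tables "$@"; else echo "ip6tables $*"; fi
}

ip6_rules() {
    ip6t -F INPUT
    ip6t -P INPUT DROP
    ip6t -A INPUT -i lo -j ACCEPT
    # The missing piece: ND and RA packets come from link-local (fe80::/10)
    # sources, not from the trusted prefix, so they need their own rules.
    # Note "-p icmpv6", not "-p icmp" (protocol 1, IPv4 ICMP), as Maurice says.
    for t in $ICMP6_REQUIRED; do
        ip6t -A INPUT -p icmpv6 --icmpv6-type "$t" -j ACCEPT
    done
    ip6t -A INPUT -s "$TRUSTED6" -j ACCEPT
    ip6t -A INPUT -p tcp --destination-port http -j ACCEPT
    # No IPv6 connection tracking on this kernel, so keep the report's
    # stand-in: accept non-SYN TCP so replies to outbound connections pass.
    ip6t -A INPUT -p tcp ! --syn -j ACCEPT
}

# Audit: read ip6tables commands on stdin, succeed only if some rule
# accepts ICMPv6 by its proper protocol name. The original ruleset fails.
audit_icmp6() {
    grep -q -- '-p icmpv6 .*-j ACCEPT'
}

# Constructed copy of the reporter's IPv6 rules, for the audit to flag.
original_rules() {
    printf '%s\n' 'ip6tables -P INPUT DROP' \
        'ip6tables -A INPUT -i lo -j ACCEPT' \
        'ip6tables -A INPUT -s 2001:4060:1:4133::/64 -j ACCEPT' \
        'ip6tables -A INPUT -p tcp --destination-port http -j ACCEPT' \
        'ip6tables -A INPUT -p tcp ! --syn -j ACCEPT'
}
ip6_rules
```

Run without APPLY to review the rules, then `APPLY=1 sh script.sh` as root to load them; `original_rules | audit_icmp6` shows the audit rejecting the reported ruleset.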
