Re: Bug#612714: netfilter: fails to match state of IPv6 connections
On 10 Feb 2011 08:04, Nejc Škoberne wrote:
I tested this only by filtering bridged traffic.
5. The IPv6 packets that should be forwarded are now dropped.
ICMP ping packets match the RELATED state; other ICMP types might not
match any state.
In this example, eth0 can be considered the Internet and eth1 the LAN.
Allow all connections from eth1 to other interfaces:
-A FORWARD -m physdev --physdev-in eth1 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
Use this to allow all ICMPv6 packets from eth1 to other interfaces; this
includes :
-A FORWARD -p ipv6-icmp -m physdev --physdev-in eth1 -j ACCEPT
Use this command to allow only related and established connections from
eth0 to other interfaces:
-A FORWARD -m physdev --physdev-in eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
Use this to allow Neighbour Advertisement/Solicitation (type 136/135)
(the IPv6 equivalent of ARP) from eth0 to other interfaces:
-A FORWARD -m physdev --physdev-in eth0 -p ipv6-icmp -m icmpv6 --icmpv6-type 136 -j ACCEPT
-A FORWARD -m physdev --physdev-in eth0 -p ipv6-icmp -m icmpv6 --icmpv6-type 135 -j ACCEPT
-A FORWARD -j LOG
-A FORWARD -j DROP
List of ICMPv6 types on Wikipedia: http://en.wikipedia.org/wiki/ICMPv6
Atle.
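As an added example (not part of Atle's mail, and not Debian's or netfilter's code), the ruleset above put into a small POSIX sh script that emits it in ip6tables-restore format, so the rules can be reviewed in a dry run before they are loaded and the ACCEPT/LOG/DROP order can be checked mechanically. The interface names are parameters; "eth0" as the Internet side and "eth1" as the LAN side, the LOG prefix "ip6-fwd-drop: ", and the assumption that the host is a bridge with the physdev match available (net.bridge.bridge-nf-call-ip6tables=1) are mine, not stated in the mail. The `-m state` match is kept as in the mail; on newer kernels `-m conntrack --ctstate` is the equivalent.

```shell
#!/bin/sh
# Added example: emit the bridged-IPv6 FORWARD policy from the mail in
# ip6tables-restore format. Nothing is applied unless the output is piped
# into ip6tables-restore as root.
#
# Assumptions (not from the mail): the box is a bridge with the physdev
# match usable (net.bridge.bridge-nf-call-ip6tables=1); interface names and
# the LOG prefix are placeholders.

gen_rules() {
    wan="$1"   # bridge port facing the Internet (mail's example: eth0)
    lan="$2"   # bridge port facing the LAN      (mail's example: eth1)
    cat <<EOF
*filter
:FORWARD DROP [0:0]
# LAN side may open new connections and gets its replies back
-A FORWARD -m physdev --physdev-in $lan -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
# all ICMPv6 from the LAN side, covering the types that never match a state
-A FORWARD -p ipv6-icmp -m physdev --physdev-in $lan -j ACCEPT
# Internet side: only replies to connections the LAN opened
-A FORWARD -m physdev --physdev-in $wan -m state --state RELATED,ESTABLISHED -j ACCEPT
# Neighbour Advertisement (136) and Neighbour Solicitation (135), IPv6's ARP
-A FORWARD -m physdev --physdev-in $wan -p ipv6-icmp -m icmpv6 --icmpv6-type 136 -j ACCEPT
-A FORWARD -m physdev --physdev-in $wan -p ipv6-icmp -m icmpv6 --icmpv6-type 135 -j ACCEPT
# everything else is logged, then dropped (prefix is an added assumption)
-A FORWARD -j LOG --log-prefix "ip6-fwd-drop: "
-A FORWARD -j DROP
COMMIT
EOF
}

# Read a ruleset on stdin and return 0 only if no ACCEPT rule follows the
# LOG/DROP tail. An ACCEPT placed after the DROP is dead, and the symptom is
# exactly the one in step 5: traffic that should be forwarded is dropped.
check_order() {
    awk 'BEGIN { tail = 0; bad = 0 }
         /-j LOG|-j DROP/ { tail = 1; next }
         /-j ACCEPT/ && tail { bad = 1 }
         END { exit bad }'
}

# Usage (assumed file name bridge-ip6.sh):
#   sh bridge-ip6.sh eth0 eth1                          # dry run, print rules
#   sh bridge-ip6.sh eth0 eth1 | ip6tables-restore      # load as root
if [ "$#" -eq 2 ]; then
    gen_rules "$1" "$2" | check_order || { echo "rule order broken" >&2; exit 1; }
    gen_rules "$1" "$2"
fi
```

Run it with two interface names to print the rules; only pipe the output into ip6tables-restore once the dry run shows the rules you expect, since ip6tables-restore replaces the whole filter table.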