(Debian 2.6.32-45) problems using ipv6/ip6tables #2

["gustav@spllg.de" <gustav@spllg.de>]

hi,

i'm new to ipv6, just trying to go the first steps and got trapped.

my configuration:

testmachine with 2 network interfaces (eth0 local, eth1 connected to our
internet router)

Linux version 2.6.32-5-686 (Debian 2.6.32-45) (dannf@debian.org) (gcc
version 4.3.5 (Debian 4.3.5-4) ) #1 SMP Sun May 6 04:01:19 UTC 2012

ipv6-conf-script -

#ipv6
ARG="$1"

case "$ARG" in
start)
  cmd="add"
  ;;

stop)
  cmd="del"
  ;;

*)
  echo "Usage: $0 { start | stop }"
  exit 1
  ;;
esac


ip -6 addr $cmd 2001:1438:2000::17:17:127/48 dev eth1
ip -6 route $cmd ::/0 via 2001:1438:2000::1

after executing ipv6 start i can ping6 our internet router
(2001:1438:2000::1) and ipv6-addresses in the outside world such as
ipv6.google.com and www.nasa.gov

 

now i  created a minimal firewall configuration -

#ipv6firewall
INE_IFACE="eth1"
LAN_IFACE="eth0"

IPT=/sbin/ip6tables


case "$1" in
  stop)
# policy: accept anthing
      ${IPT} -P INPUT     ACCEPT
      ${IPT} -P OUTPUT    ACCEPT
      ${IPT} -P FORWARD   ACCEPT
      ${IPT} -F
    ;;
  start)
# policy: deny anthing
      ${IPT} -P INPUT     DROP
      ${IPT} -P OUTPUT    DROP
      ${IPT} -P FORWARD   DROP

      ${IPT} -A INPUT  -i ${INE_IFACE} -m state --state
ESTABLISHED,RELATED -j ACCEPT
      ${IPT} -A OUTPUT -o
${INE_IFACE}                                      -j ACCEPT

      ${IPT} -A OUTPUT -o ${LAN_IFACE} -m state --state
ESTABLISHED,RELATED -j ACCEPT
      ${IPT} -A INPUT  -i
${LAN_IFACE}                                      -j ACCEPT

      ${IPT} -A INPUT  -i ${INE_IFACE} -j LOG --log-prefix "INE_IN"
    ;;
  status)
    ${IPT} -L -v
    ;;
  *)
    echo $"Usage: $0 {start|stop|status"
    ;;
esac

after executing ipv6firewall i can no ping6 the outside world for an
extended time period, not even our internet-router - some ping6-replies
are recieved and than ping6 stalls:

 ping6 v6gate.softing.com
PING v6gate.softing.com(2001:1438:2000::1) 56 data bytes
64 bytes from 2001:1438:2000::1: icmp_seq=1 ttl=64 time=0.841 ms
64 bytes from 2001:1438:2000::1: icmp_seq=2 ttl=64 time=0.845 ms
64 bytes from 2001:1438:2000::1: icmp_seq=3 ttl=64 time=0.789 ms
64 bytes from 2001:1438:2000::1: icmp_seq=4 ttl=64 time=0.831 ms
4 bytes from 2001:1438:2000::1: icmp_seq=5 ttl=64 time=0.727 ms
64 bytes from 2001:1438:2000::1: icmp_seq=6 ttl=64 time=0.745 ms
64 bytes from 2001:1438:2000::1: icmp_seq=7 ttl=64 time=0.771 ms
64 bytes from 2001:1438:2000::1: icmp_seq=8 ttl=64 time=0.915 ms
64 bytes from 2001:1438:2000::1: icmp_seq=9 ttl=64 time=0.784 ms
64 bytes from 2001:1438:2000::1: icmp_seq=10 ttl=64 time=0.798 ms
64 bytes from 2001:1438:2000::1: icmp_seq=11 ttl=64 time=0.824 ms
64 bytes from 2001:1438:2000::1: icmp_seq=12 ttl=64 time=0.839 ms
64 bytes from 2001:1438:2000::1: icmp_seq=13 ttl=64 time=0.816 ms
64 bytes from 2001:1438:2000::1: icmp_seq=14 ttl=64 time=0.832 ms
64 bytes from 2001:1438:2000::1: icmp_seq=15 ttl=64 time=0.728 ms
64 bytes from 2001:1438:2000::1: icmp_seq=16 ttl=64 time=0.713 ms
64 bytes from 2001:1438:2000::1: icmp_seq=17 ttl=64 time=0.831 ms
64 bytes from 2001:1438:2000::1: icmp_seq=18 ttl=64 time=0.839 ms
64 bytes from 2001:1438:2000::1: icmp_seq=19 ttl=64 time=0.840 ms
64 bytes from 2001:1438:2000::1: icmp_seq=20 ttl=64 time=7.48 ms
64 bytes from 2001:1438:2000::1: icmp_seq=21 ttl=64 time=0.773 ms
64 bytes from 2001:1438:2000::1: icmp_seq=22 ttl=64 time=0.811 ms
64 bytes from 2001:1438:2000::1: icmp_seq=23 ttl=64 time=0.837 ms
64 bytes from 2001:1438:2000::1: icmp_seq=24 ttl=64 time=0.717 ms
64 bytes from 2001:1438:2000::1: icmp_seq=25 ttl=64 time=0.842 ms
64 bytes from 2001:1438:2000::1: icmp_seq=26 ttl=64 time=0.808 ms
64 bytes from 2001:1438:2000::1: icmp_seq=27 ttl=64 time=0.714 ms
64 bytes from 2001:1438:2000::1: icmp_seq=28 ttl=64 time=0.760 ms
64 bytes from 2001:1438:2000::1: icmp_seq=29 ttl=64 time=0.834 ms
64 bytes from 2001:1438:2000::1: icmp_seq=30 ttl=64 time=0.806 ms
64 bytes from 2001:1438:2000::1: icmp_seq=31 ttl=64 time=0.826 ms
64 bytes from 2001:1438:2000::1: icmp_seq=32 ttl=64 time=0.838 ms
64 bytes from 2001:1438:2000::1: icmp_seq=33 ttl=64 time=2.33 ms
64 bytes from 2001:1438:2000::1: icmp_seq=34 ttl=64 time=0.808 ms
64 bytes from 2001:1438:2000::1: icmp_seq=35 ttl=64 time=0.754 ms
64 bytes from 2001:1438:2000::1: icmp_seq=36 ttl=64 time=0.712 ms
64 bytes from 2001:1438:2000::1: icmp_seq=37 ttl=64 time=0.751 ms
64 bytes from 2001:1438:2000::1: icmp_seq=38 ttl=64 time=1.42 ms
64 bytes from 2001:1438:2000::1: icmp_seq=39 ttl=64 time=0.801 ms
64 bytes from 2001:1438:2000::1: icmp_seq=40 ttl=64 time=0.773 ms
64 bytes from 2001:1438:2000::1: icmp_seq=71 ttl=64 time=1011 ms
-- no more replies not even after minutes

 

ip6tables -L -v displays
Chain INPUT (policy DROP 702 packets, 50520 bytes)
 pkts bytes target     prot opt in     out     source
destination
   41  4264 ACCEPT     all      eth1   any     anywhere
anywhere            state RELATED,ESTABLISHED
    0     0 ACCEPT     all      eth0   any     anywhere             anywhere
  702 50520 LOG        all      eth1   any     anywhere
anywhere            LOG level warning prefix `INE_IN'

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source
destination

Chain OUTPUT (policy DROP 477 packets, 72504 bytes)
 pkts bytes target     prot opt in     out     source
destination
 1032 91904 ACCEPT     all      any    eth1    anywhere             anywhere
    0     0 ACCEPT     all      any    eth0    anywhere
anywhere            state RELATED,ESTABLISHED

and i find lots of lines like

May 16 10:49:43 v6t kernel: [62728.400034] INE_ININ=eth1 OUT=
MAC=00:1d:7e:01:28:2c:2c:36:f8:31:44:41:86:dd
SRC=""
DST=2001:1438:2000:0000:0000:0017:0017:0127 LEN=72 TC=224 HOPLIMIT=255
FLOWLBL=0 PROTO=ICMPv6 TYPE=135 CODE=0

in /var/log/messages

can anybode please advise me how to fix this issue?

thanks in advace and regards, gustav

 

ps: sorry if this is a double post but i feel, that my first post (from sp@softing.com) did not reach it's destibation