Hi,
I'm currently facing a rather strange problem.
I ordered a dedicated server at a hosting company.
This server is provided with ipv4 and ipv6 connectivity.
The default ipv6 gateway is given through radvd (from what I've seen in
tcpdump logs):
21:17:25.260848 IP6 fe80::215:2cff:fe6e:b000 > ip6-allnodes: ICMP6,
router advertisement, length 64
default via fe80::215:2cff:fe6e:b000 dev eth0 proto kernel metric 1024
expires 1797sec mtu 1500 advmss 1440 hoplimit 64
If I start shorewall, this default route immediately disappears thus
preventing any ipv6 communication.
I think my setup might block ipv6 router advertisement messages.
$ shorewall6 dump (attached file)
To get connectivity again I have to disable shorewall6 and restart the box.
Thanks for your help.
Shorewall6 4.2.10 Dump at monika - jeudi 23 juillet 2009, 21:15:26 (UTC+0200)
Shorewall-perl 4.2.10.1
Counters reset jeudi 23 juillet 2009, 21:14:01 (UTC+0200)
Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
20 2080 dynamic all * * ::/0 ::/0
state INVALID,NEW
20 2080 ext2fw all eth0 * ::/0 ::/0
0 0 ACCEPT all lo * ::/0 ::/0
0 0 ACCEPT all * * ::/0 ::/0
state RELATED,ESTABLISHED
0 0 Drop all * * ::/0 ::/0
0 0 LOG all * * ::/0 ::/0
LOG flags 0 level 6 prefix `Shorewall:INPUT:DROP:'
0 0 DROP all * * ::/0 ::/0
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 dynamic all * * ::/0 ::/0
state INVALID,NEW
0 0 ACCEPT all * * ::/0 ::/0
state RELATED,ESTABLISHED
0 0 Reject all * * ::/0 ::/0
0 0 LOG all * * ::/0 ::/0
LOG flags 0 level 6 prefix `Shorewall:FORWARD:REJECT:'
0 0 reject all * * ::/0 ::/0
[goto]
Chain OUTPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 fw2ext all * eth0 ::/0 ::/0
0 0 ACCEPT all * lo ::/0 ::/0
0 0 ACCEPT all * * ::/0 ::/0
state RELATED,ESTABLISHED
0 0 Reject all * * ::/0 ::/0
0 0 LOG all * * ::/0 ::/0
LOG flags 0 level 6 prefix `Shorewall:OUTPUT:REJECT:'
0 0 reject all * * ::/0 ::/0
[goto]
Chain AllowICMPs (2 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT icmpv6 * * ::/0 ::/0
ipv6-icmp type 1 /* Needed ICMP types (RFC4890) */
0 0 ACCEPT icmpv6 * * ::/0 ::/0
ipv6-icmp type 2 /* Needed ICMP types (RFC4890) */
0 0 ACCEPT icmpv6 * * ::/0 ::/0
ipv6-icmp type 3 /* Needed ICMP types (RFC4890) */
0 0 ACCEPT icmpv6 * * ::/0 ::/0
ipv6-icmp type 4 /* Needed ICMP types (RFC4890) */
0 0 ACCEPT icmpv6 * * ::/0 ::/0
ipv6-icmp type 133 /* Needed ICMP types (RFC4890) */
0 0 ACCEPT icmpv6 * * ::/0 ::/0
ipv6-icmp type 134 /* Needed ICMP types (RFC4890) */
0 0 ACCEPT icmpv6 * * ::/0 ::/0
ipv6-icmp type 135 /* Needed ICMP types (RFC4890) */
0 0 ACCEPT icmpv6 * * ::/0 ::/0
ipv6-icmp type 136 /* Needed ICMP types (RFC4890) */
0 0 ACCEPT icmpv6 * * ::/0 ::/0
ipv6-icmp type 137 /* Needed ICMP types (RFC4890) */
0 0 ACCEPT icmpv6 * * ::/0 ::/0
ipv6-icmp type 141 /* Needed ICMP types (RFC4890) */
0 0 ACCEPT icmpv6 * * ::/0 ::/0
ipv6-icmp type 142 /* Needed ICMP types (RFC4890) */
0 0 ACCEPT icmpv6 * * fe80::/10 ::/0
ipv6-icmp type 130 /* Needed ICMP types (RFC4890) */
0 0 ACCEPT icmpv6 * * fe80::/10 ::/0
ipv6-icmp type 131 /* Needed ICMP types (RFC4890) */
0 0 ACCEPT icmpv6 * * fe80::/10 ::/0
ipv6-icmp type 132 /* Needed ICMP types (RFC4890) */
0 0 ACCEPT icmpv6 * * fe80::/10 ::/0
ipv6-icmp type 143 /* Needed ICMP types (RFC4890) */
0 0 ACCEPT icmpv6 * * ::/0 ::/0
ipv6-icmp type 148 /* Needed ICMP types (RFC4890) */
0 0 ACCEPT icmpv6 * * ::/0 ::/0
ipv6-icmp type 149 /* Needed ICMP types (RFC4890) */
0 0 ACCEPT icmpv6 * * fe80::/10 ::/0
ipv6-icmp type 151 /* Needed ICMP types (RFC4890) */
0 0 ACCEPT icmpv6 * * fe80::/10 ::/0
ipv6-icmp type 152 /* Needed ICMP types (RFC4890) */
0 0 ACCEPT icmpv6 * * fe80::/10 ::/0
ipv6-icmp type 153 /* Needed ICMP types (RFC4890) */
Chain Drop (1 references)
pkts bytes target prot opt in out source destination
0 0 reject tcp * * ::/0 ::/0
tcp dpt:113 /* Auth */
0 0 AllowICMPs icmpv6 * * ::/0 ::/0
0 0 dropInvalid all * * ::/0 ::/0
0 0 DROP udp * * ::/0 ::/0
multiport dports 135,445 /* SMB */
0 0 DROP udp * * ::/0 ::/0
udp dpts:137:139 /* SMB */
0 0 DROP udp * * ::/0 ::/0
udp spt:137 dpts:1024:65535 /* SMB */
0 0 DROP tcp * * ::/0 ::/0
multiport dports 135,139,445 /* SMB */
0 0 dropNotSyn tcp * * ::/0 ::/0
0 0 DROP udp * * ::/0 ::/0
udp spt:53 /* Late DNS Replies */
Chain Reject (3 references)
pkts bytes target prot opt in out source destination
0 0 reject tcp * * ::/0 ::/0
tcp dpt:113 /* Auth */
0 0 AllowICMPs icmpv6 * * ::/0 ::/0
0 0 dropInvalid all * * ::/0 ::/0
0 0 reject udp * * ::/0 ::/0
multiport dports 135,445 /* SMB */
0 0 reject udp * * ::/0 ::/0
udp dpts:137:139 /* SMB */
0 0 reject udp * * ::/0 ::/0
udp spt:137 dpts:1024:65535 /* SMB */
0 0 reject tcp * * ::/0 ::/0
multiport dports 135,139,445 /* SMB */
0 0 dropNotSyn tcp * * ::/0 ::/0
0 0 DROP udp * * ::/0 ::/0
udp spt:53 /* Late DNS Replies */
Chain dropInvalid (2 references)
pkts bytes target prot opt in out source destination
0 0 DROP all * * ::/0 ::/0
state INVALID
Chain dropNotSyn (2 references)
pkts bytes target prot opt in out source destination
0 0 DROP tcp * * ::/0 ::/0
tcp flags:!0x17/0x02
Chain dynamic (2 references)
pkts bytes target prot opt in out source destination
Chain eth0_fwd (0 references)
pkts bytes target prot opt in out source destination
0 0 tcpflags tcp * * ::/0 ::/0
Chain ext2fw (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT udp * * ::/0 ::/0
udp dpts:546:547
0 0 tcpflags tcp * * ::/0 ::/0
0 0 ACCEPT all * * ::/0 ::/0
state RELATED,ESTABLISHED
0 0 ACCEPT icmpv6 * * ::/0 ::/0
ipv6-icmp type 128 /* Ping */
0 0 ACCEPT tcp * * ::/0 ::/0
tcp dpt:80 /* HTTP */
20 2080 ACCEPT all * * fe80::215:2cff:fe6e:b000/128
::/0
0 0 Reject all * * ::/0 ::/0
0 0 LOG all * * ::/0 ::/0
LOG flags 0 level 6 prefix `Shorewall:ext2fw:REJECT:'
0 0 reject all * * ::/0 ::/0
[goto]
Chain fw2ext (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT udp * * ::/0 ::/0
udp dpts:546:547
0 0 ACCEPT all * * ::/0 ::/0
state RELATED,ESTABLISHED
0 0 ACCEPT all * * ::/0 ::/0
Chain logdrop (0 references)
pkts bytes target prot opt in out source destination
0 0 DROP all * * ::/0 ::/0
Chain logflags (5 references)
pkts bytes target prot opt in out source destination
0 0 LOG all * * ::/0 ::/0
LOG flags 4 level 6 prefix `Shorewall:logflags:DROP:'
0 0 DROP all * * ::/0 ::/0
Chain logreject (0 references)
pkts bytes target prot opt in out source destination
0 0 reject all * * ::/0 ::/0
Chain reject (10 references)
pkts bytes target prot opt in out source destination
0 0 DROP all * * ::/0
2a01:e0b:1:73::/128
0 0 DROP all * * ::/0
2a01:e0b:1:73:ffff:ffff:ffff:ff80/121
0 0 DROP all * * ff00::/10 ::/0
0 0 DROP 2 * * ::/0 ::/0
0 0 REJECT tcp * * ::/0 ::/0
reject-with tcp-reset
0 0 REJECT all * * ::/0 ::/0
reject-with icmp6-port-unreachable
Chain shorewall (0 references)
pkts bytes target prot opt in out source destination
Chain smurfs (0 references)
pkts bytes target prot opt in out source destination
0 0 LOG all * * 2a01:e0b:1:73::/128 ::/0
LOG flags 0 level 6 prefix `Shorewall:smurfs:DROP:'
0 0 DROP all * * 2a01:e0b:1:73::/128 ::/0
0 0 LOG all * *
2a01:e0b:1:73:ffff:ffff:ffff:ff80/121 ::/0 LOG flags 0 level 6
prefix `Shorewall:smurfs:DROP:'
0 0 DROP all * *
2a01:e0b:1:73:ffff:ffff:ffff:ff80/121 ::/0
Chain tcpflags (2 references)
pkts bytes target prot opt in out source destination
0 0 logflags tcp * * ::/0 ::/0
tcp flags:0x3F/0x29
0 0 logflags tcp * * ::/0 ::/0
tcp flags:0x3F/0x00
0 0 logflags tcp * * ::/0 ::/0
tcp flags:0x06/0x06
0 0 logflags tcp * * ::/0 ::/0
tcp flags:0x03/0x03
0 0 logflags tcp * * ::/0 ::/0
tcp spt:0 flags:0x17/0x02
Log (/var/log/messages)
Mangle Table
Chain PREROUTING (policy ACCEPT 55 packets, 4600 bytes)
pkts bytes target prot opt in out source destination
55 4600 tcpre all * * ::/0 ::/0
Chain INPUT (policy ACCEPT 20 packets, 2080 bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 tcfor all * * ::/0 ::/0
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 tcout all * * ::/0 ::/0
Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 tcpost all * * ::/0 ::/0
Chain tcfor (1 references)
pkts bytes target prot opt in out source destination
Chain tcout (1 references)
pkts bytes target prot opt in out source destination
Chain tcpost (1 references)
pkts bytes target prot opt in out source destination
Chain tcpre (1 references)
pkts bytes target prot opt in out source destination
Raw Table
Chain PREROUTING (policy ACCEPT 55 packets, 4600 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Conntrack Table
IP Configuration
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qlen 1000
inet6 2a01:e0b:1:73:2e0:f4ff:fe19:e733/64 scope global dynamic
valid_lft 2591488sec preferred_lft 604288sec
inet6 fe80::2e0:f4ff:fe19:e733/64 scope link
valid_lft forever preferred_lft forever
IP Stats
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
RX: bytes packets errors dropped overrun mcast
764767 3683 0 0 0 0
TX: bytes packets errors dropped carrier collsns
764767 3683 0 0 0 0
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state
UNKNOWN qlen 1000
link/ether 00:e0:f4:19:e7:33 brd ff:ff:ff:ff:ff:ff
RX: bytes packets errors dropped overrun mcast
858854 10805 0 0 0 0
TX: bytes packets errors dropped carrier collsns
816660 9015 0 0 0 0
/proc
/proc/version = Linux version 2.6.26-1-amd64 (Debian 2.6.26-13)
([email protected]) (gcc version 4.1.3 20080704 (prerelease) (Debian 4.1.2-24))
#1 SMP Sat Jan 10 17:57:00 UTC 2009
/proc/sys/net/ipv6/conf/all/forwarding = 1
/proc/sys/net/ipv6/conf/all/proxy_ndp = 0
/proc/sys/net/ipv6/conf/default/forwarding = 1
/proc/sys/net/ipv6/conf/default/proxy_ndp = 0
/proc/sys/net/ipv6/conf/eth0/forwarding = 1
/proc/sys/net/ipv6/conf/eth0/proxy_ndp = 0
/proc/sys/net/ipv6/conf/lo/forwarding = 1
/proc/sys/net/ipv6/conf/lo/proxy_ndp = 0
Routing Rules
0: from all lookup local
32766: from all lookup main
Table local:
local ::1 via :: dev lo proto none metric 0 mtu 16436 advmss 16376 hoplimit
4294967295
local 2a01:e0b:1:73:: via :: dev lo proto none metric 0 mtu 16436 advmss
16376 hoplimit 4294967295
local 2a01:e0b:1:73:2e0:f4ff:fe19:e733 via :: dev lo proto none metric 0 mtu
16436 advmss 16376 hoplimit 4294967295
local fe80:: via :: dev lo proto none metric 0 mtu 16436 advmss 16376
hoplimit 4294967295
local fe80::2e0:f4ff:fe19:e733 via :: dev lo proto none metric 0 mtu 16436
advmss 16376 hoplimit 4294967295
ff02::1 via ff02::1 dev eth0 metric 0
cache mtu 1500 advmss 1440 hoplimit 4294967295
ff02::1:ff3e:5bdc via ff02::1:ff3e:5bdc dev eth0 metric 0
cache mtu 1500 advmss 1440 hoplimit 4294967295
ff02::1:ffbf:cee via ff02::1:ffbf:cee dev eth0 metric 0
cache mtu 1500 advmss 1440 hoplimit 4294967295
ff00::/8 dev eth0 metric 256 mtu 1500 advmss 1440 hoplimit 4294967295
Table main:
2a01:e0b:1:73::/64 dev eth0 proto kernel metric 256 expires 2591649sec mtu
1500 advmss 1440 hoplimit 4294967295
fe80::/64 dev eth0 metric 256 mtu 1500 advmss 1440 hoplimit 4294967295
Neighbors
Modules
ip6_queue 12184 0
ip6table_filter 7296 1
ip6table_mangle 7168 1
ip6table_raw 6528 0
ip6_tables 23056 4
ip6t_LOG,ip6table_raw,ip6table_mangle,ip6table_filter
ip6t_LOG 10372 7
ip6t_REJECT 8320 2
nf_conntrack 71440 33
nf_conntrack_ipv6,nf_conntrack_proto_udplite,xt_connlimit,ipt_MASQUERADE,ipt_CLUSTERIP,nf_nat_tftp,nf_nat_snmp_basic,nf_nat_sip,nf_nat_pptp,nf_nat_irc,nf_nat_h323,nf_nat_ftp,nf_nat_amanda,nf_conntrack_amanda,nf_conntrack_sane,nf_conntrack_tftp,nf_conntrack_sip,nf_conntrack_proto_sctp,nf_conntrack_pptp,nf_conntrack_proto_gre,nf_conntrack_netlink,nf_conntrack_netbios_ns,nf_conntrack_irc,nf_conntrack_h323,nf_conntrack_ftp,xt_helper,xt_conntrack,xt_CONNMARK,xt_connmark,xt_state,iptable_nat,nf_nat,nf_conntrack_ipv4
nf_conntrack_amanda 8832 1 nf_nat_amanda
nf_conntrack_ftp 12728 1 nf_nat_ftp
nf_conntrack_h323 57040 1 nf_nat_h323
nf_conntrack_ipv4 19352 13 iptable_nat,nf_nat
nf_conntrack_ipv6 19048 8
nf_conntrack_irc 10680 1 nf_nat_irc
nf_conntrack_netbios_ns 7040 0
nf_conntrack_netlink 20608 0
nf_conntrack_pptp 10756 1 nf_nat_pptp
nf_conntrack_proto_gre 9472 1 nf_conntrack_pptp
nf_conntrack_proto_sctp 12428 0
nf_conntrack_proto_udplite 8716 0
nf_conntrack_sane 9764 0
nf_conntrack_sip 23972 1 nf_nat_sip
nf_conntrack_tftp 9748 1 nf_nat_tftp
nf_nat 23192 13
ipt_REDIRECT,ipt_NETMAP,ipt_MASQUERADE,nf_nat_tftp,nf_nat_sip,nf_nat_pptp,nf_nat_proto_gre,nf_nat_irc,nf_nat_h323,nf_nat_ftp,nf_nat_amanda,nf_conntrack_netlink,iptable_nat
nf_nat_amanda 6400 0
nf_nat_ftp 7296 0
nf_nat_h323 11008 0
nf_nat_irc 6656 0
nf_nat_pptp 7552 0
nf_nat_proto_gre 6916 1 nf_nat_pptp
nf_nat_sip 10752 0
nf_nat_snmp_basic 14088 0
nf_nat_tftp 6016 0
x_tables 25224 50
ip6t_LOG,ip6t_REJECT,xt_sctp,ip6_tables,xt_TCPMSS,xt_time,xt_connlimit,xt_realm,xt_comment,xt_policy,ipt_ULOG,ipt_TTL,ipt_ttl,ipt_REJECT,ipt_REDIRECT,ipt_recent,ipt_NETMAP,ipt_MASQUERADE,ipt_LOG,ipt_ECN,ipt_ecn,ipt_CLUSTERIP,ipt_ah,ipt_addrtype,xt_tcpmss,xt_pkttype,xt_physdev,xt_owner,xt_NFQUEUE,xt_NFLOG,xt_multiport,xt_MARK,xt_mark,xt_mac,xt_limit,xt_length,xt_iprange,xt_helper,xt_hashlimit,xt_DSCP,xt_dscp,xt_dccp,xt_conntrack,xt_CONNMARK,xt_connmark,xt_CLASSIFY,xt_tcpudp,xt_state,iptable_nat,ip_tables
xt_CLASSIFY 6272 0
xt_comment 6272 60
xt_connlimit 8456 0
xt_connmark 7424 0
xt_CONNMARK 8064 0
xt_conntrack 8704 0
xt_dccp 7312 0
xt_dscp 7168 0
xt_DSCP 7808 0
xt_hashlimit 15648 0
xt_helper 6784 0
xt_iprange 6912 0
xt_length 6400 0
xt_limit 7172 0
xt_mac 6272 0
xt_mark 6912 0
xt_MARK 7552 0
xt_multiport 7424 8
xt_NFLOG 6400 0
xt_NFQUEUE 6400 0
xt_owner 7296 0
xt_physdev 6928 0
xt_pkttype 6272 0
xt_policy 7424 0
xt_realm 6016 0
xt_sctp 7168 0
xt_state 6656 18
xt_tcpmss 6656 0
xt_TCPMSS 8448 1
xt_tcpudp 7680 47
xt_time 7168 0
Shorewall6 has detected the following ip6tables/netfilter capabilities:
Packet Mangling: Available
Multi-port Match: Available
Extended Multi-port Match: Available
Connection Tracking Match: Available
Extended Connection Tracking Match Support: Available
Old Connection Tracking Match Syntax: Not available
Packet Type Match: Available
Policy Match: Available
Physdev Match: Available
Physdev-is-bridged Support: Available
Packet length Match: Available
IP range Match: Available
Recent Match: Not available
Owner Match: Available
Ipset Match: Not available
CONNMARK Target: Available
Extended CONNMARK Target: Available
Connmark Match: Available
Extended Connmark Match: Available
Raw Table: Available
IPP2P Match: Not available
CLASSIFY Target: Available
Extended REJECT: Available
Repeat match: Available
MARK Target: Available
Extended MARK Target: Available
Mangle FORWARD Chain: Available
Comments: Available
Address Type Match: Not available
TCPMSS Match: Available
Hashlimit Match: Available
NFQUEUE Target: Available
Realm Match: Not available
Helper Match: Available
Connlimit Match: Available
Time Match: Available
Goto Support: Available
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
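As an added check that is not part of the original post: the script below reads a constructed excerpt of the dump above and tests the two conditions that decide whether an RA-learned default route survives, an ACCEPT for ICMPv6 type 134 somewhere in the rule set and the forwarding sysctl, because Linux ignores router advertisements while forwarding is 1 unless accept_ra is 2. The function names, the excerpt and the report strings are my own.

```python
"""Check a shorewall6 dump for what can make the kernel drop an RA-learned
IPv6 default route: no ACCEPT for ICMPv6 type 134 (Router Advertisement),
or forwarding=1 without accept_ra=2 (the kernel then ignores RAs)."""
import re

# Constructed sample: abbreviated lines taken from the dump in the post.
DUMP = """\
Chain INPUT (policy DROP 0 packets, 0 bytes)
20 2080 ext2fw all eth0 * ::/0 ::/0
Chain AllowICMPs (2 references)
0 0 ACCEPT icmpv6 * * ::/0 ::/0
ipv6-icmp type 134 /* Needed ICMP types (RFC4890) */
Chain ext2fw (1 references)
20 2080 ACCEPT all * * fe80::215:2cff:fe6e:b000/128
::/0
/proc/sys/net/ipv6/conf/all/forwarding = 1
/proc/sys/net/ipv6/conf/eth0/forwarding = 1
"""


def ra_accept_rules(dump):
    """Return the chains holding an ACCEPT rule for ICMPv6 type 134.

    The dump prints the match on the line after the rule, so look back one."""
    chains, chain, lines = [], None, dump.splitlines()
    for i, line in enumerate(lines):
        m = re.match(r"Chain (\S+)", line)
        if m:
            chain = m.group(1)
        elif "ipv6-icmp type 134" in line and i and "ACCEPT" in lines[i - 1]:
            chains.append(chain)
    return chains


def forwarding_without_accept_ra(dump):
    """Interfaces with forwarding=1 but accept_ra != 2; RAs are ignored there.

    A missing accept_ra line is treated as the kernel default of 1."""
    fwd = dict(re.findall(r"conf/(\S+)/forwarding = (\d)", dump))
    ra = dict(re.findall(r"conf/(\S+)/accept_ra = (\d)", dump))
    return sorted(i for i, v in fwd.items() if v == "1" and ra.get(i, "1") != "2")


def diagnose(dump):
    """One-line verdict: firewall rules first, then the sysctl state."""
    rules, ifaces = ra_accept_rules(dump), forwarding_without_accept_ra(dump)
    if not rules:
        return "firewall: no ACCEPT rule for ICMPv6 type 134 (RA)"
    if ifaces:
        return "sysctl: forwarding=1 without accept_ra=2 on " + ",".join(ifaces)
    return "no RA problem found"


if __name__ == "__main__":
    print(diagnose(DUMP))
```

On the excerpt the verdict is the sysctl case: the AllowICMPs chain does accept type 134, so the forwarding setting, not the rule set, is what would stop the kernel from keeping the RA-learned route.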