Mathew
12/05/10, 11:58
Bij het testen van de IPv6-toegang op mijn VPS loop ik tegen de volgende problemen aan.
Wat werkt / niet werkt :
1. Ik kan pingen naar externe IPv6 adressen.
2. Externe IPv6 adressen kunnen mij pingen.
3. Ik kan geen traceroute6 uitvoeren naar een IPv6-adres.
4. Ik kan geen SSH connectie / IRC connectie / Web connectie opzetten vanaf de VPS.
5. Ik kan geen SSH connectie / Web connectie opzetten vanaf thuis naar mijn VPS.
Waar jullie zeker interesse in hebben :
IPv6 adres 1 : inet6 addr: 2a00:dd0:0:7:dc85:82ff:fea1:7ea1/64 Scope:Global
IPv6 adres 2 : inet6 addr: 2a00:dd0:0:6:dc85:82ff:fea1:7ea1/64 Scope:Global
#ip6tables -v -L
Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all lo any anywhere anywhere
0 0 ACCEPT all eth0 any anywhere anywhere state RELATED,ESTABLISHED
20 1760 ACCEPT ipv6-icmp eth0 any anywhere anywhere
0 0 ACCEPT tcp eth0 any anywhere anywhere tcp dpt:www
0 0 ACCEPT tcp eth0 any anywhere anywhere tcp dpt:22
0 0 LOG all eth0 any anywhere anywhere LOG level warning
0 0 DROP all eth0 any anywhere anywhere
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy DROP 3 packets, 232 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all any lo anywhere anywhere
0 0 ACCEPT all any eth0 anywhere anywhere state NEW,RELATED,ESTABLISHED
19 1472 ACCEPT ipv6-icmp any eth0 anywhere anywhere
#cat /etc/init.d/ipv6tablesfw
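#!/bin/bash
#
# /etc/init.d/ipv6tablesfw - load a default-deny IPv6 packet filter.
#
# Resulting policy:
#   INPUT   : loopback, replies to existing connections, all ICMPv6,
#             TCP 80 and TCP 22 arriving on $PUBIF; anything else arriving
#             on $PUBIF is logged and dropped.
#   OUTPUT  : loopback, NEW/ESTABLISHED/RELATED and all ICMPv6 leaving $PUBIF.
#   FORWARD : nothing (policy DROP, no rules).

IPT6="/sbin/ip6tables"
PUBIF="eth0"

# Fail with one clear message instead of a "command not found" per rule.
if [ ! -x "$IPT6" ]; then
  echo "ipv6tablesfw: $IPT6 not found or not executable" >&2
  exit 1
fi

echo "Starting IPv6 firewall..."

# Default-deny policies go in before the flush, so there is no moment in which
# the chains are empty while a permissive policy is still active.
"$IPT6" -P INPUT DROP
"$IPT6" -P OUTPUT DROP
"$IPT6" -P FORWARD DROP

# Remove all existing rules and user-defined chains (filter and mangle).
"$IPT6" -F
"$IPT6" -X
"$IPT6" -t mangle -F
"$IPT6" -t mangle -X

# Unlimited access to loopback.
"$IPT6" -A INPUT -i lo -j ACCEPT
"$IPT6" -A OUTPUT -o lo -j ACCEPT

# Allow every outgoing connection, and inbound only the replies to them.
# NOTE(review): both rules depend on IPv6 connection tracking. With OUTPUT
# policy DROP, outbound TCP/UDP is only allowed by the state rule below; if
# its packet counter stays at 0 while the OUTPUT policy counter grows, state
# matching is not classifying packets -- presumably conntrack for IPv6
# (e.g. nf_conntrack_ipv6) is unavailable in this kernel/container. Check
# the counters with "ip6tables -v -L" before relying on these rules.
"$IPT6" -A INPUT -i "$PUBIF" -m state --state ESTABLISHED,RELATED -j ACCEPT
"$IPT6" -A OUTPUT -o "$PUBIF" -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

# Allow ICMPv6 in both directions. IPv6 needs it for neighbour discovery and
# path-MTU discovery, not just ping.
# NOTE(review): accepting every ICMPv6 type is broader than required; it can
# be narrowed per type with --icmpv6-type once connectivity works.
"$IPT6" -A INPUT -i "$PUBIF" -p ipv6-icmp -j ACCEPT
"$IPT6" -A OUTPUT -o "$PUBIF" -p ipv6-icmp -j ACCEPT

############# add your custom rules below ############
### open IPv6 port 80 (HTTP)
"$IPT6" -A INPUT -i "$PUBIF" -p tcp --destination-port 80 -j ACCEPT
### open IPv6 port 22 (SSH)
"$IPT6" -A INPUT -i "$PUBIF" -p tcp --destination-port 22 -j ACCEPT
### open IPv6 port 25 (SMTP) - disabled
#"$IPT6" -A INPUT -i "$PUBIF" -p tcp --destination-port 25 -j ACCEPT
############ End custom rules ################

#### no need to edit below ###
# Log everything else, then drop it explicitly.
# NOTE(review): the LOG rule has no rate limit, so a scan or flood can fill
# the system log; consider adding "-m limit" to it.
"$IPT6" -A INPUT -i "$PUBIF" -j LOG
"$IPT6" -A INPUT -i "$PUBIF" -j DROP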
#route
Destination Gateway Genmask Flags Metric Ref Use Iface
193.x.x.0 * 255.255.255.0 U 0 0 0 eth0
193.x.x.0 * 255.255.255.0 U 0 0 0 eth0
default gateway.netrout 0.0.0.0 UG 0 0 0 eth0
default gateway.netrout 0.0.0.0 UG 0 0 0 eth0
default gateway.netrout 0.0.0.0 UG 0 0 0 eth0
#routel
target gateway source proto scope dev tbl
193.x.x.0 24 link eth0
193.x.x.0 24 193.x.x.246 kernel link eth0
default 193.x.x.1 193.x.x.145 eth0
default 193.x.x.1 193.x.x.247 eth0
default 193.x.x.1 eth0
127.255.255.255 broadcast 127.0.0.1 kernel link lo 255
193.x.x.255 broadcast 193.x.x.246 kernel link eth0 255
193.x.x.247 local 193.x.x.246 kernel host eth0 255
193.x.x.246 local 193.x.x.246 kernel host eth0 255
127.0.0.0 broadcast 127.0.0.1 kernel link lo 255
193.x.x.145 local 193.x.x.246 kernel host eth0 255
127.0.0.1 local 127.0.0.1 kernel host lo 255
127.0.0.0 8 local 127.0.0.1 kernel host lo 255
::1 :: none lo
2a00:x:x:x:dc85:82ff:fea1:7ea1 :: none lo
2a00:x:x:x:: 64 kernel eth0
2a00:x:x:x:dc85:82ff:fea1:7ea1 :: none lo
2a00:x:x:x:: 64 kernel eth0
fe80::dc85:82ff:fea1:7ea1 :: none lo
fe80:: 64 eth0
ff02::fb ff02::fb eth0
cache
ff00:: 8 eth0
default fe80::20c:dbff:fe26:41c0 kernel eth0
default unreachable none lo
Wat werkt / niet werkt :
1. Ik kan pingen naar externe IPv6 adressen.
2. Externe IPv6 adressen kunnen mij pingen.
3. Ik kan geen traceroute6 uitvoeren naar een IPv6-adres.
4. Ik kan geen SSH connectie / IRC connectie / Web connectie opzetten vanaf de VPS.
5. Ik kan geen SSH connectie / Web connectie opzetten vanaf thuis naar mijn VPS.
Waar jullie zeker interesse in hebben :
IPv6 adres 1 : inet6 addr: 2a00:dd0:0:7:dc85:82ff:fea1:7ea1/64 Scope:Global
IPv6 adres 2 : inet6 addr: 2a00:dd0:0:6:dc85:82ff:fea1:7ea1/64 Scope:Global
#ip6tables -v -L
Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all lo any anywhere anywhere
0 0 ACCEPT all eth0 any anywhere anywhere state RELATED,ESTABLISHED
20 1760 ACCEPT ipv6-icmp eth0 any anywhere anywhere
0 0 ACCEPT tcp eth0 any anywhere anywhere tcp dpt:www
0 0 ACCEPT tcp eth0 any anywhere anywhere tcp dpt:22
0 0 LOG all eth0 any anywhere anywhere LOG level warning
0 0 DROP all eth0 any anywhere anywhere
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy DROP 3 packets, 232 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all any lo anywhere anywhere
0 0 ACCEPT all any eth0 anywhere anywhere state NEW,RELATED,ESTABLISHED
19 1472 ACCEPT ipv6-icmp any eth0 anywhere anywhere
#cat /etc/init.d/ipv6tablesfw
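#!/bin/bash
#
# /etc/init.d/ipv6tablesfw - load a default-deny IPv6 packet filter.
#
# Resulting policy:
#   INPUT   : loopback, replies to existing connections, all ICMPv6,
#             TCP 80 and TCP 22 arriving on $PUBIF; anything else arriving
#             on $PUBIF is logged and dropped.
#   OUTPUT  : loopback, NEW/ESTABLISHED/RELATED and all ICMPv6 leaving $PUBIF.
#   FORWARD : nothing (policy DROP, no rules).

IPT6="/sbin/ip6tables"
PUBIF="eth0"

# Fail with one clear message instead of a "command not found" per rule.
if [ ! -x "$IPT6" ]; then
  echo "ipv6tablesfw: $IPT6 not found or not executable" >&2
  exit 1
fi

echo "Starting IPv6 firewall..."

# Default-deny policies go in before the flush, so there is no moment in which
# the chains are empty while a permissive policy is still active.
"$IPT6" -P INPUT DROP
"$IPT6" -P OUTPUT DROP
"$IPT6" -P FORWARD DROP

# Remove all existing rules and user-defined chains (filter and mangle).
"$IPT6" -F
"$IPT6" -X
"$IPT6" -t mangle -F
"$IPT6" -t mangle -X

# Unlimited access to loopback.
"$IPT6" -A INPUT -i lo -j ACCEPT
"$IPT6" -A OUTPUT -o lo -j ACCEPT

# Allow every outgoing connection, and inbound only the replies to them.
# NOTE(review): both rules depend on IPv6 connection tracking. With OUTPUT
# policy DROP, outbound TCP/UDP is only allowed by the state rule below; if
# its packet counter stays at 0 while the OUTPUT policy counter grows, state
# matching is not classifying packets -- presumably conntrack for IPv6
# (e.g. nf_conntrack_ipv6) is unavailable in this kernel/container. Check
# the counters with "ip6tables -v -L" before relying on these rules.
"$IPT6" -A INPUT -i "$PUBIF" -m state --state ESTABLISHED,RELATED -j ACCEPT
"$IPT6" -A OUTPUT -o "$PUBIF" -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

# Allow ICMPv6 in both directions. IPv6 needs it for neighbour discovery and
# path-MTU discovery, not just ping.
# NOTE(review): accepting every ICMPv6 type is broader than required; it can
# be narrowed per type with --icmpv6-type once connectivity works.
"$IPT6" -A INPUT -i "$PUBIF" -p ipv6-icmp -j ACCEPT
"$IPT6" -A OUTPUT -o "$PUBIF" -p ipv6-icmp -j ACCEPT

############# add your custom rules below ############
### open IPv6 port 80 (HTTP)
"$IPT6" -A INPUT -i "$PUBIF" -p tcp --destination-port 80 -j ACCEPT
### open IPv6 port 22 (SSH)
"$IPT6" -A INPUT -i "$PUBIF" -p tcp --destination-port 22 -j ACCEPT
### open IPv6 port 25 (SMTP) - disabled
#"$IPT6" -A INPUT -i "$PUBIF" -p tcp --destination-port 25 -j ACCEPT
############ End custom rules ################

#### no need to edit below ###
# Log everything else, then drop it explicitly.
# NOTE(review): the LOG rule has no rate limit, so a scan or flood can fill
# the system log; consider adding "-m limit" to it.
"$IPT6" -A INPUT -i "$PUBIF" -j LOG
"$IPT6" -A INPUT -i "$PUBIF" -j DROP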
#route
Destination Gateway Genmask Flags Metric Ref Use Iface
193.x.x.0 * 255.255.255.0 U 0 0 0 eth0
193.x.x.0 * 255.255.255.0 U 0 0 0 eth0
default gateway.netrout 0.0.0.0 UG 0 0 0 eth0
default gateway.netrout 0.0.0.0 UG 0 0 0 eth0
default gateway.netrout 0.0.0.0 UG 0 0 0 eth0
#routel
target gateway source proto scope dev tbl
193.x.x.0 24 link eth0
193.x.x.0 24 193.x.x.246 kernel link eth0
default 193.x.x.1 193.x.x.145 eth0
default 193.x.x.1 193.x.x.247 eth0
default 193.x.x.1 eth0
127.255.255.255 broadcast 127.0.0.1 kernel link lo 255
193.x.x.255 broadcast 193.x.x.246 kernel link eth0 255
193.x.x.247 local 193.x.x.246 kernel host eth0 255
193.x.x.246 local 193.x.x.246 kernel host eth0 255
127.0.0.0 broadcast 127.0.0.1 kernel link lo 255
193.x.x.145 local 193.x.x.246 kernel host eth0 255
127.0.0.1 local 127.0.0.1 kernel host lo 255
127.0.0.0 8 local 127.0.0.1 kernel host lo 255
::1 :: none lo
2a00:x:x:x:dc85:82ff:fea1:7ea1 :: none lo
2a00:x:x:x:: 64 kernel eth0
2a00:x:x:x:dc85:82ff:fea1:7ea1 :: none lo
2a00:x:x:x:: 64 kernel eth0
fe80::dc85:82ff:fea1:7ea1 :: none lo
fe80:: 64 eth0
ff02::fb ff02::fb eth0
cache
ff00:: 8 eth0
default fe80::20c:dbff:fe26:41c0 kernel eth0
default unreachable none lo