IPv6 in rawhide

Jay Cliburn jacliburn at bellsouth.net
Sun Jul 30 18:41:27 UTC 2006


Jay Cliburn wrote:
> Before I go much further in investigating this, I'd like to ask if 
> anyone has successfully used IPv6 under rawhide?
> 
> I can ssh over IPv6 between FC5 and Centos 4.3 boxes, but any attempt to 
> ssh using v6 to or from a rawhide machine doesn't work.  I haven't 
> gotten any details yet, other than an odd packet in an ethereal capture 
> that I executed on an FC4 machine while trying to connect IPv6 from a 
> rawhide machine to the FC4 machine.  The frames shown below represent 
> the TCP 3-way handshake for the session, but the last frame seems to 
> indicate that the ssh client is ACKing a frame it hasn't yet seen.

After a week of tracing IPv6 packets through the kernel, this problem 
turned out to be caused by ip6tables blocking inbound IPv6 packets, 
despite rules to allow such traffic.  (I wasn't even aware ip6tables was 
running, but I can't say for sure I didn't enable it when I installed 
FC6.)  Here's the default rawhide ip6tables file, with a rule I added to 
log dropped packets.

[root at osprey ~]# cat /etc/sysconfig/ip6tables
# Firewall configuration written by system-config-securitylevel
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmpv6 -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j LOG
-A RH-Firewall-1-INPUT -j DROP
COMMIT

And here's what's logged when a remote host tries to initiate an ssh 
session to this host over IPv6.  The SYN packet is dropped.

Jul 30 13:15:31 osprey kernel: IN=eth0 OUT= MAC=00:50:8d:ef:90:69:00:b0:d0:82:6d:db:86:dd SRC=2001:05c0:8c82:0000:02b0:d0ff:fe82:6ddb DST=2001:05c0:8c82:0000:0000:0000:0000:0001 LEN=80 TC=0 HOPLIMIT=64 FLOWLBL=0 PROTO=TCP SPT=39300 DPT=22 WINDOW=5760 RES=0x00 SYN URGP=0

A similar thing happens when an outbound ssh session is attempted from 
this host.  The SYN-ACK packet from the remote host is dropped.

Jul 30 13:27:10 osprey kernel: IN=eth0 OUT= MAC=00:50:8d:ef:90:69:00:b0:d0:82:6d:db:86:dd SRC=2001:05c0:8c82:0000:02b0:d0ff:fe82:6ddb DST=2001:05c0:8c82:0000:0000:0000:0000:0001 LEN=80 TC=0 HOPLIMIT=64 FLOWLBL=0 PROTO=TCP SPT=22 DPT=49029 WINDOW=5712 RES=0x00 ACK SYN URGP=0

According to netfilter.org [1], ip6tables can't do stateful packet 
filtering, so the default rules supplied for FC6 are not correct.  I'd 
BZ this, but there's no ip6tables category in Red Hat's bugzilla.

[1] http://www.netfilter.org/
	Main Features
	    * stateless packet filtering (IPv4 and IPv6)
	    * stateful packet filtering (IPv4)
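As an added example that is not part of the original post, the following Python parses ip6tables LOG records of the kind shown above and labels the two drop patterns the post describes: a bare SYN to an allowed service port (the NEW-state rule never matched) and a SYN-ACK coming back for a connection this host opened (the ESTABLISHED,RELATED rule cannot match without connection tracking). The two sample records are the ones from the message, re-joined onto single lines; the function names, category labels and the set of service ports are assumptions made for this example.

```python
"""Classify ip6tables LOG drops produced by a ruleset that relies on -m state.

Added example, not code from the original post.  Function names and
category labels are assumptions for illustration.
"""
import re
from typing import Dict, List, Tuple

# The two LOG records quoted in the post, with mail-client wrapping removed.
SAMPLE_LOG = """\
Jul 30 13:15:31 osprey kernel: IN=eth0 OUT= MAC=00:50:8d:ef:90:69:00:b0:d0:82:6d:db:86:dd SRC=2001:05c0:8c82:0000:02b0:d0ff:fe82:6ddb DST=2001:05c0:8c82:0000:0000:0000:0000:0001 LEN=80 TC=0 HOPLIMIT=64 FLOWLBL=0 PROTO=TCP SPT=39300 DPT=22 WINDOW=5760 RES=0x00 SYN URGP=0
Jul 30 13:27:10 osprey kernel: IN=eth0 OUT= MAC=00:50:8d:ef:90:69:00:b0:d0:82:6d:db:86:dd SRC=2001:05c0:8c82:0000:02b0:d0ff:fe82:6ddb DST=2001:05c0:8c82:0000:0000:0000:0000:0001 LEN=80 TC=0 HOPLIMIT=64 FLOWLBL=0 PROTO=TCP SPT=22 DPT=49029 WINDOW=5712 RES=0x00 ACK SYN URGP=0
"""

# TCP flag tokens appear in the LOG line as bare words, not KEY=VALUE pairs.
TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}

# Ports the ruleset in the post intends to accept in state NEW (assumption: 22 only).
SERVICE_PORTS = frozenset({"22"})

EXPLANATIONS = {
    "inbound-new": "bare SYN to a listed service port: the '--state NEW' rule "
                   "should have accepted it, so the state match is not matching",
    "return-traffic": "packet with ACK set for a flow this host started: the "
                      "'--state ESTABLISHED,RELATED' rule needs connection "
                      "tracking, which is not available here",
    "inbound-new-unlisted": "bare SYN to a port the ruleset does not open: "
                            "dropping it is the intended behaviour",
    "non-tcp": "not a TCP packet; outside the scope of the SSH rules",
    "other": "TCP packet with an unusual flag combination",
}


def parse_log_record(line: str) -> Dict[str, str]:
    """Split a netfilter LOG line into KEY=VALUE fields; bare flag words go into FLAGS."""
    fields: Dict[str, str] = {}
    flags: List[str] = []
    # Skip the syslog prefix so the timestamp and hostname are not mis-parsed.
    _, _, body = line.partition("kernel:")
    for token in body.split():
        key, sep, value = token.partition("=")
        if sep:
            fields[key] = value          # e.g. SRC=2001:..., OUT= (empty value)
        elif token in TCP_FLAGS:
            flags.append(token)
    fields["FLAGS"] = " ".join(sorted(flags))
    return fields


def classify_drop(rec: Dict[str, str], service_ports=SERVICE_PORTS) -> str:
    """Name the drop pattern a stateless ruleset produced for this record."""
    if rec.get("PROTO") != "TCP":
        return "non-tcp"
    flags = set(rec["FLAGS"].split())
    if flags == {"SYN"}:
        # First packet of a new inbound connection.
        return "inbound-new" if rec.get("DPT") in service_ports else "inbound-new-unlisted"
    if "ACK" in flags:
        # SYN-ACK or later segment of a connection already in progress.
        return "return-traffic"
    return "other"


def summarize(log_text: str) -> List[Tuple[str, str, str, str]]:
    """Return (category, src, sport, dport) for every LOG record in the text."""
    out = []
    for line in log_text.splitlines():
        if "kernel:" not in line or "PROTO=" not in line:
            continue
        rec = parse_log_record(line)
        out.append((classify_drop(rec), rec.get("SRC", ""), rec.get("SPT", ""), rec.get("DPT", "")))
    return out


if __name__ == "__main__":
    for cat, src, spt, dpt in summarize(SAMPLE_LOG):
        print(f"{cat:22} {src} :{spt} -> :{dpt}  {EXPLANATIONS[cat]}")
```

Both sample records land in the categories the post argues about: the first is an inbound SYN to port 22 that the NEW rule should have taken, the second is the SYN-ACK of an outbound session that only an ESTABLISHED match could recognise. On a host without IPv6 connection tracking the usual stateless approximation is to accept TCP packets that are not bare SYNs (the `! --syn` match) and keep the per-port SYN rules for the services you expose.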




More information about the fedora-test-list mailing list