This shows you the differences between two versions of the page.
— |
ipv6 [2020/06/08 00:44] (current) prppedro created |
||
---|---|---|---|
Line 1: | Line 1: | ||
+ | ====== IPv6 @ Tadeu' | ||
+ | |||
+ | I don't know if I like IPv6. But IPv4 seems to be on it's way out. Say goodbye to your hard typed addresses and simplicity while creating your simple network between two machines. It's the time for the bigger numbers. On what comes to possible combinations, | ||
+ | |||
+ | ===== Things not to do ===== | ||
+ | |||
+ | My network is horribly configured, mainly due to a lack of adequate equipment. So, I can't really control RA/ | ||
+ | |||
+ | There were a time when I recycled iptables rules from my VPS to use on my desktop. And, all of sudden, IPv6 stopped working. It wasn't even capable of obtaining an address. Turns out there were some obscure ICMP rule blocking things from comunicating with the router and network neighboors. | ||
+ | |||
+ | IPv6 seems to rely **a lot** on ICMP packages[1], | ||
+ | |||
+ | {{ :icmpv6.png |}} | ||
+ | |||
+ | I had a rather complicated line that worked on my VPS, but didn't work on my desktop: | ||
+ | < | ||
+ | -A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 128 -m limit --limit 3/sec --limit-burst 3 -j ACCEPT | ||
+ | </ | ||
+ | |||
+ | Basically speaking, it allowed for ICPM type 128, i.e. "echo request" | ||
+ | |||
+ | So, I rewrote it to: | ||
+ | < | ||
+ | -A INPUT -p ipv6-icmp -m limit --limit 6/sec --limit-burst 6 -j ACCEPT | ||
+ | </ | ||
+ | |||
+ | Then it worked. I do not know if it's an ideal situation, because it's still limiting ICMP/s. Maybe I should not limit it. Let's see... | ||
+ | |||
+ | At last, my rules.v6 (I'm using '' | ||
+ | < | ||
+ | # Generated by ip6tables-save v1.6.0 on Sat Jun 23 23:44:27 2018 | ||
+ | *raw | ||
+ | :PREROUTING ACCEPT [983416: | ||
+ | :OUTPUT ACCEPT [1016721: | ||
+ | COMMIT | ||
+ | *filter | ||
+ | :INPUT DROP [0:0] | ||
+ | :FORWARD DROP [0:0] | ||
+ | :OUTPUT ACCEPT [304:43786] | ||
+ | :TCP - [0:0] | ||
+ | :UDP - [0:0] | ||
+ | -A INPUT -m conntrack --ctstate RELATED, | ||
+ | -A INPUT -i lo -j ACCEPT | ||
+ | -A INPUT -m conntrack --ctstate INVALID -j DROP | ||
+ | -A INPUT -p ipv6-icmp -m limit --limit 6/sec --limit-burst 6 -j ACCEPT | ||
+ | -A INPUT -p udp -m conntrack --ctstate NEW -j UDP | ||
+ | -A INPUT -p tcp -m tcp --tcp-flags FIN, | ||
+ | -A INPUT -p udp -j REJECT --reject-with icmp6-port-unreachable | ||
+ | -A INPUT -p tcp -j REJECT --reject-with tcp-reset | ||
+ | -A INPUT -j REJECT --reject-with icmp6-reject-route | ||
+ | -A TCP -p tcp -m tcp --dport 22 -j ACCEPT | ||
+ | -A TCP -p tcp -m tcp --dport 80 -j ACCEPT | ||
+ | -A TCP -p tcp -m tcp --dport 443 -j ACCEPT | ||
+ | COMMIT | ||
+ | # Completed on Sat Jun 23 23:44:27 2018 | ||
+ | # Generated by ip6tables-save v1.6.0 on Sat Jun 23 23:44:27 2018 | ||
+ | *mangle | ||
+ | :PREROUTING ACCEPT [983416: | ||
+ | :INPUT ACCEPT [983416: | ||
+ | :FORWARD ACCEPT [0:0] | ||
+ | :OUTPUT ACCEPT [1016722: | ||
+ | : | ||
+ | COMMIT | ||
+ | </ | ||
+ | |||
+ | ===== References ====== | ||
+ | |||
+ | - https:// | ||
+ | - https:// | ||
+ | |||
+ | |||
+ | |||
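Review bot: The rewritten rule in the rules.v6 filter table, `-A INPUT -p ipv6-icmp -m limit --limit 6/sec --limit-burst 6 -j ACCEPT`, still puts neighbor discovery and router advertisements (ICMPv6 types 133 to 136) under the same 6/sec budget as echo requests. Once that budget is used up, for example by a burst of pings, the ICMPv6 packets that no longer match fall through to the final `-A INPUT -j REJECT --reject-with icmp6-reject-route`, which can bring back the symptom the text describes (no address, no contact with the router and neighbours). I would accept types 133, 134, 135 and 136 without a limit in rules placed before this one, and keep `-m limit` only on `--icmpv6-type 128`, as the original VPS line did. The text leaves the question open ("Maybe I should not limit it"), so it would help to record the outcome once tested. Minor points for the same edit: the spelling slips "it's way out", "ICPM", "comunicating", "neighboors" and "There were a time", and the References heading opens with five `=` but closes with six.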