[135576] in North American Network Operators' Group
Re: Ipv6 for the content provider
daemon@ATHENA.MIT.EDU (Antonio Querubin)
Wed Jan 26 18:05:54 2011
Date: Wed, 26 Jan 2011 13:05:50 -1000 (HST)
From: Antonio Querubin <tony@lava.net>
To: Randy McAnally <rsm@fast-serv.com>
In-Reply-To: <20110126214802.M82382@fast-serv.com>
Cc: nanog@nanog.org
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
On Wed, 26 Jan 2011, Randy McAnally wrote:
> The only issue I've faced is RHEL/CentOS doesn't have stateful connection
> tracking for IPv6 - so ip6tables is practically worthless.
As long as you're willing to run your iptables through a modification
filter to generate the corresponding ip6tables you should be ok. The
following sed script might come in handy.
s/-p icmp --icmp-type any/-p icmpv6/
/-m state --state ESTABLISHED,RELATED/ {
s/-m state --state ESTABLISHED,RELATED/-p udp -m udp --dport 32768:61000/p
s/udp/tcp/g
s/61000/61000 ! --syn/
}
s/-m state --state NEW //
s/224.0.0.251/ff02::fb/
s/icmp-host-prohibited/icmp6-adm-prohibited/
Modify as needed. YMMV.
Antonio Querubin
e-mail/xmpp: tony@lava.net
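Added example (not part of Antonio's post or any project's code): a POSIX shell wrapper that runs the sed script from the post over a constructed set of iptables-save style rules, so the generated ip6tables rules can be inspected before being loaded. The sample rules and the helper names (sample_v4_rules, to_v6_rules, converted_sample, stateless_standins) are constructed for illustration; the sed script itself is copied verbatim from the post.

```shell
#!/bin/sh
# Sed filter from the post, stored as a multi-line script so it can be
# applied with a single sed invocation (newlines separate sed commands).
SED_SCRIPT='s/-p icmp --icmp-type any/-p icmpv6/
/-m state --state ESTABLISHED,RELATED/ {
s/-m state --state ESTABLISHED,RELATED/-p udp -m udp --dport 32768:61000/p
s/udp/tcp/g
s/61000/61000 ! --syn/
}
s/-m state --state NEW //
s/224.0.0.251/ff02::fb/
s/icmp-host-prohibited/icmp6-adm-prohibited/'

# Constructed sample IPv4 rules in iptables-save syntax (not from the post).
# They cover every pattern the sed script rewrites.
sample_v4_rules() {
    cat <<'EOF'
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp --icmp-type any -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -d 224.0.0.251 -p udp -m udp --dport 5353 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
EOF
}

# Apply the post's filter to rules read on stdin and emit ip6tables rules.
# The ESTABLISHED,RELATED line is emitted twice: once by the explicit 'p'
# flag (UDP ephemeral ports) and once by sed's autoprint (TCP non-SYN).
to_v6_rules() {
    sed "$SED_SCRIPT"
}

# Converted copy of the constructed sample rules.
converted_sample() {
    sample_v4_rules | to_v6_rules
}

# Count the rules that replaced connection tracking with a port-range match.
# These are the lines a reviewer should look at: they admit return traffic
# by port range and TCP flag rather than by conntrack state.
stateless_standins() {
    converted_sample | grep -c -e '32768:61000'
}

# Stand-alone run: show the rewritten rules and how many are stateless stand-ins.
converted_sample
echo "stateless stand-ins for ESTABLISHED,RELATED: $(stateless_standins)"
```

Running the wrapper makes the trade-off in the script visible: the single stateful ESTABLISHED,RELATED rule becomes two stateless rules that accept UDP to the 32768:61000 range and any TCP segment without SYN set to that range, since without conntrack the filter can only approximate "reply traffic" by port range and flags. The range corresponds to the Linux default net.ipv4.ip_local_port_range; if the host uses a different range the generated rules should be adjusted, and the output is worth reading before it is loaded with ip6tables-restore.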