[135999] in North American Network Operators' Group
Re: Ipv6 for the content provider
daemon@ATHENA.MIT.EDU (Antonio Querubin)
Mon Jan 31 14:05:28 2011
Date: Mon, 31 Jan 2011 09:04:42 -1000 (HST)
From: Antonio Querubin <tony@lava.net>
To: Simon Perreault <simon.perreault@viagenie.ca>
In-Reply-To: <4D46F5F2.2090202@viagenie.ca>
Cc: nanog@nanog.org
On Mon, 31 Jan 2011, Simon Perreault wrote:
> The command
>
> # ip6tables -A INPUT -m state --state ESTABLISHED -j ACCEPT
>
> works on CentOS 5.5. And there's no documentation for it in "man
> ip6tables". So it fits the backport hypothesis...
While it may accept it, you may find it doesn't really work the way it
should :) I had made the same assumption and discovered various problems.
I ended up replacing it with:
-A RH-Firewall-1-INPUT -p udp -m udp --dport 32768:61000 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 32768:61000 ! --syn -j ACCEPT
which is what ip6tables ships with. You may need to adjust that port
range depending on your apps.
Antonio Querubin
e-mail/xmpp: tony@lava.net
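As an added illustration (my own code, not part of Antonio's message and not ip6tables itself), the Python below models how the two stateless rules above evaluate incoming IPv6 packets, so the difference from a working --state ESTABLISHED match is visible: any non-SYN TCP segment or any UDP datagram aimed at the 32768:61000 range is accepted whether or not a local socket asked for it. The rule parser and the packet representation are simplified assumptions, not netfilter's real matching code.

```python
# Added illustration, not code from the post: model how the two stateless
# rules evaluate packets. Rule parsing and packet fields are simplified.
RULES = [
    "-A RH-Firewall-1-INPUT -p udp -m udp --dport 32768:61000 -j ACCEPT",
    "-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 32768:61000 ! --syn -j ACCEPT",
]

def parse_rule(line):
    """Parse the subset of iptables-save syntax used above into a dict."""
    toks = line.split()
    rule = {"proto": None, "dport": None, "syn": None, "target": None}
    i = 0
    while i < len(toks):
        t = toks[i]
        if t == "-p":
            rule["proto"], i = toks[i + 1], i + 2
        elif t == "--dport":
            lo, _, hi = toks[i + 1].partition(":")
            rule["dport"], i = (int(lo), int(hi or lo)), i + 2
        elif t == "--syn":
            rule["syn"], i = True, i + 1
        elif t == "!" and toks[i + 1] == "--syn":
            rule["syn"], i = False, i + 2
        elif t == "-j":
            rule["target"], i = toks[i + 1], i + 2
        else:
            i += 1  # "-A chain" and "-m proto" do not affect matching here
    return rule

def matches(rule, pkt):
    """pkt: {"proto": "tcp"|"udp", "dport": int, "flags": set of TCP flags}."""
    if rule["proto"] and pkt["proto"] != rule["proto"]:
        return False
    if rule["dport"] and not rule["dport"][0] <= pkt["dport"] <= rule["dport"][1]:
        return False
    if rule["syn"] is not None:
        flags = pkt.get("flags", set())
        # iptables --syn means SYN set with ACK, RST and FIN all clear
        syn_only = "SYN" in flags and not flags & {"ACK", "RST", "FIN"}
        if syn_only != rule["syn"]:
            return False
    return True

def evaluate(pkt, rules=RULES, policy="DROP"):
    """Return the target of the first matching rule, else the chain policy."""
    for rule in map(parse_rule, rules):
        if matches(rule, pkt):
            return rule["target"]
    return policy
```

Feed it the same TCP ACK to port 40000 twice, once as a reply to a local client socket and once as an unsolicited segment: the stateless rules return ACCEPT for both, and telling those two apart is exactly what connection tracking is for.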