[140573] in North American Network Operators' Group


Re: IPv6 gateway, was: Re: IPv6 foot-dragging

daemon@ATHENA.MIT.EDU (Owen DeLong)
Fri May 13 17:51:36 2011

From: Owen DeLong <owen@delong.com>
In-Reply-To: <4DCDA380.7020407@mompl.net>
Date: Fri, 13 May 2011 14:46:42 -0700
To: Jeroen van Aart <jeroen@mompl.net>
Cc: NANOG list <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org


On May 13, 2011, at 2:32 PM, Jeroen van Aart wrote:

> Jeroen van Aart wrote:
>> -I FORWARD -i eth0 -s 2001:db8::/64 -j ACCEPT
>> -I FORWARD -i eth1 -d 2001:db8::/64 -j ACCEPT
>
> Just in case anyone'd be using it as an example. It's a good idea to make your rules more restrictive.
>
> Something like:
> -I FORWARD -j DROP
> -I FORWARD -s 2001:db8::/64 -j ACCEPT
> -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
>

I thought iptables processed rules in order until it found a match. In such a case, wouldn't
you want those in the reverse order?

Owen
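The ordering question above turns on how `-I` and `-A` build a chain: without a rule number, `-I` inserts at position 1 (the head), while `-A` appends at the tail, and the chain is then evaluated first-match-wins. The following simulation is an added example, not code from the thread; it models the three quoted rules as dicts (matching only source, destination and conntrack state, not interfaces), builds the chain both ways, and evaluates constructed sample packets against each. The helper names (`build_chain`, `evaluate`, `verdicts`, `chain_targets`) and the sample addresses are assumptions made for the example.

```python
"""Simulate ip6tables chain construction with -I versus -A and first-match
evaluation. Added illustration for the rule-order question; not part of the
original thread. Addresses and packets below are constructed samples."""
import ipaddress


def rule(target, **match):
    """Build a rule dict: match criteria plus the target to jump to."""
    r = dict(match)
    r["target"] = target
    return r


# The three rules from the quoted post, in the order they were written.
DROP_ALL = rule("DROP")
ACCEPT_FROM_LAN = rule("ACCEPT", src=ipaddress.ip_network("2001:db8::/64"))
ACCEPT_REPLIES = rule("ACCEPT", state={"RELATED", "ESTABLISHED"})
COMMANDS = [DROP_ALL, ACCEPT_FROM_LAN, ACCEPT_REPLIES]


def build_chain(rules, flag):
    """Apply the rules one by one to an empty chain.
    '-I' with no rule number inserts at position 1; '-A' appends."""
    chain = []
    for r in rules:
        if flag == "-I":
            chain.insert(0, r)
        elif flag == "-A":
            chain.append(r)
        else:
            raise ValueError("unknown flag %r" % flag)
    return chain


def matches(r, pkt):
    """A rule matches only if every criterion it carries agrees with the packet."""
    if "src" in r and pkt["src"] not in r["src"]:
        return False
    if "dst" in r and pkt["dst"] not in r["dst"]:
        return False
    if "state" in r and pkt["state"] not in r["state"]:
        return False
    return True


def evaluate(chain, pkt, policy="DROP"):
    """Walk the chain top to bottom; the first matching rule decides.
    If nothing matches, the chain policy applies (assumed DROP here)."""
    for r in chain:
        if matches(r, pkt):
            return r["target"]
    return policy


def make_pkt(src, dst, state):
    return {"src": ipaddress.ip_address(src),
            "dst": ipaddress.ip_address(dst),
            "state": state}


# Constructed sample traffic: 2001:db8::/64 is the inside network,
# 2001:db8:ffff::/64 stands in for "somewhere on the Internet".
LAN_TO_INTERNET = make_pkt("2001:db8::10", "2001:db8:ffff::1", "NEW")
INTERNET_TO_LAN = make_pkt("2001:db8:ffff::1", "2001:db8::10", "NEW")
REPLY_TO_LAN = make_pkt("2001:db8:ffff::1", "2001:db8::10", "ESTABLISHED")


def chain_targets(flag):
    """Targets in the order the kernel would walk them for a given flag."""
    return [r["target"] for r in build_chain(COMMANDS, flag)]


def verdicts(flag):
    """Verdict for each sample packet when the rules are loaded with `flag`."""
    chain = build_chain(COMMANDS, flag)
    return {
        "lan_to_internet": evaluate(chain, LAN_TO_INTERNET),
        "internet_to_lan": evaluate(chain, INTERNET_TO_LAN),
        "reply_to_lan": evaluate(chain, REPLY_TO_LAN),
    }


if __name__ == "__main__":
    for flag in ("-I", "-A"):
        print(flag, chain_targets(flag), verdicts(flag))
```

Loaded with `-I` as in the post, the resulting chain reads ESTABLISHED-accept, LAN-source-accept, DROP, so outbound new connections and replies pass while unsolicited inbound traffic is dropped. The same three lines loaded with `-A` put the unconditional DROP first and everything is dropped, which is why the order you see in `ip6tables -L -n --line-numbers` matters more than the order in the script.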
