Shorewall users - Jan 2011 - shorewall6 not forwarding across the Kernel

I have a server that I have set up with 2 interfaces, one which has an
IPv4 and IPv6 address (dual stack) connecting to the Internet, the other
also configured dual-stack to a private LAN. The server is running
Shorewall and Shorewall6, configured with minimal restrictions. The server
is able to freely communicate with the Internet using either IPv6 or IPv4
(check IPv6 by going to ipv6.google.com)

The server runs radvd, and a Windows7 client on the private network gets
both an IPv4 and a Global IPv6 address (as well as the usual DHCP-served
IPv4 address). The client can access IPv4 websites on the Internet via the
server (Shorewall is forwarding packets OK). However, the client cannot
access IPv6 sites on the Internet, despite those same sites being
accessible by a browser on the server.

The client can ping the server on its IPv6 private interface but not its
IPv6 public interface. Traceroute from the client to the external IPv6
address shows the route as far as the private IPv6 address, but fails to
get across the kernel to the public IPv6 address.

Routing looks OK, the client has a default IPv6 route to the Server, and
the server has a default static route out through my IPv6 provider.

I conclude from the information above that the server is operating two
dual-stack interfaces correctly, stateless autoconfiguration is working
correctly, and while shorewall is forwarding IPv4 across the kernel,
shorewall6 is not forwarding anything. The Server is running Debian 5.06,
with both Shorewall and Shorewall6 running vers 4.4.11.6

Shorewall6 dump, ip addr show, ip route show and ip -6 route show
 attached below

Any guidance would be much appreciated!

Jim




Bastion6:/etc/shorewall# shorewall6 dump

Shorewall6 4.4.11.6 Dump at Bastion6 - Mon Jan 17 19:50:04 GMT 2011

   Shorewall 4.4.11.6

Counters reset Mon Jan 17 19:16:36 GMT 2011

Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source              
destination
  242 22488 dynamic    all      *      *       ::/0                 ::/0  
             ctstate INVALID,NEW
   47  9937 net2fw     all      eth0   *       ::/0                 ::/0
  221 20664 loc2fw     all      eth1   *       ::/0                 ::/0
    0     0 ACCEPT     all      lo     *       ::/0                 ::/0
    0     0 ACCEPT     all      *      *       ::/0                 ::/0  
             ctstate RELATED,ESTABLISHED
    0     0 Reject     all      *      *       ::/0                 ::/0
    0     0 LOG        all      *      *       ::/0                 ::/0  
             LOG flags 0 level 6 prefix `Shorewall:INPUT:REJECT:''
    0     0 reject     all      *      *       ::/0                 ::/0  
             [goto]

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source              
destination
    6   424 dynamic    all      *      *       ::/0                 ::/0  
             ctstate INVALID,NEW
    0     0 net2all    all      eth0   eth1    ::/0                 ::/0
    6   424 loc2net    all      eth1   eth0    ::/0                 ::/0
    0     0 ACCEPT     all      *      *       ::/0                 ::/0  
             ctstate RELATED,ESTABLISHED
    0     0 Reject     all      *      *       ::/0                 ::/0
    0     0 LOG        all      *      *       ::/0                 ::/0  
             LOG flags 0 level 6 prefix `Shorewall:FORWARD:REJECT:''
    0     0 reject     all      *      *       ::/0                 ::/0  
             [goto]

Chain OUTPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source              
destination
   40  6794 fw2net     all      *      eth0    ::/0                 ::/0
  223 20832 fw2loc     all      *      eth1    ::/0                 ::/0
    0     0 ACCEPT     all      *      lo      ::/0                 ::/0
    0     0 ACCEPT     all      *      *       ::/0                 ::/0  
             ctstate RELATED,ESTABLISHED
    0     0 Reject     all      *      *       ::/0                 ::/0
    0     0 LOG        all      *      *       ::/0                 ::/0  
             LOG flags 0 level 6 prefix `Shorewall:OUTPUT:REJECT:''
    0     0 reject     all      *      *       ::/0                 ::/0  
             [goto]

Chain AllowICMPs (2 references)
 pkts bytes target     prot opt in     out     source              
destination
    0     0 ACCEPT     icmpv6    *      *       ::/0                 ::/0 
              ipv6-icmp type 1 /* Needed ICMP types (RFC4890) */
    0     0 ACCEPT     icmpv6    *      *       ::/0                 ::/0 
              ipv6-icmp type 2 /* Needed ICMP types (RFC4890) */
    0     0 ACCEPT     icmpv6    *      *       ::/0                 ::/0 
              ipv6-icmp type 3 /* Needed ICMP types (RFC4890) */
    0     0 ACCEPT     icmpv6    *      *       ::/0                 ::/0 
              ipv6-icmp type 4 /* Needed ICMP types (RFC4890) */
    0     0 ACCEPT     icmpv6    *      *       ::/0                 ::/0 
              ipv6-icmp type 133 /* Needed ICMP types (RFC4890) */
    0     0 ACCEPT     icmpv6    *      *       ::/0                 ::/0 
              ipv6-icmp type 134 /* Needed ICMP types (RFC4890) */
    0     0 ACCEPT     icmpv6    *      *       ::/0                 ::/0 
              ipv6-icmp type 135 /* Needed ICMP types (RFC4890) */
    0     0 ACCEPT     icmpv6    *      *       ::/0                 ::/0 
              ipv6-icmp type 136 /* Needed ICMP types (RFC4890) */
    0     0 ACCEPT     icmpv6    *      *       ::/0                 ::/0 
              ipv6-icmp type 137 /* Needed ICMP types (RFC4890) */
    0     0 ACCEPT     icmpv6    *      *       ::/0                 ::/0 
              ipv6-icmp type 141 /* Needed ICMP types (RFC4890) */
    0     0 ACCEPT     icmpv6    *      *       ::/0                 ::/0 
              ipv6-icmp type 142 /* Needed ICMP types (RFC4890) */
    0     0 ACCEPT     icmpv6    *      *       fe80::/10            ::/0 
              ipv6-icmp type 130 /* Needed ICMP types (RFC4890) */
    0     0 ACCEPT     icmpv6    *      *       fe80::/10            ::/0 
              ipv6-icmp type 131 /* Needed ICMP types (RFC4890) */
    0     0 ACCEPT     icmpv6    *      *       fe80::/10            ::/0 
              ipv6-icmp type 132 /* Needed ICMP types (RFC4890) */
    0     0 ACCEPT     icmpv6    *      *       fe80::/10            ::/0 
              ipv6-icmp type 143 /* Needed ICMP types (RFC4890) */
    0     0 ACCEPT     icmpv6    *      *       ::/0                 ::/0 
              ipv6-icmp type 148 /* Needed ICMP types (RFC4890) */
    0     0 ACCEPT     icmpv6    *      *       ::/0                 ::/0 
              ipv6-icmp type 149 /* Needed ICMP types (RFC4890) */
    0     0 ACCEPT     icmpv6    *      *       fe80::/10            ::/0 
              ipv6-icmp type 151 /* Needed ICMP types (RFC4890) */
    0     0 ACCEPT     icmpv6    *      *       fe80::/10            ::/0 
              ipv6-icmp type 152 /* Needed ICMP types (RFC4890) */
    0     0 ACCEPT     icmpv6    *      *       fe80::/10            ::/0 
              ipv6-icmp type 153 /* Needed ICMP types (RFC4890) */

Chain Drop (1 references)
 pkts bytes target     prot opt in     out     source              
destination
    0     0 reject     tcp      *      *       ::/0                 ::/0  
             tcp dpt:113 /* Auth */
    0     0 AllowICMPs  icmpv6    *      *       ::/0                 ::/0
    2   176 dropBcast  all      *      *       ::/0                 ::/0
    0     0 dropInvalid  all      *      *       ::/0                 ::/0
    0     0 DROP       udp      *      *       ::/0                 ::/0  
             multiport dports 135,445 /* SMB */
    0     0 DROP       udp      *      *       ::/0                 ::/0  
             udp dpts:137:139 /* SMB */
    0     0 DROP       udp      *      *       ::/0                 ::/0  
             udp spt:137 dpts:1024:65535 /* SMB */
    0     0 DROP       tcp      *      *       ::/0                 ::/0  
             multiport dports 135,139,445 /* SMB */
    0     0 dropNotSyn  tcp      *      *       ::/0                 ::/0
    0     0 DROP       udp      *      *       ::/0                 ::/0  
             udp spt:53 /* Late DNS Replies */

Chain Reject (4 references)
 pkts bytes target     prot opt in     out     source              
destination
    0     0 reject     tcp      *      *       ::/0                 ::/0  
             tcp dpt:113 /* Auth */
    0     0 AllowICMPs  icmpv6    *      *       ::/0                 ::/0
    2   176 dropBcast  all      *      *       ::/0                 ::/0
    0     0 dropInvalid  all      *      *       ::/0                 ::/0
    0     0 reject     udp      *      *       ::/0                 ::/0  
             multiport dports 135,445 /* SMB */
    0     0 reject     udp      *      *       ::/0                 ::/0  
             udp dpts:137:139 /* SMB */
    0     0 reject     udp      *      *       ::/0                 ::/0  
             udp spt:137 dpts:1024:65535 /* SMB */
    0     0 reject     tcp      *      *       ::/0                 ::/0  
             multiport dports 135,139,445 /* SMB */
    0     0 dropNotSyn  tcp      *      *       ::/0                 ::/0
    0     0 DROP       udp      *      *       ::/0                 ::/0  
             udp spt:53 /* Late DNS Replies */

Chain all2all (2 references)
 pkts bytes target     prot opt in     out     source              
destination
    0     0 ACCEPT     all      *      *       ::/0                 ::/0  
             ctstate RELATED,ESTABLISHED
    2   176 Reject     all      *      *       ::/0                 ::/0
    0     0 LOG        all      *      *       ::/0                 ::/0  
             LOG flags 0 level 6 prefix `Shorewall:all2all:REJECT:''
    0     0 reject     all      *      *       ::/0                 ::/0  
             [goto]

Chain dropBcast (2 references)
 pkts bytes target     prot opt in     out     source              
destination
    0     0 DROP       all      *      *       ::/0                
2001:470:1f09:ac6::/128
    0     0 DROP       all      *      *       ::/0                
2001:470:1f09:ac6:ffff:ffff:ffff:ff80/121
    0     0 DROP       all      *      *       ::/0                
2001:470:9363::/128
    0     0 DROP       all      *      *       ::/0                
2001:470:9363:0:ffff:ffff:ffff:ff80/121
    4   352 DROP       all      *      *       ::/0                 ff00::/8

Chain dropInvalid (2 references)
 pkts bytes target     prot opt in     out     source              
destination
    0     0 DROP       all      *      *       ::/0                 ::/0  
             ctstate INVALID

Chain dropNotSyn (2 references)
 pkts bytes target     prot opt in     out     source              
destination
    0     0 DROP       tcp      *      *       ::/0                 ::/0  
             tcp flags:!0x17/0x02

Chain dynamic (2 references)
 pkts bytes target     prot opt in     out     source              
destination

Chain fw2loc (1 references)
 pkts bytes target     prot opt in     out     source              
destination
    0     0 ACCEPT     all      *      *       ::/0                 ::/0  
             ctstate RELATED,ESTABLISHED
  221 20656 ACCEPT     icmpv6    *      *       ::/0                 ::/0
    2   176 all2all    all      *      *       ::/0                 ::/0  
             [goto]

Chain fw2net (1 references)
 pkts bytes target     prot opt in     out     source              
destination
   27  5842 ACCEPT     all      *      *       ::/0                 ::/0  
             ctstate RELATED,ESTABLISHED
    0     0 ACCEPT     udp      *      *       ::/0                 ::/0  
             udp dpt:53 /* DNS */
    0     0 ACCEPT     tcp      *      *       ::/0                 ::/0  
             tcp dpt:53 /* DNS */
    9   616 ACCEPT     icmpv6    *      *       ::/0                 ::/0
    4   336 ACCEPT     all      *      *       ::/0                 ::/0
    0     0 all2all    all      *      *       ::/0                 ::/0  
             [goto]

Chain loc2fw (1 references)
 pkts bytes target     prot opt in     out     source              
destination
    0     0 tcpflags   tcp      *      *       ::/0                 ::/0
    0     0 ACCEPT     all      *      *       ::/0                 ::/0  
             ctstate RELATED,ESTABLISHED
    0     0 ACCEPT     tcp      *      *       ::/0                 ::/0  
             tcp dpt:22 /* SSH */
    0     0 ACCEPT     icmpv6    *      *       ::/0                 ::/0 
              ipv6-icmp type 128 /* Ping */
  221 20664 ACCEPT     icmpv6    *      *       ::/0                 ::/0
    0     0 ACCEPT     all      *      *       ::/0                 ::/0

Chain loc2net (1 references)
 pkts bytes target     prot opt in     out     source              
destination
    6   424 tcpflags   tcp      *      *       ::/0                 ::/0
    0     0 ACCEPT     all      *      *       ::/0                 ::/0  
             ctstate RELATED,ESTABLISHED
    6   424 ACCEPT     all      *      *       ::/0                 ::/0

Chain logdrop (0 references)
 pkts bytes target     prot opt in     out     source              
destination
    0     0 DROP       all      *      *       ::/0                 ::/0

Chain logflags (5 references)
 pkts bytes target     prot opt in     out     source              
destination
    0     0 LOG        all      *      *       ::/0                 ::/0  
             LOG flags 4 level 6 prefix `Shorewall:logflags:DROP:''
    0     0 DROP       all      *      *       ::/0                 ::/0

Chain logreject (0 references)
 pkts bytes target     prot opt in     out     source              
destination
    0     0 reject     all      *      *       ::/0                 ::/0

Chain net2all (2 references)
 pkts bytes target     prot opt in     out     source              
destination
    0     0 tcpflags   tcp      *      *       ::/0                 ::/0
    0     0 ACCEPT     all      *      *       ::/0                 ::/0  
             ctstate RELATED,ESTABLISHED
    2   176 Drop       all      *      *       ::/0                 ::/0
    0     0 LOG        all      *      *       ::/0                 ::/0  
             LOG flags 0 level 6 prefix `Shorewall:net2all:DROP:''
    0     0 DROP       all      *      *       ::/0                 ::/0

Chain net2fw (1 references)
 pkts bytes target     prot opt in     out     source              
destination
   26  8113 tcpflags   tcp      *      *       ::/0                 ::/0
   26  8113 ACCEPT     all      *      *       ::/0                 ::/0  
             ctstate RELATED,ESTABLISHED
    0     0 DROP       icmpv6    *      *       ::/0                 ::/0 
              ipv6-icmp type 128 /* Ping */
   19  1648 ACCEPT     icmpv6    *      *       ::/0                 ::/0
    2   176 net2all    all      *      *       ::/0                 ::/0  
             [goto]

Chain reject (11 references)
 pkts bytes target     prot opt in     out     source              
destination
    0     0 DROP       all      *      *       ::/0                
2001:470:1f09:ac6::/128
    0     0 DROP       all      *      *       ::/0                
2001:470:1f09:ac6:ffff:ffff:ffff:ff80/121
    0     0 DROP       all      *      *       ::/0                
2001:470:9363::/128
    0     0 DROP       all      *      *       ::/0                
2001:470:9363:0:ffff:ffff:ffff:ff80/121
    0     0 DROP       all      *      *       ff00::/8             ::/0
    0     0 DROP       2        *      *       ::/0                 ::/0
    0     0 REJECT     tcp      *      *       ::/0                 ::/0  
             reject-with tcp-reset
    0     0 REJECT     udp      *      *       ::/0                 ::/0  
             reject-with icmp6-port-unreachable
    0     0 REJECT     icmpv6    *      *       ::/0                 ::/0 
              reject-with icmp6-addr-unreachable
    0     0 REJECT     all      *      *       ::/0                 ::/0  
             reject-with icmp6-adm-prohibited

Chain shorewall (0 references)
 pkts bytes target     prot opt in     out     source              
destination

Chain tcpflags (4 references)
 pkts bytes target     prot opt in     out     source              
destination
    0     0 logflags   tcp      *      *       ::/0                 ::/0  
             [goto] tcp flags:0x3F/0x29
    0     0 logflags   tcp      *      *       ::/0                 ::/0  
             [goto] tcp flags:0x3F/0x00
    0     0 logflags   tcp      *      *       ::/0                 ::/0  
             [goto] tcp flags:0x06/0x06
    0     0 logflags   tcp      *      *       ::/0                 ::/0  
             [goto] tcp flags:0x03/0x03
    0     0 logflags   tcp      *      *       ::/0                 ::/0  
             [goto] tcp spt:0 flags:0x17/0x02

Log (/var/log/messages)


Mangle Table

Chain PREROUTING (policy ACCEPT 274 packets, 31025 bytes)
 pkts bytes target     prot opt in     out     source              
destination
  274 31025 tcpre      all      *      *       ::/0                 ::/0

Chain INPUT (policy ACCEPT 268 packets, 30601 bytes)
 pkts bytes target     prot opt in     out     source              
destination

Chain FORWARD (policy ACCEPT 6 packets, 424 bytes)
 pkts bytes target     prot opt in     out     source              
destination
    6   424 MARK       all      *      *       ::/0                 ::/0  
             MARK and 0xffffff00
    6   424 tcfor      all      *      *       ::/0                 ::/0

Chain OUTPUT (policy ACCEPT 263 packets, 27626 bytes)
 pkts bytes target     prot opt in     out     source              
destination
  263 27626 tcout      all      *      *       ::/0                 ::/0

Chain POSTROUTING (policy ACCEPT 467 packets, 47058 bytes)
 pkts bytes target     prot opt in     out     source              
destination
  467 47058 tcpost     all      *      *       ::/0                 ::/0

Chain tcfor (1 references)
 pkts bytes target     prot opt in     out     source              
destination

Chain tcout (1 references)
 pkts bytes target     prot opt in     out     source              
destination

Chain tcpost (1 references)
 pkts bytes target     prot opt in     out     source              
destination

Chain tcpre (1 references)
 pkts bytes target     prot opt in     out     source              
destination

Raw Table

Chain PREROUTING (policy ACCEPT 274 packets, 31025 bytes)
 pkts bytes target     prot opt in     out     source              
destination

Chain OUTPUT (policy ACCEPT 263 packets, 27626 bytes)
 pkts bytes target     prot opt in     out     source              
destination

Conntrack Table (6 out of 32768)


IP Configuration

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qlen 1000
    inet6 2001:470:1f09:ac6:206:4fff:fe38:fa78/64 scope global dynamic
       valid_lft 2588989sec preferred_lft 601789sec
    inet6 2001:470:1f09:ac6::2/64 scope global
       valid_lft forever preferred_lft forever
    inet6 fe80::206:4fff:fe38:fa78/64 scope link
       valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qlen 1000
    inet6 2001:470:9363::1/64 scope global
       valid_lft forever preferred_lft forever
    inet6 fe80::214:2aff:fe7f:7a8/64 scope link
       valid_lft forever preferred_lft forever

IP Stats

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    RX: bytes  packets  errors  dropped overrun mcast
    560        8        0       0       0       0
    TX: bytes  packets  errors  dropped carrier collsns
    560        8        0       0       0       0
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state
UNKNOWN qlen 1000
    link/ether 00:06:4f:38:fa:78 brd ff:ff:ff:ff:ff:ff
    RX: bytes  packets  errors  dropped overrun mcast
    3777714    4367     0       0       0       0
    TX: bytes  packets  errors  dropped carrier collsns
    675482     4570     0       0       0       0
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state
UNKNOWN qlen 1000
    link/ether 00:14:2a:7f:07:a8 brd ff:ff:ff:ff:ff:ff
    RX: bytes  packets  errors  dropped overrun mcast
    72846537   1125953  0       0       0       0
    TX: bytes  packets  errors  dropped carrier collsns
    591049690  1160865  0       0       0       0

/proc

   /proc/version = Linux version 2.6.26-2-686 (Debian 2.6.26-26lenny1)
(dannf@debian.org) (gcc version 4.1.3 20080704 (prerelease) (Debian
4.1.2-25)) #1 SMP Thu Nov 25 01:53:57 UTC 2010
   /proc/sys/net/ipv6/conf/all/forwarding = 1
   /proc/sys/net/ipv6/conf/all/proxy_ndp = 0
   /proc/sys/net/ipv6/conf/default/forwarding = 1
   /proc/sys/net/ipv6/conf/default/proxy_ndp = 0
   /proc/sys/net/ipv6/conf/eth0/forwarding = 1
   /proc/sys/net/ipv6/conf/eth0/proxy_ndp = 0
   /proc/sys/net/ipv6/conf/eth1/forwarding = 1
   /proc/sys/net/ipv6/conf/eth1/proxy_ndp = 0
   /proc/sys/net/ipv6/conf/lo/forwarding = 1
   /proc/sys/net/ipv6/conf/lo/proxy_ndp = 0

Routing Rules

0:	from all lookup local
32766:	from all lookup main

Table local:

local ::1 via :: dev lo  proto none  metric 0  mtu 16436 advmss 16376
hoplimit 4294967295
local 2001:470:1f09:ac6:: via :: dev lo  proto none  metric 0  mtu 16436
advmss 16376 hoplimit 4294967295
local 2001:470:1f09:ac6::2 via :: dev lo  proto none  metric 0  mtu 16436
advmss 16376 hoplimit 4294967295
local 2001:470:1f09:ac6:206:4fff:fe38:fa78 via :: dev lo  proto none 
metric 0  mtu 16436 advmss 16376 hoplimit 4294967295
local 2001:470:9363:: via :: dev lo  proto none  metric 0  mtu 16436
advmss 16376 hoplimit 4294967295
local 2001:470:9363::1 via :: dev lo  proto none  metric 0  mtu 16436
advmss 16376 hoplimit 4294967295
local fe80:: via :: dev lo  proto none  metric 0  mtu 16436 advmss 16376
hoplimit 4294967295
local fe80:: via :: dev lo  proto none  metric 0  mtu 16436 advmss 16376
hoplimit 4294967295
local fe80::206:4fff:fe38:fa78 via :: dev lo  proto none  metric 0  mtu
16436 advmss 16376 hoplimit 4294967295
local fe80::214:2aff:fe7f:7a8 via :: dev lo  proto none  metric 0  mtu
16436 advmss 16376 hoplimit 4294967295
ff02::1 via ff02::1 dev eth1  metric 0
    cache  mtu 1500 advmss 1440 hoplimit 4294967295
ff02::1 via ff02::1 dev eth0  metric 0
    cache  mtu 1500 advmss 1440 hoplimit 4294967295
ff00::/8 dev eth0  metric 256  mtu 1500 advmss 1440 hoplimit 4294967295
ff00::/8 dev eth1  metric 256  mtu 1500 advmss 1440 hoplimit 4294967295

Table main:

2001:470:1f09:ac6::/64 dev eth0  metric 256  expires 2589149sec mtu 1500
advmss 1440 hoplimit 4294967295
2001:470:9363::/64 dev eth1  metric 256  mtu 1500 advmss 1440 hoplimit
4294967295
fe80::/64 dev eth0  metric 256  mtu 1500 advmss 1440 hoplimit 4294967295
fe80::/64 dev eth1  metric 256  mtu 1500 advmss 1440 hoplimit 4294967295
default via 2001:470:1f09:ac6::1 dev eth0  metric 1  mtu 1500 advmss 1440
hoplimit 4294967295

Neighbors

2001:470:1f09:ac6::1 dev eth0 lladdr 00:21:d8:13:29:2a router STALE

Modules

ip6table_filter         2432  1
ip6table_mangle         2400  1
ip6table_raw            1952  0
ip6_tables             11376  4
ip6t_LOG,ip6table_raw,ip6table_mangle,ip6table_filter
ip6t_LOG                5508  6
ip6t_REJECT             3488  4
nf_conntrack           55540  32
nf_conntrack_ipv6,xt_connlimit,ipt_MASQUERADE,ipt_CLUSTERIP,nf_nat_tftp,nf_nat_snmp_basic,nf_nat_sip,nf_nat_pptp,nf_nat_irc,nf_nat_h323,nf_nat_ftp,nf_nat_amanda,nf_conntrack_amanda,nf_conntrack_sane,nf_conntrack_tftp,nf_conntrack_sip,nf_conntrack_proto_sctp,nf_conntrack_pptp,nf_conntrack_proto_gre,nf_conntrack_netlink,nf_conntrack_netbios_ns,nf_conntrack_irc,nf_conntrack_h323,nf_conntrack_ftp,xt_helper,xt_conntrack,xt_CONNMARK,xt_connmark,xt_state,iptable_nat,nf_nat,nf_conntrack_ipv4
nf_conntrack_amanda     3808  1 nf_nat_amanda
nf_conntrack_ftp        6852  1 nf_nat_ftp
nf_conntrack_h323      44712  1 nf_nat_h323
nf_conntrack_ipv4      12268  19 iptable_nat,nf_nat
nf_conntrack_ipv6      12084  13
nf_conntrack_irc        5124  1 nf_nat_irc
nf_conntrack_netbios_ns     2368  0
nf_conntrack_netlink    14176  0
nf_conntrack_pptp       5476  1 nf_nat_pptp
nf_conntrack_proto_gre     4416  1 nf_conntrack_pptp
nf_conntrack_proto_sctp     6600  0
nf_conntrack_sane       4348  0
nf_conntrack_sip       16124  1 nf_nat_sip
nf_conntrack_tftp       4180  1 nf_nat_tftp
nf_nat                 15576  13
ipt_REDIRECT,ipt_NETMAP,ipt_MASQUERADE,nf_nat_tftp,nf_nat_sip,nf_nat_pptp,nf_nat_proto_gre,nf_nat_irc,nf_nat_h323,nf_nat_ftp,nf_nat_amanda,nf_conntrack_netlink,iptable_nat
nf_nat_amanda           1824  0
nf_nat_ftp              2528  0
nf_nat_h323             5728  0
nf_nat_irc              2080  0
nf_nat_pptp             2880  0
nf_nat_proto_gre        2212  1 nf_nat_pptp
nf_nat_sip              5440  0
nf_nat_snmp_basic       8296  0
nf_nat_tftp             1568  0
x_tables               13284  48
ip6t_LOG,ip6t_REJECT,ip6_tables,xt_time,xt_connlimit,xt_realm,xt_comment,xt_policy,ipt_ULOG,ipt_TTL,ipt_ttl,ipt_REJECT,ipt_REDIRECT,ipt_recent,ipt_NETMAP,ipt_MASQUERADE,ipt_ECN,ipt_ecn,ipt_CLUSTERIP,ipt_ah,ipt_addrtype,xt_tcpmss,xt_pkttype,xt_physdev,xt_owner,xt_NFQUEUE,xt_NFLOG,xt_multiport,xt_MARK,xt_mark,xt_mac,xt_limit,xt_length,xt_iprange,xt_helper,xt_hashlimit,xt_DSCP,xt_dscp,xt_dccp,xt_conntrack,xt_CONNMARK,xt_connmark,xt_CLASSIFY,ipt_LOG,xt_tcpudp,xt_state,iptable_nat,ip_tables
xt_CLASSIFY             1696  0
xt_comment              1664  60
xt_connlimit            3720  0
xt_connmark             2368  0
xt_CONNMARK             2944  0
xt_conntrack            3488  29
xt_dccp                 2696  0
xt_dscp                 2368  0
xt_DSCP                 2944  0
xt_hashlimit            9360  0
xt_helper               2112  0
xt_iprange              2272  0
xt_length               1760  0
xt_limit                2180  0
xt_mac                  1728  0
xt_mark                 1952  0
xt_MARK                 2304  2
xt_multiport            2816  8
xt_NFLOG                1824  0
xt_NFQUEUE              1792  0
xt_owner                2560  0
xt_physdev              2352  0
xt_pkttype              1728  0
xt_policy               2848  0
xt_realm                1536  0
xt_state                2016  0
xt_tcpmss               1984  0
xt_tcpudp               2816  39
xt_time                 2528  0

Shorewall6 has detected the following ip6tables/netfilter capabilities:
   Packet Mangling: Available
   Multi-port Match: Available
   Extended Multi-port Match: Available
   Connection Tracking Match: Available
   Extended Connection Tracking Match Support: Available
   Packet Type Match: Available
   Policy Match: Available
   Physdev Match: Available
   Physdev-is-bridged Support: Available
   Packet length Match: Available
   IP range Match: Available
   Recent Match: Not available
   Owner Match: Available
   Ipset Match: Not available
   CONNMARK Target: Available
   Extended CONNMARK Target: Available
   Connmark Match: Available
   Extended Connmark Match: Available
   Raw Table: Available
   IPP2P Match: Not available
   CLASSIFY Target: Available
   Extended REJECT: Available
   Repeat match: Available
   MARK Target: Available
   Extended MARK Target: Available
   Extended MARK Target 2: Available
   Mangle FORWARD Chain: Available
   Comments: Available
   Address Type Match: Not available
   TCPMSS Match: Available
   Hashlimit Match: Available
   NFQUEUE Target: Available
   Realm Match: Not available
   Helper Match: Available
   Connlimit Match: Available
   Time Match: Available
   Goto Support: Available
   IPMARK Target: Not available
   LOG Target: Available
   TPROXY Target: Not available
   FLOW Classifier: Available
   fwmark route mask: Available

Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State 
     PID/Program name
tcp6       0      0 :::5900                 :::*                    LISTEN
     3661/vino-server
tcp6       0      0 ::1:631                 :::*                    LISTEN
     3010/cupsd
tcp6       0    236 192.168.123.1:5900      192.168.123.11:49165   
ESTABLISHED 3661/vino-server
udp6       0      0 :::5353                 :::*                          
     2982/avahi-daemon:
udp6       0      0 :::59134                :::*                          
     2982/avahi-daemon:


Bastion6:/etc/shorewall# ip addr show
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state
UNKNOWN qlen 1000
    link/ether 00:06:4f:38:fa:78 brd ff:ff:ff:ff:ff:ff
    inet 81.2.96.39/28 brd 81.2.96.47 scope global eth0
    inet6 2001:470:1f09:ac6:206:4fff:fe38:fa78/64 scope global dynamic
       valid_lft 2588806sec preferred_lft 601606sec
    inet6 2001:470:1f09:ac6::2/64 scope global
       valid_lft forever preferred_lft forever
    inet6 fe80::206:4fff:fe38:fa78/64 scope link
       valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state
UNKNOWN qlen 1000
    link/ether 00:14:2a:7f:07:a8 brd ff:ff:ff:ff:ff:ff
    inet 192.168.123.1/24 brd 192.168.123.255 scope global eth1
    inet6 2001:470:9363::1/64 scope global
       valid_lft forever preferred_lft forever
    inet6 fe80::214:2aff:fe7f:7a8/64 scope link
       valid_lft forever preferred_lft forever


Bastion6:/etc/shorewall# ip route show
81.2.96.32/28 dev eth0  proto kernel  scope link  src 81.2.96.39
192.168.123.0/24 dev eth1  proto kernel  scope link  src 192.168.123.1
default via 81.2.96.33 dev eth0
Bastion6:/etc/shorewall# ip -6 route show
2001:470:1f09:ac6::/64 dev eth0  metric 256  expires 2588904sec mtu 1500
advmss 1440 hoplimit 4294967295
2001:470:9363::/64 dev eth1  metric 256  mtu 1500 advmss 1440 hoplimit
4294967295
fe80::/64 dev eth0  metric 256  mtu 1500 advmss 1440 hoplimit 4294967295
fe80::/64 dev eth1  metric 256  mtu 1500 advmss 1440 hoplimit 4294967295
default via 2001:470:1f09:ac6::1 dev eth0  metric 1  mtu 1500 advmss 1440
hoplimit 4294967295



------------------------------------------------------------------------------
Protect Your Site and Customers from Malware Attacks
Learn about various malware tactics and how to avoid them. Understand 
malware threats, the impact they can have on your business, and how you 
can protect your company and customers by using code signing.
http://p.sf.net/sfu/oracle-sfdevnl

> 
> Shorewall6 dump, ip addr show, ip route show and ip -6 route show
>  attached below
Please forward privately the output of ''shorewall6 dump'' *as a
compressed attachment*. Your mailer truncated all of the information
that you sent in this post, making it less than useful.

Thanks,
-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________



------------------------------------------------------------------------------
Protect Your Site and Customers from Malware Attacks
Learn about various malware tactics and how to avoid them. Understand 
malware threats, the impact they can have on your business, and how you 
can protect your company and customers by using code signing.
http://p.sf.net/sfu/oracle-sfdevnl

On 1/17/11 11:58 AM, Jim Blake wrote:
ugh my IPv6 provider.
> 
> I conclude from the information above that the server is operating two
> dual-stack interfaces correctly, stateless autoconfiguration is working
> correctly, and while shorewall is forwarding IPv4 across the kernel,
> shorewall6 is not forwarding anything.

Neither Shorewall6 nor Netfilter6 is responsible for routing. What
Shorewall6 *does* do is set the ipv6 forwarding flags for the interfaces
based on your interfaces file. That is working:
>   /proc/sys/net/ipv6/conf/eth0/forwarding = 1
>   /proc/sys/net/ipv6/conf/eth1/forwarding = 1
Did you set those two flags and test forwarding before you installed
Shorewall6? That should be the only thing needed to enable IPv6
forwarding through your router. If it works without Shorewall6
(shorewall6 clear), then you have a Shorewall6 problem; otherwise, there
is something else going on in your setup.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________



------------------------------------------------------------------------------
Protect Your Site and Customers from Malware Attacks
Learn about various malware tactics and how to avoid them. Understand 
malware threats, the impact they can have on your business, and how you 
can protect your company and customers by using code signing.
http://p.sf.net/sfu/oracle-sfdevnl

On 1/17/11 11:58 AM, Jim Blake wrote:
> 
> Routing looks OK, the client has a default IPv6 route to the Server, and
> the server has a default static route out through my IPv6 provider.
In the unfolded dump you sent to me privately, the routing is not okay;
the ''local'' table is virtually empty. With this local routing
table, ir
is likely that you can''t even ping6 the local IPv6 addresses from the
firewall itself.

Table local:

local ::1 via :: dev lo  proto none  metric 0  mtu 16436 advmss 16376
hoplimit 4294967295
ff00::/8 dev eth1  metric 256  mtu 1500 advmss 1440 hoplimit 4294967295
ff00::/8 dev eth0  metric 256  mtu 1500 advmss 1440 hoplimit 4294967295

Curiously, the routing table in the folded dump that you forwarded with
your initial report looked better.

Table local:

local ::1 via :: dev lo  proto none  metric 0  mtu 16436 advmss 16376
hoplimit 4294967295
local 2001:470:1f09:ac6:: via :: dev lo  proto none  metric 0  mtu 16436
advmss 16376 hoplimit 4294967295
local 2001:470:1f09:ac6::2 via :: dev lo  proto none  metric 0  mtu 16436
advmss 16376 hoplimit 4294967295
local 2001:470:1f09:ac6:206:4fff:fe38:fa78 via :: dev lo  proto none
metric 0  mtu 16436 advmss 16376 hoplimit 4294967295
local 2001:470:9363:: via :: dev lo  proto none  metric 0  mtu 16436
advmss 16376 hoplimit 4294967295
local 2001:470:9363::1 via :: dev lo  proto none  metric 0  mtu 16436
advmss 16376 hoplimit 4294967295
local fe80:: via :: dev lo  proto none  metric 0  mtu 16436 advmss 16376
hoplimit 4294967295
local fe80:: via :: dev lo  proto none  metric 0  mtu 16436 advmss 16376
hoplimit 4294967295
local fe80::206:4fff:fe38:fa78 via :: dev lo  proto none  metric 0  mtu
16436 advmss 16376 hoplimit 4294967295
local fe80::214:2aff:fe7f:7a8 via :: dev lo  proto none  metric 0  mtu
16436 advmss 16376 hoplimit 4294967295
ff02::1 via ff02::1 dev eth1  metric 0
    cache  mtu 1500 advmss 1440 hoplimit 4294967295
ff02::1 via ff02::1 dev eth0  metric 0
    cache  mtu 1500 advmss 1440 hoplimit 4294967295
ff00::/8 dev eth0  metric 256  mtu 1500 advmss 1440 hoplimit 4294967295
ff00::/8 dev eth1  metric 256  mtu 1500 advmss 1440 hoplimit 4294967295

I have seen the local routing table get messed up like this but only
when running the Lenny vserver kernel; happens when stopping/starting
vservers. Don''t know how it happens running a stock kernel.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________



------------------------------------------------------------------------------
Protect Your Site and Customers from Malware Attacks
Learn about various malware tactics and how to avoid them. Understand 
malware threats, the impact they can have on your business, and how you 
can protect your company and customers by using code signing.
http://p.sf.net/sfu/oracle-sfdevnl

Just to conclude this thread: Tom, you were right, even with basic
forwarding set by individual commands rather than Shorewall, it didn''t
work. It''s taken me some time and effort (you don''t want to
know the
details, believe me!), but I know a lot more about IPv6 than I did, and I
have a working Dual Stack network now, so thanks for your comments and
help.

Jim


On Mon, January 17, 2011 11:30 pm, Tom Eastep wrote:
> On 1/17/11 11:58 AM, Jim Blake wrote:
> ugh my IPv6 provider.
>>
>> I conclude from the information above that the server is operating two
>> dual-stack interfaces correctly, stateless autoconfiguration is working
>> correctly, and while shorewall is forwarding IPv4 across the kernel,
>> shorewall6 is not forwarding anything.
>
>
> Neither Shorewall6 nor Netfilter6 is responsible for routing. What
> Shorewall6 *does* do is set the ipv6 forwarding flags for the interfaces
> based on your interfaces file. That is working:
>
>>   /proc/sys/net/ipv6/conf/eth0/forwarding = 1
>>   /proc/sys/net/ipv6/conf/eth1/forwarding = 1
>
> Did you set those two flags and test forwarding before you installed
> Shorewall6? That should be the only thing needed to enable IPv6
> forwarding through your router. If it works without Shorewall6
> (shorewall6 clear), then you have a Shorewall6 problem; otherwise, there
> is something else going on in your setup.
>
> -Tom
> --
> Tom Eastep        \ When I die, I want to go like my Grandfather who
> Shoreline,         \ died peacefully in his sleep. Not screaming like
> Washington, USA     \ all of the passengers in his car
> http://shorewall.net \________________________________________________
>
>
------------------------------------------------------------------------------
> Protect Your Site and Customers from Malware Attacks
> Learn about various malware tactics and how to avoid them. Understand
> malware threats, the impact they can have on your business, and how you
> can protect your company and customers by using code signing.
>
http://p.sf.net/sfu/oracle-sfdevnl_______________________________________________
> Shorewall-users mailing list
> Shorewall-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/shorewall-users
>

-- 
Jim Blake
07971 070751
01628 520495


------------------------------------------------------------------------------
Special Offer-- Download ArcSight Logger for FREE (a $49 USD value)!
Finally, a world-class log management solution at an even better price-free!
Download using promo code Free_Logger_4_Dev2Dev. Offer expires 
February 28th, so secure your free ArcSight Logger TODAY! 
http://p.sf.net/sfu/arcsight-sfd2d

On 2/1/11 4:04 AM, Jim Blake wrote:
> Just to conclude this thread: Tom, you were right, even with basic
> forwarding set by individual commands rather than Shorewall, it
didn''t
> work. It''s taken me some time and effort (you don''t want
to know the
> details, believe me!), but I know a lot more about IPv6 than I did, and I
> have a working Dual Stack network now, so thanks for your comments and
> help.
Thank you for letting us know Jim. Glad you got it working.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________



------------------------------------------------------------------------------
Special Offer-- Download ArcSight Logger for FREE (a $49 USD value)!
Finally, a world-class log management solution at an even better price-free!
Download using promo code Free_Logger_4_Dev2Dev. Offer expires 
February 28th, so secure your free ArcSight Logger TODAY! 
http://p.sf.net/sfu/arcsight-sfd2d