I have a server that I have set up with 2 interfaces, one of which has an
IPv4 and IPv6 address (dual stack) connecting to the Internet, the other
also configured dual-stack to a private LAN. The server is running
Shorewall and Shorewall6, configured with minimal restrictions. The server
is able to freely communicate with the Internet using either IPv6 or IPv4
(check IPv6 by going to ipv6.google.com).

The server runs radvd, and a Windows 7 client on the private network gets
both an IPv4 and a Global IPv6 address (as well as the usual DHCP-served
IPv4 address). The client can access IPv4 websites on the Internet via the
server (Shorewall is forwarding packets OK). However, the client cannot
access IPv6 sites on the Internet, despite those same sites being
accessible by a browser on the server.

The client can ping the server on its IPv6 private interface but not its
IPv6 public interface. Traceroute from the client to the external IPv6
address shows the route as far as the private IPv6 address, but fails to
get across the kernel to the public IPv6 address.

Routing looks OK, the client has a default IPv6 route to the Server, and
the server has a default static route out through my IPv6 provider.

I conclude from the information above that the server is operating two
dual-stack interfaces correctly, stateless autoconfiguration is working
correctly, and while shorewall is forwarding IPv4 across the kernel,
shorewall6 is not forwarding anything. The Server is running Debian 5.06,
with both Shorewall and Shorewall6 running version 4.4.11.6.

Shorewall6 dump, ip addr show, ip route show and ip -6 route show
attached below.

Any guidance would be much appreciated!

Jim

Bastion6:/etc/shorewall# shorewall6 dump
Shorewall6 4.4.11.6 Dump at Bastion6 - Mon Jan 17 19:50:04 GMT 2011
Shorewall 4.4.11.6
Counters reset Mon Jan 17 19:16:36 GMT 2011
Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source
destination
242 22488 dynamic all * * ::/0 ::/0
ctstate INVALID,NEW
47 9937 net2fw all eth0 * ::/0 ::/0
221 20664 loc2fw all eth1 * ::/0 ::/0
0 0 ACCEPT all lo * ::/0 ::/0
0 0 ACCEPT all * * ::/0 ::/0
ctstate RELATED,ESTABLISHED
0 0 Reject all * * ::/0 ::/0
0 0 LOG all * * ::/0 ::/0
LOG flags 0 level 6 prefix `Shorewall:INPUT:REJECT:''
0 0 reject all * * ::/0 ::/0
[goto]
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source
destination
6 424 dynamic all * * ::/0 ::/0
ctstate INVALID,NEW
0 0 net2all all eth0 eth1 ::/0 ::/0
6 424 loc2net all eth1 eth0 ::/0 ::/0
0 0 ACCEPT all * * ::/0 ::/0
ctstate RELATED,ESTABLISHED
0 0 Reject all * * ::/0 ::/0
0 0 LOG all * * ::/0 ::/0
LOG flags 0 level 6 prefix `Shorewall:FORWARD:REJECT:''
0 0 reject all * * ::/0 ::/0
[goto]
Chain OUTPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source
destination
40 6794 fw2net all * eth0 ::/0 ::/0
223 20832 fw2loc all * eth1 ::/0 ::/0
0 0 ACCEPT all * lo ::/0 ::/0
0 0 ACCEPT all * * ::/0 ::/0
ctstate RELATED,ESTABLISHED
0 0 Reject all * * ::/0 ::/0
0 0 LOG all * * ::/0 ::/0
LOG flags 0 level 6 prefix `Shorewall:OUTPUT:REJECT:''
0 0 reject all * * ::/0 ::/0
[goto]
Chain AllowICMPs (2 references)
pkts bytes target prot opt in out source
destination
0 0 ACCEPT icmpv6 * * ::/0 ::/0
ipv6-icmp type 1 /* Needed ICMP types (RFC4890) */
0 0 ACCEPT icmpv6 * * ::/0 ::/0
ipv6-icmp type 2 /* Needed ICMP types (RFC4890) */
0 0 ACCEPT icmpv6 * * ::/0 ::/0
ipv6-icmp type 3 /* Needed ICMP types (RFC4890) */
0 0 ACCEPT icmpv6 * * ::/0 ::/0
ipv6-icmp type 4 /* Needed ICMP types (RFC4890) */
0 0 ACCEPT icmpv6 * * ::/0 ::/0
ipv6-icmp type 133 /* Needed ICMP types (RFC4890) */
0 0 ACCEPT icmpv6 * * ::/0 ::/0
ipv6-icmp type 134 /* Needed ICMP types (RFC4890) */
0 0 ACCEPT icmpv6 * * ::/0 ::/0
ipv6-icmp type 135 /* Needed ICMP types (RFC4890) */
0 0 ACCEPT icmpv6 * * ::/0 ::/0
ipv6-icmp type 136 /* Needed ICMP types (RFC4890) */
0 0 ACCEPT icmpv6 * * ::/0 ::/0
ipv6-icmp type 137 /* Needed ICMP types (RFC4890) */
0 0 ACCEPT icmpv6 * * ::/0 ::/0
ipv6-icmp type 141 /* Needed ICMP types (RFC4890) */
0 0 ACCEPT icmpv6 * * ::/0 ::/0
ipv6-icmp type 142 /* Needed ICMP types (RFC4890) */
0 0 ACCEPT icmpv6 * * fe80::/10 ::/0
ipv6-icmp type 130 /* Needed ICMP types (RFC4890) */
0 0 ACCEPT icmpv6 * * fe80::/10 ::/0
ipv6-icmp type 131 /* Needed ICMP types (RFC4890) */
0 0 ACCEPT icmpv6 * * fe80::/10 ::/0
ipv6-icmp type 132 /* Needed ICMP types (RFC4890) */
0 0 ACCEPT icmpv6 * * fe80::/10 ::/0
ipv6-icmp type 143 /* Needed ICMP types (RFC4890) */
0 0 ACCEPT icmpv6 * * ::/0 ::/0
ipv6-icmp type 148 /* Needed ICMP types (RFC4890) */
0 0 ACCEPT icmpv6 * * ::/0 ::/0
ipv6-icmp type 149 /* Needed ICMP types (RFC4890) */
0 0 ACCEPT icmpv6 * * fe80::/10 ::/0
ipv6-icmp type 151 /* Needed ICMP types (RFC4890) */
0 0 ACCEPT icmpv6 * * fe80::/10 ::/0
ipv6-icmp type 152 /* Needed ICMP types (RFC4890) */
0 0 ACCEPT icmpv6 * * fe80::/10 ::/0
ipv6-icmp type 153 /* Needed ICMP types (RFC4890) */
Chain Drop (1 references)
pkts bytes target prot opt in out source
destination
0 0 reject tcp * * ::/0 ::/0
tcp dpt:113 /* Auth */
0 0 AllowICMPs icmpv6 * * ::/0 ::/0
2 176 dropBcast all * * ::/0 ::/0
0 0 dropInvalid all * * ::/0 ::/0
0 0 DROP udp * * ::/0 ::/0
multiport dports 135,445 /* SMB */
0 0 DROP udp * * ::/0 ::/0
udp dpts:137:139 /* SMB */
0 0 DROP udp * * ::/0 ::/0
udp spt:137 dpts:1024:65535 /* SMB */
0 0 DROP tcp * * ::/0 ::/0
multiport dports 135,139,445 /* SMB */
0 0 dropNotSyn tcp * * ::/0 ::/0
0 0 DROP udp * * ::/0 ::/0
udp spt:53 /* Late DNS Replies */
Chain Reject (4 references)
pkts bytes target prot opt in out source
destination
0 0 reject tcp * * ::/0 ::/0
tcp dpt:113 /* Auth */
0 0 AllowICMPs icmpv6 * * ::/0 ::/0
2 176 dropBcast all * * ::/0 ::/0
0 0 dropInvalid all * * ::/0 ::/0
0 0 reject udp * * ::/0 ::/0
multiport dports 135,445 /* SMB */
0 0 reject udp * * ::/0 ::/0
udp dpts:137:139 /* SMB */
0 0 reject udp * * ::/0 ::/0
udp spt:137 dpts:1024:65535 /* SMB */
0 0 reject tcp * * ::/0 ::/0
multiport dports 135,139,445 /* SMB */
0 0 dropNotSyn tcp * * ::/0 ::/0
0 0 DROP udp * * ::/0 ::/0
udp spt:53 /* Late DNS Replies */
Chain all2all (2 references)
pkts bytes target prot opt in out source
destination
0 0 ACCEPT all * * ::/0 ::/0
ctstate RELATED,ESTABLISHED
2 176 Reject all * * ::/0 ::/0
0 0 LOG all * * ::/0 ::/0
LOG flags 0 level 6 prefix `Shorewall:all2all:REJECT:''
0 0 reject all * * ::/0 ::/0
[goto]
Chain dropBcast (2 references)
pkts bytes target prot opt in out source
destination
0 0 DROP all * * ::/0
2001:470:1f09:ac6::/128
0 0 DROP all * * ::/0
2001:470:1f09:ac6:ffff:ffff:ffff:ff80/121
0 0 DROP all * * ::/0
2001:470:9363::/128
0 0 DROP all * * ::/0
2001:470:9363:0:ffff:ffff:ffff:ff80/121
4 352 DROP all * * ::/0 ff00::/8
Chain dropInvalid (2 references)
pkts bytes target prot opt in out source
destination
0 0 DROP all * * ::/0 ::/0
ctstate INVALID
Chain dropNotSyn (2 references)
pkts bytes target prot opt in out source
destination
0 0 DROP tcp * * ::/0 ::/0
tcp flags:!0x17/0x02
Chain dynamic (2 references)
pkts bytes target prot opt in out source
destination
Chain fw2loc (1 references)
pkts bytes target prot opt in out source
destination
0 0 ACCEPT all * * ::/0 ::/0
ctstate RELATED,ESTABLISHED
221 20656 ACCEPT icmpv6 * * ::/0 ::/0
2 176 all2all all * * ::/0 ::/0
[goto]
Chain fw2net (1 references)
pkts bytes target prot opt in out source
destination
27 5842 ACCEPT all * * ::/0 ::/0
ctstate RELATED,ESTABLISHED
0 0 ACCEPT udp * * ::/0 ::/0
udp dpt:53 /* DNS */
0 0 ACCEPT tcp * * ::/0 ::/0
tcp dpt:53 /* DNS */
9 616 ACCEPT icmpv6 * * ::/0 ::/0
4 336 ACCEPT all * * ::/0 ::/0
0 0 all2all all * * ::/0 ::/0
[goto]
Chain loc2fw (1 references)
pkts bytes target prot opt in out source
destination
0 0 tcpflags tcp * * ::/0 ::/0
0 0 ACCEPT all * * ::/0 ::/0
ctstate RELATED,ESTABLISHED
0 0 ACCEPT tcp * * ::/0 ::/0
tcp dpt:22 /* SSH */
0 0 ACCEPT icmpv6 * * ::/0 ::/0
ipv6-icmp type 128 /* Ping */
221 20664 ACCEPT icmpv6 * * ::/0 ::/0
0 0 ACCEPT all * * ::/0 ::/0
Chain loc2net (1 references)
pkts bytes target prot opt in out source
destination
6 424 tcpflags tcp * * ::/0 ::/0
0 0 ACCEPT all * * ::/0 ::/0
ctstate RELATED,ESTABLISHED
6 424 ACCEPT all * * ::/0 ::/0
Chain logdrop (0 references)
pkts bytes target prot opt in out source
destination
0 0 DROP all * * ::/0 ::/0
Chain logflags (5 references)
pkts bytes target prot opt in out source
destination
0 0 LOG all * * ::/0 ::/0
LOG flags 4 level 6 prefix `Shorewall:logflags:DROP:''
0 0 DROP all * * ::/0 ::/0
Chain logreject (0 references)
pkts bytes target prot opt in out source
destination
0 0 reject all * * ::/0 ::/0
Chain net2all (2 references)
pkts bytes target prot opt in out source
destination
0 0 tcpflags tcp * * ::/0 ::/0
0 0 ACCEPT all * * ::/0 ::/0
ctstate RELATED,ESTABLISHED
2 176 Drop all * * ::/0 ::/0
0 0 LOG all * * ::/0 ::/0
LOG flags 0 level 6 prefix `Shorewall:net2all:DROP:''
0 0 DROP all * * ::/0 ::/0
Chain net2fw (1 references)
pkts bytes target prot opt in out source
destination
26 8113 tcpflags tcp * * ::/0 ::/0
26 8113 ACCEPT all * * ::/0 ::/0
ctstate RELATED,ESTABLISHED
0 0 DROP icmpv6 * * ::/0 ::/0
ipv6-icmp type 128 /* Ping */
19 1648 ACCEPT icmpv6 * * ::/0 ::/0
2 176 net2all all * * ::/0 ::/0
[goto]
Chain reject (11 references)
pkts bytes target prot opt in out source
destination
0 0 DROP all * * ::/0
2001:470:1f09:ac6::/128
0 0 DROP all * * ::/0
2001:470:1f09:ac6:ffff:ffff:ffff:ff80/121
0 0 DROP all * * ::/0
2001:470:9363::/128
0 0 DROP all * * ::/0
2001:470:9363:0:ffff:ffff:ffff:ff80/121
0 0 DROP all * * ff00::/8 ::/0
0 0 DROP 2 * * ::/0 ::/0
0 0 REJECT tcp * * ::/0 ::/0
reject-with tcp-reset
0 0 REJECT udp * * ::/0 ::/0
reject-with icmp6-port-unreachable
0 0 REJECT icmpv6 * * ::/0 ::/0
reject-with icmp6-addr-unreachable
0 0 REJECT all * * ::/0 ::/0
reject-with icmp6-adm-prohibited
Chain shorewall (0 references)
pkts bytes target prot opt in out source
destination
Chain tcpflags (4 references)
pkts bytes target prot opt in out source
destination
0 0 logflags tcp * * ::/0 ::/0
[goto] tcp flags:0x3F/0x29
0 0 logflags tcp * * ::/0 ::/0
[goto] tcp flags:0x3F/0x00
0 0 logflags tcp * * ::/0 ::/0
[goto] tcp flags:0x06/0x06
0 0 logflags tcp * * ::/0 ::/0
[goto] tcp flags:0x03/0x03
0 0 logflags tcp * * ::/0 ::/0
[goto] tcp spt:0 flags:0x17/0x02
Log (/var/log/messages)
Mangle Table
Chain PREROUTING (policy ACCEPT 274 packets, 31025 bytes)
pkts bytes target prot opt in out source
destination
274 31025 tcpre all * * ::/0 ::/0
Chain INPUT (policy ACCEPT 268 packets, 30601 bytes)
pkts bytes target prot opt in out source
destination
Chain FORWARD (policy ACCEPT 6 packets, 424 bytes)
pkts bytes target prot opt in out source
destination
6 424 MARK all * * ::/0 ::/0
MARK and 0xffffff00
6 424 tcfor all * * ::/0 ::/0
Chain OUTPUT (policy ACCEPT 263 packets, 27626 bytes)
pkts bytes target prot opt in out source
destination
263 27626 tcout all * * ::/0 ::/0
Chain POSTROUTING (policy ACCEPT 467 packets, 47058 bytes)
pkts bytes target prot opt in out source
destination
467 47058 tcpost all * * ::/0 ::/0
Chain tcfor (1 references)
pkts bytes target prot opt in out source
destination
Chain tcout (1 references)
pkts bytes target prot opt in out source
destination
Chain tcpost (1 references)
pkts bytes target prot opt in out source
destination
Chain tcpre (1 references)
pkts bytes target prot opt in out source
destination
Raw Table
Chain PREROUTING (policy ACCEPT 274 packets, 31025 bytes)
pkts bytes target prot opt in out source
destination
Chain OUTPUT (policy ACCEPT 263 packets, 27626 bytes)
pkts bytes target prot opt in out source
destination
Conntrack Table (6 out of 32768)
IP Configuration
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qlen 1000
inet6 2001:470:1f09:ac6:206:4fff:fe38:fa78/64 scope global dynamic
valid_lft 2588989sec preferred_lft 601789sec
inet6 2001:470:1f09:ac6::2/64 scope global
valid_lft forever preferred_lft forever
inet6 fe80::206:4fff:fe38:fa78/64 scope link
valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qlen 1000
inet6 2001:470:9363::1/64 scope global
valid_lft forever preferred_lft forever
inet6 fe80::214:2aff:fe7f:7a8/64 scope link
valid_lft forever preferred_lft forever
IP Stats
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
RX: bytes packets errors dropped overrun mcast
560 8 0 0 0 0
TX: bytes packets errors dropped carrier collsns
560 8 0 0 0 0
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state
UNKNOWN qlen 1000
link/ether 00:06:4f:38:fa:78 brd ff:ff:ff:ff:ff:ff
RX: bytes packets errors dropped overrun mcast
3777714 4367 0 0 0 0
TX: bytes packets errors dropped carrier collsns
675482 4570 0 0 0 0
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state
UNKNOWN qlen 1000
link/ether 00:14:2a:7f:07:a8 brd ff:ff:ff:ff:ff:ff
RX: bytes packets errors dropped overrun mcast
72846537 1125953 0 0 0 0
TX: bytes packets errors dropped carrier collsns
591049690 1160865 0 0 0 0
/proc
/proc/version = Linux version 2.6.26-2-686 (Debian 2.6.26-26lenny1)
(dannf@debian.org) (gcc version 4.1.3 20080704 (prerelease) (Debian
4.1.2-25)) #1 SMP Thu Nov 25 01:53:57 UTC 2010
/proc/sys/net/ipv6/conf/all/forwarding = 1
/proc/sys/net/ipv6/conf/all/proxy_ndp = 0
/proc/sys/net/ipv6/conf/default/forwarding = 1
/proc/sys/net/ipv6/conf/default/proxy_ndp = 0
/proc/sys/net/ipv6/conf/eth0/forwarding = 1
/proc/sys/net/ipv6/conf/eth0/proxy_ndp = 0
/proc/sys/net/ipv6/conf/eth1/forwarding = 1
/proc/sys/net/ipv6/conf/eth1/proxy_ndp = 0
/proc/sys/net/ipv6/conf/lo/forwarding = 1
/proc/sys/net/ipv6/conf/lo/proxy_ndp = 0
Routing Rules
0: from all lookup local
32766: from all lookup main
Table local:
local ::1 via :: dev lo proto none metric 0 mtu 16436 advmss 16376
hoplimit 4294967295
local 2001:470:1f09:ac6:: via :: dev lo proto none metric 0 mtu 16436
advmss 16376 hoplimit 4294967295
local 2001:470:1f09:ac6::2 via :: dev lo proto none metric 0 mtu 16436
advmss 16376 hoplimit 4294967295
local 2001:470:1f09:ac6:206:4fff:fe38:fa78 via :: dev lo proto none
metric 0 mtu 16436 advmss 16376 hoplimit 4294967295
local 2001:470:9363:: via :: dev lo proto none metric 0 mtu 16436
advmss 16376 hoplimit 4294967295
local 2001:470:9363::1 via :: dev lo proto none metric 0 mtu 16436
advmss 16376 hoplimit 4294967295
local fe80:: via :: dev lo proto none metric 0 mtu 16436 advmss 16376
hoplimit 4294967295
local fe80:: via :: dev lo proto none metric 0 mtu 16436 advmss 16376
hoplimit 4294967295
local fe80::206:4fff:fe38:fa78 via :: dev lo proto none metric 0 mtu
16436 advmss 16376 hoplimit 4294967295
local fe80::214:2aff:fe7f:7a8 via :: dev lo proto none metric 0 mtu
16436 advmss 16376 hoplimit 4294967295
ff02::1 via ff02::1 dev eth1 metric 0
cache mtu 1500 advmss 1440 hoplimit 4294967295
ff02::1 via ff02::1 dev eth0 metric 0
cache mtu 1500 advmss 1440 hoplimit 4294967295
ff00::/8 dev eth0 metric 256 mtu 1500 advmss 1440 hoplimit 4294967295
ff00::/8 dev eth1 metric 256 mtu 1500 advmss 1440 hoplimit 4294967295
Table main:
2001:470:1f09:ac6::/64 dev eth0 metric 256 expires 2589149sec mtu 1500
advmss 1440 hoplimit 4294967295
2001:470:9363::/64 dev eth1 metric 256 mtu 1500 advmss 1440 hoplimit
4294967295
fe80::/64 dev eth0 metric 256 mtu 1500 advmss 1440 hoplimit 4294967295
fe80::/64 dev eth1 metric 256 mtu 1500 advmss 1440 hoplimit 4294967295
default via 2001:470:1f09:ac6::1 dev eth0 metric 1 mtu 1500 advmss 1440
hoplimit 4294967295
Neighbors
2001:470:1f09:ac6::1 dev eth0 lladdr 00:21:d8:13:29:2a router STALE
Modules
ip6table_filter 2432 1
ip6table_mangle 2400 1
ip6table_raw 1952 0
ip6_tables 11376 4
ip6t_LOG,ip6table_raw,ip6table_mangle,ip6table_filter
ip6t_LOG 5508 6
ip6t_REJECT 3488 4
nf_conntrack 55540 32
nf_conntrack_ipv6,xt_connlimit,ipt_MASQUERADE,ipt_CLUSTERIP,nf_nat_tftp,nf_nat_snmp_basic,nf_nat_sip,nf_nat_pptp,nf_nat_irc,nf_nat_h323,nf_nat_ftp,nf_nat_amanda,nf_conntrack_amanda,nf_conntrack_sane,nf_conntrack_tftp,nf_conntrack_sip,nf_conntrack_proto_sctp,nf_conntrack_pptp,nf_conntrack_proto_gre,nf_conntrack_netlink,nf_conntrack_netbios_ns,nf_conntrack_irc,nf_conntrack_h323,nf_conntrack_ftp,xt_helper,xt_conntrack,xt_CONNMARK,xt_connmark,xt_state,iptable_nat,nf_nat,nf_conntrack_ipv4
nf_conntrack_amanda 3808 1 nf_nat_amanda
nf_conntrack_ftp 6852 1 nf_nat_ftp
nf_conntrack_h323 44712 1 nf_nat_h323
nf_conntrack_ipv4 12268 19 iptable_nat,nf_nat
nf_conntrack_ipv6 12084 13
nf_conntrack_irc 5124 1 nf_nat_irc
nf_conntrack_netbios_ns 2368 0
nf_conntrack_netlink 14176 0
nf_conntrack_pptp 5476 1 nf_nat_pptp
nf_conntrack_proto_gre 4416 1 nf_conntrack_pptp
nf_conntrack_proto_sctp 6600 0
nf_conntrack_sane 4348 0
nf_conntrack_sip 16124 1 nf_nat_sip
nf_conntrack_tftp 4180 1 nf_nat_tftp
nf_nat 15576 13
ipt_REDIRECT,ipt_NETMAP,ipt_MASQUERADE,nf_nat_tftp,nf_nat_sip,nf_nat_pptp,nf_nat_proto_gre,nf_nat_irc,nf_nat_h323,nf_nat_ftp,nf_nat_amanda,nf_conntrack_netlink,iptable_nat
nf_nat_amanda 1824 0
nf_nat_ftp 2528 0
nf_nat_h323 5728 0
nf_nat_irc 2080 0
nf_nat_pptp 2880 0
nf_nat_proto_gre 2212 1 nf_nat_pptp
nf_nat_sip 5440 0
nf_nat_snmp_basic 8296 0
nf_nat_tftp 1568 0
x_tables 13284 48
ip6t_LOG,ip6t_REJECT,ip6_tables,xt_time,xt_connlimit,xt_realm,xt_comment,xt_policy,ipt_ULOG,ipt_TTL,ipt_ttl,ipt_REJECT,ipt_REDIRECT,ipt_recent,ipt_NETMAP,ipt_MASQUERADE,ipt_ECN,ipt_ecn,ipt_CLUSTERIP,ipt_ah,ipt_addrtype,xt_tcpmss,xt_pkttype,xt_physdev,xt_owner,xt_NFQUEUE,xt_NFLOG,xt_multiport,xt_MARK,xt_mark,xt_mac,xt_limit,xt_length,xt_iprange,xt_helper,xt_hashlimit,xt_DSCP,xt_dscp,xt_dccp,xt_conntrack,xt_CONNMARK,xt_connmark,xt_CLASSIFY,ipt_LOG,xt_tcpudp,xt_state,iptable_nat,ip_tables
xt_CLASSIFY 1696 0
xt_comment 1664 60
xt_connlimit 3720 0
xt_connmark 2368 0
xt_CONNMARK 2944 0
xt_conntrack 3488 29
xt_dccp 2696 0
xt_dscp 2368 0
xt_DSCP 2944 0
xt_hashlimit 9360 0
xt_helper 2112 0
xt_iprange 2272 0
xt_length 1760 0
xt_limit 2180 0
xt_mac 1728 0
xt_mark 1952 0
xt_MARK 2304 2
xt_multiport 2816 8
xt_NFLOG 1824 0
xt_NFQUEUE 1792 0
xt_owner 2560 0
xt_physdev 2352 0
xt_pkttype 1728 0
xt_policy 2848 0
xt_realm 1536 0
xt_state 2016 0
xt_tcpmss 1984 0
xt_tcpudp 2816 39
xt_time 2528 0
Shorewall6 has detected the following ip6tables/netfilter capabilities:
Packet Mangling: Available
Multi-port Match: Available
Extended Multi-port Match: Available
Connection Tracking Match: Available
Extended Connection Tracking Match Support: Available
Packet Type Match: Available
Policy Match: Available
Physdev Match: Available
Physdev-is-bridged Support: Available
Packet length Match: Available
IP range Match: Available
Recent Match: Not available
Owner Match: Available
Ipset Match: Not available
CONNMARK Target: Available
Extended CONNMARK Target: Available
Connmark Match: Available
Extended Connmark Match: Available
Raw Table: Available
IPP2P Match: Not available
CLASSIFY Target: Available
Extended REJECT: Available
Repeat match: Available
MARK Target: Available
Extended MARK Target: Available
Extended MARK Target 2: Available
Mangle FORWARD Chain: Available
Comments: Available
Address Type Match: Not available
TCPMSS Match: Available
Hashlimit Match: Available
NFQUEUE Target: Available
Realm Match: Not available
Helper Match: Available
Connlimit Match: Available
Time Match: Available
Goto Support: Available
IPMARK Target: Not available
LOG Target: Available
TPROXY Target: Not available
FLOW Classifier: Available
fwmark route mask: Available
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
PID/Program name
tcp6 0 0 :::5900 :::* LISTEN
3661/vino-server
tcp6 0 0 ::1:631 :::* LISTEN
3010/cupsd
tcp6 0 236 192.168.123.1:5900 192.168.123.11:49165
ESTABLISHED 3661/vino-server
udp6 0 0 :::5353 :::*
2982/avahi-daemon:
udp6 0 0 :::59134 :::*
2982/avahi-daemon:
Bastion6:/etc/shorewall# ip addr show
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state
UNKNOWN qlen 1000
link/ether 00:06:4f:38:fa:78 brd ff:ff:ff:ff:ff:ff
inet 81.2.96.39/28 brd 81.2.96.47 scope global eth0
inet6 2001:470:1f09:ac6:206:4fff:fe38:fa78/64 scope global dynamic
valid_lft 2588806sec preferred_lft 601606sec
inet6 2001:470:1f09:ac6::2/64 scope global
valid_lft forever preferred_lft forever
inet6 fe80::206:4fff:fe38:fa78/64 scope link
valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state
UNKNOWN qlen 1000
link/ether 00:14:2a:7f:07:a8 brd ff:ff:ff:ff:ff:ff
inet 192.168.123.1/24 brd 192.168.123.255 scope global eth1
inet6 2001:470:9363::1/64 scope global
valid_lft forever preferred_lft forever
inet6 fe80::214:2aff:fe7f:7a8/64 scope link
valid_lft forever preferred_lft forever
Bastion6:/etc/shorewall# ip route show
81.2.96.32/28 dev eth0 proto kernel scope link src 81.2.96.39
192.168.123.0/24 dev eth1 proto kernel scope link src 192.168.123.1
default via 81.2.96.33 dev eth0
Bastion6:/etc/shorewall# ip -6 route show
2001:470:1f09:ac6::/64 dev eth0 metric 256 expires 2588904sec mtu 1500
advmss 1440 hoplimit 4294967295
2001:470:9363::/64 dev eth1 metric 256 mtu 1500 advmss 1440 hoplimit
4294967295
fe80::/64 dev eth0 metric 256 mtu 1500 advmss 1440 hoplimit 4294967295
fe80::/64 dev eth1 metric 256 mtu 1500 advmss 1440 hoplimit 4294967295
default via 2001:470:1f09:ac6::1 dev eth0 metric 1 mtu 1500 advmss 1440
hoplimit 4294967295
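
An added example (not part of the original post): a small Python reader for the filter-table section of a dump like the one above. It follows the FORWARD chain through the jumps that actually matched packets and reports where those packets received a verdict. The sample rows are rejoined from the wrapped lines of the dump; the function names are this example's own, and the column layout is assumed to match the dump (empty "opt" column).

```python
import re

TERMINAL = {"ACCEPT", "DROP", "REJECT"}
MULT = {"": 1, "K": 1000, "M": 1000**2, "G": 1000**3}

# Constructed sample: an excerpt of the dump above with its wrapped rows rejoined.
SAMPLE = """\
Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target   prot opt in   out  source destination
    6   424 dynamic  all      *    *    ::/0   ::/0   ctstate INVALID,NEW
    0     0 net2all  all      eth0 eth1 ::/0   ::/0
    6   424 loc2net  all      eth1 eth0 ::/0   ::/0
    0     0 ACCEPT   all      *    *    ::/0   ::/0   ctstate RELATED,ESTABLISHED
    0     0 Reject   all      *    *    ::/0   ::/0
    0     0 reject   all      *    *    ::/0   ::/0   [goto]
Chain dynamic (2 references)
Chain loc2net (1 references)
    6   424 tcpflags tcp      *    *    ::/0   ::/0
    0     0 ACCEPT   all      *    *    ::/0   ::/0   ctstate RELATED,ESTABLISHED
    6   424 ACCEPT   all      *    *    ::/0   ::/0
Chain net2all (2 references)
    0     0 tcpflags tcp      *    *    ::/0   ::/0
    0     0 ACCEPT   all      *    *    ::/0   ::/0   ctstate RELATED,ESTABLISHED
    2   176 Drop     all      *    *    ::/0   ::/0
    0     0 DROP     all      *    *    ::/0   ::/0
Chain tcpflags (4 references)
    0     0 logflags tcp      *    *    ::/0   ::/0   [goto] tcp flags:0x3F/0x29
"""

def parse_chains(text):
    """Return {chain: [rule dicts]} from `ip6tables -L -n -v` style text."""
    chains, current = {}, None
    for line in text.splitlines():
        head = re.match(r"Chain (\S+) \(", line)
        if head:
            current = chains.setdefault(head.group(1), [])
            continue
        f = line.split()
        m = re.fullmatch(r"(\d+)([KMG]?)", f[0]) if len(f) >= 8 else None
        if current is None or not m:
            continue  # column header, blank line or wrapped fragment
        # The "opt" column is empty in this output, so "in"/"out" are fields 4 and 5.
        current.append({"pkts": int(m.group(1)) * MULT[m.group(2)],
                        "target": f[2], "in": f[4], "out": f[5]})
    return chains

def forward_verdicts(chains, start="FORWARD"):
    """Follow only jumps that matched packets; return [(in, out, chain, verdict, pkts)]."""
    found = []
    def walk(chain, via, seen):
        for r in chains.get(chain, []):
            if r["pkts"] == 0:
                continue  # nothing from this path went that way
            pair = via or (r["in"], r["out"])  # interface pair of the top-level rule
            if r["target"] in TERMINAL:
                found.append((*pair, chain, r["target"], r["pkts"]))
            elif r["target"] in chains and r["target"] not in seen:
                walk(r["target"], pair, seen | {r["target"]})
    walk(start, None, {start})
    return found

if __name__ == "__main__":
    for row in forward_verdicts(parse_chains(SAMPLE)):
        print("in=%s out=%s chain=%s verdict=%s pkts=%d" % row)
```

For the rows above it returns one entry: 6 packets entering on eth1 and leaving on eth0 were accepted in loc2net. Counters in chains referenced from several places are totals across all callers, which is why a jump with a zero count (net2all from FORWARD here) is not followed.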