thr3ads.net - Shorewall users - diagnosing IPv6 connection loss -- why's this ping6 failing? [Nov 2014]

If this information is useful, please help other people find it:
Share via:

PGNd

2014-Nov-13 00:14 UTC

diagnosing IPv6 connection loss -- why's this ping6 failing?

I'm starting to troubleshoot loss of tunnelbroker-provided IPv6 on an edge,
shorewall6-lite box; need a hand.

On the shorewall machine, @eth0, the external interface,

	ifconfig eth0 | grep "inet6 addr" | grep "Scope:Global"
		inet6 addr: 2001:XXX:XXX4:XXX::2/64 Scope:Global

and

	shorewall6-lite show routing | egrep "^2001|^default"
		2001:XXX:XXX5:XXX::/64 dev eth1 proto kernel metric 256
		2001:XXX:XXX4:XXX::/64 dev sit1 proto kernel metric 256
		2001:XXX:XXX4:XXX::/64 dev eth0 proto kernel metric 256
		default via 2001:XXX:XXX4:XXX::1 dev sit1 metric 1024

In my shorewall6-lite rules, I have added

	Ping(ACCEPT)   net:[2001:XXX:XXX4:XXX::2]/64,[2001:XXX:XXX5:XXX::]/64   all
	Ping(ACCEPT)   net                                                      all   -
-   -   -   5/sec:100

On the shorewall machine, ping6 to self

	ping6 -c1 2001:XXX:XXX4:XXX::2
		PING 2001:XXX:XXX4:XXX::2(2001:XXX:XXX4:XXX::2) 56 data bytes
		64 bytes from 2001:XXX:XXX4:XXX::2: icmp_seq=1 ttl=64 time=0.157 ms

		--- 2001:XXX:XXX4:XXX::2 ping statistics ---
		1 packets transmitted, 1 received, 0% packet loss, time 0ms
		rtt min/avg/max/mdev = 0.157/0.157/0.157/0.000 ms

but, to the other end of the tunnel

	ping6 -c1 2001:XXX:XXX4:XXX::1
		PING 2001:XXX:XXX4:XXX::1(2001:XXX:XXX4:XXX::1) 56 data bytes
		From 2001:XXX:XXX4:XXX::2 icmp_seq=1 Destination unreachable: Address
unreachable

		--- 2001:XXX:XXX4:XXX::1 ping statistics ---
		0 packets transmitted, 0 received, +1 errors

and in shorewall log

	...
	Nov 12 15:47:38 test kernel: [  976.493756] SW:[P6]OUTPUT:REJECT IN= OUT=eth0
SRC=2001:0XXX:XXX4:XXX0:0000:0000:0000:0002
DST=2001:0XXX:XXX4:XXX0:0000:0000:0000:0001 LEN=104 TC=0 HOPLIMIT=64 FLOWLBL=0
PROTO=ICMPv6 TYPE=128 CODE=0 ID=3994 SEQ=1
	...

To my read, the "Ping(ACCEPT)" above should be allowing that traffic,
not REJECTing it.  I can't manage to see the problem.

What's wrong here?  What additional diagnostic can/should I look at?

------------------------------------------------------------------------------
Comprehensive Server Monitoring with Site24x7.
Monitor 10 servers for $9/Month.
Get alerted through email, SMS, voice calls or mobile push notifications.
Take corrective actions from your mobile device.
http://pubads.g.doubleclick.net/gampad/clk?id=154624111&iu=/4140/ostg.clktrk

Shorewall users - Nov 2014 - diagnosing IPv6 connection loss -- why's this ping6 failing?

diagnosing IPv6 connection loss -- why's this ping6 failing?