Håvard Rabbe
2017-Feb-22 20:51 UTC
Re: Is it possible to block ipv6 auto configuration entering the tinc tunnel?
Hi, thank you for looking into this. I haven't tried it before now. I can't get it to work. After running the commands you suggest, I get this when I run ip6tables --list-rules:

root at JOTVPN:~# ip6tables --list-rules
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A FORWARD -i vpn -p ipv6-icmp -m icmp6 --icmpv6-type 133 -j DROP
-A FORWARD -o vpn -p ipv6-icmp -m icmp6 --icmpv6-type 134 -j DROP

Do you have any other ideas? Thanks for your help!

Best Regards,
Håvard Rabbe

On Aug 30, 2016, at 04:39 PM, Guus Sliepen <guus at tinc-vpn.org> wrote:

> On Sat, Aug 27, 2016 at 11:41:12PM +0000, Håvard Rabbe wrote:
>
> > I'm using tinc to bridge networks together, and I'm using ebtables to block DHCP traffic for IPv4 on each node in tinc. One of my nodes has recently begun using IPv6. The ISP is using autoconfiguration to give out IPv6 addresses. The problem is that every computer in my bridged network is getting IPv6 addresses from that node. The other computers behind the other nodes have no use for the IPv6 addresses they get through the tinc tunnel. Is there a way to block IPv6 autoconfiguration traffic entering the tinc tunnel on each node?
>
> You should be able to block those packets in the FORWARD chain. IPv6 autoconfiguration is done using ICMPv6 packets with types 133 and 134, see: https://en.wikipedia.org/wiki/Neighbor_Discovery_Protocol. So do something like:
>
> ip6tables -A FORWARD -i <vpn interface> -p icmpv6 --icmpv6-type 133 -j DROP
> ip6tables -A FORWARD -o <vpn interface> -p icmpv6 --icmpv6-type 134 -j DROP
>
> --
> Met vriendelijke groet / with kind regards,
> Guus Sliepen <guus at tinc-vpn.org>
> _______________________________________________
> tinc mailing list
> tinc at tinc-vpn.org
> https://www.tinc-vpn.org/cgi-bin/mailman/listinfo/tinc
Guus Sliepen
2017-Feb-23 09:48 UTC
Is it possible to block ipv6 auto configuration entering the tinc tunnel?
On Wed, Feb 22, 2017 at 08:51:49PM +0000, Håvard Rabbe wrote:

> thank you for looking into this. I haven't tried it before now. I can't get it to work.
>
> after running the commands you suggest I get this when I run ip6tables --list-rules
>
> root at JOTVPN:~# ip6tables --list-rules
> -P INPUT ACCEPT
> -P FORWARD ACCEPT
> -P OUTPUT ACCEPT
> -A FORWARD -i vpn -p ipv6-icmp -m icmp6 --icmpv6-type 133 -j DROP
> -A FORWARD -o vpn -p ipv6-icmp -m icmp6 --icmpv6-type 134 -j DROP
>
> Do you have any other ideas?

It could be I have the direction of the ICMP messages wrong. Try adding:

ip6tables -A FORWARD -o vpn -p ipv6-icmp -m icmp6 --icmpv6-type 133 -j DROP
ip6tables -A FORWARD -i vpn -p ipv6-icmp -m icmp6 --icmpv6-type 134 -j DROP

--
Met vriendelijke groet / with kind regards,
Guus Sliepen <guus at tinc-vpn.org>
Håvard Rabbe
2017-Feb-23 13:55 UTC
Re: Is it possible to block ipv6 auto configuration entering the tinc tunnel?
Hi, it was not working when I applied the rules on the vpn card. But I wondered if maybe bridging of vpn and eth0 was messing this up. I thought it was enough to only apply it to the vpn card:

root at JOTVPN:~# brctl show
bridge name     bridge id               STP enabled     interfaces
bridge          8000.000c29638a7e       no              eth0
                                                        vpn

So I tried the rules you sent me on the bridge card and now it works. But why aren't both rules applied on outgoing traffic?

Thank you so much for your help to get this working :-)

Best Regards,
Håvard Rabbe

root at JOTVPN:~# ip6tables --list-rules
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A FORWARD -o bridge -p ipv6-icmp -m icmp6 --icmpv6-type 133 -j DROP
-A FORWARD -i bridge -p ipv6-icmp -m icmp6 --icmpv6-type 134 -j DROP

On Feb 23, 2017, at 10:48 AM, Guus Sliepen <guus at tinc-vpn.org> wrote:

> On Wed, Feb 22, 2017 at 08:51:49PM +0000, Håvard Rabbe wrote:
>
> > thank you for looking into this. I haven't tried it before now. I can't get it to work.
> >
> > after running the commands you suggest I get this when I run ip6tables --list-rules
> >
> > root at JOTVPN:~# ip6tables --list-rules
> > -P INPUT ACCEPT
> > -P FORWARD ACCEPT
> > -P OUTPUT ACCEPT
> > -A FORWARD -i vpn -p ipv6-icmp -m icmp6 --icmpv6-type 133 -j DROP
> > -A FORWARD -o vpn -p ipv6-icmp -m icmp6 --icmpv6-type 134 -j DROP
> >
> > Do you have any other ideas?
>
> It could be I have the direction of the ICMP messages wrong. Try adding:
>
> ip6tables -A FORWARD -o vpn -p ipv6-icmp -m icmp6 --icmpv6-type 133 -j DROP
> ip6tables -A FORWARD -i vpn -p ipv6-icmp -m icmp6 --icmpv6-type 134 -j DROP
>
> --
> Met vriendelijke groet / with kind regards,
> Guus Sliepen <guus at tinc-vpn.org>
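The thread ends with a ruleset that drops Router Solicitations (type 133) in one direction and Router Advertisements (type 134) in the other on the bridge. As an added example, not part of the thread and not tinc's own code, the Python check below parses ip6tables FORWARD rules (either the output of "ip6tables -S FORWARD" or the "ip6tables -A ..." commands quoted above) and lists which of the four interface/direction/type combinations still have no DROP rule, printing rules in the same form the thread uses to close them. It assumes the interface names from the thread ("bridge", "vpn") and falls back to a constructed copy of the last ruleset above when it cannot run ip6tables. One point worth knowing when reading its output on a bridged node: bridged IPv6 frames only traverse ip6tables when br_netfilter is loaded and net.bridge.bridge-nf-call-ip6tables is 1, and then -i/-o match the bridge device rather than its member ports; to match the tinc port itself, use "-m physdev --physdev-in vpn" or "--physdev-out vpn" instead of -i/-o.

```python
"""Added check (not from the thread or from tinc): parse ip6tables FORWARD
rules and report which Router Solicitation (133) / Router Advertisement (134)
directions are still not dropped on a given interface."""
import shlex
import subprocess
import sys

RS, RA = 133, 134  # ICMPv6 Router Solicitation / Router Advertisement
TYPE_NAMES = {"router-solicitation": RS, "router-advertisement": RA}

# Constructed sample: the FORWARD rules shown in the last message above,
# i.e. the second pair of rules applied to the bridge interface only.
SAMPLE_RULES = """\
-P FORWARD ACCEPT
-A FORWARD -o bridge -p ipv6-icmp -m icmp6 --icmpv6-type 133 -j DROP
-A FORWARD -i bridge -p ipv6-icmp -m icmp6 --icmpv6-type 134 -j DROP
"""


def icmp_type(value):
    """Normalise an --icmpv6-type argument ('134', '134/0', 'router-advertisement')."""
    if value is None:
        return None
    value = value.split("/")[0]
    return TYPE_NAMES.get(value, int(value) if value.isdigit() else None)


def parse_rules(text):
    """Return one dict per '-A FORWARD' rule; other lines are ignored.
    Accepts both raw 'ip6tables -S' output and 'ip6tables -A ...' commands."""
    flags = {"-i": "in", "--in-interface": "in", "-o": "out", "--out-interface": "out",
             "-p": "proto", "--protocol": "proto", "--icmpv6-type": "type",
             "-j": "target", "--jump": "target"}
    rules = []
    for line in text.splitlines():
        toks = shlex.split(line)
        if "-A" not in toks:
            continue
        toks = toks[toks.index("-A"):]
        if len(toks) < 2 or toks[1] != "FORWARD":
            continue
        rule = {"in": None, "out": None, "proto": None, "type": None, "target": None}
        i = 2
        while i < len(toks):
            key = flags.get(toks[i])
            if key is not None and i + 1 < len(toks):
                rule[key] = toks[i + 1]
                i += 2
            else:
                i += 1  # e.g. '-m icmp6' and other matches we do not need
        rules.append(rule)
    return rules


def missing_rules(rules, iface):
    """Return the (direction, icmp type) pairs with no DROP/REJECT rule on iface."""
    covered = set()
    for r in rules:
        if r["proto"] not in ("ipv6-icmp", "icmpv6", "58"):
            continue
        if r["target"] not in ("DROP", "REJECT"):
            continue
        t = icmp_type(r["type"])
        if t not in (RS, RA):
            continue
        # A rule naming only one interface covers every path through it;
        # a rule naming both (-i X -o Y) is narrower and is not counted here.
        if r["in"] == iface and r["out"] is None:
            covered.add(("in", t))
        if r["out"] == iface and r["in"] is None:
            covered.add(("out", t))
    wanted = {(d, t) for d in ("in", "out") for t in (RS, RA)}
    return sorted(wanted - covered)


def suggested_rules(missing, iface):
    """Rules in the same form the thread uses that would close each gap."""
    flag = {"in": "-i", "out": "-o"}
    return [f"ip6tables -A FORWARD {flag[d]} {iface} -p ipv6-icmp -m icmp6 "
            f"--icmpv6-type {t} -j DROP" for d, t in missing]


def live_rules():
    """Read the running FORWARD chain (needs root); None if ip6tables is unavailable."""
    try:
        return subprocess.run(["ip6tables", "-S", "FORWARD"], capture_output=True,
                              text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        return None


if __name__ == "__main__":
    iface = sys.argv[1] if len(sys.argv) > 1 else "bridge"  # assumed name from the thread
    text = live_rules() or SAMPLE_RULES
    gaps = missing_rules(parse_rules(text), iface)
    if not gaps:
        print(f"RS/RA are dropped in both directions on {iface}")
    for line in suggested_rules(gaps, iface):
        print("missing:", line)
```

Run as root with the interface name as the only argument; against the constructed sample it reports that inbound RS and outbound RA on "bridge" are not yet dropped, which is exactly the pair from the first message that the thread's final ruleset no longer contains.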