CentOS 5.5, fully patched.
I have an HE (tunnelbroker.net) IPv6 tunnel. This works pretty well and is simple to set up. Everything works fine.
Until I try to set up an ip6tables firewall.
e.g. if I try to view https://dnssec.surfnet.nl/?p=464 then the page never displays and the firewall shows:
kernel: IN=sit1 OUT=eth0 SRC=2001:0610:0001:40cd:0145:0100:0186:0033 DST=my.machine LEN=80 TC=0 HOPLIMIT=56 FLOWLBL=0 PROTO=TCP SPT=443 DPT=40367 WINDOW=5712 RES=0x00 ACK SYN URGP=0
I also see some DNS issues:
kernel: IN=sit1 OUT=eth0 SRC=2001:0620:0000:0009:0000:0000:0000:1103 DST=my.machine LEN=542 TC=0 HOPLIMIT=54 FLOWLBL=0 FRAG:1232 ID:0086942f PROTO=UDP
(the source address here is ns1.zurich.surf.net).
I'm wondering if this is due to fragmentation, but I'm only guessing. The dnssec page referred to above indicates there may be a fragment re-assembly issue causing ip6tables problems.
Now I'm a newbie to IPv6 so I might be making a mistake. This is my firewall script.
#!/bin/bash
IPT6="/sbin/ip6tables"
PUBIF="sit1"    # HE tunnel interface (public side)
LOCAL="eth0"    # home LAN

echo "Starting IPv6 firewall..."
# flush and delete all existing rules and chains
$IPT6 -F
$IPT6 -X
$IPT6 -t mangle -F
$IPT6 -t mangle -X

# unlimited access to loopback
$IPT6 -A INPUT -i lo -j ACCEPT
$IPT6 -A OUTPUT -o lo -j ACCEPT

# Defaults
$IPT6 -P INPUT DROP
$IPT6 -P OUTPUT ACCEPT
$IPT6 -P FORWARD DROP

# append the same rule to both the INPUT and FORWARD chains
both() {
    $IPT6 -A INPUT "$@"
    $IPT6 -A FORWARD "$@"
}

# Allow full outgoing connection but no incoming stuff
both -i $LOCAL -j ACCEPT
both -i $PUBIF -m state --state ESTABLISHED,RELATED -j ACCEPT

# allow incoming ICMP ping pong stuff
both -p ipv6-icmp -j ACCEPT

# IP6 DNS
both -i $PUBIF -p tcp --destination-port 53 -j ACCEPT
both -i $PUBIF -p udp --destination-port 53 -j ACCEPT
both -i $PUBIF -p tcp --source-port 53 -j ACCEPT
both -i $PUBIF -p udp --source-port 53 -j ACCEPT

# IP6 from known good machine that I want to access internal network
both -i $PUBIF -p tcp --source remote.machine -j ACCEPT
both -i $PUBIF -p udp --source remote.machine -j ACCEPT

# log and drop everything else
both -i $PUBIF -j LOG
both -i $PUBIF -j DROP
It might be that I need to compile a generic kernel; apparently > 2.6.20 fixes a number of ip6tables issues; CentOS 5 is based on 2.6.18.
Maybe CentOS 6 (*nudge nudge*) will work :-)
I'm not sure I want to leave my home network on IPv6 without a firewall; not sure I trust all the machines I have on the local network to be safe from remote probes!
I wonder if anyone has any suggestions...
Thanks!
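Not part of the original post: an added Python helper that parses ip6tables LOG lines of the kind quoted above and labels each logged drop as a fragment (no transport header, so port-based rules cannot match it), a SYN/ACK reply to one of this host's own outbound connections (which the ESTABLISHED,RELATED rule should have accepted), or an unsolicited packet. The sample lines are constructed from the two quoted in the post, with DST replaced by a documentation address.

```python
import re
from typing import Dict, List

# Constructed sample: the two kernel LOG lines from the post plus one
# ordinary unsolicited SYN, prefixed the way syslog writes them.
SAMPLE_LOG = """\
Jun  1 10:00:01 gw kernel: IN=sit1 OUT=eth0 SRC=2001:0610:0001:40cd:0145:0100:0186:0033 DST=2001:db8::10 LEN=80 TC=0 HOPLIMIT=56 FLOWLBL=0 PROTO=TCP SPT=443 DPT=40367 WINDOW=5712 RES=0x00 ACK SYN URGP=0
Jun  1 10:00:02 gw kernel: IN=sit1 OUT=eth0 SRC=2001:0620:0000:0009:0000:0000:0000:1103 DST=2001:db8::10 LEN=542 TC=0 HOPLIMIT=54 FLOWLBL=0 FRAG:1232 ID:0086942f PROTO=UDP
Jun  1 10:00:03 gw kernel: IN=sit1 OUT= SRC=2001:db8:dead::1 DST=2001:db8::10 LEN=60 TC=0 HOPLIMIT=50 FLOWLBL=0 PROTO=TCP SPT=51234 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
"""

FIELD_RE = re.compile(r"(\w+)=(\S*)")          # KEY=VALUE tokens
TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}  # bare flag words

def parse_log_line(line: str) -> Dict[str, str]:
    """Return the KEY=VALUE fields of one ip6tables LOG line as a dict.
    TCP flag words are collected into FLAGS; a FRAG:<offset> token sets
    FRAG. Non-firewall syslog lines yield an empty dict."""
    if "kernel:" not in line or "IN=" not in line:
        return {}
    body = line.split("kernel:", 1)[1]
    fields = dict(FIELD_RE.findall(body))
    fields["FLAGS"] = " ".join(t for t in body.split() if t in TCP_FLAGS)
    m = re.search(r"FRAG:(\d+)", body)
    if m:
        fields["FRAG"] = m.group(1)
    return fields

def classify(fields: Dict[str, str]) -> str:
    """Label why a dropped packet matters for the symptoms in the post."""
    if fields.get("FRAG"):
        return "fragment"                 # non-first fragment: no L4 ports to match
    flags = fields.get("FLAGS", "").split()
    dport = int(fields.get("DPT") or 0)
    if "SYN" in flags and "ACK" in flags and dport >= 32768:
        return "reply-to-our-connection"  # SYN/ACK to an ephemeral port
    return "unsolicited"

def triage(log_text: str) -> List[Dict[str, str]]:
    """Parse every firewall line in log_text and attach a VERDICT field."""
    out = []
    for line in log_text.splitlines():
        f = parse_log_line(line)
        if f:
            f["VERDICT"] = classify(f)
            out.append(f)
    return out
```

A burst of "reply-to-our-connection" verdicts means the ESTABLISHED,RELATED rule is not matching at all, while "fragment" verdicts point at the reassembly problem the dnssec page describes.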