[CentOS] IPv6, HE tunnel and ip6tables problems

Thu Jan 13 12:58:41 UTC 2011
David Sommerseth <dazo at users.sourceforge.net>

On 11/01/11 21:12, Blake Hudson wrote:
> 
> 
> -------- Original Message  --------
> Subject: [CentOS] IPv6, HE tunnel and ip6tables problems
> From: Stephen Harris <lists at spuddy.org>
> To: CentOS mailing list <centos at centos.org>
> Date: Tuesday, January 11, 2011 1:09:25 PM
>> CentOS 5.5, fully patched.
>>
>> I have a HE tunnel (tunnelbroker.net) IPv6 tunnel.  This works pretty
>> well and is simple to setup.  Everything works fine.
>>
>> Until I try to set up an ip6tables firewall.
>>
> ...
>> It might be that I need to compile a generic kernel; apparently >
>> 2.6.20 fixes a number of ip6tables issues; CentOS 5 is based on 2.6.18.
>>
>> Maybe CentOS 6 (*nudge nudge*) will work :-)
>>
>> I'm not sure I want to leave my home network on IPv6 without a firewall;
>> not sure I trust all the machines I have on local network to be safe
>> from remote probes!
>>
>> I wonder if anyone has any suggestions...
>>
>> Thanks!
>>
> 
> I have been waiting for RHEL6/CentOS6 because, as I understand it,
> CentOS5 does not have a statefull IP6 firewall - e.g. incoming traffic
> would have to have a default ACCEPT policy or only specific applications
> allowed (based on source port) on a case by case basis. Perhaps this is
> the issue you are running into. However, I would think you'd receive an
> error attempting to set "--state ESTABLISHED,RELATED" within iptables if
> this were the case.

That matches what I've heard and experienced as well.  I heard something
that backporting the changes from the 2.6.20-something kernel down to
2.6.18 where statefull IPv6 filtering arrived, was too big or too risky
to the stability.  I don't know the details, just something I caught on
IRC or so.

> I would be delighted if someone could share their experiences with ip6
> and CentOS5, especially from a security or service provider standpoint.

My experiences is that IPv6 in CentOS5 works very well, but is not
optimal due to lack of stateful firewalling.  However, I'm certain that
is solved in CentOS6/RHEL6.


kind regards,

David Sommerseth