FORWARD-chain packets go through INPUT-chain ?
Philip Westphal
2006-04-26 08:43:15
Hi everybody,

I think my problem is quite simple, but I'm a little bit under pressure, and Google didn't help.
I have a firewall machine with ip6tables running on it, and behind this firewall there is a webserver with apache2 running.
The network looks like this:
 ____________________________________________________________________
|                               LAPTOP                               |
|  ipv6-addr: 2001:4100:1:1:204:dff:fe2b:4f1e/64                     |
|  gw:        2001:4100:1:1:207:8dff:fef0:a900/64                    |
 --------------------------------------------------------------------
                                  |
 ____________________________________________________________________
|  fasteth0/0 ipv6-addr: 2001:4100:1:1:207:8dff:fef0:a900/64         |
|                               CISCO                                |
|  fasteth1/0 ipv6-addr: 2001:4200:2:1:231:b5ff:fe67:8900/64         |
 --------------------------------------------------------------------
                                  |
 ____________________________________________________________________
|  eth0 ipv6-addr: 2001:4200:2:1:20b:4eff:fe5e:c69d/64               |
|       gw:        2001:4200:2:1:231:b5ff:fe67:8900                  |
|                              FIREWALL                              |
|  eth1 ipv6-addr: 2001:4200:3:1:203:75ff:fee8:3275/64               |
|       + route 2001:4200:3:1::/48 -> eth1                           |
 --------------------------------------------------------------------
                                  |
 ____________________________________________________________________
|  eth0 ipv6-addr: 2001:4200:3:1:204:b4ff:fec7:faa4/64               |
|       gw:        2001:4200:3:1:203:75ff:fee8:3275                  |
|                               APACHE                               |
 --------------------------------------------------------------------

Routing is fine; without ip6tables everything works.
My problem is that packets from the LAPTOP to the APACHE (and vice versa) go through all 3 chains: INPUT, OUTPUT and FORWARD.
If I don't make any rules, I have to set all 3 chains to ACCEPT to get packets through.
If I have INPUT and OUTPUT on DROP (FORWARD is on ACCEPT all the time), I especially need to allow packets to or from port 80 or icmpv6 on the INPUT and OUTPUT chains. When I set one of these two chains to DROP without any special rule, nothing works, not the http request or even the icmpv6. I thought all the time that the INPUT and OUTPUT chains are just for packets which are for or from the local machine. Could it be that the firewall treats packets like this because the APACHE is in the same net on a connected interface?
When I allow packets to the APACHE in the INPUT chain (let's assume the firewall routes packets through this chain because it is itself in the same net) (default policy is DROP) and set the OUTPUT and FORWARD chains to ACCEPT, it still doesn't work.

As I understand the http://netfilter.org/documentation/HOWTO/de/packet-filtering-HOWTO-6.html, normally packets which are not destined for the machine itself just go through the FORWARD chain. It's also under point #3 in this howto:

If forwarding is enabled, and the packet is destined for another network interface (if you have another one), then the packet goes rightwards on our diagram to the FORWARD chain. If it is ACCEPTed, it will be sent out.

If you have ANY questions about the net, or the routing tables on special machines, please ask.
I don't get it; any idea, HOWTO link, explanation, or solution *g* would be very nice. I'm willing to RTFM, but I don't know where this man is.

Thanks in advance. Philip
FORWARD-chain packets go through INPUT-chain ?
Jozsef
2006-04-26 09:34:20
On Wed, 26 Apr 2006, Philip Westphal wrote:

> I think my problem is quite simple, but I'm a little bit under pressure,
> and Google didn't help. I have a firewall machine with ip6tables
> running on it, and behind this firewall there is a webserver with
> apache2 running. The network looks like this:
[...]
> My problem is that packets from the LAPTOP to the APACHE (and
> vice versa) go through all 3 chains INPUT, OUTPUT and FORWARD. If I
> don't make any rules, I have to set all 3 chains to ACCEPT to get
> packets through. If I have INPUT and OUTPUT on DROP (FORWARD is all the
> time on ACCEPT), I especially need to allow packets to or from port 80
> or icmpv6 on the INPUT and OUTPUT chains.

IPv6 is not just IPv4 with bumped up address space: ARP is replaced by ND
(Neighbour Discovery), which is performed over ICMPv6. So if you block
ICMPv6 completely in INPUT/OUTPUT, you actually disable IPv6.

Have a look at the IETF draft 'Best Current Practice for Filtering ICMPv6
Messages in Firewalls':

http://www.ietf.org/internet-drafts/draft-ietf-v6ops-icmpv6-filtering-bcp-01.txt

Best regards,
Jozsef
-
E-mail  : kadlec@blackhole.kfki.hu, kadlec@sunserv.kfki.hu
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : KFKI Research Institute for Particle and Nuclear Physics
          H-1525 Budapest 114, POB. 49, Hungary
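An added example (not from either poster) of what the reply describes: an ip6tables ruleset for the FIREWALL box in Philip's diagram that keeps INPUT and OUTPUT at DROP but still lets Neighbour Discovery and the other ICMPv6 messages the filtering BCP recommends through, while the LAPTOP-to-APACHE web traffic is handled only in FORWARD. The interface roles (eth0 towards the CISCO, eth1 towards the APACHE), the webserver address and the availability of IPv6 connection tracking for the conntrack match are assumptions taken from the diagram.

```shell
#!/bin/sh
# Example ruleset for the FIREWALL box in the diagram (added here, not from the thread).
# Assumed: eth0 faces the CISCO router, eth1 faces the APACHE host, the webserver's
# address is the one in the diagram, and IPv6 connection tracking (nf_conntrack_ipv6)
# is loaded for the conntrack match. Run with IP6T="echo ip6tables" to only print
# the commands instead of loading them.
IP6T="${IP6T:-ip6tables}"
WAN_IF=eth0
LAN_IF=eth1
WEB=2001:4200:3:1:204:b4ff:fec7:faa4

# Neighbour Discovery runs over these ICMPv6 types (RS, RA, NS, NA, Redirect). They
# are addressed to and sent by the firewall itself, so they traverse INPUT/OUTPUT,
# never FORWARD; dropping them there is why a DROP policy takes IPv6 down entirely.
ND_TYPES="133 134 135 136 137"
# Error and echo messages the BCP draft also says to let through: destination
# unreachable, packet too big, time exceeded, parameter problem, echo request/reply.
ERR_TYPES="1 2 3 4 128 129"

apply_rules() {
    $IP6T -F
    $IP6T -X
    $IP6T -P INPUT DROP
    $IP6T -P OUTPUT DROP
    $IP6T -P FORWARD DROP

    $IP6T -A INPUT -i lo -j ACCEPT
    $IP6T -A OUTPUT -o lo -j ACCEPT

    # Local delivery: keep ND and basic ICMPv6 alive despite the DROP policy.
    for t in $ND_TYPES $ERR_TYPES; do
        $IP6T -A INPUT -p icmpv6 --icmpv6-type "$t" -j ACCEPT
        $IP6T -A OUTPUT -p icmpv6 --icmpv6-type "$t" -j ACCEPT
    done
    $IP6T -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IP6T -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # Transit LAPTOP <-> APACHE traffic is only ever seen by FORWARD: allow the
    # web server's port 80 and ping6 for debugging; replies come back via conntrack.
    $IP6T -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IP6T -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -d "$WEB" -p tcp --dport 80 -j ACCEPT
    $IP6T -A FORWARD -p icmpv6 --icmpv6-type 128 -j ACCEPT
}

# Load the rules only when invoked as: sh firewall.sh apply
case "${1:-}" in
    apply) apply_rules ;;
esac
```

After loading, `ip6tables -L INPUT -v -n` should show the ICMPv6 type 135/136 counters increasing and `ip -6 neigh show` should list the CISCO and APACHE neighbours; if those counters stay at zero the firewall cannot resolve its neighbours and FORWARD never sees a packet.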
