Re: Is it possible to block ipv6 auto configuration entering the tinc tunnel?

Håvard Rabbe hrabbe at me.com
Fri Feb 24 02:36:24 CET 2017


Hmm. Now it's not working again. The IPv6 autoconfiguration is let through the VPN. Now I have set up two VPN machines bridging two networks together.
These two machines connect to each other with IPv6.

I don't understand this. Do you have any ideas?

Best Regards,

Håvard Rabbe


On Feb 23, 2017, at 03:56 PM, Håvard Rabbe <hrabbe at me.com> wrote:

Hi,
It was not working when I applied the rules on the vpn card. But I wondered if maybe bridging of vpn and eth0 was messing this up. I thought it was enough to only apply it to the vpn card.

root@JOTVPN:~# brctl show
bridge name     bridge id               STP enabled     interfaces
bridge          8000.000c29638a7e       no              eth0
                                                        vpn

So I tried the rules you sent me on the bridge card and now it works. But why are both rules not applied on outgoing traffic?

Thank you so much for your help to get this working :-)

Best Regards,

Håvard Rabbe

root@JOTVPN:~# ip6tables --list-rules
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A FORWARD -o bridge -p ipv6-icmp -m icmp6 --icmpv6-type 133 -j DROP
-A FORWARD -i bridge -p ipv6-icmp -m icmp6 --icmpv6-type 134 -j DROP

On Feb 23, 2017, at 10:48 AM, Guus Sliepen <guus at tinc-vpn.org> wrote:

On Wed, Feb 22, 2017 at 08:51:49PM +0000, Håvard Rabbe wrote:

Thank you for looking into this. I haven't tried it before now. I can't get it to work.

After running the commands you suggest, I get this when I run ip6tables --list-rules:

root@JOTVPN:~# ip6tables --list-rules
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A FORWARD -i vpn -p ipv6-icmp -m icmp6 --icmpv6-type 133 -j DROP
-A FORWARD -o vpn -p ipv6-icmp -m icmp6 --icmpv6-type 134 -j DROP

Do you have any other ideas?

It could be I have the direction of the ICMP messages wrong. Try adding:

ip6tables -A FORWARD -o vpn -p ipv6-icmp -m icmp6 --icmpv6-type 133 -j DROP
ip6tables -A FORWARD -i vpn -p ipv6-icmp -m icmp6 --icmpv6-type 134 -j DROP

-- 
Met vriendelijke groet / with kind regards,
Guus Sliepen <guus at tinc-vpn.org>
_______________________________________________
tinc mailing list
tinc at tinc-vpn.org
https://www.tinc-vpn.org/cgi-bin/mailman/listinfo/tinc