Sponsored Content
Special Forums Cybersecurity How to use Netfilter properly with IPv6? Post 302986214 by SInt on Tuesday 22nd of November 2016 05:17:31 AM
Old 11-22-2016
How to use Netfilter properly with IPv6?

Hello,

on a PC with Debian 8 I try to use a Bash script with Netfilter rules so that only traffic goes in and out that is wanted. For that I set all 3 default policies to "drop". The machine uses DHCP to get its IP, gateway and DNS. And I never checked so I was quite surprised that my router/modem assings an IPv6 and not only an IPv4. I wonder if I need additional rules for IPv6. Could somebody explain that problem to me?


Greetings,
SInt
 

9 More Discussions You Might Find Interesting

1. Programming

Help in extending netfilter

Hi everybody, I have to write a module for matching in netfilter , extending the netfilter but I'm facing some problems can somebody guide me in that. I know that I need to write matching module working in kernel space and a program in userspace. I went through the HOWTO on netfilter-hacking but... (0 Replies)
Discussion started by: Trusted Penguin
0 Replies

2. Programming

Problem in registering new netfilter target module

Friends I'm facing a big problem trying to extend the netfilter. Somone please help me with your quick reply (any hint) as I've to meet a deadline. My problem is that I've written a new netfilter target module and its corresponding userspace program for iptables to change the packet type of a... (0 Replies)
Discussion started by: Rakesh Ranjan
0 Replies

3. Programming

extending netfilter...plz help

Hello friends i'm trying to extend iptables to include a target by which we can change the packet type field of a packet. For this i created a kernel module and a userspace extension. Now i face the problem that when i try to invoke iptable with the target i created i get an error message saying... (1 Reply)
Discussion started by: Rakesh Ranjan
1 Replies

4. IP Networking

netfilter connection tracking

hi, i'm using tcpreplay to send a traffic trace to my wireless interface (the trace is been captured by the same interface). It seems as netfilter can't trace connections. Is it possible? (0 Replies)
Discussion started by: littleboyblu
0 Replies

5. Cybersecurity

Netfilter conntracking for P2P protocols (edonkey, bittorent...)

Hi everyone, I would like to allow multi users to access P2P networks, so I wonder if there's a way to tracking these kind of protocols with netfilter, and also compatibility with nat, like the module conntrack_ftp seems to do with the FTP protocol. Thanks guys. (0 Replies)
Discussion started by: nekkro-kvlt
0 Replies

6. Linux

netfilter / iptables

HI, Is the Netfilter and IPtables same? Thanks & Regards Arun (1 Reply)
Discussion started by: Arun.Kakarla
1 Replies

7. Linux

C, LKM, netfilter, PF_PACKET and ARP.

Hello, Everyone knows that with PF_PACKET sockets one can "sniff" a determinated frame from the network device, but just that, see the frame without altering its action on the receiving host. What i want is to "intercept" the incoming frame and pass it through some rules, and if it doesn't pass... (9 Replies)
Discussion started by: Zykl0n-B
9 Replies

8. Cybersecurity

Experience with libvirt netfilter API

Hi all, I would like to get some ideas and opinions on matter of libvirt netfilter application in KVM environment. I am looking for some easy way to control it with an API and possible experience with that and its performance in real life application. Thanks for all ideas (0 Replies)
Discussion started by: smoofy
0 Replies

9. UNIX for Dummies Questions & Answers

Assigning ipv6 to bonding interface - getting old as well as changed ipv6 in ifconfig output

Hi, I have created a bonding bond1 interface with 6 Eth , mode=4. Recently i have changed my old ipv6 to new one and tried to restart as well as reload network service. Post which i can see old as well as changed ipv6 in ifconfig command output. Below are few files and command output for your... (1 Reply)
Discussion started by: omkar.jadhav
1 Replies
SHOREWALL6-NOTRACK(5)						  [FIXME: manual]					     SHOREWALL6-NOTRACK(5)

NAME
notrack - shorewall notrack file SYNOPSIS
/etc/shorewall/notrack DESCRIPTION
The original intent of the notrack file was to exempt certain traffic from Netfilter connection tracking. Traffic matching entries in this file were not to be tracked. The role of the file was expanded in Shorewall 4.4.27 to include all rules tht can be added in the Netfilter raw table. The file supports two different column layouts: FORMAT 1 and FORMAT 2, FORMAT 1 being the default. The two differ in that FORMAT 2 has an additional leading ACTION column. When an entry in the file of this form is encountered, the format of the following entries are assumed to be of the specified format. FORMAT format where format is either 1 or 2. The columns in the file are as follows (where the column name is followed by a different name in parentheses, the different name is used in the alternate specification syntax). ACTION - {NOTRACK|CT:option[:arg,...]} This column is only present when FORMAT = 2. Values other than NOTRACK require CT Targetsupport in your iptables and kernel. Possible values for option and args are: o notrack (no arg) Disables connection tracking for this packet, the same as if NOTRACK has been specified in this column. o helper:name Use the helper identified by the name to this connection. This is more flexible than loading the conntrack helper with preset ports. o ctevents:event,... Only generate the specified conntrack events for this connection. Possible event types are: new, related, destroy, reply, assured, protoinfo, helper, mark (this is connection mark, not packet mark), natseqinfo, and secmark. o expevents:new Only generate a new expectation events for this connection. o zone:id Assign this packet to zone id and only have lookups done in that zone. By default, packets have zone 0. When FORMAT = 1, this column is not present and the rule is processed as if NOTRACK had been entered in this column. SOURCE - {zone[:interface][:address-list]|COMMENT} where zone is the name of a zone, interface is an interface to that zone, and address-list is a comma-separated list of addresses (may contain exclusion - see shorewall-exclusion[1] (5)). Comments may be attached to Netfilter rules generated from entries in this file through the use of COMMENT lines. These lines begin with the word COMMENT; the remainder of the line is treated as a comment which is attached to subsequent rules until another COMMENT line is found or until the end of the file is reached. To stop adding comments to rules, use a line with only the word COMMENT. DEST - [interface|address-list] where interface is the name of a network interface and address-list is a comma-separated list of addresses (may contain exclusion - see shorewall-exclusion[1] (5)). If an interface is given: o It must be up and configured with an IPv4 address when Shorewall is started or restarted. o All routes out of the interface must be configured when Shorewall is started or restarted. o Default routes out of the interface will result in a warning message and will be ignored. These restrictions are because Netfilter doesn't support NOTRACK rules that specify a destination interface (these rules are applied before packets are routed and hence the destination interface is unknown). Shorewall uses the routes out of the interface to replace the interface with an address list corresponding to the networks routed out of the named interface. PROTO - protocol-name-or-number A protocol name from /etc/protocols or a protocol number. DEST PORT(S) (dport) - port-number/service-name-list A comma-separated list of port numbers and/or service names from /etc/services. May also include port ranges of the form low-port:high-port if your kernel and iptables include port range support. SOURCE PORT(S) (sport) - port-number/service-name-list A comma-separated list of port numbers and/or service names from /etc/services. May also include port ranges of the form low-port:high-port if your kernel and iptables include port range support. USER/GROUP (user) - [user][:group] May only be specified if the SOURCE zone is $FW. Specifies the effective user id and or group id of the process sending the traffic. FILES
/etc/shorewall/notrack SEE ALSO
http://shorewall.net/configuration_file_basics.htm#Pairs shorewall(8), shorewall-accounting(5), shorewall-actions(5), shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5), shorewall-ipsets(5), shorewall-masq(5), shorewall-nat(5), shorewall-netmap(5), shorewall-params(5), shorewall-policy(5), shorewall-providers(5), shorewall-proxyarp(5), shorewall-rtrules(5), shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5), shorewall-secmarks(5), shorewall-tcclasses(5), shorewall-tcdevices(5), shorewall-tcrules(5), shorewall-tos(5), shorewall-tunnels(5), shorewall-zones(5) NOTES
1. shorewall-exclusion http://www.shorewall.net/manpages/shorewall-exclusion.html [FIXME: source] 06/28/2012 SHOREWALL6-NOTRACK(5)
All times are GMT -4. The time now is 11:39 AM.
Unix & Linux Forums Content Copyright 1993-2022. All Rights Reserved.
Privacy Policy