
Marcus Rückert wrote:
On Wed, 20 May 2015 11:30:23 +0200 Per Jessen <per@computer.org> wrote:
AFAICT, iptables and ip6tables operate on two separate tables, one for ipv4 and one for ipv6? Certainly, when I list the tables, the contents are different.
It seems to me that 'iptables' ought to work with both of these formats:
iptables -A INPUT -p tcp -s 192.168.77.77 -j DROP
iptables -A INPUT -p tcp -s ::ffff:192.168.77.77 -j DROP
The latter format is not recognised by iptables.
Not surprisingly though, it works with ip6tables:
ip6tables -A INPUT -p tcp -s ::ffff:192.168.77.77 -j DROP
The real question is - will the latter actually drop IPv4 traffic from 192.168.77.77?
I wouldn't count on it.
Me neither.
Also, using IPv4 mapped into IPv6 is discouraged for servers anyway. Bind services properly to IPv6 and IPv4.
Yeah, we do too - it's more for logging and storage purposes (and then reusing those data). For instance, we would like to log addresses in one single format such that any subsequent processing does not need to work out if it's ipv4 or ipv6. vsftpd already does this, that's where I spotted this issue - failed logins are logged like this:

vsftpd[18638]: [testuser123] FAIL LOGIN: Client "::ffff:192.168.77.77"
vsftpd[9695]: [admin_com] FAIL LOGIN: Client "2001:db8:bdfe::706f:bdfe"

/Per

--
Per Jessen, Zürich (10.4°C)
http://www.hostsuisse.com/ - virtual servers, made in Switzerland.
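An added example, not part of the original thread: one way to post-process single-format log lines like the vsftpd ones above, unwrapping IPv4-mapped addresses so each DROP rule is issued with the tool that owns that address family. The function names are hypothetical, and the sample log is constructed from the two lines quoted in the message plus one invalid entry.

```python
import ipaddress
import re

# Constructed sample: the two lines quoted in the thread plus one bad entry.
SAMPLE_LOG = '''\
vsftpd[18638]: [testuser123] FAIL LOGIN: Client "::ffff:192.168.77.77"
vsftpd[9695]: [admin_com] FAIL LOGIN: Client "2001:db8:bdfe::706f:bdfe"
vsftpd[9701]: [guest] FAIL LOGIN: Client "not-an-address"
'''

FAIL_RE = re.compile(r'FAIL LOGIN: Client "([^"]+)"')


def normalize(addr_text):
    """Return an IPv4Address for plain or IPv4-mapped input, else IPv6Address."""
    addr = ipaddress.ip_address(addr_text)  # raises ValueError on bad input
    if addr.version == 6 and addr.ipv4_mapped is not None:
        return addr.ipv4_mapped  # ::ffff:a.b.c.d -> a.b.c.d
    return addr


def drop_rule(addr_text):
    """Build the DROP rule from the thread with the tool matching the family."""
    addr = normalize(addr_text)
    tool = "iptables" if addr.version == 4 else "ip6tables"
    # str(addr) is the canonical form produced by the parser, never raw log text.
    return f"{tool} -A INPUT -p tcp -s {addr} -j DROP"


def rules_from_log(text):
    """Return one rule per distinct failing client; skip unparsable addresses."""
    seen = set()
    rules = []
    for match in FAIL_RE.finditer(text):
        try:
            rule = drop_rule(match.group(1))
        except ValueError:
            continue  # client field was not an IP address
        if rule not in seen:
            seen.add(rule)
            rules.append(rule)
    return rules


if __name__ == "__main__":
    for rule in rules_from_log(SAMPLE_LOG):
        print(rule)
```
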