[opensuse] ip6?tables and ipv[46] addresses ?
AFAICT, iptables and ip6tables operate on two separate tables, one for ipv4 and one for ipv6? Certainly, when I list the tables, the contents are different.

It seems to me that 'iptables' ought to work with both of these formats:

iptables -A INPUT -p tcp -s 192.168.77.77 -j DROP
iptables -A INPUT -p tcp -s ::ffff:192.168.77.77 -j DROP

The latter format is not recognised by iptables. Not surprisingly though, it works with ip6tables:

ip6tables -A INPUT -p tcp -s ::ffff:192.168.77.77 -j DROP

The real question is - will the latter actually drop IPv4 traffic from 192.168.77.77?

-- 
Per Jessen, Zürich (9.3°C)
http://www.dns24.ch/ - your free DNS host, made in Switzerland.

-- 
To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org
To contact the owner, e-mail: opensuse+owner@opensuse.org
On Wed, 20 May 2015 11:30:23 +0200 Per Jessen <per@computer.org> wrote:
> AFAICT, iptables and ip6tables operate on two separate tables, one for ipv4 and one for ipv6? Certainly, when I list the tables, the contents are different.
>
> It seems to me that 'iptables' ought to work with both of these formats:
>
> iptables -A INPUT -p tcp -s 192.168.77.77 -j DROP
> iptables -A INPUT -p tcp -s ::ffff:192.168.77.77 -j DROP
>
> The latter format is not recognised by iptables.
> Not surprisingly though, it works with ip6tables:
>
> ip6tables -A INPUT -p tcp -s ::ffff:192.168.77.77 -j DROP
>
> The real question is - will the latter actually drop IPv4 traffic from 192.168.77.77?
I wouldn't count on it.

also using the ipv4 mapped into ipv6 is discouraged for servers anyway. bind services properly to ipv6 and ipv4. for ipv6 it means binding with IPV6_V6ONLY. how you do that depends on the server software.

darix

-- 
openSUSE - SUSE Linux is my linux
openSUSE is good for you
www.opensuse.org
Marcus Rückert wrote:
> On Wed, 20 May 2015 11:30:23 +0200 Per Jessen <per@computer.org> wrote:
>
>> AFAICT, iptables and ip6tables operate on two separate tables, one for ipv4 and one for ipv6? Certainly, when I list the tables, the contents are different.
>>
>> It seems to me that 'iptables' ought to work with both of these formats:
>>
>> iptables -A INPUT -p tcp -s 192.168.77.77 -j DROP
>> iptables -A INPUT -p tcp -s ::ffff:192.168.77.77 -j DROP
>>
>> The latter format is not recognised by iptables.
>> Not surprisingly though, it works with ip6tables:
>>
>> ip6tables -A INPUT -p tcp -s ::ffff:192.168.77.77 -j DROP
>>
>> The real question is - will the latter actually drop IPv4 traffic from 192.168.77.77?
>
> I wouldn't count on it.
Me neither.
> also using the ipv4 mapped into ipv6 is discouraged for servers anyway. bind services properly to ipv6 and ipv4.
Yeah, we do too - it's more for logging and storage purposes (and then reusing those data). For instance, we would like to log addresses in one single format such that any subsequent processing does not need to work out if it's ipv4 or ipv6. vsftpd already does this, that's where I spotted this issue - failed logins are logged like this:

vsftpd[18638]: [testuser123] FAIL LOGIN: Client "::ffff:192.168.77.77"
vsftpd[9695]: [admin_com] FAIL LOGIN: Client "2001:db8:bdfe::706f:bdfe"

/Per

-- 
Per Jessen, Zürich (10.4°C)
http://www.hostsuisse.com/ - virtual servers, made in Switzerland.
On 2015-05-20 13:04:23 +0200, Per Jessen wrote:
> Yeah, we do too - it's more for logging and storage purposes (and then reusing those data). For instance, we would like to log addresses in one single format such that any subsequent processing does not need to work out if it's ipv4 or ipv6. vsftpd already does this, that's where I spotted this issue - failed logins are logged like this:
>
> vsftpd[18638]: [testuser123] FAIL LOGIN: Client "::ffff:192.168.77.77"
> vsftpd[9695]: [admin_com] FAIL LOGIN: Client "2001:db8:bdfe::706f:bdfe"
wrong approach imho. don't try to force everything into that ugly mapped format.

darix
Marcus Rueckert wrote:
> On 2015-05-20 13:04:23 +0200, Per Jessen wrote:
>
>> Yeah, we do too - it's more for logging and storage purposes (and then reusing those data). For instance, we would like to log addresses in one single format such that any subsequent processing does not need to work out if it's ipv4 or ipv6. vsftpd already does this, that's where I spotted this issue - failed logins are logged like this:
>>
>> vsftpd[18638]: [testuser123] FAIL LOGIN: Client "::ffff:192.168.77.77"
>> vsftpd[9695]: [admin_com] FAIL LOGIN: Client "2001:db8:bdfe::706f:bdfe"
>
> wrong approach imho. don't try to force everything into that ugly mapped format.
What would you do instead? Always having to do "if ipv4 then else ipv6" quickly becomes tiresome, doesn't matter if it's bash, php or c-code.

Anyway, with vsftpd I guess we have little choice :-)

-- 
Per Jessen, Zürich (10.7°C)
http://www.dns24.ch/ - free dynamic DNS, made in Switzerland.
On 2015-05-20 13:30:27 +0200, Per Jessen wrote:
> What would you do instead? Always having to do "if ipv4 then else ipv6" quickly becomes tiresome, doesn't matter if it's bash, php or c-code.
exactly that. handle each properly and hope IPv4 will die at some point.
> Anyway, with vsftpd I guess we have little choice :-)
true. maybe ... if you run it via some kind of xinetd you can bind the ipv6 socket with v6only flag and then a second service for ipv4.

darix
Marcus Rueckert wrote:
> On 2015-05-20 13:30:27 +0200, Per Jessen wrote:
>
>> What would you do instead? Always having to do "if ipv4 then else ipv6" quickly becomes tiresome, doesn't matter if it's bash, php or c-code.
>
> exactly that. handle each properly and hope IPv4 will die at some point.
Haha, probably not in our life times.
>> Anyway, with vsftpd I guess we have little choice :-)
>
> true. maybe ... if you run it via some kind of xinetd you can bind the ipv6 socket with v6only flag and then a second service for ipv4.
Hmm, that's an interesting idea, thanks.

-- 
Per Jessen, Zürich (11.7°C)
http://www.hostsuisse.com/ - dedicated server rental in Switzerland.
On 05/20/2015 05:30 AM, Per Jessen wrote:
> ip6tables -A INPUT -p tcp -s ::ffff:192.168.77.77 -j DROP
>
> The real question is - will the latter actually drop IPv4 traffic from 192.168.77.77?
No. If you use Wireshark, you'll see that when you try to access ::ffff:192.168.77.77 it's actually converted to 192.168.77.77 and the return traffic is also from 192.168.77.77. Don't forget, the device with the address 192.168.77 might not be able to do IPv6 and wouldn't even know what ::ffff:192.168.77.77 means. So, you'll have to filter on 192.168.77.77.
James Knott wrote:
> On 05/20/2015 05:30 AM, Per Jessen wrote:
>
>> ip6tables -A INPUT -p tcp -s ::ffff:192.168.77.77 -j DROP
>>
>> The real question is - will the latter actually drop IPv4 traffic from 192.168.77.77?
>
> No. If you use Wireshark, you'll see that when you try to access ::ffff:192.168.77.77 it's actually converted to 192.168.77.77 and the return traffic is also from 192.168.77.77. Don't forget, the device with the address 192.168.77 might not be able to do IPv6 and wouldn't even know what ::ffff:192.168.77.77 means. So, you'll have to filter on 192.168.77.77.
Yeah, that's my conclusion too. It's a pity iptables doesn't accept the mapped address form. Oh well.

-- 
Per Jessen, Zürich (11.9°C)
http://www.dns24.ch/ - your free DNS host, made in Switzerland.
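Turning the thread's conclusion into code, as an added example that is not part of the original posts: a small Python script that reads vsftpd FAIL LOGIN lines like the ones Per quoted, unmaps ::ffff: addresses with the standard ipaddress module, and emits the DROP rule for the right tool (iptables on the embedded IPv4 address, since that is what is on the wire; ip6tables only for native IPv6). The third log line and the function names are constructed for this example.

```python
import ipaddress
import re

# Constructed sample in the format vsftpd uses for failed logins; the first
# two addresses are the ones quoted in the thread, the third is made up.
SAMPLE_LOG = """\
vsftpd[18638]: [testuser123] FAIL LOGIN: Client "::ffff:192.168.77.77"
vsftpd[9695]: [admin_com] FAIL LOGIN: Client "2001:db8:bdfe::706f:bdfe"
vsftpd[9701]: [guest] FAIL LOGIN: Client "192.168.77.78"
"""

FAIL_LOGIN = re.compile(r'FAIL LOGIN: Client "([^"]+)"')


def normalize(addr_str):
    """Return ("iptables", IPv4Address) or ("ip6tables", IPv6Address).

    An IPv4-mapped address (::ffff:a.b.c.d) only exists inside a dual-stack
    socket; the packet itself is plain IPv4, so it has to be filtered with
    iptables on the embedded IPv4 address, not with ip6tables.
    """
    addr = ipaddress.ip_address(addr_str)
    if addr.version == 6:
        mapped = addr.ipv4_mapped  # IPv4Address or None
        if mapped is not None:
            return "iptables", mapped
        return "ip6tables", addr
    return "iptables", addr


def drop_rules(log_text):
    """Build one DROP rule per distinct client seen in FAIL LOGIN lines."""
    rules = []
    for line in log_text.splitlines():
        m = FAIL_LOGIN.search(line)
        if not m:
            continue
        try:
            tool, addr = normalize(m.group(1))
        except ValueError:
            continue  # malformed client field: skip rather than guess
        rule = f"{tool} -A INPUT -p tcp -s {addr} -j DROP"
        if rule not in rules:
            rules.append(rule)
    return rules


if __name__ == "__main__":
    for rule in drop_rules(SAMPLE_LOG):
        print(rule)
```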
participants (4)
- James Knott
- Marcus Rueckert
- Marcus Rückert
- Per Jessen