ip6tables with raw table(no conntrack) drop fragmented packet

Larry Larson larsonlarry66 at gmail.com
Sat Oct 1 03:55:18 UTC 2016


Greetings,

I've followed the instructions in this BIND Knowledge Base article and
installed ip6tables on my DNS server, using the raw table with no conntrack for
DNS:
https://kb.isc.org/article/AA-01183/0/Linux-connection-tracking-and-DNS.html

But for IPv6 it drops fragmented packets. For example, this query fails once
the ip6tables rules are on:
dig +dnssec isc.org any @2001:500:60::30

Everything works great for IPv4 with similar rules. Can someone help shed
some light on what might be wrong?

# Firewall configuration written by system-config-firewall
*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -p udp -m udp --dport 53 -j NOTRACK
-A PREROUTING -p udp -m udp --sport 53 -j NOTRACK
-A OUTPUT -p udp -m udp --dport 53 -j NOTRACK
-A OUTPUT -p udp -m udp --sport 53 -j NOTRACK
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED,UNTRACKED -j ACCEPT
-A INPUT -p ipv6-icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
#tcp dns
-A INPUT -m conntrack --ctstate NEW -m tcp -p tcp --dport 53 -j ACCEPT
-A INPUT -m conntrack --ctstate NEW -m tcp -p tcp --sport 53 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp6-adm-prohibited
-A FORWARD -j REJECT --reject-with icmp6-adm-prohibited
COMMIT

Thanks in advance!!
Larry
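An added illustration, not from the original post or the ISC article: why a port-based rule such as "-p udp --dport 53" cannot classify every fragment of a large DNSSEC response. Under RFC 8200 only the first IPv6 fragment carries the UDP header, so a match keyed on ports has no port information to look at in the remaining fragments; whether those fragments reach the raw table one by one or only after reassembly depends on the kernel's defragmentation handling, which this example does not model. The destination address, the 2000-byte payload and the 1232-byte chunk size are constructed values.

```python
import ipaddress
import struct

IPV6_FRAG, IPV6_UDP = 44, 17
EXT_WITH_LEN = {0, 43, 60}  # hop-by-hop, routing, destination options: (next, len) prefixed


def build_fragments(src, dst, sport, dport, data, chunk=1232):
    """Constructed sample traffic: one UDP datagram split into IPv6 fragments (RFC 8200 layout).
    Only the first fragment carries the UDP header; the others carry raw payload bytes."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data  # checksum 0: not needed here
    frags = []
    for off in range(0, len(udp), chunk):  # chunk must be a multiple of 8
        piece = udp[off:off + chunk]
        more = off + chunk < len(udp)
        frag_hdr = struct.pack("!BBHI", IPV6_UDP, 0, ((off // 8) << 3) | int(more), 0x1234)
        ip6 = struct.pack("!IHBB", 0x60000000, 8 + len(piece), IPV6_FRAG, 64)
        ip6 += ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed
        frags.append(ip6 + frag_hdr + piece)
    return frags


def parse_ipv6(pkt):
    """Walk the extension-header chain; return fragment info and UDP ports if a UDP header is present."""
    nh, off, frag = pkt[6], 40, None
    while nh in EXT_WITH_LEN or nh == IPV6_FRAG:
        if nh == IPV6_FRAG:
            nh, _, offfl, _ = struct.unpack_from("!BBHI", pkt, off)
            frag = {"offset": (offfl >> 3) * 8, "more": bool(offfl & 1)}
            off += 8
            if frag["offset"]:  # non-first fragment: what follows is payload, not a transport header
                return {"frag": frag, "udp": None}
        else:
            nh, off = pkt[off], off + (pkt[off + 1] + 1) * 8
    udp = None
    if nh == IPV6_UDP:
        sport, dport = struct.unpack_from("!HH", pkt, off)
        udp = {"sport": sport, "dport": dport}
    return {"frag": frag, "udp": udp}


def matches_udp_53(pkt):
    """What a '-p udp --sport 53' / '--dport 53' match can see in this single packet."""
    udp = parse_ipv6(pkt)["udp"]
    return udp is not None and 53 in (udp["sport"], udp["dport"])


if __name__ == "__main__":
    # 2001:db8::/32 is the documentation prefix; the 2000-byte zero payload stands in for a DNSSEC answer
    for f in build_fragments("2001:500:60::30", "2001:db8::53", 53, 40000, b"\x00" * 2000):
        print(parse_ipv6(f)["frag"], "port-53 match:", matches_udp_53(f))
```

Running it shows the first fragment (offset 0) matching on port 53 and the second (offset 1232) not matching at all, which is the kind of packet a port-only rule set silently fails to classify.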