Commit 7c552da5 authored by ale's avatar ale

Move the reject rule for INVALID packets after the ICMP ones

Otherwise, ICMPv6 traffic in the UNTRACKED conntrack state does not work in some circumstances.
parent 95583dc7
...@@ -28,7 +28,6 @@ done ...@@ -28,7 +28,6 @@ done
add_rule -A base-input -m conntrack --ctstate RELATED,ESTABLISHED,UNTRACKED -j ACCEPT add_rule -A base-input -m conntrack --ctstate RELATED,ESTABLISHED,UNTRACKED -j ACCEPT
add_rule6 -A base-input -s fe80::/10 -p ipv6-icmp -m icmp6 \ add_rule6 -A base-input -s fe80::/10 -p ipv6-icmp -m icmp6 \
--icmpv6-type 129 -j ACCEPT --icmpv6-type 129 -j ACCEPT
add_rule -A base-input -m conntrack --ctstate INVALID -j DROP
# Enable 6to4 protocol. # Enable 6to4 protocol.
#add_rule4 -A base-input -p ipv6 -j ACCEPT #add_rule4 -A base-input -p ipv6 -j ACCEPT
...@@ -51,6 +50,9 @@ add_rule6 -A base-input -p ipv6-icmp -m icmp6 --icmpv6-type 128 \ ...@@ -51,6 +50,9 @@ add_rule6 -A base-input -p ipv6-icmp -m icmp6 --icmpv6-type 128 \
#add_rule6 -A base-input -s fe80::/10 -d fe80::/10 -p udp -m udp \ #add_rule6 -A base-input -s fe80::/10 -d fe80::/10 -p udp -m udp \
# --sport 547 --dport 546 -j ACCEPT # --sport 547 --dport 546 -j ACCEPT
# This must go after the ICMP v6 matches.
add_rule -A base-input -m conntrack --ctstate INVALID -j DROP
# pre-input (runs before conntrack etc) # pre-input (runs before conntrack etc)
create_chain pre-input create_chain pre-input
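Review bot: The new comment `# This must go after the ICMP v6 matches.` records the ordering constraint but not its consequence: every rule that sits between the `RELATED,ESTABLISHED,UNTRACKED` accept and this relocated `INVALID` drop now matches conntrack-INVALID packets too, so the ICMPv6 accepts above it (and the commented-out 6to4 `-p ipv6 -j ACCEPT` at line 19, should it ever be enabled) will pass INVALID-state traffic. If the only traffic that needs this is the ICMPv6 types matched above, a narrower alternative is to keep the drop in its original early position and precede it with an explicit accept limited to those types, e.g. `add_rule6 -A base-input -p ipv6-icmp -m icmp6 --icmpv6-type 129 -m conntrack --ctstate INVALID -j ACCEPT`, so that any TCP/UDP rules appended to base-input later are still shielded by the INVALID drop. At minimum I would expand the comment to carry the rationale from the commit message and the caveat: `# Drop INVALID packets. Keep this AFTER the ICMPv6 accepts above: ICMPv6 exchanged with UNTRACKED peers is presumably classified INVALID by conntrack (confirm), and any rule placed above this line will also match INVALID packets.` The base-input chain setup this hunk belongs to starts before the hunk.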