iptables and ip6tables

Tim ignored_mailbox at yahoo.com.au
Fri Apr 11 11:29:02 UTC 2008


On Fri, 2008-04-11 at 11:30 +0200, Antonio M wrote:
> the two are completely different.

Yes, they are.  Which makes me wonder why you expect the configuration
of one to suit the other.

Sure, you might want similar rules (e.g. blocking port 80 for IPv4 and
IPv6), but how they're applied requires instructions suited specifically
for each one.

> I made a crazy try replacing ip6tables content with iptables content
> and I restarted ip6tables but I get:
> ip6tables failed. The error was: ip6tables: Unloading modules: [  OK  ]
> ip6tables: Applying firewall rules: ip6tables-restore v1.3.8:
> ip6tables-restore: unable to initialize table 'nat'
> 
> Error occurred at line: 2
> Try `ip6tables-restore -h' or 'ip6tables-restore --help' for more
> information.
> [FALLITO]
> 
> why?? How should iptables and ip6tables match???

Rules perhaps, but the commands to set the rules, no.

[root@suspishus ~]# cd /etc/sysconfig/
[root@suspishus sysconfig]# diff ip6tables iptables
10,13c10,13
< -A RH-Firewall-1-INPUT -p ipv6-icmp -j ACCEPT
< -A RH-Firewall-1-INPUT -m ipv6header --header 50 -j ACCEPT
< -A RH-Firewall-1-INPUT -m ipv6header --header 51 -j ACCEPT
< -A RH-Firewall-1-INPUT -p udp --dport 5353 -d ff02::fb -j ACCEPT
---
> -A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
> -A RH-Firewall-1-INPUT -p 50 -j ACCEPT
> -A RH-Firewall-1-INPUT -p 51 -j ACCEPT
> -A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
23,24c23,24
< -A RH-Firewall-1-INPUT -j REJECT --reject-with icmp6-adm-prohibited
< -A FORWARD -j REJECT --reject-with icmp6-adm-prohibited
---
> -A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
> -A FORWARD -j REJECT --reject-with icmp-host-prohibited

This shows the differences between the two configuration files.  You can
see that the IPv6 version uses different addressing schemes and some
specific IPv6 commands.

You seem to be comparing a backup file with a current file.  And you
haven't said what you've used to set your rules.

If you're hand writing your rules, you can simply wipe out the stored
configuration and start again.  If you're using a tool to configure
them, you can probably do the same.

-- 
(This computer runs FC7, my others run FC4, FC5 & FC6, in case that's
 important to the thread.)

Don't send private replies to my address, the mailbox is ignored.
I read messages from the public lists.