[Systems] Strange IPv6 behavior on pootle
Bernie Innocenti
bernie at codewiz.org
Wed Dec 22 16:06:24 EST 2010
We're tracing an odd ipv6 connectivity issue between two machines
communicating through your 6to4 gateway. The two endpoints are:
pootle 140.186.70.106 2002:8cba:466a::1
jita 18.85.44.120 2002:1255:2c78::1
If we try to ssh from pootle to jita, the connection simply hangs. Same
thing happens by telnetting to port 22.
On jita, we can see tunneled ipv6 packets arriving at eth0:
jita:~# tcpdump -i eth0 proto ipv6
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
14:52:30.577659 IP pootle.sugarlabs.org > jita.sugarlabs.org: IP6 2002:8cba:466a::1.33984 > 2002:1255:2c78::1.ssh: Flags [S], seq 2981017253, win 5680, options [mss 1420,sackOK,TS val 1097353256 ecr 0,nop,wscale 7], length 0
14:52:33.573657 IP pootle.sugarlabs.org > jita.sugarlabs.org: IP6 2002:8cba:466a::1.33984 > 2002:1255:2c78::1.ssh: Flags [S], seq 2981017253, win 5680, options [mss 1420,sackOK,TS val 1097353556 ecr 0,nop,wscale 7], length 0
So the problem seems to be on jita.
Mysteriously, if we send any packet on the reverse route from jita to
pootle (even a ping will work), from that moment on everything starts
working! It's really magic.
If you see this problem again, PLEASE DO NOT FIX IT WITH THE ABOVE
WORKAROUND!
My theory is that the current iptables rules are matching the 6to4
packets, and after some traffic travels in the opposite direction, the
stateful rule "RELATED,ESTABLISHED" lets everything pass through.
Here's what the firewall currently looks like:
jita:/etc/cron.daily# iptables -L -v
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
25M 14G ACCEPT all -- any any anywhere anywhere state RELATED,ESTABLISHED
845 202K ACCEPT icmp -- any any anywhere anywhere
73352 4402K ACCEPT all -- lo any anywhere anywhere
156K 9264K ACCEPT tcp -- any any anywhere anywhere state NEW tcp dpt:http
3510 202K ACCEPT tcp -- any any anywhere anywhere state NEW tcp dpt:https
134K 8042K ACCEPT tcp -- any any anywhere anywhere state NEW tcp dpt:ssh
7859 472K ACCEPT tcp -- any any anywhere anywhere state NEW tcp dpt:munin
1 60 ACCEPT tcp -- any any anywhere anywhere state NEW tcp dpt:8139
14796 885K ACCEPT tcp -- any any anywhere anywhere state NEW tcp dpt:git
3681 220K ACCEPT tcp -- any any anywhere anywhere state NEW tcp dpt:websm
73 4372 ACCEPT tcp -- any any anywhere anywhere state NEW tcp dpt:xmpp-bosh
6 360 ACCEPT tcp -- any any anywhere anywhere state NEW tcp dpt:xmpp-client
44066 2671K ACCEPT tcp -- any any anywhere anywhere state NEW tcp dpt:hpvirtgrp
225 13437 ACCEPT tcp -- any any anywhere anywhere state NEW tcp dpt:xmltec-xmlmail
81 4918 ACCEPT tcp -- any any anywhere anywhere state NEW tcp dpt:XmlIpcRegSvc
138K 9458K REJECT all -- any any anywhere anywhere reject-with icmp-host-prohibited
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 REJECT all -- any any anywhere anywhere reject-with icmp-host-prohibited
Chain OUTPUT (policy ACCEPT 29M packets, 22G bytes)
pkts bytes target prot opt in out source destination
--
// Bernie Innocenti - http://codewiz.org/
\X/ Sugar Labs - http://sugarlabs.org/
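The following is an added example, not code from the post or from Sugar Labs. It is a toy model of jita's INPUT chain plus conntrack's generic tracker, written to check the theory above: the IPv4 rules match only the outer header of a 6to4 packet (IP protocol 41), so none of the "state NEW tcp dpt:..." rules can match it and it falls through to the final REJECT; once jita sends anything to pootle, conntrack has an entry whose reply direction is ESTABLISHED and the first rule lets the encapsulated traffic in. The explicit proto-41 rule for a trusted peer (`accept_proto41_from`) is an assumed fix, not something in the post's ruleset; the port list is a subset of the post's.

```python
"""Toy model of netfilter INPUT filtering + conntrack for IPv6-in-IPv4 (6to4, proto 41).

Added example (not the post's or Sugar Labs' code). The ruleset is condensed
from the iptables -L output in the post; conntrack behaviour follows the
generic L4 tracker netfilter uses for protocols other than TCP/UDP/ICMP.
"""
from dataclasses import dataclass
from typing import Optional

PROTO_ICMP = 1
PROTO_TCP = 6
PROTO_IPV6 = 41  # IPv6 encapsulated in IPv4, what "tcpdump proto ipv6" matched

# Endpoint addresses are taken from the post.
POOTLE = "140.186.70.106"
JITA = "18.85.44.120"

# Subset of the "state NEW tcp dpt:..." rules in the post (other ports omitted).
ALLOWED_TCP_PORTS = {22, 80, 443, 9418}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int
    dport: Optional[int] = None  # the outer header of a proto-41 packet has no port


class Conntrack:
    """Generic tracker (used for proto 41): one entry per (proto, src, dst) tuple."""

    def __init__(self):
        self.table = {}  # original-direction tuple -> True once a reply was seen

    def classify(self, pkt):
        """Return the ctstate that '-m state' would see for this packet."""
        orig = (pkt.proto, pkt.src, pkt.dst)
        reply = (pkt.proto, pkt.dst, pkt.src)
        if reply in self.table:
            self.table[reply] = True  # reply direction counts as ESTABLISHED
            return "ESTABLISHED"
        if orig in self.table:
            return "ESTABLISHED" if self.table[orig] else "NEW"
        return "NEW"

    def confirm(self, pkt):
        """Only accepted packets get a confirmed entry; a REJECTed one leaves none."""
        orig = (pkt.proto, pkt.src, pkt.dst)
        reply = (pkt.proto, pkt.dst, pkt.src)
        if reply not in self.table:
            self.table.setdefault(orig, False)


class Host:
    def __init__(self, addr, accept_proto41_from=()):
        self.addr = addr
        self.ct = Conntrack()
        # Assumed fix: 6to4 peers/relays whose encapsulated traffic is accepted explicitly.
        self.trusted_41 = frozenset(accept_proto41_from)

    def input_chain(self, pkt, state):
        """The post's INPUT chain, condensed; rule order matters as in iptables."""
        if state in ("RELATED", "ESTABLISHED"):
            return "ACCEPT"
        if pkt.proto == PROTO_ICMP:
            return "ACCEPT"
        if pkt.proto == PROTO_TCP and state == "NEW" and pkt.dport in ALLOWED_TCP_PORTS:
            return "ACCEPT"
        if pkt.proto == PROTO_IPV6 and pkt.src in self.trusted_41:
            return "ACCEPT"  # the assumed extra rule; absent from the post's ruleset
        return "REJECT"  # reject-with icmp-host-prohibited

    def handle(self, pkt):
        state = self.ct.classify(pkt)
        if pkt.src == self.addr:
            verdict = "ACCEPT"  # OUTPUT chain: policy ACCEPT, no rules
        else:
            verdict = self.input_chain(pkt, state)
        if verdict == "ACCEPT":
            self.ct.confirm(pkt)
        return verdict


def scenario(host):
    """Replay the post's three events on jita; return the verdicts in order."""
    events = [
        Packet(POOTLE, JITA, PROTO_IPV6),  # 1. encapsulated SSH SYN from pootle (tcpdump lines)
        Packet(JITA, POOTLE, PROTO_IPV6),  # 2. the workaround: any packet jita -> pootle, e.g. a ping
        Packet(POOTLE, JITA, PROTO_IPV6),  # 3. pootle's retransmitted SYN
    ]
    return [host.handle(p) for p in events]


def without_fix():
    return scenario(Host(JITA))  # ['REJECT', 'ACCEPT', 'ACCEPT']: the "magic"


def with_fix():
    return scenario(Host(JITA, accept_proto41_from={POOTLE}))  # all ACCEPT


if __name__ == "__main__":
    print("post's ruleset:   ", without_fix())
    print("with proto-41 rule:", with_fix())
```

On a real host the equivalent of the assumed rule is `iptables -I INPUT -p 41 -s 140.186.70.106 -j ACCEPT` inserted ahead of the final REJECT; the decapsulated IPv6 then gets filtered by ip6tables rather than by the IPv4 chain. The quick check that the model reflects is `iptables -L INPUT -v -n`: the post's listing shows no rule for protocol 41 at all, so every inbound 6to4 packet without a prior outbound one can only hit the REJECT line.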