[Systems] Strange IPv6 behavior on pootle

Bernie Innocenti bernie at codewiz.org
Wed Dec 22 16:06:24 EST 2010


We're tracing an odd ipv6 connectivity issue between two machines
communicating through your 6to4 gateway. The two endpoints are:

 pootle   140.186.70.106  2002:8cba:466a::1
 jita     18.85.44.120    2002:1255:2c78::1

If we try to ssh from pootle to jita, the connection simply hangs. Same
thing happens by telnetting to port 22.

On jita, we can see tunneled ipv6 packets arriving at eth0:

jita:~# tcpdump -i eth0 proto ipv6
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
14:52:30.577659 IP pootle.sugarlabs.org > jita.sugarlabs.org: IP6 2002:8cba:466a::1.33984 > 2002:1255:2c78::1.ssh: Flags [S], seq 2981017253, win 5680, options [mss 1420,sackOK,TS val 1097353256 ecr 0,nop,wscale 7], length 0
14:52:33.573657 IP pootle.sugarlabs.org > jita.sugarlabs.org: IP6 2002:8cba:466a::1.33984 > 2002:1255:2c78::1.ssh: Flags [S], seq 2981017253, win 5680, options [mss 1420,sackOK,TS val 1097353556 ecr 0,nop,wscale 7], length 0

So the problem seems to be on jita.

Mysteriously, if we send any packet on the reverse route from jita to
pootle (even a ping will work), from that moment on everything starts
working! It's really magic.

If you see this problem again, PLEASE DO NOT FIX IT WITH THE ABOVE
WORKAROUND!

My theory is that the current iptables rules are matching the 6to4
packets, and after some traffic travels in the opposite direction, the
stateful rule "RELATED,ESTABLISHED" lets everything pass through.

Here's what the firewall currently looks like:

jita:/etc/cron.daily# iptables -L -v
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
  25M   14G ACCEPT     all  --  any    any     anywhere             anywhere            state RELATED,ESTABLISHED 
  845  202K ACCEPT     icmp --  any    any     anywhere             anywhere            
73352 4402K ACCEPT     all  --  lo     any     anywhere             anywhere            
 156K 9264K ACCEPT     tcp  --  any    any     anywhere             anywhere            state NEW tcp dpt:http 
 3510  202K ACCEPT     tcp  --  any    any     anywhere             anywhere            state NEW tcp dpt:https 
 134K 8042K ACCEPT     tcp  --  any    any     anywhere             anywhere            state NEW tcp dpt:ssh 
 7859  472K ACCEPT     tcp  --  any    any     anywhere             anywhere            state NEW tcp dpt:munin 
    1    60 ACCEPT     tcp  --  any    any     anywhere             anywhere            state NEW tcp dpt:8139 
14796  885K ACCEPT     tcp  --  any    any     anywhere             anywhere            state NEW tcp dpt:git 
 3681  220K ACCEPT     tcp  --  any    any     anywhere             anywhere            state NEW tcp dpt:websm 
   73  4372 ACCEPT     tcp  --  any    any     anywhere             anywhere            state NEW tcp dpt:xmpp-bosh 
    6   360 ACCEPT     tcp  --  any    any     anywhere             anywhere            state NEW tcp dpt:xmpp-client 
44066 2671K ACCEPT     tcp  --  any    any     anywhere             anywhere            state NEW tcp dpt:hpvirtgrp 
  225 13437 ACCEPT     tcp  --  any    any     anywhere             anywhere            state NEW tcp dpt:xmltec-xmlmail 
   81  4918 ACCEPT     tcp  --  any    any     anywhere             anywhere            state NEW tcp dpt:XmlIpcRegSvc 
 138K 9458K REJECT     all  --  any    any     anywhere             anywhere            reject-with icmp-host-prohibited 

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 REJECT     all  --  any    any     anywhere             anywhere            reject-with icmp-host-prohibited 

Chain OUTPUT (policy ACCEPT 29M packets, 22G bytes)
 pkts bytes target     prot opt in     out     source               destination         

-- 
   // Bernie Innocenti - http://codewiz.org/
 \X/  Sugar Labs       - http://sugarlabs.org/
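To check the theory in the post without touching the live box, here is an added example (not part of the original mail) that replays the INPUT chain above against a fresh 6to4 SYN: it parses an `iptables -L -v` listing with first-match semantics and reports the target a packet of outer protocol 41 (printed as "ipv6" by iptables) hits as state NEW versus ESTABLISHED. The chain is an abridged, constructed copy of jita's, the interface `eth0` comes from the tcpdump capture, and the explicit proto-41 ACCEPT rule in `FIXED_INPUT_CHAIN` is a hypothetical fix, not something the post proposes.

```python
import re

# Constructed excerpt of jita's INPUT chain from the post (abridged). 6to4 packets
# arrive as IP protocol 41, which `iptables -L` prints as "ipv6".
INPUT_CHAIN = """\
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
  25M   14G ACCEPT     all  --  any    any     anywhere             anywhere            state RELATED,ESTABLISHED
  845  202K ACCEPT     icmp --  any    any     anywhere             anywhere
73352 4402K ACCEPT     all  --  lo     any     anywhere             anywhere
 134K 8042K ACCEPT     tcp  --  any    any     anywhere             anywhere            state NEW tcp dpt:ssh
 138K 9458K REJECT     all  --  any    any     anywhere             anywhere            reject-with icmp-host-prohibited
"""
# Hypothetical fix: an explicit ACCEPT for the tunnel protocol ahead of the REJECT.
ACCEPT_41 = "    0     0 ACCEPT     ipv6 --  any    any     anywhere             anywhere\n"
FIXED_INPUT_CHAIN = INPUT_CHAIN.replace(" 138K 9458K REJECT", ACCEPT_41 + " 138K 9458K REJECT")
# The tunnelled SYN seen in tcpdump: outer protocol 41 on eth0, first packet of a flow.
SYN_6TO4 = {"prot": "ipv6", "in": "eth0", "state": "NEW"}

# Columns of `iptables -L -v`: pkts bytes target prot opt in out source destination [options]
RULE_RE = re.compile(r"^\s*\S+\s+\S+\s+(?P<target>\S+)\s+(?P<prot>\S+)\s+\S+\s+(?P<in>\S+)"
                     r"\s+\S+\s+\S+\s+\S+\s*(?P<extra>.*)$")

def parse_rules(listing):
    """Return the rules of one chain listing as dicts, skipping header lines."""
    rules = []
    for line in listing.splitlines():
        if line.startswith("Chain") or line.split()[:1] == ["pkts"]:
            continue
        m = RULE_RE.match(line)
        if m:
            rules.append(m.groupdict())
    return rules

def rule_matches(rule, pkt):
    """Apply the protocol, input interface, conntrack state and dport criteria."""
    if rule["prot"] not in ("all", pkt["prot"]) or rule["in"] not in ("any", pkt["in"]):
        return False
    state = re.search(r"state (\S+)", rule["extra"])
    if state and pkt["state"] not in state.group(1).split(","):
        return False
    dpt = re.search(r"dpt:(\S+)", rule["extra"])
    return not dpt or dpt.group(1) == pkt.get("dport")

def verdict(listing, pkt):
    """Target of the first matching rule (first match wins), or the chain policy."""
    for rule in parse_rules(listing):
        if rule_matches(rule, pkt):
            return rule["target"]
    return "POLICY"
```

`verdict(INPUT_CHAIN, SYN_6TO4)` lands on the final REJECT, while the same packet as ESTABLISHED (after jita has sent anything back over the tunnel and conntrack has an entry for the proto-41 pair) is accepted by the first rule, which is exactly the "magic" in the post.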