Subj : "portproxy" in linux
To   : Markus Reschke
From : Tommi Koivula
Date : Sat Sep 26 2015 17:33:34

26 Sep 15 15:57, you wrote to me:

 TK>> Now I have a problem with the IPv6 firewall. It always blocks the
 TK>> inbound traffic from the tunnel even if I allowed port 24554 from
 TK>> the GUI of AsusWRT. From the router the forwarding works (telnet
 TK>> 2001:470:27:a::2 24554).

 MR> If possible, please enable firewall logging and check the log entries
 MR> for IPv6 binkp. When you find drop/reject messages for binkp, then the
 MR> next step is to evaluate the firewall rules. If you're lucky the log
 MR> entries include the chain's name. That's based on how the rule sets
 MR> are designed.

One log line of dropped inbound binkp:

Sep 26 18:33:16 kernel: DROP <4>DROP IN=v6in4 OUT= MAC=00:e6:ba:a0:11:11:00:03:fa:56:9b:ac:08:00:45:00:00:5c:cf:d4:40:00:fa:29:c9:60:d8:42:50:5a:5b:9b:63:0b:60:00:00:00 TUNNEL=216.66.80.90->91.155.99.11 <1>SRC=2001:0470:1f15:0cb0:0000:0000:0000:0004 DST=2001:0470:0027:000a:0000:0000:0000:0002 <1>LEN=72 TC=0 HOPLIMIT=59 FLOWLBL=0 PROTO=TCP <1>SPT=57521 DPT=24554 SEQ=457283060 ACK=0 WINDOW=8192 RES=0x00 SYN URGP=0 OPT (0204058C0103030801010402)

91.155.99.11 is my router's IPv4 address, 216.66.80.90 is the endpoint of the HE tunnel. 2001:0470:1f15:0cb0:0000:0000:0000:0004 is where I tried to access binkd from, at 2001:0470:0027:000a:0000:0000:0000:0002.

Here's the output of ip6tables-save:

=== Cut ===
# Generated by ip6tables-save v1.3.8 on Sat Sep 26 18:41:06 2015
*mangle
:PREROUTING ACCEPT [13580:2593451]
:INPUT ACCEPT [10638:2352811]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [14587:1570620]
:POSTROUTING ACCEPT [14587:1570620]
-A PREROUTING -d ff02::1:ff00:0/104 -i vlan2 -p ipv6-icmp -m icmp6 --icmpv6-type 135 -j DROP
-A PREROUTING -d ff02::1:ff00:0/104 -i vlan3 -p ipv6-icmp -m icmp6 --icmpv6-type 135 -j DROP
-A FORWARD -m state --state NEW -j SKIPLOG
COMMIT
# Completed on Sat Sep 26 18:41:06 2015
# Generated by ip6tables-save v1.3.8 on Sat Sep 26 18:41:06 2015
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [12616:1430065]
:PControls - [0:0]
:logaccept - [0:0]
:logdrop - [0:0]
-A INPUT -m rt --rt-type 0 -j logdrop
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -m state --state NEW -j ACCEPT
-A INPUT -i br0 -m state --state NEW -j ACCEPT
-A INPUT -p ipv6-nonxt -m length --length 40 -j ACCEPT
-A INPUT -i br0 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 1 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 2 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 3 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 4 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 128 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 129 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 130 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 131 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 132 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 133 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 134 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 135 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 136 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 141 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 142 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 143 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 148 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 149 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 151 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 152 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 153 -j ACCEPT
-A INPUT -j logdrop
-A FORWARD -m state --state INVALID -j logdrop
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -m rt --rt-type 0 -j DROP
-A FORWARD -i br0 -o v6in4 -j ACCEPT
-A FORWARD -i br0 -o v6in4 -j ACCEPT
-A FORWARD -i br0 -o br0 -j ACCEPT
-A FORWARD -p ipv6-nonxt -m length --length 40 -j ACCEPT
-A FORWARD -p ipv6-icmp -m icmp6 --icmpv6-type 1 -j ACCEPT
-A FORWARD -p ipv6-icmp -m icmp6 --icmpv6-type 2 -j ACCEPT
-A FORWARD -p ipv6-icmp -m icmp6 --icmpv6-type 3 -j ACCEPT
-A FORWARD -p ipv6-icmp -m icmp6 --icmpv6-type 4 -j ACCEPT
-A FORWARD -p ipv6-icmp -m icmp6 --icmpv6-type 128 -j ACCEPT
-A FORWARD -p ipv6-icmp -m icmp6 --icmpv6-type 129 -j ACCEPT
-A FORWARD -d 2001:470:27:a::/64 -p tcp -m state --state NEW -m tcp --dport 24554 -j ACCEPT
-A FORWARD -d 2001:470:28:a::/64 -p tcp -m state --state NEW -m tcp --dport 24554 -j ACCEPT
-A FORWARD -i v6in4 -o br0 -j ACCEPT
-A FORWARD -j logdrop
-A OUTPUT -m rt --rt-type 0 -j logdrop
-A PControls -j ACCEPT
-A logaccept -m state --state NEW -j LOG --log-prefix "ACCEPT " --log-tcp-sequence --log-tcp-options --log-ip-options
-A logaccept -j ACCEPT
-A logdrop -m state --state NEW -j LOG --log-prefix "DROP " --log-tcp-sequence --log-tcp-options --log-ip-options
-A logdrop -j DROP
COMMIT
# Completed on Sat Sep 26 18:41:06 2015
=== Cut ===

'Tommi

---
 * Origin: ====================================== (2:221/1.1)
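As an added example (not part of Tommi's message), a small Python parser for netfilter LOG lines of the kind quoted above: it strips the kernel priority markers, reads the KEY=value fields, and infers the chain from IN/OUT the way the LOG target fills them (IN set with OUT empty means the packet was delivered to the router itself and traversed INPUT; IN and OUT both set means FORWARD). The sample line is the one from the message; the LAN prefix is the /64 the FORWARD rules accept port 24554 for.

```python
import ipaddress
import re

# The DROP line quoted in the message above, kernel priority markers (<4>, <1>) included.
SAMPLE = ('Sep 26 18:33:16 kernel: DROP <4>DROP IN=v6in4 OUT= MAC=00:e6:ba:a0:11:11:00:03:'
          'fa:56:9b:ac:08:00:45:00:00:5c:cf:d4:40:00:fa:29:c9:60:d8:42:50:5a:5b:9b:63:0b:'
          '60:00:00:00 TUNNEL=216.66.80.90->91.155.99.11 '
          '<1>SRC=2001:0470:1f15:0cb0:0000:0000:0000:0004 '
          'DST=2001:0470:0027:000a:0000:0000:0000:0002 <1>LEN=72 TC=0 HOPLIMIT=59 '
          'FLOWLBL=0 PROTO=TCP <1>SPT=57521 DPT=24554 SEQ=457283060 ACK=0 WINDOW=8192 '
          'RES=0x00 SYN URGP=0 OPT (0204058C0103030801010402)')
LAN = '2001:470:27:a::/64'   # the prefix the FORWARD rules above accept port 24554 for

_LEVEL = re.compile(r'<\d+>')           # syslog priority markers leaking into the text
_KV = re.compile(r'([A-Z]+)=(\S*)')     # KEY=value tokens; value may be empty (OUT=)
TCP_FLAGS = {'SYN', 'ACK', 'FIN', 'RST', 'PSH', 'URG'}   # bare words, present only when set

def parse_nflog(line):
    """Split one netfilter LOG line into its --log-prefix, KEY=value fields and TCP flags."""
    body = _LEVEL.sub('', line)
    first = _KV.search(body)
    if first is None:
        raise ValueError('not a netfilter LOG line')
    head = body[:first.start()].split()            # timestamp, "kernel:", log prefix
    fields = dict(_KV.findall(body[first.start():]))
    flags = {tok for tok in body[first.start():].split() if tok in TCP_FLAGS}
    return {'prefix': head[-1] if head else '', 'fields': fields, 'flags': flags}

def infer_chain(fields):
    """IN only: delivered to the host (INPUT); IN and OUT: routed (FORWARD); OUT only: OUTPUT."""
    has_in, has_out = bool(fields.get('IN')), bool(fields.get('OUT'))
    if has_in and has_out:
        return 'FORWARD'
    return 'INPUT' if has_in else ('OUTPUT' if has_out else 'UNKNOWN')

def summarize(line, lan=LAN):
    """Chain, interface, endpoints, and whether this was a SYN-only connection attempt (state NEW)."""
    rec = parse_nflog(line)
    f = rec['fields']
    dst = ipaddress.ip_address(f['DST'])
    return {
        'prefix': rec['prefix'],
        'chain': infer_chain(f),
        'in': f.get('IN', ''),
        'src': ipaddress.ip_address(f['SRC']).compressed,   # 2001:470:1f15:cb0::4
        'dst': dst.compressed,                              # 2001:470:27:a::2
        'dport': int(f['DPT']) if 'DPT' in f else None,
        'dst_in_lan': dst in ipaddress.ip_network(lan),
        'new_connection': 'SYN' in rec['flags'] and 'ACK' not in rec['flags'],
    }
```

Running `summarize(SAMPLE)` on the quoted line reports chain INPUT, interface v6in4, destination 2001:470:27:a::2 inside the LAN prefix, and a new connection to port 24554, which is what the `logdrop` chain's `--state NEW` LOG rule records.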