ipv6 working but ip6tables not counting FORWARD packets and bytes (0 counters)

seccentral · 01-07-2016, 05:08 AM

Hello,

I'm on a centos 6.7 64bit box with stock kernel, ipv6 enabled configured and working.
I have a br0 configured for my virtual machines.
One of the virtual machines has ipv6 enabled and working: I can ping it from the internet and i can browse the internetv6 from within the virtual machine.
On the firewall however i see zero packets counted.
From the hypervisor : cat /etc/sysconfig/ip6tables snippet:

Quote:

*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
[0:0] -A -d 2001:[MY_ADDR]/128
[0:0] -A -s 2001:[MY_ADDR]/128
COMMIT

Quote:

ip6tables -L -nvx

Quote:

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 all * * 2001:[MY_ADDR]/128 ::/0

Quote:

ping6 google.com
PING google.com(par03s14-in-x0e.1e100.net) 56 data bytes
64 bytes from par03s14-in-x0e.1e100.net: icmp_seq=1 ttl=58 time=4.31 ms
64 bytes from par03s14-in-x0e.1e100.net: icmp_seq=2 ttl=58 time=4.34 ms

nini09 · 01-07-2016, 02:36 PM

Does OUTPUT counter increase after doing ping6 google.com on this machine?

seccentral · 01-11-2016, 06:55 AM

nini09 · 01-12-2016, 02:44 PM

You don't have any real iptable rule.

seccentral · 01-13-2016, 04:02 AM

well, regardless, it should increase the chain packet count rght ?

nini09 · 01-13-2016, 03:07 PM

No, these counters are relative to particular rule. If no rule is hit, why counter increase?

wildwizard · 01-14-2016, 06:16 AM

If the firewall is the hyper-visor then I'm not surprised.

You've created a L2 connection between your VM's and the external network the host will not see L3 traffic from the VM's

If you want to use the hyper-visor's firewall like that then you should create host only links from the VM's so the traffic is forced through the hosts IP stack.