
On system A I'm using ip6tables and I'm DROPing INPUT packets coming from system B through IPv6.

As expected, when system B uses ping6 to system A, it sees destination unreachable.

However, when on system A I also DROP OUTPUT destination-unreachable icmpv6 packets is it normal that system B still sees destination unreachable? Should system B see some other message instead?

Adelin
  • Without the `ip6tables` rules, can you ping system A from system B? A drop rule shouldn't be generating an ICMP response. Are the two systems on the same link? – Torin Oct 29 '18 at 12:27
  • Before you attempt to firewall ICMPv6, be sure you have read and fully understood [RFC 4890](https://tools.ietf.org/html/rfc4890). The network you don't break may be your own. – Michael Hampton Oct 29 '18 at 13:21

2 Answers


No (as far as I understand your question). If you add a "DROP OUTPUT destination-unreachable" on System A, you would just make the response to an outgoing ping silent on System A.

If you would like to change the behaviour of the output of the ping from System B to System A, then you should make the modification in the ip6tables of System B.

Ingvar J

This is how I test (and how I understand your case):

  • ping from serverB to serverA -> reply received
  • Add rule in serverA

    iptables -I INPUT -s serverB -p icmp -j REJECT

  • Ping from serverB to serverA now results in "Request timeout... Destination port Unreachable"

If I instead change the iptables rule as follows:

    iptables -I INPUT -s serverB -p icmp -j DROP

the ping from serverB to serverA will look like "Request timeout for icmp_seq 1", i.e. no "destination port unreachable". Is this the result you are looking for?

Ingvar J
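The test above is written for IPv4 iptables, while the question is about ip6tables. The script below is an added example (not code from the question or either answer) that redoes the same DROP-versus-REJECT test in ip6tables syntax and adds the check that settles the question in the original post: a DROP rule never sends anything back, so if system B still prints "Destination unreachable" after system A drops the echo requests, that error was not sent by A's rule. It either came from A's stack for another reason (then the OUTPUT rule on A can suppress it) or from B's own kernel, for instance because neighbour discovery towards A failed (then nothing A filters in OUTPUT changes what B prints). `classify_ping_output` tells these cases apart by the source address in the iputils-style "From <addr> icmp_seq=N Destination unreachable: ..." line. The addresses 2001:db8::a / 2001:db8::b, the function names and the sample ping outputs are placeholders and constructed data, not anything from the original systems.

```shell
#!/bin/sh
# Added example, not code from the question or the answers. Re-does the
# DROP-vs-REJECT test with ip6tables and classifies where a "Destination
# unreachable" seen on system B came from.
# 2001:db8::a / 2001:db8::b are placeholder addresses (override via env).
SYSTEM_A="${SYSTEM_A:-2001:db8::a}"   # the host running the firewall
SYSTEM_B="${SYSTEM_B:-2001:db8::b}"   # the host running ping6
IP6T="${IP6T:-ip6tables}"
DRY_RUN="${DRY_RUN:-1}"               # 1: only print the commands; 0: run them (needs root)

run() {
  if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Match only echo-request from B instead of "-s B" for all traffic, so the
# neighbour discovery between A and B keeps working (the RFC 4890 point).
# $1 = -I (insert) or -D (delete); $2 = DROP or REJECT
rule() {
  case "$2" in
    REJECT) run "$IP6T" "$1" INPUT -s "$SYSTEM_B" -p ipv6-icmp --icmpv6-type echo-request \
                -j REJECT --reject-with icmp6-adm-prohibited ;;
    DROP)   run "$IP6T" "$1" INPUT -s "$SYSTEM_B" -p ipv6-icmp --icmpv6-type echo-request -j DROP ;;
    *)      echo "usage: rule -I|-D DROP|REJECT" >&2; return 2 ;;
  esac
}
add_rule() { rule -I "$1"; }
del_rule() { rule -D "$1"; }

# The OUTPUT rule from the question: stop A from sending its own
# destination-unreachable errors to B.
silence_unreachable() {
  run "$IP6T" -I OUTPUT -d "$SYSTEM_B" -p ipv6-icmp --icmpv6-type destination-unreachable -j DROP
}

# Map one complete ping6 output (iputils format, assumed) to a verdict:
#   reply              : A answered the echo request
#   unreachable-from-A : A sent the ICMPv6 error (REJECT); A's OUTPUT rule can suppress it
#   unreachable-local  : B's own stack produced the error (e.g. neighbour discovery
#                        failed); no OUTPUT rule on A changes this
#   dropped            : neither reply nor error, which is what DROP looks like
classify_ping_output() {
  while IFS= read -r line; do
    case "$line" in
      *" bytes from "*"icmp_seq="*)                  echo reply;              return 0 ;;
      "From $SYSTEM_A "*"Destination unreachable"*)   echo unreachable-from-A; return 0 ;;
      "From $SYSTEM_B "*"Destination unreachable"*)   echo unreachable-local;  return 0 ;;
      "From "*"Destination unreachable"*)            echo unreachable-other;  return 0 ;;
      *"100% packet loss"*|"Request timeout"*)       echo dropped;            return 0 ;;
    esac
  done <<EOF
$1
EOF
  echo unknown
}

# Constructed sample outputs (not captured from the systems in the question).
SAMPLE_REPLY="64 bytes from $SYSTEM_A: icmp_seq=1 ttl=64 time=0.210 ms"
SAMPLE_REJECT="From $SYSTEM_A icmp_seq=1 Destination unreachable: Administratively prohibited"
SAMPLE_LOCAL="From $SYSTEM_B icmp_seq=1 Destination unreachable: Address unreachable"
SAMPLE_DROP="--- $SYSTEM_A ping statistics ---
3 packets transmitted, 0 received, 100% packet loss, time 2041ms"

# Dry-run walk-through: print the three rules, then classify the samples.
if [ "$DRY_RUN" = 1 ]; then
  add_rule REJECT
  add_rule DROP
  silence_unreachable
fi
for s in "$SAMPLE_REPLY" "$SAMPLE_REJECT" "$SAMPLE_LOCAL" "$SAMPLE_DROP"; do
  classify_ping_output "$s"
done
```

To run it for real, source the file in a root shell on system A with `DRY_RUN=0`, call `add_rule DROP` (or `add_rule REJECT`, optionally followed by `silence_unreachable`), ping from B and feed the output to `classify_ping_output`, then undo with `del_rule` and the matching `-D OUTPUT` rule. The verdict `unreachable-local` is the one to look for if B keeps printing an unreachable error no matter what A drops in OUTPUT.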