Here is the requested information:
ip6tables -S
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-N VYATTA_FW_IN_HOOK
-N VYATTA_FW_LOCAL_HOOK
-N VYATTA_FW_OUT_HOOK
-N VYATTA_POST_FW_FWD_HOOK
-N VYATTA_POST_FW_IN_HOOK
-N VYATTA_POST_FW_OUT_HOOK
-N WANv6_IN
-N wan_local-6
-A INPUT -j VYATTA_FW_LOCAL_HOOK
-A INPUT -j VYATTA_POST_FW_IN_HOOK
-A FORWARD -j VYATTA_FW_IN_HOOK
-A FORWARD -j VYATTA_FW_OUT_HOOK
-A FORWARD -j VYATTA_POST_FW_FWD_HOOK
-A OUTPUT -j VYATTA_POST_FW_OUT_HOOK
-A VYATTA_FW_IN_HOOK -i eth0 -j WANv6_IN
-A VYATTA_FW_LOCAL_HOOK -i eth0 -j wan_local-6
-A VYATTA_FW_OUT_HOOK -o switch0 -j wan_local-6
-A VYATTA_POST_FW_FWD_HOOK -j ACCEPT
-A VYATTA_POST_FW_IN_HOOK -j ACCEPT
-A VYATTA_POST_FW_OUT_HOOK -j ACCEPT
-A WANv6_IN -m comment --comment WANv6_IN-10 -m state --state RELATED,ESTABLISHED -j RETURN
-A WANv6_IN -m comment --comment WANv6_IN-20 -m state --state INVALID -j DROP
-A WANv6_IN -p ipv6-icmp -m comment --comment WANv6_IN-25 -j RETURN
-A WANv6_IN -d 2a01:e0a:348:bda0:1337::2/128 -p tcp -m comment --comment WANv6_IN-30 -m set --match-set SSH-clients-IPv6 src -m tcp --dport 22 -j RETURN
-A WANv6_IN -d 2a01:e0a:348:bda0:1337::2/128 -p tcp -m comment --comment WANv6_IN-40 -m set --match-set Xymon-clients-IPv6 src -m tcp --dport 1984 -j RETURN
-A WANv6_IN -d 2a01:e0a:348:bda0:1337::2/128 -p tcp -m comment --comment WANv6_IN-42 -m set --match-set Lognes-IPv6 src -m tcp --dport 1984 -j RETURN
-A WANv6_IN -d 2a01:e0a:348:bda0:1337::2/128 -p tcp -m comment --comment WANv6_IN-50 -m state --state NEW,ESTABLISHED -m multiport --dports 80,443 -j RETURN
-A WANv6_IN -d 2a01:e0a:348:bda0:1337::2/128 -p tcp -m comment --comment WANv6_IN-60 -m state --state NEW,ESTABLISHED -m tcp --dport 53 -j RETURN
-A WANv6_IN -d 2a01:e0a:348:bda0:1337::2/128 -p udp -m comment --comment WANv6_IN-60 -m state --state NEW,ESTABLISHED -m udp --dport 53 -j RETURN
-A WANv6_IN -d 2a01:e0a:348:bda0:1337::2/128 -p tcp -m comment --comment WANv6_IN-70 -m multiport --dports 110,143,993,995 -j REJECT --reject-with icmp6-port-unreachable
-A WANv6_IN -d 2a01:e0a:348:bda0:1337::2/128 -p tcp -m comment --comment WANv6_IN-80 -m multiport --dports 25,465,587 -j RETURN
-A WANv6_IN -d 2a01:e0a:348:bda0:1337::2/128 -p tcp -m comment --comment WANv6_IN-90 -m tcp --dport 32400 -j RETURN
-A WANv6_IN -m comment --comment "WANv6_IN-10000 default-action drop" -j LOG --log-prefix "[WANv6_IN-default-D]"
-A WANv6_IN -m comment --comment "WANv6_IN-10000 default-action drop" -j DROP
-A wan_local-6 -m comment --comment wan_local-6-10 -m state --state RELATED,ESTABLISHED -j RETURN
-A wan_local-6 -p udp -m comment --comment wan_local-6-15 -m udp --sport 547 --dport 546 -j RETURN
-A wan_local-6 -m comment --comment wan_local-6-20 -m state --state INVALID -j DROP
-A wan_local-6 -p ipv6-icmp -m comment --comment wan_local-6-25 -j RETURN
-A wan_local-6 -d 2a01:e0a:348:bda0:1337::2/128 -p tcp -m comment --comment wan_local-6-30 -m set --match-set SSH-clients-IPv6 src -m tcp --dport 22 -j RETURN
-A wan_local-6 -d 2a01:e0a:348:bda0:1337::2/128 -p tcp -m comment --comment wan_local-6-40 -m set --match-set Xymon-clients-IPv6 src -m tcp --dport 1984 -j RETURN
-A wan_local-6 -d 2a01:e0a:348:bda0:1337::2/128 -p tcp -m comment --comment wan_local-6-42 -m set --match-set Lognes-IPv6 src -m tcp --dport 1984 -j RETURN
-A wan_local-6 -d 2a01:e0a:348:bda0:1337::2/128 -p tcp -m comment --comment wan_local-6-50 -m state --state NEW,ESTABLISHED -m multiport --dports 80,443 -j RETURN
-A wan_local-6 -d 2a01:e0a:348:bda0:1337::2/128 -p tcp -m comment --comment wan_local-6-60 -m tcp --dport 53 -j RETURN
-A wan_local-6 -d 2a01:e0a:348:bda0:1337::2/128 -p udp -m comment --comment wan_local-6-60 -m udp --dport 53 -j RETURN
-A wan_local-6 -d 2a01:e0a:348:bda0:1337::2/128 -p tcp -m comment --comment wan_local-6-70 -m multiport --dports 110,143,993,995 -j REJECT --reject-with icmp6-port-unreachable
-A wan_local-6 -d 2a01:e0a:348:bda0:1337::2/128 -p tcp -m comment --comment wan_local-6-80 -m multiport --dports 25,465,587 -j RETURN
-A wan_local-6 -d 2a01:e0a:348:bda0:1337::2/128 -p tcp -m comment --comment wan_local-6-90 -m tcp --dport 32400 -j RETURN
-A wan_local-6 -m comment --comment "wan_local-6-10000 default-action drop" -j LOG --log-prefix "[wan_local-6-default-D]"
-A wan_local-6 -m comment --comment "wan_local-6-10000 default-action drop" -j DROP
ip6tables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
256K 18M VYATTA_FW_LOCAL_HOOK all * * ::/0 ::/0
255K 18M VYATTA_POST_FW_IN_HOOK all * * ::/0 ::/0
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
15M 6016M VYATTA_FW_IN_HOOK all * * ::/0 ::/0
15M 6008M VYATTA_FW_OUT_HOOK all * * ::/0 ::/0
15M 6008M VYATTA_POST_FW_FWD_HOOK all * * ::/0 ::/0
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
433K 44M VYATTA_POST_FW_OUT_HOOK all * * ::/0 ::/0
Chain VYATTA_FW_IN_HOOK (1 references)
pkts bytes target prot opt in out source destination
7723K 4199M WANv6_IN all eth0 * ::/0 ::/0
Chain VYATTA_FW_LOCAL_HOOK (1 references)
pkts bytes target prot opt in out source destination
47182 3261K wan_local-6 all eth0 * ::/0 ::/0
Chain VYATTA_FW_OUT_HOOK (1 references)
pkts bytes target prot opt in out source destination
7589K 4184M wan_local-6 all * switch0 ::/0 ::/0
Chain VYATTA_POST_FW_FWD_HOOK (1 references)
pkts bytes target prot opt in out source destination
15M 6008M ACCEPT all * * ::/0 ::/0
Chain VYATTA_POST_FW_IN_HOOK (1 references)
pkts bytes target prot opt in out source destination
255K 18M ACCEPT all * * ::/0 ::/0
Chain VYATTA_POST_FW_OUT_HOOK (1 references)
pkts bytes target prot opt in out source destination
433K 44M ACCEPT all * * ::/0 ::/0
Chain WANv6_IN (1 references)
pkts bytes target prot opt in out source destination
7452K 4177M RETURN all * * ::/0 ::/0 /* WANv6_IN-10 */ state RELATED,ESTABLISHED
317 22449 DROP all * * ::/0 ::/0 /* WANv6_IN-20 */ state INVALID
779 53290 RETURN icmpv6 * * ::/0 ::/0 /* WANv6_IN-25 */
19800 1584K RETURN tcp * * ::/0 2a01:e0a:348:bda0:1337::2 /* WANv6_IN-30 */ match-set SSH-clients-IPv6 src tcp dpt:22
0 0 RETURN tcp * * ::/0 2a01:e0a:348:bda0:1337::2 /* WANv6_IN-40 */ match-set Xymon-clients-IPv6 src tcp dpt:1984
0 0 RETURN tcp * * ::/0 2a01:e0a:348:bda0:1337::2 /* WANv6_IN-42 */ match-set Lognes-IPv6 src tcp dpt:1984
3188 263K RETURN tcp * * ::/0 2a01:e0a:348:bda0:1337::2 /* WANv6_IN-50 */ state NEW,ESTABLISHED multiport dports 80,443
68 5164 RETURN tcp * * ::/0 2a01:e0a:348:bda0:1337::2 /* WANv6_IN-60 */ state NEW,ESTABLISHED tcp dpt:53
136K 12M RETURN udp * * ::/0 2a01:e0a:348:bda0:1337::2 /* WANv6_IN-60 */ state NEW,ESTABLISHED udp dpt:53
15 960 REJECT tcp * * ::/0 2a01:e0a:348:bda0:1337::2 /* WANv6_IN-70 */ multiport dports 110,143,993,995 reject-with icmp6-port-unreachable
21 1428 RETURN tcp * * ::/0 2a01:e0a:348:bda0:1337::2 /* WANv6_IN-80 */ multiport dports 25,465,587
0 0 RETURN tcp * * ::/0 2a01:e0a:348:bda0:1337::2 /* WANv6_IN-90 */ tcp dpt:32400
13068 914K LOG all * * ::/0 ::/0 /* WANv6_IN-10000 default-action drop */ LOG flags 0 level 4 prefix "[WANv6_IN-default-D]"
13068 914K DROP all * * ::/0 ::/0 /* WANv6_IN-10000 default-action drop */
Chain wan_local-6 (2 references)
pkts bytes target prot opt in out source destination
7430K 4170M RETURN all * * ::/0 ::/0 /* wan_local-6-10 */ state RELATED,ESTABLISHED
0 0 RETURN udp * * ::/0 ::/0 /* wan_local-6-15 */ udp spt:547 dpt:546
0 0 DROP all * * ::/0 ::/0 /* wan_local-6-20 */ state INVALID
47367 3275K RETURN icmpv6 * * ::/0 ::/0 /* wan_local-6-25 */
19467 1557K RETURN tcp * * ::/0 2a01:e0a:348:bda0:1337::2 /* wan_local-6-30 */ match-set SSH-clients-IPv6 src tcp dpt:22
0 0 RETURN tcp * * ::/0 2a01:e0a:348:bda0:1337::2 /* wan_local-6-40 */ match-set Xymon-clients-IPv6 src tcp dpt:1984
0 0 RETURN tcp * * ::/0 2a01:e0a:348:bda0:1337::2 /* wan_local-6-42 */ match-set Lognes-IPv6 src tcp dpt:1984
3189 263K RETURN tcp * * ::/0 2a01:e0a:348:bda0:1337::2 /* wan_local-6-50 */ state NEW,ESTABLISHED multiport dports 80,443
63 4804 RETURN tcp * * ::/0 2a01:e0a:348:bda0:1337::2 /* wan_local-6-60 */ tcp dpt:53
135K 12M RETURN udp * * ::/0 2a01:e0a:348:bda0:1337::2 /* wan_local-6-60 */ udp dpt:53
0 0 REJECT tcp * * ::/0 2a01:e0a:348:bda0:1337::2 /* wan_local-6-70 */ multiport dports 110,143,993,995 reject-with icmp6-port-unreachable
21 1428 RETURN tcp * * ::/0 2a01:e0a:348:bda0:1337::2 /* wan_local-6-80 */ multiport dports 25,465,587
0 0 RETURN tcp * * ::/0 2a01:e0a:348:bda0:1337::2 /* wan_local-6-90 */ tcp dpt:32400
586 39086 LOG all * * ::/0 ::/0 /* wan_local-6-10000 default-action drop */ LOG flags 0 level 4 prefix "[wan_local-6-default-D]"
586 39086 DROP all * * ::/0 ::/0 /* wan_local-6-10000 default-action drop */
Despite resetting the firewall, no change.
The network capture gives this:
sudo tcpdump -i eth0 "icmp6 && (ip6[40] == 128 || ip6[40] == 129)"
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
17:09:15.358054 IP6 2a01:e0a:348:bda0::1 > par10s21-in-x03.1e100.net: ICMP6, echo request, seq 1, length 64
17:09:16.366504 IP6 2a01:e0a:348:bda0::1 > par10s21-in-x03.1e100.net: ICMP6, echo request, seq 2, length 64
17:09:17.390532 IP6 2a01:e0a:348:bda0::1 > par10s21-in-x03.1e100.net: ICMP6, echo request, seq 3, length 64
17:09:18.414420 IP6 2a01:e0a:348:bda0::1 > par10s21-in-x03.1e100.net: ICMP6, echo request, seq 4, length 64
17:09:19.438550 IP6 2a01:e0a:348:bda0::1 > par10s21-in-x03.1e100.net: ICMP6, echo request, seq 5, length 64
17:09:20.462391 IP6 2a01:e0a:348:bda0::1 > par10s21-in-x03.1e100.net: ICMP6, echo request, seq 6, length 64
17:09:21.486417 IP6 2a01:e0a:348:bda0::1 > par10s21-in-x03.1e100.net: ICMP6, echo request, seq 7, length 64
17:09:22.510384 IP6 2a01:e0a:348:bda0::1 > par10s21-in-x03.1e100.net: ICMP6, echo request, seq 8, length 64
17:09:23.534501 IP6 2a01:e0a:348:bda0::1 > par10s21-in-x03.1e100.net: ICMP6, echo request, seq 9, length 64
17:09:24.558418 IP6 2a01:e0a:348:bda0::1 > par10s21-in-x03.1e100.net: ICMP6, echo request, seq 10, length 64
^C
10 packets captured
20 packets received by filter
0 packets dropped by kernel
We can clearly see the packets leaving, but not arriving...