Iptables – ip6tables IPv6 address range comparison

Tags: iptables, ipv6

I am using ip6tables to restrict connections to server.
I use ip6tables with "-m iprange --src-range %s-%s" to specify the hosts that are allowed to connect.

  1. If I specify the range to 8000::0 – ffff::ffff, the result looks like this.

    Chain ripp_0_0 (1 references)

    target prot opt source destination
    ACCEPT all ::/0 ::/0 source IP range 8000::-ffff::ffff

  2. If I specify the range to 0::0 – ffff::ffff, the result looks like this.

    Chain ripp_0_0 (1 references)

    target prot opt source destination
    ACCEPT all ::/0 ::/0 source IP range ::-ffff::ffff

My client has link-local address fe80::e91b:befe:97dc:9df5.
For case 1, ip6tables works as expected and the connection is allowed.
For case 2, it should also be allowed, but the connection is rejected.

What is the algorithm used by ip6tables to compare addresses?
Could someone please give me some clue on how to pursue this issue?

Best regards.

Best Answer

Not sure about the ip6tables stuff, but ffff::ffff does not mean what you think it does. It expands to ffff:0000:0000:0000:0000:0000:0000:ffff. The range 0::0 to ffff::ffff will thus just have zeroes in all the middle words, I think. Try ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff if that is what you mean.

Or just use 8000::/1 and ::/0 if you want to say "half the address space" and "all the address space". Understanding network masks is essential to your sanity when working with IPv6.
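To make the expansion concrete, here is an added Python example (not code from the question or the answer) using the standard `ipaddress` module. It prints the full eight-group form of the bounds used in the question, tests membership of the client address and of a constructed address above ffff::ffff, and compares the range form with the prefix form the answer suggests. It assumes that the iprange match compares the two addresses as unsigned 128-bit integers.

```python
from ipaddress import IPv6Address, IPv6Network

# Client address from the question.
CLIENT = IPv6Address("fe80::e91b:befe:97dc:9df5")
# Constructed address: greater than ffff::ffff once the middle words are expanded.
ABOVE_SHORT_UPPER = IPv6Address("ffff::1:0")
FULL_UPPER = "ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff"


def expand(addr: str) -> str:
    """Return the uncompressed eight-group form of an IPv6 address."""
    return IPv6Address(addr).exploded


def in_src_range(addr: IPv6Address, low: str, high: str) -> bool:
    """Membership test for '-m iprange --src-range low-high'.

    Assumption: the match treats both bounds as unsigned 128-bit integers
    and accepts addresses with low <= addr <= high.
    """
    lo, hi = IPv6Address(low), IPv6Address(high)
    if lo > hi:
        raise ValueError(f"inverted range {low}-{high}")
    return lo <= addr <= hi


def in_prefix(addr: IPv6Address, prefix: str) -> bool:
    """Membership test for the prefix form (8000::/1, ::/0) from the answer."""
    return addr in IPv6Network(prefix, strict=True)


if __name__ == "__main__":
    for bound in ("8000::", "::", "ffff::ffff", FULL_UPPER):
        print(f"{bound:>40} -> {expand(bound)}")
    for low, high in (("8000::", "ffff::ffff"), ("::", "ffff::ffff"), ("::", FULL_UPPER)):
        print(f"client in {low}-{high}: {in_src_range(CLIENT, low, high)}")
        print(f"ffff::1:0 in {low}-{high}: {in_src_range(ABOVE_SHORT_UPPER, low, high)}")
    for prefix in ("8000::/1", "::/0"):
        print(f"client in {prefix}: {in_prefix(CLIENT, prefix)}")
```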