@jimb - many thanks for your reply!
Hey, I never knew that crontab shortcut. How long have I been writing it longhand? About 20 years... *facepalm*
Well, it's relatively new ... I'm not really sure when those "shortcuts" came into play, but "back in the day" you had to do it the way you did it. Might have been with the advent of Vixie cron, whenever that was.
This is an Internet-facing box with an iptables firewall (no NAT.) I Googled for iptables and 6in4 and - surprise surprise - was directed to another of your posts:
http://www.tunnelbroker.net/forums/index.php?topic=816.0
Just trying to figure out how that fits into my (non-NAT) scheme of things. Given $ipv4_tunnel_end_point, $my_ipv4_address, what would the rule look like to keep the channel open?
For the record, I ran an IPv6 portscan on my box, when operational, and the services that normally show for IPv4 also show up for IPv6 (which is what I want - I just want all current services running dual-stack.)
No NAT makes it simple. You just need to put a rule in which allows 6in4 traffic, like:
iptables -A INPUT --proto 41 --source <HE tunnel server> --jump ACCEPT
That would allow IPv4 proto 41 (6in4) from the HE tunnel server to be accepted permanently by the tunnel router.
If you're running some firewall script or bundled firewall system which controls netfilter/iptables, you may want to make sure that the outbound rules (OUTPUT chain) allow protocol 41 too (typically they're set to allow anything inside -> outside though).
Firewall stuff from IPv6 itself is done with ip6tables of course. So, you just need to make the ip6tables security policy mirror the iptables policy to implement what you want (like security policy for IPv4/IPv6).
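The rule set described in the reply above, written out as an added shell example (not code from the thread or from HE): the proto 41 rule on the IPv4 side and a matching INPUT policy in both iptables and ip6tables. The tunnel-server address 192.0.2.1, the host address 198.51.100.7 and the port list are constructed placeholders; the script only prints the commands so they can be reviewed before being applied.

```shell
#!/bin/sh
# Added example, not from the thread: print the iptables/ip6tables rules for a
# non-NAT 6in4 tunnel router whose IPv4 and IPv6 INPUT policies stay in sync.
# Arguments: <HE tunnel server IPv4> <own public IPv4> "<tcp ports to expose>"
gen_6in4_rules() {
    he_server="$1"; my_ipv4="$2"; ports="$3"
    # IPv4: accept 6in4 (IP protocol 41) only from the HE tunnel server and only
    # to our own address. The OUTPUT rule matters if the OUTPUT chain is not
    # already allow-all.
    printf '%s\n' "iptables -A INPUT -p 41 -s $he_server -d $my_ipv4 -j ACCEPT"
    printf '%s\n' "iptables -A OUTPUT -p 41 -s $my_ipv4 -d $he_server -j ACCEPT"
    # Mirror the same INPUT policy in both tables so every service is dual-stack.
    for t in iptables ip6tables; do
        printf '%s\n' "$t -A INPUT -i lo -j ACCEPT"
        printf '%s\n' "$t -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
        for p in $ports; do
            printf '%s\n' "$t -A INPUT -p tcp --dport $p -j ACCEPT"
        done
    done
    # IPv6 relies on ICMPv6 for neighbour discovery and path-MTU discovery,
    # so the ip6tables policy must not drop it wholesale.
    printf '%s\n' "ip6tables -A INPUT -p ipv6-icmp -j ACCEPT"
    # Same default-deny on both stacks.
    printf '%s\n' "iptables -P INPUT DROP"
    printf '%s\n' "ip6tables -P INPUT DROP"
}

# Constructed sample values (RFC 5737 documentation addresses), not real endpoints.
gen_6in4_rules 192.0.2.1 198.51.100.7 "22 80 443"
```

Once the printed rules have been checked, the same call can be piped into sh on the tunnel router to apply them.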