ip6tables doesn't filter correctly?

I have a simple iptables script that I use for all of my servers. Since I rolled out IPv6 recently, I wanted to use the same script (using ip6tables instead of iptables).

Here is my script:

/sbin/ip6tables --flush

/sbin/ip6tables -A INPUT -p icmp -j ACCEPT

/sbin/ip6tables -A INPUT -p tcp --dport 80 -j ACCEPT

/sbin/ip6tables -A INPUT -p tcp --dport 443 -j ACCEPT

/sbin/ip6tables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

/sbin/ip6tables -A INPUT -j LOG --log-level 4

/sbin/ip6tables -A INPUT -j DROP

Pretty simple: it accepts icmp, 80, 443, established, and then drops the rest. This script is exactly the same as the one for IPv4 traffic, and that one works fine.

When I run this script, I can't reach my ipv6 box at all, not via 80, icmp, nothing. It also can't ping out (via v6), which makes no sense.

This is what appears in messages (due to the iptables log rule)

Jun 8 20:12:30 www01 kernel: IN=eth0 OUT= MAC=xx:xx:xx:xx:xx:xx SRC=xx:xx:xx:xx:xx:xx:xx DST=xx:xx:xx:xx:xx:xx:xx:xx LEN=72 TC=224 HOPLIMIT=255 FLOWLBL=0 PROTO=ICMPv6 TYPE=136 CODE=0

Anyone run into this before? It happens on all of my v6 linodes…
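The log record above already says why the script takes the box off the network: PROTO=ICMPv6 TYPE=136 is a neighbour advertisement, and once those are dropped the host can never resolve its router's link-layer address, so nothing gets out regardless of the port rules. The decoder below is an added example for this thread, not code from any of the posts; it pulls the PROTO, TYPE and SRC fields out of ip6tables LOG records and labels each ICMPv6 type by what losing it costs. The sample log lines inside it are constructed (addresses and the MAC string are made up) in the kernel's LOG field layout, and the essential/optional grouping follows the RFC 4890 host recommendations.

```sh
#!/bin/sh
# Triage ip6tables LOG records and flag dropped ICMPv6 types that IPv6 cannot
# operate without. Added example for this thread, not code from the posts.
# The log lines at the bottom are constructed (addresses and MAC made up) in
# the same field layout the kernel's ip6t LOG target writes.

# Symbolic name ip6tables accepts for --icmpv6-type; plain number otherwise.
icmpv6_type_name() {
    case "$1" in
        1)   echo destination-unreachable ;;
        2)   echo packet-too-big ;;
        3)   echo time-exceeded ;;
        4)   echo parameter-problem ;;
        128) echo echo-request ;;
        129) echo echo-reply ;;
        133) echo router-solicitation ;;
        134) echo router-advertisement ;;
        135) echo neighbour-solicitation ;;
        136) echo neighbour-advertisement ;;
        137) echo redirect ;;
        *)   echo "$1" ;;
    esac
}

# What losing the type costs a host (grouping follows RFC 4890's host advice).
icmpv6_type_class() {
    case "$1" in
        1|2|3|4)             echo "essential: error message (PMTU discovery, unreachables)" ;;
        133|134|135|136|137) echo "essential: neighbour/router discovery, dropping it breaks all IPv6 on the link" ;;
        130|131|132|143)     echo "essential: multicast listener discovery from link-local sources" ;;
        128|129)             echo "optional: echo, rate-limit or drop by policy" ;;
        *)                   echo "other: review before accepting" ;;
    esac
}

# Pull one KEY=value field out of a LOG record; empty if the field is absent.
log_field() {
    printf '%s\n' "$2" | sed -n "s/.* $1=\([^ ]*\).*/\1/p"
}

# One triage line per ICMPv6 record; records for other protocols print nothing.
decode_ip6tables_log() {
    [ "$(log_field PROTO "$1")" = "ICMPv6" ] || return 0
    t=$(log_field TYPE "$1")
    printf 'type %s (%s) from %s: %s\n' "$t" "$(icmpv6_type_name "$t")" \
        "$(log_field SRC "$1")" "$(icmpv6_type_class "$t")"
}

# Reduce a whole log on stdin to its ICMPv6 drops.
triage_ip6tables_log() {
    while IFS= read -r line; do
        decode_ip6tables_log "$line"
    done
}

# Constructed sample; SRC/DST are uncompressed, as the kernel prints them.
# The first line mirrors the record quoted in the question (TYPE=136).
SAMPLE_LOG=$(cat <<'EOF'
Jun  8 20:12:30 www01 kernel: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:86:dd SRC=fe80:0000:0000:0000:0000:0000:0000:0001 DST=2001:0db8:0000:0000:0000:0000:0000:0010 LEN=72 TC=224 HOPLIMIT=255 FLOWLBL=0 PROTO=ICMPv6 TYPE=136 CODE=0
Jun  8 20:12:31 www01 kernel: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:86:dd SRC=fe80:0000:0000:0000:0000:0000:0000:0001 DST=ff02:0000:0000:0000:0000:0001:ff00:0010 LEN=72 TC=224 HOPLIMIT=255 FLOWLBL=0 PROTO=ICMPv6 TYPE=135 CODE=0
Jun  8 20:12:35 www01 kernel: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:86:dd SRC=fe80:0000:0000:0000:0000:0000:0000:0001 DST=ff02:0000:0000:0000:0000:0000:0000:0001 LEN=120 TC=224 HOPLIMIT=255 FLOWLBL=0 PROTO=ICMPv6 TYPE=134 CODE=0
Jun  8 20:12:40 www01 kernel: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:86:dd SRC=2001:0db8:0000:0000:0000:0000:0000:0099 DST=2001:0db8:0000:0000:0000:0000:0000:0010 LEN=104 TC=0 HOPLIMIT=57 FLOWLBL=0 PROTO=ICMPv6 TYPE=128 CODE=0
Jun  8 20:12:41 www01 kernel: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:86:dd SRC=2001:0db8:0000:0000:0000:0000:0000:0099 DST=2001:0db8:0000:0000:0000:0000:0000:0010 LEN=80 TC=0 HOPLIMIT=57 FLOWLBL=0 PROTO=TCP SPT=51234 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
EOF
)

# Usage: ./triage.sh --demo               (runs over the sample above)
#        ./triage.sh --stdin < /var/log/messages
case "${1:-}" in
    --demo)  printf '%s\n' "$SAMPLE_LOG" | triage_ip6tables_log ;;
    --stdin) triage_ip6tables_log ;;
esac
```

Run it over the real messages file after applying a new ruleset: any "essential" line is a rule that is missing, not an attack, and the TYPE=136 record from the question comes out exactly that way.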

6 Replies

@optize:

/sbin/ip6tables -A INPUT -p icmp -j ACCEPT

icmp should be icmpv6 here. I would run ifconfig to make sure ipv6 is configured as well.

It looks like ip6tables had a script running upon boot up that was conflicting with my script.

chkconfig ip6tables off; reboot fixed the issue.

Thanks!

@retrograde inversion:

@optize:

/sbin/ip6tables -A INPUT -p icmp -j ACCEPT

icmp should be icmpv6 here. I would run ifconfig to make sure ipv6 is configured as well.

I was also having trouble with this and the icmpv6 worked for me. I was even having trouble getting Apache to work under IPv6 until I did this.

Unfortunately, I don't really want everyone to be able to ping my server on IPv6, but the following iptables config doesn't allow anything to connect to anywhere:

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 PINGSAPPROVED  icmpv6     any    any     anywhere             anywhere
  190 15816 SPAMLIST   all      any    any     anywhere             anywhere
   23  3360 ACCEPT     all      any    any     anywhere             anywhere            ctstate RELATED,ESTABLISHED
    0     0 ACCEPT     tcp      any    any     anywhere             anywhere            tcp dpt:ssh
    0     0 ACCEPT     tcp      any    any     anywhere             anywhere            tcp dpt:www
    0     0 ACCEPT     tcp      any    any     anywhere             anywhere            tcp dpt:https
  167 12456 LOGNDROP   all      any    any     anywhere             anywhere

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 SPAMLIST   all      any    any     anywhere             anywhere

Chain OUTPUT (policy ACCEPT 79 packets, 7608 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     icmpv6     any    any     anywhere             anywhere
  113 10656 SPAMLIST   all      any    any     anywhere             anywhere

Chain LOGNDROP (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 LOG        tcp      any    any     anywhere             anywhere            limit: avg 6/min burst 5 LOG level debug prefix `Denied IPv6-TCP: '
    0     0 LOG        udp      any    any     anywhere             anywhere            limit: avg 6/min burst 5 LOG level debug prefix `Denied IPv6-UDP: '
    0     0 LOG        icmpv6     any    any     anywhere             anywhere            limit: avg 6/min burst 5 LOG level debug prefix `Denied IPv6-ICMP: '
  167 12456 DROP       all      any    any     anywhere             anywhere

Chain PINGSAPPROVED (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 RETURN     all      any    any     anywhere             anywhere

Chain SPAMLIST (3 references)
 pkts bytes target     prot opt in     out     source               destination
  303 26472 RETURN     all      any    any     anywhere             anywhere

Chain SPAMLND (0 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 LOG        all      any    any     anywhere             anywhere            limit: avg 6/min burst 5 LOG level debug prefix `SPAMLIST: '
    0     0 DROP       all      any    any     anywhere             anywhere

This mirrors a similar IPv4 iptables setup, but I can't even ping6 out to ipv6.google.com with the above. If I add a "-A INPUT -p icmpv6 -j ACCEPT" then it works fine. Also, http://ipv6-test.com/validate.php doesn't work with the above, but it works with a full-accept icmp ruleset.

I thought that the "ctstate RELATED,ESTABLISHED" accept line would allow me to ping6 out to anywhere, but it does not.

I'm confused, as well, as to why that validate ipv6 link doesn't see Apache unless I have full ICMPv6 ACCEPT rules in and out?

Am I doing it wrong?

Moreover: Do I really need to block ICMP or ICMPv6 on either iptables or ip6tables or is that just a useless security practice?

You can choose not to accept echo requests, but you still need the various ICMPv6 types related to router/neighbor announcement, autoconfiguration and what not.

See http://forum.linode.com/viewtopic.php?p=39840#39840 for a prior discussion.

BTW, to your question as to whether it's needed, I never turn off ICMP echo on my nodes - it's just too helpful for monitoring and quick testing.

I don't really see the need to accept most other IPv4 ICMP types, but with IPv6 there are more types, as above, that are crucial to proper operation, especially in an auto-configuration environment. And yes, BTW, a possible vector for problems on an unprotected network segment, for which I haven't really formed a conclusion about how bad I feel having to keep them on. Nor am I quite sure how much more protected the Xen setup may be in contrast to dedicated hardware on a shared segment.

– David

@db3l:

You can choose not to accept echo requests, but you still need the various ICMPv6 types related to router/neighbor announcement, autoconfiguration and what not.

See http://forum.linode.com/viewtopic.php?p=39840#39840 for a prior discussion.

BTW, to your question as to whether it's needed, I never turn off ICMP echo on my nodes - it's just too helpful for monitoring and quick testing.

I don't really see the need to accept most other IPv4 ICMP types, but with IPv6 they're much more critical (and yes, BTW, a possible vector for problems on an unprotected network segment, for which I haven't really formed a conclusion about how bad I feel leaving them on).

– David

Thanks for that; I think I'll leave all the icmp on for ipv6 for now or perhaps try those rules you posted. I'm pretty sure that I'm more secure than my little server needs to be anyways. I will also probably turn echo on for my ipv4 setup now because I do sometimes need to use it and I can always keep the other icmp disabled.

Thanks again!

Here are those rules in a format for use with ip6tables-apply (of course don't forget to add your own rules to it before application and save a backup copy of your ip6tables with "ip6tables-save > FILENAME"):

:ICMPv6 - [0:0]
# Approve certain ICMPv6 types and all outgoing ICMPv6
# http://forum.linode.com/viewtopic.php?p=39840#39840
-A INPUT -p icmpv6 -j ICMPv6
-A ICMPv6 -p icmpv6 --icmpv6-type echo-request -j ACCEPT
-A ICMPv6 -p icmpv6 --icmpv6-type destination-unreachable -j ACCEPT
-A ICMPv6 -p icmpv6 --icmpv6-type packet-too-big -j ACCEPT
-A ICMPv6 -p icmpv6 --icmpv6-type time-exceeded -j ACCEPT
-A ICMPv6 -p icmpv6 --icmpv6-type parameter-problem -j ACCEPT
-A ICMPv6 -p icmpv6 --icmpv6-type router-solicitation -j ACCEPT
-A ICMPv6 -p icmpv6 --icmpv6-type router-advertisement -j ACCEPT
-A ICMPv6 -p icmpv6 --icmpv6-type neighbour-solicitation -j ACCEPT
-A ICMPv6 -p icmpv6 --icmpv6-type neighbour-advertisement -j ACCEPT
-A ICMPv6 -p icmpv6 --icmpv6-type redirect -j ACCEPT
-A ICMPv6 -p icmpv6 --icmpv6-type 141 -j ACCEPT
-A ICMPv6 -p icmpv6 --icmpv6-type 142 -j ACCEPT
-A ICMPv6 -p icmpv6 --icmpv6-type 148 -j ACCEPT
-A ICMPv6 -p icmpv6 --icmpv6-type 149 -j ACCEPT
-A ICMPv6 -p icmpv6 --icmpv6-type 130 -s fe80::/10 -j ACCEPT
-A ICMPv6 -p icmpv6 --icmpv6-type 131 -s fe80::/10 -j ACCEPT
-A ICMPv6 -p icmpv6 --icmpv6-type 132 -s fe80::/10 -j ACCEPT
-A ICMPv6 -p icmpv6 --icmpv6-type 143 -s fe80::/10 -j ACCEPT
-A ICMPv6 -p icmpv6 --icmpv6-type 151 -s fe80::/10 -j ACCEPT
-A ICMPv6 -p icmpv6 --icmpv6-type 152 -s fe80::/10 -j ACCEPT
-A ICMPv6 -p icmpv6 --icmpv6-type 153 -s fe80::/10 -j ACCEPT
-A ICMPv6 -j RETURN
-A OUTPUT -p icmpv6 -j ACCEPT
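For a file that ip6tables-restore (or ip6tables-apply) can load as-is, the chain above still needs the *filter header, the built-in chain policies and a COMMIT, plus the service rules from the first post's script with -p icmp corrected to -p icmpv6. The script below is an added example, not any poster's own configuration. It assumes, for illustration only, a host that serves just TCP 80 and 443, leaves its own outbound traffic unfiltered, and keeps a backup of the live rules under /root (a chosen path). It pins the neighbour discovery types to hop limit 255, which RFC 4861 requires of them, and rate-limits echo requests rather than dropping them.

```sh
#!/bin/sh
# Complete ip6tables-restore ruleset around a selective ICMPv6 chain, with a
# parse-only check before loading. Added example for this thread, not the
# posters' scripts. Assumed for illustration: the host serves only TCP 80/443,
# its outbound traffic is unfiltered, and backups go under /root.

gen_ip6tables_rules() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:ICMPv6 - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Neighbour discovery is not tracked by conntrack, so ESTABLISHED,RELATED never
# matches it; send all ICMPv6 through its own chain. Note -p icmpv6: in
# ip6tables "-p icmp" means IP protocol 1 and matches no IPv6 packet.
-A INPUT -p icmpv6 -j ICMPv6
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
-A INPUT -m limit --limit 6/min --limit-burst 5 -j LOG --log-prefix "ip6tables-drop: " --log-level 4
# Error messages every host needs (RFC 4890), then discovery, then echo.
-A ICMPv6 -p icmpv6 --icmpv6-type destination-unreachable -j ACCEPT
-A ICMPv6 -p icmpv6 --icmpv6-type packet-too-big -j ACCEPT
-A ICMPv6 -p icmpv6 --icmpv6-type time-exceeded -j ACCEPT
-A ICMPv6 -p icmpv6 --icmpv6-type parameter-problem -j ACCEPT
# ND messages always carry hop limit 255; anything else has been routed and is bogus.
-A ICMPv6 -p icmpv6 --icmpv6-type router-advertisement -m hl --hl-eq 255 -j ACCEPT
-A ICMPv6 -p icmpv6 --icmpv6-type neighbour-solicitation -m hl --hl-eq 255 -j ACCEPT
-A ICMPv6 -p icmpv6 --icmpv6-type neighbour-advertisement -m hl --hl-eq 255 -j ACCEPT
-A ICMPv6 -p icmpv6 --icmpv6-type echo-request -m limit --limit 10/s --limit-burst 20 -j ACCEPT
# MLD query (130) and MLDv2 report (143) only ever come from link-local sources.
-A ICMPv6 -p icmpv6 --icmpv6-type 130 -s fe80::/10 -j ACCEPT
-A ICMPv6 -p icmpv6 --icmpv6-type 143 -s fe80::/10 -j ACCEPT
# Everything else (redirects included) falls back to INPUT: logged, then dropped by policy.
-A ICMPv6 -j RETURN
COMMIT
EOF
}

# Parse-only check, back up the live ruleset, then load atomically. Needs root
# and the ip6 filter table; not exercised by the checks that follow the block.
apply_ip6tables_rules() {
    tmp=$(mktemp) || return 1
    gen_ip6tables_rules > "$tmp"
    if ! ip6tables-restore --test "$tmp"; then
        echo "ruleset failed to parse, live rules untouched" >&2
        rm -f "$tmp"
        return 1
    fi
    ip6tables-save > "/root/ip6tables.before-$(date +%s)" &&   # assumed backup path
    ip6tables-restore "$tmp"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Usage: ./ip6fw.sh --print    (inspect the file)
#        ./ip6fw.sh --apply    (check, back up, load)
case "${1:-}" in
    --print) gen_ip6tables_rules ;;
    --apply) apply_ip6tables_rules ;;
esac
```

ip6tables-restore --test parses the whole file without touching the live tables, so a mistyped type name fails here instead of after the old rules have been flushed; ip6tables-apply adds a confirmation timeout on top if the host is remote. Redirects and router solicitations are deliberately left to fall through; add them to the chain only if the host actually needs them.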
