IPv6 Firewall Issues
Any help would be appreciated.
ip6tables -A INPUT -m state --state NEW -p tcp --dport http -j ACCEPT
ip6tables -A INPUT -m state --state NEW -p tcp --dport https -j ACCEPT
ip6tables -A INPUT -m state --state NEW -p tcp --dport smtp -j ACCEPT
ip6tables -A INPUT -m state --state NEW -p tcp --dport ssmtp -j ACCEPT
ip6tables -A INPUT -m state --state NEW -p tcp --dport 587 -j ACCEPT   # other smtp port
ip6tables -A INPUT -m state --state NEW -p udp --dport domain -j ACCEPT
ip6tables -A INPUT -m state --state NEW -p tcp --dport domain -j ACCEPT
ip6tables -A INPUT -p tcp --dport auth -j REJECT --reject-with tcp-reset
ip6tables -A INPUT -m state --state NEW -p tcp --dport ssh -j ACCEPT
ip6tables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
ip6tables -A INPUT -j DROP
ip6tables -A OUTPUT -j ACCEPT
root# ip6tables -L -v -n
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     tcp      *      *       ::/0                 ::/0                 state NEW tcp dpt:80
    0     0 ACCEPT     tcp      *      *       ::/0                 ::/0                 state NEW tcp dpt:443
    0     0 ACCEPT     tcp      *      *       ::/0                 ::/0                 state NEW tcp dpt:25
    0     0 ACCEPT     tcp      *      *       ::/0                 ::/0                 state NEW tcp dpt:465
    0     0 ACCEPT     tcp      *      *       ::/0                 ::/0                 state NEW tcp dpt:587
    0     0 ACCEPT     udp      *      *       ::/0                 ::/0                 state NEW udp dpt:53
    0     0 ACCEPT     tcp      *      *       ::/0                 ::/0                 state NEW tcp dpt:53
    0     0 REJECT     tcp      *      *       ::/0                 ::/0                 tcp dpt:113 reject-with tcp-reset
    0     0 ACCEPT     tcp      *      *       ::/0                 ::/0                 state NEW tcp dpt:22
    0     0 ACCEPT     all      *      *       ::/0                 ::/0                 state RELATED,ESTABLISHED
    4   320 DROP       all      *      *       ::/0                 ::/0

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all      *      *       ::/0                 ::/0
root#
4 Replies
@jsr:
Any ideas why?
Are you sure your web server is listening on IPv6?
You could add a log line to your rules to see what is being dropped to help debug.
Note your iptables counters only show 4 packets dropped and no other hits on the other rules. I'm betting your services are not configured to listen on your IPv6 address.
–
Travis
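A concrete form of the "add a log line" suggestion, as an added example that is not part of the thread. It inserts a rate-limited LOG rule immediately above the trailing `-j DROP` in INPUT so that every packet the DROP counter counts is also written to the kernel log, and it includes a small summarizer for those log lines. The `IP6T` variable, the function names and the sample log lines are choices made here; set `IP6T=echo` to print the rule instead of loading it.

```shell
#!/bin/sh
# Added example: log what the final "ip6tables -A INPUT -j DROP" rule discards.
# IP6T defaults to the real binary; set IP6T=echo to print the rule instead.
IP6T="${IP6T:-ip6tables}"

# Insert a LOG rule just before the trailing DROP in INPUT.
# $1: 1-based position of the DROP rule in the chain. With the eleven rules
#     from the original post, DROP is rule 11, so that is the default.
# "-I INPUT N" inserts before the rule currently at N, pushing DROP down one,
# so everything DROP sees has already passed the LOG rule. The limit match
# keeps a flood from filling the log; the prefix makes the lines greppable.
log_dropped_input() {
    drop_index="${1:-11}"
    "$IP6T" -I INPUT "$drop_index" \
        -m limit --limit 5/min --limit-burst 10 \
        -j LOG --log-prefix "ip6tables-drop: " --log-level 4
}

# Summarize logged drops by protocol and destination port / ICMPv6 type.
# Reads kernel log lines from the files given as arguments, or from stdin.
# TYPE=135 is a neighbor solicitation, so a large count there means
# neighbor discovery is being dropped.
summarize_drops() {
    awk '/ip6tables-drop:/ {
            proto = ""; detail = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^PROTO=/) proto = substr($i, 7); else if ($i ~ /^DPT=/ || $i ~ /^TYPE=/) detail = $i
            }
            if (proto != "") print proto, detail
        }' "$@" | sort | uniq -c | sort -rn
}

# Constructed sample of what the LOG target writes (not real captured data).
SAMPLE_LOG='Mar  1 10:00:01 host kernel: ip6tables-drop: IN=eth0 OUT= SRC=2001:db8::10 DST=2001:db8::1 LEN=64 TC=0 HOPLIMIT=255 PROTO=ICMPv6 TYPE=135 CODE=0
Mar  1 10:00:02 host kernel: ip6tables-drop: IN=eth0 OUT= SRC=2001:db8::10 DST=2001:db8::1 LEN=80 TC=0 HOPLIMIT=64 PROTO=TCP SPT=51234 DPT=8080 WINDOW=64800 SYN
Mar  1 10:00:03 host kernel: ip6tables-drop: IN=eth0 OUT= SRC=2001:db8::10 DST=2001:db8::1 LEN=64 TC=0 HOPLIMIT=255 PROTO=ICMPv6 TYPE=135 CODE=0'

# Usage: "sh thisfile.sh demo" summarizes the sample above;
#        "sh thisfile.sh apply" loads the LOG rule (needs root).
case "${1:-}" in
    apply) log_dropped_input ;;
    demo)  printf '%s\n' "$SAMPLE_LOG" | summarize_drops ;;
esac
```

After loading the rule, compare the `pkts` column of the DROP line with the number of `ip6tables-drop:` lines in `dmesg` or the journal; if they diverge, the limit match is suppressing entries and the summary is only a sample of what is being dropped.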
The counters are pretty low; that is partly because I have been messing with it and the tables were flushed recently, and partly because traffic is low, since the main address does not have a DNS entry yet while I am still trying to get it working. I've updated the counters below; the 1 accepted packet on port 80 is from me just doing a telnet on localhost.
I forgot about the log rules, I'll try adding that to see if it offers any additional clues.
root# netstat -an|grep tcp6
tcp6 0 0 :::587 :::* LISTEN
tcp6 0 0 :::80 :::* LISTEN
tcp6 0 0 :::465 :::* LISTEN
tcp6 0 0 :::53 :::* LISTEN
tcp6 0 0 :::22 :::* LISTEN
tcp6 0 0 :::25 :::* LISTEN
tcp6 0 0 :::443 :::* LISTEN
root#
root# ip6tables -L -v -n
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    1    80 ACCEPT     tcp      *      *       ::/0                 ::/0                 state NEW tcp dpt:80
    0     0 ACCEPT     tcp      *      *       ::/0                 ::/0                 state NEW tcp dpt:443
    0     0 ACCEPT     tcp      *      *       ::/0                 ::/0                 state NEW tcp dpt:25
    0     0 ACCEPT     tcp      *      *       ::/0                 ::/0                 state NEW tcp dpt:465
    0     0 ACCEPT     tcp      *      *       ::/0                 ::/0                 state NEW tcp dpt:587
    0     0 ACCEPT     udp      *      *       ::/0                 ::/0                 state NEW udp dpt:53
    0     0 ACCEPT     tcp      *      *       ::/0                 ::/0                 state NEW tcp dpt:53
    0     0 REJECT     tcp      *      *       ::/0                 ::/0                 tcp dpt:113 reject-with tcp-reset
    0     0 ACCEPT     tcp      *      *       ::/0                 ::/0                 state NEW tcp dpt:22
    5   368 ACCEPT     all      *      *       ::/0                 ::/0                 state RELATED,ESTABLISHED
  201 20808 DROP       all      *      *       ::/0                 ::/0

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    6   448 ACCEPT     all      *      *       ::/0                 ::/0
root#
Also, it looks like you are implicitly dropping ICMPv6 traffic. This will break multiple things (stateless auto-configuration, neighbor discovery, path MTU discovery, …). Accepting all ICMPv6 traffic should be pretty safe, although more research could find a subset that will do the trick.
(This suggests that you're blocking all ICMP traffic for IPv4 as well, which is unwise, although not as catastrophic -- neighbor discovery is its own control protocol (ARP), and PMTUD isn't totally necessary if fragmentation is allowed. Still, not a recommended practice.)
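To make the "subset that will do the trick" concrete, here is an added example (not from the thread) of the ICMPv6 allow-list that RFC 4890 recommends for an end host, written to fit the rule set in the original post: the rules are inserted at the top of INPUT so they land above the final `-j DROP`. It goes a little beyond the reply above by enforcing the hop limit of 255 that Neighbor Discovery messages always carry and by rate-limiting echo requests rather than dropping them. `IP6T`, `icmpv6_rules` and the other names are choices made here; `dry-run` prints the rules, `apply` loads them.

```shell
#!/bin/sh
# Added example: a minimal ICMPv6 allow-list for a host firewall, following
# RFC 4890 instead of "accept everything". IP6T defaults to the real binary;
# set IP6T=echo to print the rules instead of applying them.
IP6T="${IP6T:-ip6tables}"

# One entry per line: "<icmpv6 type> <comment>". Types are numeric so the
# list does not depend on which symbolic names a given ip6tables build knows.
icmpv6_required_types() {
    cat <<'EOF'
1 destination-unreachable (error reporting)
2 packet-too-big (path MTU discovery; dropping this blackholes large flows)
3 time-exceeded
4 parameter-problem
130 multicast-listener-query (router asks which groups this host joined)
133 router-solicitation
134 router-advertisement (SLAAC and the default route come from these)
135 neighbor-solicitation (the IPv6 equivalent of an ARP request)
136 neighbor-advertisement (the IPv6 equivalent of an ARP reply)
EOF
}

# Emit the rules. "-I INPUT 1" puts each one at the top of the chain, so
# they sit above the trailing "-j DROP" regardless of what else is there.
icmpv6_rules() {
    # Neighbor Discovery (types 133-136) is link-local only and is always sent
    # with hop limit 255 (RFC 4861); a lower value means the packet was routed
    # and cannot be legitimate, so the hl match enforces that. The error and
    # MLD messages are accepted without that check.
    icmpv6_required_types | while read -r type _comment; do
        case "$type" in
            133|134|135|136)
                "$IP6T" -I INPUT 1 -p icmpv6 --icmpv6-type "$type" \
                    -m hl --hl-eq 255 -j ACCEPT ;;
            *)
                "$IP6T" -I INPUT 1 -p icmpv6 --icmpv6-type "$type" -j ACCEPT ;;
        esac
    done
    # Echo request (128): allowed but rate-limited, which addresses the
    # ping-flood concern without breaking reachability tests.
    "$IP6T" -I INPUT 1 -p icmpv6 --icmpv6-type 128 \
        -m limit --limit 10/s --limit-burst 20 -j ACCEPT
    # Echo replies (129) to this host's own probes are matched by the existing
    # ESTABLISHED,RELATED rule, so no separate rule is needed for them.
}

# Number of rules the function emits; handy as a dry-run sanity check.
icmpv6_rule_count() {
    (IP6T=echo; icmpv6_rules) | grep -c -- '--icmpv6-type'
}

case "${1:-}" in
    apply)   icmpv6_rules ;;
    dry-run) (IP6T=echo; icmpv6_rules) ;;
esac
```

Redirect (type 137) is deliberately left out; RFC 4890 treats it as optional for hosts and it is the one ND message an attacker on the link can use to steer traffic, so dropping it is the safer default. The `pkts` counters on these rules are also a quick way to confirm the fix: after loading them, the neighbor-solicitation and router-advertisement lines should start counting within seconds on any active link.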
I'm usually pretty stingy on allowing ICMP packets because I used to see way too much ping flooding and other nonsense back in the day. I know ping flooding probably isn't even common anymore, but old habits die hard. I do allow some IPv4 ICMPs, but have rate limits on them. I hadn't gotten to the point of figuring out any acceptable rate limits (or risk) on ICMPv6, so I had just been dropping all of those packets.
Thanks guys!