v6 traffic not matching rules on Debian 6
zeip:~$ sudo ip6tables-save
# Generated by ip6tables-save v1.4.8 on Thu Jan 10 15:44:13 2013
*security
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
# Completed on Thu Jan 10 15:44:13 2013
# Generated by ip6tables-save v1.4.8 on Thu Jan 10 15:44:13 2013
*raw
:PREROUTING ACCEPT [2918:225968]
:OUTPUT ACCEPT [78:6240]
COMMIT
# Completed on Thu Jan 10 15:44:13 2013
# Generated by ip6tables-save v1.4.8 on Thu Jan 10 15:44:13 2013
*mangle
:PREROUTING ACCEPT [2918:225968]
:INPUT ACCEPT [2728:212288]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [78:6240]
:POSTROUTING ACCEPT [0:0]
COMMIT
# Completed on Thu Jan 10 15:44:13 2013
# Generated by ip6tables-save v1.4.8 on Thu Jan 10 15:44:13 2013
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [78:6240]
:In_RULE_1 - [0:0]
:RULE_14 - [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8000 -m state --state NEW -j ACCEPT
-A INPUT -p tcp -m tcp -m multiport --dports 80,443,22 -m state --state NEW -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 129/0 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 128/0 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 113 -j REJECT --reject-with icmp6-port-unreachable
-A INPUT -j RULE_14
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 53 -m state --state NEW -j ACCEPT
-A OUTPUT -p udp -m udp --dport 53 -m state --state NEW -j ACCEPT
-A OUTPUT -p tcp -m tcp -m multiport --dports 9418,80,443,22,43 -m state --state NEW -j ACCEPT
-A OUTPUT -p udp -m udp -m multiport --dports 9418,123 -m state --state NEW -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 25 -m state --state NEW -j ACCEPT
-A In_RULE_1 -j LOG --log-prefix "RULE 1 -- DENY " --log-level 6
-A In_RULE_1 -j DROP
-A RULE_14 -j LOG --log-prefix "RULE 14 -- DENY " --log-level 6
-A RULE_14 -j DROP
COMMIT
# Completed on Thu Jan 10 15:44:13 2013
zeip:~$ sudo ip6tables -L -n -v
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot    opt in     out    source               destination
    0     0 ACCEPT     all         *      *      ::/0                 ::/0                 state RELATED,ESTABLISHED
    0     0 ACCEPT     tcp         *      *      ::/0                 ::/0                 tcp dpt:8000 state NEW
    0     0 ACCEPT     tcp         *      *      ::/0                 ::/0                 tcp multiport dports 80,443,22 state NEW
    0     0 ACCEPT     icmpv6      *      *      ::/0                 ::/0                 ipv6-icmp type 129 code 0
    0     0 ACCEPT     icmpv6      *      *      ::/0                 ::/0                 ipv6-icmp type 128 code 0
    0     0 REJECT     tcp         *      *      ::/0                 ::/0                 tcp dpt:113 reject-with icmp6-port-unreachable
 2775  216K RULE_14    all         *      *      ::/0                 ::/0

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot    opt in     out    source               destination
    0     0 ACCEPT     all         *      *      ::/0                 ::/0                 state RELATED,ESTABLISHED

Chain OUTPUT (policy DROP 78 packets, 6240 bytes)
 pkts bytes target     prot    opt in     out    source               destination
    0     0 ACCEPT     all         *      *      ::/0                 ::/0                 state RELATED,ESTABLISHED
    0     0 ACCEPT     tcp         *      *      ::/0                 ::/0                 tcp dpt:53 state NEW
    0     0 ACCEPT     udp         *      *      ::/0                 ::/0                 udp dpt:53 state NEW
    0     0 ACCEPT     tcp         *      *      ::/0                 ::/0                 tcp multiport dports 9418,80,443,22,43 state NEW
    0     0 ACCEPT     udp         *      *      ::/0                 ::/0                 udp multiport dports 9418,123 state NEW
    0     0 ACCEPT     tcp         *      *      ::/0                 ::/0                 tcp dpt:25 state NEW

Chain In_RULE_1 (1 references)
 pkts bytes target     prot    opt in     out    source               destination
    0     0 LOG        all         *      *      ::/0                 ::/0                 LOG flags 0 level 6 prefix `RULE 1 -- DENY '
    0     0 DROP       all         *      *      ::/0                 ::/0

Chain RULE_14 (1 references)
 pkts bytes target     prot    opt in     out    source               destination
 2775  216K LOG        all         *      *      ::/0                 ::/0                 LOG flags 0 level 6 prefix `RULE 14 -- DENY '
 2775  216K DROP       all         *      *      ::/0                 ::/0
When I remove the ip6tables config altogether, ping and all the other services work nicely. Any ideas?
1 Reply
This is one way to test this:
# ip6tables -I INPUT -p icmpv6 -j ACCEPT
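The ruleset in the question accepts only ICMPv6 echo (types 128 and 129) and drops every other ICMPv6 message, including Neighbor Discovery (types 133 to 136). Without Neighbor Solicitation and Advertisement an IPv6 host cannot resolve its neighbours' link-layer addresses, so "removing the config makes ping work" and the blanket `-p icmpv6 -j ACCEPT` test in the reply both point at the same gap. The Python linter below, an added example that is not code from this thread, parses an ip6tables-save dump, flags built-in chains with a DROP or REJECT policy that accept none of the ND types, and writes the fix lines at the head of each chain (the save-file equivalent of the reply's `-I`, so they land in front of the `-j RULE_14` catch-all, where a plain `-A` append would never be reached). It treats `-m state` rules as not covering ND, because those messages are not connection-tracked, and it deliberately ignores MLD (types 130 to 132) and the other RFC 4890 recommendations. `SAMPLE_DUMP` is a constructed, shortened copy of the question's filter table; the function and variable names are my own.

```python
"""Lint an ip6tables-save dump for a classic IPv6 foot-gun: a DROP policy on
a built-in chain with no rule that lets ICMPv6 Neighbor Discovery through.

Added example, not code from the thread. SAMPLE_DUMP is a constructed,
shortened copy of the filter table shown in the question.
"""

# ICMPv6 types an IPv6 host cannot work without (RFC 4861; RFC 4890 4.4.1).
# Echo (128/129) is NOT here: ping is optional, neighbor discovery is not.
ND_TYPES = {
    133: "router-solicitation",
    134: "router-advertisement",
    135: "neighbor-solicitation",
    136: "neighbor-advertisement",
}
# Names ip6tables accepts for --icmpv6-type (both spellings of neighbo(u)r).
TYPE_NAMES = {name: num for num, name in ND_TYPES.items()}
TYPE_NAMES.update({n.replace("neighbor", "neighbour"): v
                   for n, v in list(TYPE_NAMES.items())})
ICMPV6_PROTO_NAMES = {"ipv6-icmp", "icmpv6", "icmp6", "58"}

SAMPLE_DUMP = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [78:6240]
:RULE_14 - [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp -m multiport --dports 80,443,22 -m state --state NEW -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 129/0 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 128/0 -j ACCEPT
-A INPUT -j RULE_14
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -p udp -m udp --dport 53 -m state --state NEW -j ACCEPT
-A RULE_14 -j LOG --log-prefix "RULE 14 -- DENY " --log-level 6
-A RULE_14 -j DROP
COMMIT
"""


def parse_filter_table(dump):
    """Return ({chain: policy}, [(chain, tokens)]) for the *filter table only."""
    policies, rules, in_filter = {}, [], False
    for raw in dump.splitlines():
        line = raw.strip()
        if line.startswith("*"):
            in_filter = line == "*filter"
        elif not in_filter or not line or line[0] == "#" or line == "COMMIT":
            continue
        elif line.startswith(":"):
            chain, policy = line[1:].split()[:2]   # ':INPUT DROP [0:0]'
            policies[chain] = policy               # '-' for user-defined chains
        elif line.startswith("-A "):
            tokens = line.split()
            rules.append((tokens[1], tokens[2:]))
    return policies, rules


def _arg(tokens, flag):
    """Value that follows `flag` in a rule's token list, or None."""
    if flag not in tokens:
        return None
    i = tokens.index(flag) + 1
    return tokens[i] if i < len(tokens) else None


def accepted_nd_types(rules, chain):
    """ND types some ACCEPT rule in `chain` matches without a state test.

    Neighbor Discovery is not connection-tracked, so '-m state' / conntrack
    rules never match it; only explicit ICMPv6 accepts or a blanket accept count.
    """
    accepted = set()
    for ch, tokens in rules:
        if ch != chain or _arg(tokens, "-j") != "ACCEPT":
            continue
        proto = _arg(tokens, "-p")
        if proto in (None, "all") and "-m" not in tokens:
            return set(ND_TYPES)                   # '-A chain -j ACCEPT'
        if "state" in tokens or "conntrack" in tokens:
            continue
        if proto not in ICMPV6_PROTO_NAMES:
            continue
        t = _arg(tokens, "--icmpv6-type")
        if t is None:
            return set(ND_TYPES)                   # '-p icmpv6 -j ACCEPT'
        t = t.split("/")[0]                        # '135/0' -> '135'
        num = int(t) if t.isdigit() else TYPE_NAMES.get(t)
        if num in ND_TYPES:
            accepted.add(num)
    return accepted


def missing_nd_types(dump):
    """{chain: [missing ND types]} for chains whose policy is DROP or REJECT."""
    policies, rules = parse_filter_table(dump)
    findings = {}
    for chain, policy in policies.items():
        if policy in ("DROP", "REJECT"):
            missing = sorted(set(ND_TYPES) - accepted_nd_types(rules, chain))
            if missing:
                findings[chain] = missing
    return findings


def suggested_rules(chain, types):
    """ip6tables-save lines that close a finding for one chain."""
    return [f"-A {chain} -p ipv6-icmp -m icmp6 --icmpv6-type {t} -j ACCEPT"
            for t in types]


def apply_fix(dump):
    """Insert the fix lines at the head of each flagged chain, i.e. before its
    first existing rule, so they precede any catch-all jump such as -j RULE_14."""
    pending = {c: suggested_rules(c, t) for c, t in missing_nd_types(dump).items()}
    out, in_filter = [], False
    for line in dump.splitlines():
        if line.startswith("*"):
            in_filter = line == "*filter"
        if in_filter and line.startswith("-A "):
            out.extend(pending.pop(line.split()[1], []))
        elif in_filter and line == "COMMIT":
            for rules in pending.values():         # chains that had no rules at all
                out.extend(rules)
            pending.clear()
        out.append(line)
    return "\n".join(out)


if __name__ == "__main__":
    for chain, types in missing_nd_types(SAMPLE_DUMP).items():
        print(f"{chain}: policy drops ICMPv6 ND types {types}")
    print(apply_fix(SAMPLE_DUMP))
```

Run it against a real dump with `ip6tables-save | python3 lint_nd.py` after replacing `SAMPLE_DUMP` with `sys.stdin.read()`; the printed dump can be reviewed and then loaded with `ip6tables-restore`. The check only looks at the chain policy, so a chain whose policy is ACCEPT but which ends in a jump to a logging DROP chain, as `In_RULE_1` and `RULE_14` do here, is not flagged; extend `missing_nd_types` to follow `-j` targets if your rulesets are built that way.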