I have a problem with my iptables setup. I want a completely dual-stacked server, so I use the same rules for IPv4 and IPv6. However, all IPv6 connections are just being dropped while IPv4 ones work without any problem.
Here are all the files I use to populate the firewall rules: here - the first file is the script I run, the second contains the common (shared) rules for IPv4 and IPv6, and the third and fourth are files containing the specific rules for IPv4 and IPv6.
I want to point out that everything works perfectly over IPv4.
The problem isn't just with services like FTP; I can't even ping the server (tested from many computers on many different networks).
Just so you can be sure, this is the output of the command iptables -L -n -v:
Chain INPUT (policy DROP 511 packets, 79527 bytes)
pkts bytes target prot opt in out source destination
1765 739K ACCEPT all -- !eth0 * 0.0.0.0/0 0.0.0.0/0
43146 1980K ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcpflags: 0x10/0x10
180 26305 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
138 8300 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp multiport dports 20,21,25,80,443,465
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpts:50000:50500
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:1194
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 0
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 3
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 4
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 8
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 11
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 12
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 11171 packets, 65M bytes)
pkts bytes target prot opt in out source destination
and this is the output of the command ip6tables -L -n -v:
Chain INPUT (policy DROP 32 packets, 3076 bytes)
pkts bytes target prot opt in out source destination
8 832 ACCEPT all !eth0 * ::/0 ::/0
0 0 ACCEPT tcp * * ::/0 ::/0 tcpflags: 0x10/0x10
0 0 ACCEPT all * * ::/0 ::/0 state RELATED,ESTABLISHED
0 0 ACCEPT tcp * * ::/0 ::/0 tcp multiport dports 20,21,25,80,443,465
0 0 ACCEPT tcp * * ::/0 ::/0 tcp dpts:50000:50500
0 0 ACCEPT udp * * ::/0 ::/0 udp dpt:1194
0 0 ACCEPT icmpv6 * * ::/0 ::/0 ipv6-icmptype 129
0 0 ACCEPT icmpv6 * * ::/0 ::/0 ipv6-icmptype 1
0 0 ACCEPT icmpv6 * * ::/0 ::/0 ipv6-icmptype 128
0 0 ACCEPT icmpv6 * * ::/0 ::/0 ipv6-icmptype 3
0 0 ACCEPT icmpv6 * * ::/0 ::/0 ipv6-icmptype 4
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Output of iptables-save:
*filter
:INPUT DROP [93:13846]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [4788:4752203]
-A INPUT ! -i eth0 -j ACCEPT
-A INPUT -p tcp -m tcp --tcp-flags ACK ACK -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp -m multiport --dports 20,21,25,80,443,465 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 50000:50500 -j ACCEPT
-A INPUT -p udp -m udp --dport 1194 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 0 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 4 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 12 -j ACCEPT
COMMIT
Output of ip6tables-save:
*filter
:INPUT DROP [6:778]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT ! -i eth0 -j ACCEPT
-A INPUT -p tcp -m tcp --tcp-flags ACK ACK -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp -m multiport --dports 20,21,25,80,443,465 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 50000:50500 -j ACCEPT
-A INPUT -p udp -m udp --dport 1194 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 129 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 1 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 128 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 3 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 4 -j ACCEPT
COMMIT
If I try to ping the server over IPv6 (ping -6 2a02:2b88:2:1::2498:1) then I get Request timed out. If I try to ping it on the server itself (over SSH), then it pings without any problem:
ping6 2a02:2b88:2:1::2498:1
--> 64 bytes from 2a02:2b88:2:1::2498:1: icmp_seq=1 ttl=64 time=0.034 ms
or
ping6 localhost
--> 64 bytes from localhost: icmp_seq=1 ttl=64 time=0.031 ms
I also forgot to mention that if I change the whole INPUT chain to ACCEPT, then everything works. Of course this is unfortunately not an option...
The problem was in the end really in the ICMP packets. To be precise, I didn't know that IPv6 doesn't use ARP and some other services anymore; it uses its own mechanisms. To do so it needs many ICMPv6 packets to pass. After enabling them, everything works as expected.
I came to this solution by trying to just enable ALL ICMPv6 packets, and everything worked. So I looked up some guides and figured out which ICMPv6 packets need to be enabled.
I would like to recommend this rule set: https://gist.github.com/jirutka/3742890
I based my firewall settings on them and will from now on.
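As an added example (not the poster's script and not the linked gist), the POSIX shell snippet below lists the ICMPv6 types a dual-stacked host has to accept, emits ACCEPT rules in the same ip6tables-save format the question uses, and checks an ip6tables-save dump for which of those types are missing; the sample dump is constructed from the ICMPv6 lines of the question's ip6tables-save output. Type 2 (packet too big) is included as a generalisation beyond the Neighbor Discovery types the answer is about, because dropping it breaks path MTU discovery.

```shell
#!/bin/sh
# Added example, not the poster's script or the linked gist. The posted
# ip6tables rules only accept ICMPv6 types 1, 3, 4, 128 and 129; Neighbor
# Discovery (RFC 4861) uses types 133-137, so with a DROP policy the router
# never learns the host's link-layer address and every IPv6 packet times out.

# ICMPv6 types a dual-stacked host must accept on INPUT.
essential_icmpv6_types() {
    # 1 destination unreachable, 2 packet too big (path MTU discovery),
    # 3 time exceeded, 4 parameter problem, 128/129 echo request/reply,
    # 133/134 router solicitation/advertisement,
    # 135/136 neighbor solicitation/advertisement
    echo "1 2 3 4 128 129 133 134 135 136"
}

# Emit one ACCEPT rule per type in ip6tables-save format (same style as the post).
icmpv6_rules() {
    for t in $(essential_icmpv6_types); do
        printf '%s\n' "-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type $t -j ACCEPT"
    done
}

# True when the ruleset on stdin already accepts the given ICMPv6 type.
has_icmpv6_type() {
    grep -q -- "--icmpv6-type $1 -j ACCEPT"
}

# Print the essential types missing from an ip6tables-save dump ($1), space separated.
missing_icmpv6_types() {
    missing=""
    for t in $(essential_icmpv6_types); do
        if ! printf '%s\n' "$1" | has_icmpv6_type "$t"; then
            missing="$missing $t"
        fi
    done
    echo "${missing# }"
}

# Constructed sample: the ICMPv6 lines from the question's ip6tables-save output.
POSTED_RULES='-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 129 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 1 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 128 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 3 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 4 -j ACCEPT'

echo "missing from the posted rules: $(missing_icmpv6_types "$POSTED_RULES")"
echo "rules to add, in ip6tables-save format:"
icmpv6_rules
```

Running it reports types 2, 133, 134, 135 and 136 as missing from the posted rules; the emitted lines can be pasted into the *filter section of the ip6tables-save file before COMMIT and loaded with ip6tables-restore.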