I'm trying to setup an IPv6 web-server on CentOS 7.2 with NGINX. I have tested my IPv6 connectivity outgoing and incoming - everything works. My IP, AAAA records, etc as fine as well. Essentially everything is OK until I enable FirewallD.
I have it set up to default to the drop zone with eth0 interface. I have enabled dhcpv6-client, http, https and ssh (ssh is on a custom port). When the firewall is enabled no IPv6 traffic can leave or enter the machine. Traceroute6 to anything (even the gateway) only goes to localhost. If I disable the firewall, it's all good.
I have no idea why this is happening. I couldn't find anything online in order to make FirewallD apply the same IPv4 config to the IPv6 traffic. I personally thought, it would do that automatically, as all of its commands are IP protocol agnostic.
Any help is much appreciated.
I ran into the same issue. After following the logic through the rules that firewalld puts in I found that the drop zone was blocking ipv6 icmp that is needed to find the ipv6 neighbors. There is a rule to allow all ipv6 icmp but firewalld puts it after the input zones which is where the drop rules go.
If you want to see this for yourself just look at the output from 'ip6tables -L -n -v'
So, a quick and dirty fix is to do this:
Firewalld puts the direct rules before the other input rules so that will happen before the drop rules. If you want to block things like ping you would also use a direct rule but you would need it before the rule above.
You would do something like:
The priorities will keep them in order.
After some fiddling around with a Vultr (IPv6 works perfectly) and Contabo (IPv6 wouldn't work with firewalld) instance, I found the following sysctl differences even after running Contabo's custom
enable_ipv6
script:Even though there are no such settings in
/etc/sysctl.conf
,/etc/sysctl.d
,/usr/lib/sysctl.d
,/run/sysctl.d
, or anywhere else. So it must be some weird hack deep, deep inside.Imo it can't be firewalld differences, because this happens even after a clean install, so there's no rules at all. Listing all zones won't show anything weird either.
Anyhow, after putting the above 3 lines into
/etc/sysctl.d/10-ipv6.conf
(name it any way you want), and rebooting, everything started working as expected.And no, don't ask me why IPv6 works with
net.ipv6.conf.all.disable_ipv6 = 1
and firewalld turned off, it makes no sense whatsoever.