Score:-1

IPv6 not working on Debian 11 with nftables/nginx


I'm running a webserver (nginx 1.21.6) on a Debian 11 system with nftables 0.9.8. My nftables configuration is:

table inet filter {
    chain input {
        type filter hook input priority filter; policy drop;
        ip saddr @spamhaus4 counter packets 0 bytes 0 drop
        ip6 saddr @spamhaus6 counter packets 0 bytes 0 drop
        meta l4proto tcp meta nfproto ipv4 ip saddr @abused counter packets 0 bytes 0 drop
        ip daddr 46.38.148.0-46.38.151.255 drop
        iif "lo" log group 2 accept
        iif != "lo" ip daddr 127.0.0.0/8 counter packets 0 bytes 0 drop comment "drop connections to loopback not coming from loopback"
        iif != "lo" ip6 daddr ::1 counter packets 0 bytes 0 drop comment "drop connections to loopback not coming from loopback"
        ct state established,related log group 2 accept
        ct state invalid counter packets 47 bytes 2572 drop
        tcp dport { 25, 80, 143, 443, 587, 2772, 9980, 45907 } log group 2 accept
        ip protocol icmp icmp type { echo-reply, destination-unreachable, echo-request, router-advertisement, router-solicitation, time-exceeded, parameter-problem } log group 2 accept
        ip6 nexthdr ipv6-icmp icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem, echo-request, echo-reply, nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert, ind-neighbor-solicit, ind-neighbor-advert } log group 2 accept
        ip6 nexthdr ipv6-icmp log group 2 accept
        counter packets 2686 bytes 421604 drop
    }

    chain IPSinput {
        type filter hook input priority filter + 10; policy drop;
        counter packets 88448 bytes 15799025 queue num 0-3 bypass,fanout
    }

    chain forward {
        type filter hook forward priority filter; policy drop;
    }

    chain output {
        type filter hook output priority filter; policy accept;
    }

    chain IPSoutput {
        type filter hook output priority filter + 10; policy drop;
        counter packets 76196 bytes 201278628 queue num 0-3 bypass,fanout
    }
}

The nftables firewall works fine.

However, my nginx server(s) are not reachable via IPv6. I have used different IPv6 checking tools (e.g., https://ipv6-test.com/validate.php), and Qualys ssltest also cannot access the server via IPv6; IPv4, however, is working fine. I have included the `listen [::]:80;` (resp. `listen [::]:443;`) directive in each of my nginx servers. And `netstat -anlp | grep nginx` gives

tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      48846/nginx: master
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      48846/nginx: master
tcp        0      0 192.168.42.98:443       93.104.163.178:39001    VERBUNDEN   48847/nginx: worker
tcp        0      0 192.168.42.98:443       93.104.163.178:39368    VERBUNDEN   48847/nginx: worker
tcp        0      0 192.168.42.98:443       93.104.163.178:43086    VERBUNDEN   48847/nginx: worker
tcp6       0      0 :::80                   :::*                    LISTEN      48846/nginx: master
tcp6       0      0 :::443                  :::*                    LISTEN      48846/nginx: master
unix  3      [ ]         STREAM     VERBUNDEN     160451   48846/nginx: master
unix  3      [ ]         STREAM     VERBUNDEN     160453   48846/nginx: master
unix  3      [ ]         STREAM     VERBUNDEN     160450   48846/nginx: master
unix  3      [ ]         STREAM     VERBUNDEN     160448   48846/nginx: master
unix  3      [ ]         STREAM     VERBUNDEN     160452   48846/nginx: master
unix  3      [ ]         STREAM     VERBUNDEN     160446   48846/nginx: master
unix  3      [ ]         STREAM     VERBUNDEN     160449   48846/nginx: master

On my router, I have activated IPv6 too.

Does anyone have any idea where the issue could be?

If you run `tcpdump -n ip6` and attempt to connect via IPv6 do you see anything? Can you ping the host's IPv6 address?
djdomi: Is the router located at your home?
A.B: IPSinput/IPSoutput is for testing, right? Nobody knows what happens there. Besides, about ICMPv6 handling, check `man nft` at the part with the words "Caution when using ip6 nexthdr": if some ICMPv6 packets have additional headers, they get dropped with your current ruleset.
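The nft(8) caveat in the comment above applies to both `ip6 nexthdr ipv6-icmp` rules in the question. As an added example (not code from the thread), this Python script finds such rules in a ruleset and rewrites them to the `meta l4proto` form the manual recommends; the sample ruleset lines are constructed from the question with counters and logging stripped.

```python
"""Added example (not from the original thread): find nftables rules that match
a transport protocol with `ip6 nexthdr`, which nft(8) warns only inspects the
first header and so misses packets carrying IPv6 extension headers, and rewrite
them to `meta l4proto`, which matches the real transport header."""
import re

# Transport protocols a ruleset typically matches by next header.
TRANSPORT = {"ipv6-icmp", "tcp", "udp", "58", "6", "17"}
NEXTHDR_RE = re.compile(r"\bip6 nexthdr (\S+)")


def fix_rule(rule: str):
    """Return (fixed_rule, note); note is None when the rule is fine as is."""
    m = NEXTHDR_RE.search(rule)
    if not m or m.group(1) not in TRANSPORT:
        return rule, None
    proto = m.group(1)
    fixed = rule[:m.start()] + f"meta l4proto {proto}" + rule[m.end():]
    return fixed, f"'ip6 nexthdr {proto}' misses packets with extension headers"


def lint_ruleset(text: str):
    """Yield (lineno, original, fixed, note) for each rule needing a change."""
    for n, line in enumerate(text.splitlines(), 1):
        fixed, note = fix_rule(line)
        if note:
            yield n, line.strip(), fixed.strip(), note


# Constructed input: the ICMP rules from the question's ruleset, counters and
# logging stripped. The IPv4 rule is fine (IPv4 has no extension headers).
SAMPLE = """\
ip protocol icmp icmp type { echo-request, echo-reply } accept
ip6 nexthdr ipv6-icmp icmpv6 type { destination-unreachable, packet-too-big } accept
ip6 nexthdr ipv6-icmp accept
"""

if __name__ == "__main__":
    for n, orig, fixed, note in lint_ruleset(SAMPLE):
        print(f"line {n}: {note}\n  - {orig}\n  + {fixed}")
```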
phonon112358: Thank you all for the comments! ;) These helped me very much in troubleshooting!
Score:0

Thanks to @Zoredache's comment on my question, I tried pinging my host's IPv6 address. It only worked inside my home network. When I tried to ping it via subnetOnline or another site, it didn't work.

I then found this answer on unix.stackexchange.com: https://unix.stackexchange.com/a/443380/520989 . I edited the /etc/dhcpcd.conf file and replaced `slaac private` with `slaac hwaddr`. Making my router (Fritzbox 7583) forget the previous configuration and rebooting my server did indeed solve my problem! My server is now completely reachable via IPv6 (also nginx)!
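Switching dhcpcd from `slaac private` to `slaac hwaddr` changes how the interface identifier (the low 64 bits) of the SLAAC address is built: from an opaque RFC 7217 stable-private value to the modified EUI-64 of the interface MAC. As an added example (not part of the answer above), the following Python derives that EUI-64 identifier from a MAC and classifies the addresses `ip -6 addr` would list against it, which confirms the change took effect; the MAC and addresses are constructed samples.

```python
"""Added example (not from the original answer): check that a host's global
IPv6 address carries the modified EUI-64 identifier of its MAC, which is what
dhcpcd produces with `slaac hwaddr`, as opposed to the opaque identifiers of
`slaac private` (RFC 7217). The MAC and addresses are constructed samples."""
import ipaddress


def eui64_iid(mac: str) -> bytes:
    """Modified EUI-64 interface identifier (8 bytes) for a 48-bit MAC."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError(f"not a 48-bit MAC: {mac!r}")
    # Flip the universal/local bit of the first octet, insert ff:fe in the middle.
    return bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:]


def iid_kind(addr: str, mac: str) -> str:
    """Classify the low 64 bits (interface identifier) of addr against mac.

    'eui64'  - the modified EUI-64 of mac, i.e. what `slaac hwaddr` yields
    'ff:fe'  - EUI-64 shaped, but derived from a different MAC
    'opaque' - anything else, e.g. RFC 7217 stable-private or RFC 4941 temporary
    """
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid == eui64_iid(mac):
        return "eui64"
    if iid[3:5] == b"\xff\xfe":
        return "ff:fe"
    return "opaque"


def report(addrs, mac):
    """Map each non-link-local address to its identifier kind."""
    return {a: iid_kind(a, mac) for a in addrs
            if not ipaddress.IPv6Address(a).is_link_local}


if __name__ == "__main__":
    MAC = "00:1a:2b:3c:4d:5e"      # constructed sample MAC
    # What `ip -6 addr` might list: an EUI-64 address (slaac hwaddr), an opaque
    # one (slaac private), and the link-local address, which is skipped.
    ADDRS = ["2001:db8:1:0:21a:2bff:fe3c:4d5e",
             "2001:db8:1:0:9c1e:2f0a:7b3d:4e61",
             "fe80::21a:2bff:fe3c:4d5e"]
    for a, kind in report(ADDRS, MAC).items():
        print(f"{a:40} {kind}")
```

If the global address still classifies as opaque after the change, dhcpcd has not re-run SLAAC with the new setting yet.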
