Join Log in
Score:1
Darwick avatar Server

ip6tables state does not allow http connection outside LAN

sc flag
Darwick

I have a Debian 11 machine acting as a router (machine A) for IPv6 with WAN (bond0) and LAN (bond1) interface and another Debian 11 machine (machine B) connected to its LAN interface. This setup works correctly as expected, until I setup the firewall rules in machine A:

ip6tables -A FORWARD -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
ip6tables -A FORWARD -p ipv6-icmp -j ACCEPT
ip6tables -P FORWARD DROP

After this setup, from machine B the ping works, but nothing else, for an example http connection is not:

--2022-11-20 18:25:05--  http://[2a02:16a8:dc41:100::132]/
Connecting to [2a02:16a8:dc41:100::132]:80... connected.
HTTP request sent, awaiting response...

As soon as I change back the default policy to accept:

ip6tables -P FORWARD ACCEPT

everything is working again, the mentioned connection also. So I guess the error is not on the networking setup, but maybe a lack of firewall rule. The input and output default policy is accept without any rule in machine A:

Chain INPUT (policy ACCEPT 52117 packets, 7950K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all      *      *       ::/0                 ::/0                 state NEW,RELATED,ESTABLISHED
    0     0 ACCEPT     icmpv6    *      *       ::/0                 ::/0

Chain OUTPUT (policy ACCEPT 32646 packets, 2259K bytes)
 pkts bytes target     prot opt in     out     source               destination

so I guess there is no problem on that part. Machine B don't have any rules set. What am I missing for this to get it working?

UPDATE:

After appending firewall rule ip6tables -A FORWARD -j LOG to the end of the filter rules, I get this messages in /var/log/kern.log

Nov 20 19:08:11 machineA kernel: [64351.126036] IN=bond1 OUT=bond0 MAC=<mac snip> SRC=<machine B ipv6> DST=<destination servers ipv6> LEN=72 TC=0 HOPLIMIT=63 FLOWLBL=735930 PROTO=TCP SPT=46848 DPT=80 WINDOW=507 RES=0x00 ACK URGP=0
Nov 20 19:08:11 machineA kernel: [64351.126186] IN=bond1 OUT=bond0 MAC=<mac snip> SRC=<machine B ipv6> DST=<destination servers ipv6> LEN=210 TC=0 HOPLIMIT=63 FLOWLBL=735930 PROTO=TCP SPT=46848 DPT=80 WINDOW=507 RES=0x00 ACK PSH URGP=0
Nov 20 19:08:11 machineA kernel: [64351.343310] IN=bond1 OUT=bond0 MAC=<mac snip> SRC=<machine B ipv6> DST=<destination servers ipv6> LEN=210 TC=0 HOPLIMIT=63 FLOWLBL=735930 PROTO=TCP SPT=46848 DPT=80 WINDOW=507 RES=0x00 ACK PSH URGP=0
Nov 20 19:08:11 machineA kernel: [64351.563328] IN=bond1 OUT=bond0 MAC=<mac snip> SRC=<machine B ipv6> DST=<destination servers ipv6> LEN=210 TC=0 HOPLIMIT=63 FLOWLBL=918248 PROTO=TCP SPT=46848 DPT=80 WINDOW=507 RES=0x00 ACK PSH URGP=0
Nov 20 19:08:12 machineA kernel: [64352.007316] IN=bond1 OUT=bond0 MAC=<mac snip> SRC=<machine B ipv6> DST=<destination servers ipv6> LEN=210 TC=0 HOPLIMIT=63 FLOWLBL=983152 PROTO=TCP SPT=46848 DPT=80 WINDOW=507 RES=0x00 ACK PSH URGP=0
Nov 20 19:08:12 machineA kernel: [64352.139854] IN=bond1 OUT=bond0 MAC=<mac snip> SRC=<machine B ipv6> DST=<destination servers ipv6> LEN=72 TC=0 HOPLIMIT=63 FLOWLBL=983152 PROTO=TCP SPT=46848 DPT=80 WINDOW=507 RES=0x00 ACK URGP=0
Nov 20 19:08:13 machineA kernel: [64352.903316] IN=bond1 OUT=bond0 MAC=<mac snip> SRC=<machine B ipv6> DST=<destination servers ipv6> LEN=210 TC=0 HOPLIMIT=63 FLOWLBL=286527 PROTO=TCP SPT=46848 DPT=80 WINDOW=507 RES=0x00 ACK PSH URGP=0
Nov 20 19:08:13 machineA kernel: [64352.911487] IN=bond1 OUT=bond0 MAC=<mac snip> SRC=<machine B ipv6> DST=<destination servers ipv6> LEN=72 TC=0 HOPLIMIT=63 FLOWLBL=286527 PROTO=TCP SPT=46848 DPT=80 WINDOW=507 RES=0x00 ACK FIN URGP=0
Nov 20 19:08:14 machineA kernel: [64354.159965] IN=bond1 OUT=bond0 MAC=<mac snip> SRC=<machine B ipv6> DST=<destination servers ipv6> LEN=72 TC=0 HOPLIMIT=63 FLOWLBL=286527 PROTO=TCP SPT=46848 DPT=80 WINDOW=507 RES=0x00 ACK URGP=0
Nov 20 19:08:14 machineA kernel: [64354.663292] IN=bond1 OUT=bond0 MAC=<mac snip> SRC=<machine B ipv6> DST=<destination servers ipv6> LEN=210 TC=0 HOPLIMIT=63 FLOWLBL=128197 PROTO=TCP SPT=46848 DPT=80 WINDOW=507 RES=0x00 ACK PSH FIN URGP=0
Nov 20 19:08:18 machineA kernel: [64358.247272] IN=bond1 OUT=bond0 MAC=<mac snip> SRC=<machine B ipv6> DST=<destination servers ipv6> LEN=210 TC=0 HOPLIMIT=63 FLOWLBL=83931 PROTO=TCP SPT=46848 DPT=80 WINDOW=507 RES=0x00 ACK PSH FIN URGP=0
Nov 20 19:08:18 machineA kernel: [64358.347769] IN=bond1 OUT=bond0 MAC=<mac snip> SRC=<machine B ipv6> DST=<destination servers ipv6> LEN=72 TC=0 HOPLIMIT=63 FLOWLBL=83931 PROTO=TCP SPT=46848 DPT=80 WINDOW=507 RES=0x00 ACK URGP=0
Nov 20 19:08:25 machineA kernel: [64365.415153] IN=bond1 OUT=bond0 MAC=<mac snip> SRC=<machine B ipv6> DST=<destination servers ipv6> LEN=210 TC=0 HOPLIMIT=63 FLOWLBL=504998 PROTO=TCP SPT=46848 DPT=80 WINDOW=507 RES=0x00 ACK PSH FIN URGP=0
Nov 20 19:08:26 machineA kernel: [64366.539630] IN=bond1 OUT=bond0 MAC=<mac snip> SRC=<machine B ipv6> DST=<destination servers ipv6> LEN=72 TC=0 HOPLIMIT=63 FLOWLBL=504998 PROTO=TCP SPT=46848 DPT=80 WINDOW=507 RES=0x00 ACK URGP=0
Nov 20 19:08:39 machineA kernel: [64379.494991] IN=bond1 OUT=bond0 MAC=<mac snip> SRC=<machine B ipv6> DST=<destination servers ipv6> LEN=210 TC=0 HOPLIMIT=63 FLOWLBL=546713 PROTO=TCP SPT=46848 DPT=80 WINDOW=507 RES=0x00 ACK PSH FIN URGP=0
Nov 20 19:08:42 machineA kernel: [64382.667434] IN=bond1 OUT=bond0 MAC=<mac snip> SRC=<machine B ipv6> DST=<destination servers ipv6> LEN=72 TC=0 HOPLIMIT=63 FLOWLBL=546713 PROTO=TCP SPT=46848 DPT=80 WINDOW=507 RES=0x00 ACK URGP=0
Nov 20 19:09:09 machineA kernel: [64409.190482] IN=bond1 OUT=bond0 MAC=<mac snip> SRC=<machine B ipv6> DST=<destination servers ipv6> LEN=210 TC=0 HOPLIMIT=63 FLOWLBL=39670 PROTO=TCP SPT=46848 DPT=80 WINDOW=507 RES=0x00 ACK PSH FIN URGP=0
54
1 + 3
A. Darwin avatar
my flag
A. Darwin
Can you add a logging rule (-j LOG) before the final DROP and see what happens?
0
Reply
Darwick avatar
sc flag
Darwick
Added as requested
0
Reply
Tom Yan avatar
in flag
Tom Yan
Can you dump `ip6tables-save` instead?
0
Reply
Score:0
Darwick avatar Server
sc flag
Darwick

Looks like the problem was in the routing itself. Based on the log file and ip6tables counters, it revealed me that some packets don't going through the forward chain. After a traceroute on both source and destination sides, it revealed me that the packets from machine B going through machine A but packets to machine B is bypassing somehow. As soon as my provider fixed this routing issue, all packets from and to machine B is going through the FORWARD chain and it is working as expected.

Just an FYI if somebody want to build a "nat like" IPv6 firewall. Accepting established and related states are not enough, also need to add new state from LAN to WAN interface. The complete command looks like this:

ip6tables -A FORWARD -i <lan int> -o <wan int> -m conntrack --ctstate NEW -j ACCEPT
ip6tables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
ip6tables -P FORWARD DROP
+ 0
ธงชาติไทย
Elon Musk
I sit in a Tesla and translated this thread with Ai:

mangohost

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.