# [SOLVED] Firewall kills IPv6 traffic

## NP_complete

On my laptop, I get

```
$ ping6 google.com
connect: Network is unreachable
```

Disabling the IPv6 side of the firewall makes the problem go away.  I use the following rules (see below) which are identical (with obvious corrections) to IPv4.  Bizarrely, they work for IPv4 but not for IPv6.  I can't wrap my brain around this.

```
# ip6tables -L -n
Chain INPUT (policy DROP)
target     prot opt source               destination
...
```

The above rules were generated by

```
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:TCP - [0:0]
:UDP - [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p icmpv6 -m icmpv6 --icmpv6-type 8 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p udp -m conntrack --ctstate NEW -j UDP
-A INPUT -p tcp --tcp-flags FIN,SYN,RST,ACK SYN -m conntrack --ctstate NEW -j TCP
-A INPUT -p udp -j REJECT --reject-with icmp6-port-unreachable
-A INPUT -p tcp -j REJECT --reject-with tcp-reset
-A INPUT -j REJECT --reject-with icmp6-port-unreachable
COMMIT
```

Many thanks.

Last edited by NP_complete on Thu Nov 06, 2014 2:09 pm; edited 2 times in total

----------

## py-ro

Your default policy for FORWARD is DROP and you have no other rules in there, so no traffic is allowed to be routed.

EDIT: NVM, did not realize these are the rules on the notebook

----------

## NP_complete

Solved it!  IPv6 differs from IPv4 in the way it uses ICMP.  In my particular case, allowing all incoming ICMPv6 traffic took care of things:

```
-A INPUT -p icmpv6 -j ACCEPT
```

----------

## charles17

Even for ip6tables you could specify certain icmpv6 types:

https://wiki.gentoo.org/wiki/Iptables#Generating_firewall_rules_for_client

----------

## NP_complete

charles17,

I've seen the code you linked to.  But it doesn't work, as far as IPv6 goes, and IPv4 works fine.  Go figure...

```
$ ip6tables -L -nv
Chain INPUT (policy DROP 223 packets, 16200 bytes)
 pkts bytes target     prot opt in     out     source               destination
...
```

```
$ ip6tables-save
# Generated by ip6tables-save v1.4.21 on Thu Nov  6 08:58:47 2014
*mangle
...
```

----------

## skaloo

IPv6 auto-configuration uses ICMP, as you found out. This is the way your router/ISP and your host agree on an IPv6 address. No ICMP -> no routable address -> can't talk to the world.

It's done using 'link-local' addresses, so you may restrict the allowed packets to the FE80::/10 network, if you want to be restrictive with the PINGs your host replies to.

```
ip6tables -A INPUT -s fe80::/10 -p ipv6-icmp -j ACCEPT
```

If your Linux box also does routing, you also need this one:

```
ip6tables -A FORWARD -s fe80::/10 -p ipv6-icmp -j ACCEPT
```
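To make charles17's suggestion of per-type rules concrete while keeping skaloo's link-local restriction, here is an added example (not code from the thread or the Gentoo wiki) that generates an ip6tables-restore fragment accepting only the ICMPv6 types a host needs, in the same shape as the poster's ruleset. The type numbers are from RFC 4443, RFC 4861, RFC 4862 and RFC 2710/3810, and the hop-limit match assumes the standard `hl` extension is available; note that ICMPv6 echo request is type 128, so the original ruleset's `--icmpv6-type 8` (the IPv4 echo-request number) matches nothing useful.

```shell
#!/bin/sh
# Added example, not from the thread: emit ip6tables-restore lines that accept
# only the ICMPv6 types an IPv6 host needs, instead of "-p icmpv6 -j ACCEPT".

gen_icmpv6_rules() {
    # Error messages (1-4). Packet Too Big (2) is required for path MTU
    # discovery, since IPv6 routers do not fragment on the sender's behalf.
    for t in 1 2 3 4; do
        echo "-A INPUT -p ipv6-icmp -m icmpv6 --icmpv6-type $t -j ACCEPT"
    done
    # Echo request is type 128 in ICMPv6; type 8 is the IPv4 echo-request value.
    echo "-A INPUT -p ipv6-icmp -m icmpv6 --icmpv6-type 128 -m conntrack --ctstate NEW -j ACCEPT"
    # Neighbor Discovery: RS 133, RA 134, NS 135, NA 136, Redirect 137.
    # They come from on-link nodes with a link-local source and hop limit 255,
    # which no router can forward, so both conditions are checked.
    for t in 133 134 135 136 137; do
        echo "-A INPUT -s fe80::/10 -p ipv6-icmp -m icmpv6 --icmpv6-type $t -m hl --hl-eq 255 -j ACCEPT"
    done
    # Duplicate Address Detection sends NS from the unspecified address (RFC 4862),
    # which the fe80::/10 match above does not cover.
    echo "-A INPUT -s ::/128 -p ipv6-icmp -m icmpv6 --icmpv6-type 135 -m hl --hl-eq 255 -j ACCEPT"
    # MLD query/report/done (130-132) and MLDv2 report (143), also link-local sourced.
    for t in 130 131 132 143; do
        echo "-A INPUT -s fe80::/10 -p ipv6-icmp -m icmpv6 --icmpv6-type $t -j ACCEPT"
    done
}

# Wrap the ICMPv6 rules in a *filter table laid out like the poster's ruleset:
# DROP policy, conntrack shortcuts first, explicit reject last.
build_filter_table() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
EOF
    gen_icmpv6_rules
    echo '-A INPUT -j REJECT --reject-with icmp6-port-unreachable'
    echo 'COMMIT'
}

# Stand-alone run: print the table so it can be piped to ip6tables-restore.
build_filter_table
```

Pipe the output through `ip6tables-restore --test` to have it parsed without loading it, then load it for real once it passes.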

----------

## NP_complete

skaloo, thanks!  I used the first rule only, of the two you suggested (because I don't do routing), and it worked!  For posterity:

```
# ip6tables-save
*mangle
:PREROUTING ACCEPT [2521:1799758]
:INPUT ACCEPT [2521:1799758]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1982:462517]
:POSTROUTING ACCEPT [1982:462517]
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [81:7085]
:TCP - [0:0]
:UDP - [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -s fe80::/10 -p ipv6-icmp -j ACCEPT
-A INPUT -p udp -m conntrack --ctstate NEW -j UDP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m conntrack --ctstate NEW -j TCP
-A INPUT -p udp -j REJECT --reject-with icmp6-port-unreachable
-A INPUT -p tcp -j REJECT --reject-with tcp-reset
COMMIT
```

PS: Someone in charge should fix the IPv6 portion of https://wiki.gentoo.org/wiki/Iptables#Generating_firewall_rules_for_client

----------

## charles17

When the policy is DROP why should one need "-j DROP" some lines further down?

```
*mangle
:PREROUTING ACCEPT [2521:1799758]
...
```

*NP_complete wrote:*

> PS: Someone in charge should fix the IPv6 portion of https://wiki.gentoo.org/wiki/Iptables#Generating_firewall_rules_for_client

Everybody posting here is also in charge of doing so.  Feel free to improve the Gentoo wiki.

----------

## skaloo

*charles17 wrote:*

> When the policy is DROP why should one need "-j DROP" some lines further down?

There are actually a couple of situations where people use this, the most common being to drop ASAP some packets we really don't want the kernel to waste time on.

If the configuration has lots of complex/deep chains, dropping those 'INVALID' packets early on saves the kernel further processing.

From a purely conceptual point of view, though, you are right, the rule is not 'required'.

Another case would be to simplify/speed up some complex situation, let's say we want to allow some packet family which contains (many) different sub-groups but explicitly drop *one* of these sub-groups. For instance we want to accept packets 'A', 'B', ..., 'Z' but specifically not the 'D' packet. You'd have to write 25 accept rules. But you could also first write one rule that drops packets 'D', then one rule that accepts family 'alphabet', and you're done with only 2 rules. It's easier to configure/maintain and it's also faster to process in kernel, and it's even less memory used to store the rules.

----------

