# unable to get server publicly reached (ipv6 only, iptables)

## nocomprom1se

Hello dear community (first post here),

I'm struggling to get my homeserver-setup publicly available over IPv6 because I got no public IPv4 (DS-Lite).

Well, I don't know if it's the core of my problem, but my server won't accept the fwbuilder-generated iptables rules without errors.

Running the config:

```
# sh fwbuilder_config
Activating firewall script generated Thu Dec 12 18:45:55 2013 by tds
Running prolog script
Verifying interfaces: eth0 lo
iptables: No chain/target/match by that name.
Rule 0 (eth0)
iptables: No chain/target/match by that name.
Rule 1 (lo)
Rule 2 (global)
iptables: No chain/target/match by that name.
Rule 3 (global)
Rule 4 (global)
iptables: No chain/target/match by that name.
Rule 5 (global)
iptables: No chain/target/match by that name.
iptables: No chain/target/match by that name.
Rule 6 (global)
Rule 7 (global)
iptables: No chain/target/match by that name.
Running epilog script
```

What iptables understood:

```
# iptables -L
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     tcp  --  192.168.178.23       anywhere             tcp dpt:ssh state NEW,ESTABLISHED
drop_invalid  all  --  anywhere             anywhere             state INVALID
In_RULE_0  all  --  localhost            localhost
ACCEPT     all  --  anywhere             anywhere
ACCEPT     icmp --  anywhere             anywhere             icmp destination-unreachable state NEW
ACCEPT     icmp --  anywhere             anywhere             icmptype 0 code 0 state NEW
ACCEPT     icmp --  anywhere             anywhere             icmp ttl-zero-during-transit state NEW
ACCEPT     icmp --  anywhere             anywhere             icmp ttl-zero-during-reassembly state NEW
ACCEPT     udp  --  anywhere             anywhere             udp dpt:openvpn state NEW
REJECT     tcp  --  anywhere             anywhere             tcp dpt:auth reject-with icmp-host-unreachable
RULE_7     all  --  anywhere             anywhere

Chain FORWARD (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED

Chain OUTPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             192.168.178.23       tcp spt:ssh state RELATED,ESTABLISHED
drop_invalid  all  --  anywhere             anywhere             state INVALID
ACCEPT     all  --  anywhere             anywhere
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:domain state NEW
ACCEPT     udp  --  anywhere             anywhere             udp dpt:domain state NEW

Chain In_RULE_0 (1 references)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere

Chain RULE_7 (1 references)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere

Chain drop_invalid (2 references)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere
```

What iptables should get:

https://pastebin.com/4FsZhvTy

The server's IP begins with "2a02:908:". Do you know if this IP is considered public, or is it a prefix associated with local IPs?

----------

## mtfj

Hi, maybe start with ip6tables and ifconfig to see if an IPv6 address is actually assigned to your NIC?

----------

## Hu

That script is broken by design.  You should never use iptables to bulk load rules.  Always use iptables-restore, which can load the entire state atomically.

Similarly, you should never use iptables to produce output when requesting help.  Always use iptables-save, which prints the rules in an unambiguous form.

IPv6 is not handled by iptables.  For IPv6, use ip6tables.

You are probably missing one or more netfilter features required by that script.  You can find which ones by running the script with individual commands printed so that the failed commands will be interspersed with the error messages.

----------
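The diagnostic described in the last reply (run the script with each command printed so the errors line up with the rule that caused them), as an added example that is not part of the original thread. It assumes `sh -x` is used for the tracing; the function names and the sample trace are constructed for illustration and are not taken from the poster's script.

```shell
#!/bin/sh
# Added example: map each iptables error in an `sh -x` trace to its command.

# Constructed sample of `sh -x fwbuilder_config 2>&1` output; these rules are
# illustrative and are not taken from the poster's script.
sample_trace() {
cat <<'EOF'
+ echo Rule 0 (eth0)
Rule 0 (eth0)
+ /sbin/iptables -N In_RULE_0
+ /sbin/iptables -A In_RULE_0 -j LOG --log-level info --log-prefix RULE0
iptables: No chain/target/match by that name.
+ /sbin/iptables -A In_RULE_0 -j DROP
+ echo Rule 2 (global)
Rule 2 (global)
+ /sbin/iptables -A INPUT -p icmp -m icmp --icmp-type 3 -m state --state NEW -j ACCEPT
+ /sbin/iptables -A INPUT -p tcp -m tcp --dport 22 -m limit --limit 5/min -j ACCEPT
iptables: No chain/target/match by that name.
EOF
}

# Print the traced iptables/ip6tables command that preceded each error line.
failed_commands() {
    awk '
        /^\+ [^ ]*ip6?tables /        { last = substr($0, 3); next }
        /^ip6?tables: / && last != "" { print last; last = "" }
    '
}

# List the -m matches and -j targets used by the failing commands. Built-in
# verdicts are skipped because they need no extra netfilter feature.
needed_features() {
    failed_commands | awk '
        { for (i = 1; i < NF; i++) {
              if ($i == "-m") print "match " $(i + 1)
              if ($i == "-j" && $(i + 1) !~ /^(ACCEPT|DROP|QUEUE|RETURN)$/)
                  print "target " $(i + 1)
          } }
    ' | sort -u
}

# Real use (assumed invocation): sh -x fwbuilder_config 2>&1 | needed_features
sample_trace | needed_features
```

Each name printed is only a candidate for a missing netfilter feature; the same error also appears when a rule names a chain that does not exist.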

