[Solved] ip6tables copied from iptables => add INPUT -p ipv6-icmp -j ACCEPT

Linux Kernel, Network, and Services configuration.
emontheaud
Posts: 2
Joined: 2023-03-27 21:56

[Solved] ip6tables copied from iptables => add INPUT -p ipv6-icmp -j ACCEPT

#1 Post by emontheaud »

Hello all,

I have to use IPv6 to access my Debian 10 server using SSH.

Here is the current output of iptables-save, which still works well in IPv4:

Code:

# Generated by iptables-save v1.6.0 on Wed Apr  1 15:00:13 2020
*filter
:INPUT DROP [125:9610]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [511:77841]
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT
# Completed on Wed Apr  1 15:00:13 2020

I tried to do something similar with ip6tables, just by copying them. Here is the output of ip6tables-save:

Code:

# Generated by xtables-save v1.8.2 on Mon Mar 27 21:11:49 2023
*filter
:INPUT DROP [125:9610]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [511:77841]
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT
# Completed on Mon Mar 27 21:11:49 2023

When I restore the ip6tables configuration with ip6tables-restore:
- new incoming ssh connections are not possible
- already active ssh connections work for ~10 seconds, then freeze, until I run iptables -P INPUT ACCEPT

Obviously, ESTABLISHED connections are not accepted in IPv6.

Do you folks have any idea why?

Thanks
Last edited by emontheaud on 2023-03-27 22:26, edited 1 time in total.

emontheaud
Posts: 2
Joined: 2023-03-27 21:56

Re: ip6tables copied from iptables

#2 Post by emontheaud »

Well, I've finally found the solution.

ICMPv6 has to be accepted in the INPUT chain. This works as intended:

Code:

# Generated by xtables-save v1.8.2 on Mon Mar 27 22:23:13 2023
*filter
:INPUT DROP [394:33816]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [1121:205310]
-A INPUT -p ipv6-icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT
# Completed on Mon Mar 27 22:23:13 2023

See also https://serverfault.com/questions/66759 ... of-packets
and https://serverfault.com/questions/41032 ... p-for-ipv6
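
Added example, not part of the original posts: IPv6 neighbor discovery runs over ICMPv6, so an IPv4 ruleset copied unchanged under a DROP policy blocks it. The hypothetical helper `check_ip6_ruleset` below lints `ip6tables-save` output for that condition; the function name, exit codes and zeroed packet counters are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread): lint an ip6tables-save dump read from stdin.
# Exit status: 0 = INPUT can receive ICMPv6, 1 = INPUT policy is not ACCEPT and
# no rule accepts ICMPv6, 2 = no filter/INPUT policy line found.
# Simplification (assumption): any "-p ipv6-icmp ... -j ACCEPT" rule counts,
# even if it is restricted by interface, source or ICMPv6 type.
check_ip6_ruleset() {
    awk '
        /^\*/             { table = substr($1, 2) }   # "*filter" starts a table
        table != "filter" { next }
        /^:INPUT /        { policy = $2 }             # ":INPUT DROP [0:0]"
        /^-A INPUT / {
            proto = ""; target = ""
            for (i = 3; i <= NF; i++) {
                if ($i == "-p") proto  = $(i + 1)
                if ($i == "-j") target = $(i + 1)
            }
            # ip6tables accepts these three spellings of protocol 58
            if (target == "ACCEPT" && (proto == "ipv6-icmp" || proto == "icmpv6" || proto == "58"))
                icmp_ok = 1
        }
        END {
            if (policy == "") exit 2
            if (policy == "ACCEPT" || icmp_ok) exit 0
            exit 1
        }'
}

# Rulesets from posts #1 and #2, with packet counters zeroed.
RULES_HEAD='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]'
RULES_TAIL='-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT'
BROKEN_RULES="$RULES_HEAD
$RULES_TAIL"
FIXED_RULES="$RULES_HEAD
-A INPUT -p ipv6-icmp -j ACCEPT
$RULES_TAIL"

verdict() {   # one-line verdict for the ruleset passed as $1
    if printf '%s\n' "$1" | check_ip6_ruleset; then echo "ICMPv6 accepted"
    else echo "ICMPv6 dropped (neighbor discovery included)"; fi
}
echo "post #1: $(verdict "$BROKEN_RULES")"
echo "post #2: $(verdict "$FIXED_RULES")"
```

On a live host the same check can be run before applying a file, for example `check_ip6_ruleset < rules.v6 && ip6tables-restore < rules.v6`, where `rules.v6` is a placeholder file name.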

Aki
Global Moderator
Posts: 2823
Joined: 2014-07-20 18:12
Location: Europe
Has thanked: 69 times
Been thanked: 385 times

Re: [Solved] ip6tables copied from iptables => add INPUT -p ipv6-icmp -j ACCEPT

#3 Post by Aki »

Hello,
Thanks for updating the thread and for sharing the solution in the interest of other forum users.
Happy Debian & happy hacking.
⢀⣴⠾⠻⢶⣦⠀
⣾⠁⢠⠒⠀⣿⡁ Debian - The universal operating system
⢿⡄⠘⠷⠚⠋⠀ https://www.debian.org
⠈⠳⣄⠀
