By: xSphere

iptables blocking ipv6 traffic after security & kernel upgrade

September 26, 2015
Firewall IPv6 Ubuntu

I have an Ubuntu 14.04 droplet with ipv6 enabled that's been running fine for several months on kernel 3.13.0-43-generic.

I decided to update to get latest security fixes so I ran

# apt-get update && apt-get upgrade

A handful of packages were kept back so I did a

# apt-get dist-upgrade

All looked fine: packages upgraded and kernel upgraded to 3.13.0-63-generic
I powered off, selected new kernel from the web UI and powered on.

Now, when the droplet comes up, ipv6 connectivity is fine for about a minute or so. Then it stops being able to ping the gateway (but can still ping itself):

# ping6 -c 4 2a03:b0c0:1:d0::1
PING 2a03:b0c0:1:d0::1(2a03:b0c0:1:d0::1) 56 data bytes
From 2a03:b0c0:1:d0::31e:5001 icmp_seq=1 Destination unreachable: Address unreachable
From 2a03:b0c0:1:d0::31e:5001 icmp_seq=2 Destination unreachable: Address unreachable
From 2a03:b0c0:1:d0::31e:5001 icmp_seq=3 Destination unreachable: Address unreachable
From 2a03:b0c0:1:d0::31e:5001 icmp_seq=4 Destination unreachable: Address unreachable

--- 2a03:b0c0:1:d0::1 ping statistics ---
4 packets transmitted, 0 received, +4 errors, 100% packet loss, time 3014ms

ipv4 pings look fine:

# ping -c 30 8.8.8.8
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
64 bytes from 8.8.8.8: icmp_seq=1 ttl=57 time=2.47 ms
64 bytes from 8.8.8.8: icmp_seq=2 ttl=57 time=1.87 ms
...

I think I've narrowed the cause down to iptables: if I flush the rules and allow all incoming traffic I can ping the gateway again:

# ip6tables -F
# ip6tables -P INPUT ACCEPT
# ping6 -c 4 2a03:b0c0:1:d0::1
PING 2a03:b0c0:1:d0::1(2a03:b0c0:1:d0::1) 56 data bytes
64 bytes from 2a03:b0c0:1:d0::1: icmp_seq=1 ttl=64 time=5.23 ms
64 bytes from 2a03:b0c0:1:d0::1: icmp_seq=2 ttl=64 time=0.986 ms
64 bytes from 2a03:b0c0:1:d0::1: icmp_seq=3 ttl=64 time=2.58 ms
64 bytes from 2a03:b0c0:1:d0::1: icmp_seq=4 ttl=64 time=3.81 ms

--- 2a03:b0c0:1:d0::1 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3004ms
rtt min/avg/max/mdev = 0.986/3.153/5.230/1.564 ms

My /etc/iptables/rules.v6 is:

# Generated by ip6tables-save v1.4.21 on Mon Mar  9 09:54:32 2015
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 2222 -m state --state NEW -m recent --set --name SSH --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --rsource -j ACCEPT
-A INPUT -m recent --update --seconds 600 --hitcount 8 --rttl --name SSH --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --rsource -j DROP
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8041 -j ACCEPT
COMMIT
# Completed on Mon Mar  9 09:54:32 2015

I suspect the rate-limit has something to do with it, but that's only supposed to affect ssh (on port 2222). Can anyone spot the issue here?

1 Answer

You will need a rule to allow ICMP packets.

-A INPUT -p icmpv6 -j ACCEPT

Then another rule to allow link local addresses

-A INPUT -s fe80::/10 -j ACCEPT

IPv6 requires ICMP packets to pass to work properly, as IPv6 uses ICMP to resolve the link-local addresses. The link-local addresses are how hosts on the same Ethernet segment actually pass traffic to each other. IPv6 works a bit differently to discover MAC addresses on the LAN. Without these rules, you will be doing the equivalent of blocking ARP on IPv4.

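The answer's diagnosis explains the "works for about a minute" symptom: the neighbour cache entry for the gateway is populated while the host is still exchanging traffic, then goes STALE, the host sends a Neighbor Solicitation (OUTPUT is ACCEPT so it leaves), and the gateway's Neighbor Advertisement is dropped by the INPUT policy, so the entry ends up FAILED and ping6 reports "Address unreachable". The script below is an added example, not code from the original post or its answer. It narrows the answer's two blanket rules (`-p icmpv6 -j ACCEPT` and `-s fe80::/10 -j ACCEPT`) to the ICMPv6 types the host actually needs, requires hop limit 255 on Neighbor Discovery as RFC 4861 mandates (so RA/NS/NA that were routed in from off-link are rejected), and includes a small check that reads a ruleset on stdin and fails when inbound Neighbor Discovery cannot reach the host. The service ports 2222/443/80/8041 are carried over from the poster's file on the assumption that they are still the ones to expose.

```shell
#!/bin/sh
# Added example, not code from the original post or its answer.
# Two ip6tables-restore rulesets plus a check that tells them apart:
#   original_rules    - the poster's /etc/iptables/rules.v6 as shown above
#   ip6_rules_with_nd - the same policy with ICMPv6 Neighbor Discovery allowed
#   nd_allowed        - reads a ruleset on stdin, succeeds only if inbound
#                       Neighbor Discovery can reach the host

# The poster's ruleset, reproduced here so the check can be run against it.
original_rules() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 2222 -m state --state NEW -m recent --set --name SSH --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --rsource -j ACCEPT
-A INPUT -m recent --update --seconds 600 --hitcount 8 --rttl --name SSH --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --rsource -j DROP
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8041 -j ACCEPT
COMMIT
EOF
}

# Same policy, with ICMPv6 admitted by type instead of "-p icmpv6 -j ACCEPT".
# Ports 2222/443/80/8041 are kept from the poster's rules (assumption: these
# are still the services to expose). Lines starting with '#' are ignored by
# ip6tables-restore.
ip6_rules_with_nd() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# ICMPv6 error messages; packet-too-big is what path MTU discovery relies on
-A INPUT -p icmpv6 --icmpv6-type destination-unreachable -j ACCEPT
-A INPUT -p icmpv6 --icmpv6-type packet-too-big -j ACCEPT
-A INPUT -p icmpv6 --icmpv6-type time-exceeded -j ACCEPT
-A INPUT -p icmpv6 --icmpv6-type parameter-problem -j ACCEPT
# Inbound ping6, rate-limited
-A INPUT -p icmpv6 --icmpv6-type echo-request -m limit --limit 10/s -j ACCEPT
# Neighbor Discovery (RFC 4861). Senders must use hop limit 255, so requiring
# it here rejects RA/NS/NA that were routed in from off-link.
-A INPUT -p icmpv6 --icmpv6-type router-advertisement -m hl --hl-eq 255 -j ACCEPT
-A INPUT -p icmpv6 --icmpv6-type neighbor-solicitation -m hl --hl-eq 255 -j ACCEPT
-A INPUT -p icmpv6 --icmpv6-type neighbor-advertisement -m hl --hl-eq 255 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 2222 -m state --state NEW -m recent --set --name SSH --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --rsource -j ACCEPT
-A INPUT -m recent --update --seconds 600 --hitcount 8 --rttl --name SSH --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --rsource -j DROP
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8041 -j ACCEPT
COMMIT
EOF
}

# Return 0 if the ruleset on stdin ACCEPTs inbound Neighbor Discovery on INPUT:
# either a blanket "-p icmpv6 -j ACCEPT" or explicit neighbor-solicitation
# and neighbor-advertisement rules. Return 1 otherwise (the poster's case).
nd_allowed() {
    accepts=$(grep -v '^#' | grep '^-A INPUT ' | grep -- ' -p icmpv6 ' | grep -- '-j ACCEPT') || true
    # blanket ICMPv6 accept: an icmpv6 ACCEPT rule with no type restriction
    if printf '%s\n' "$accepts" | grep -v -- '--icmpv6-type' | grep -q .; then
        return 0
    fi
    printf '%s\n' "$accepts" | grep -q -- '--icmpv6-type neighbor-solicitation' &&
    printf '%s\n' "$accepts" | grep -q -- '--icmpv6-type neighbor-advertisement'
}

# Usage on the droplet (as root):
#   ip6_rules_with_nd > /etc/iptables/rules.v6 && ip6tables-restore < /etc/iptables/rules.v6
if [ "${1:-}" = "check" ]; then
    if original_rules | nd_allowed; then echo "original: ND allowed"; else echo "original: ND blocked"; fi
    if ip6_rules_with_nd | nd_allowed; then echo "with-nd: ND allowed"; else echo "with-nd: ND blocked"; fi
fi
```

To confirm the diagnosis on the host before changing anything, `ip -6 neigh show` lists the gateway's entry as FAILED (or stuck in INCOMPLETE) once the minute is up, and the chain header printed by `ip6tables -L INPUT -v -n` shows the policy DROP packet counter climbing while the pings fail; after loading the new file both should settle, with the gateway entry back to REACHABLE or STALE.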