Question

iptables blocking ipv6 traffic after security & kernel upgrade

I have an Ubuntu 14.04 droplet with ipv6 enabled that’s been running fine for several months on kernel 3.13.0-43-generic.

I decided to update to get latest security fixes so I ran

# apt-get update && apt-get upgrade

A handful of packages were kept back so I did a

# apt-get dist-upgrade

All looked fine: packages upgraded and the kernel upgraded to 3.13.0-63-generic. I powered off, selected the new kernel from the web UI and powered on.

Now, when the droplet comes up, ipv6 connectivity is fine for about a minute or so. Then it stops being able to ping the gateway (but can still ping itself):

# ping6 -c 4 2a03:b0c0:1:d0::1
PING 2a03:b0c0:1:d0::1(2a03:b0c0:1:d0::1) 56 data bytes
From 2a03:b0c0:1:d0::31e:5001 icmp_seq=1 Destination unreachable: Address unreachable
From 2a03:b0c0:1:d0::31e:5001 icmp_seq=2 Destination unreachable: Address unreachable
From 2a03:b0c0:1:d0::31e:5001 icmp_seq=3 Destination unreachable: Address unreachable
From 2a03:b0c0:1:d0::31e:5001 icmp_seq=4 Destination unreachable: Address unreachable

--- 2a03:b0c0:1:d0::1 ping statistics ---
4 packets transmitted, 0 received, +4 errors, 100% packet loss, time 3014ms

ipv4 pings look fine:

# ping -c 30 8.8.8.8
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
64 bytes from 8.8.8.8: icmp_seq=1 ttl=57 time=2.47 ms
64 bytes from 8.8.8.8: icmp_seq=2 ttl=57 time=1.87 ms
...

I think I’ve narrowed the cause down to iptables: if I flush the rules and allow all incoming traffic I can ping the gateway again:

# ip6tables -F
# ip6tables -P INPUT ACCEPT
# ping6 -c 4 2a03:b0c0:1:d0::1
PING 2a03:b0c0:1:d0::1(2a03:b0c0:1:d0::1) 56 data bytes
64 bytes from 2a03:b0c0:1:d0::1: icmp_seq=1 ttl=64 time=5.23 ms
64 bytes from 2a03:b0c0:1:d0::1: icmp_seq=2 ttl=64 time=0.986 ms
64 bytes from 2a03:b0c0:1:d0::1: icmp_seq=3 ttl=64 time=2.58 ms
64 bytes from 2a03:b0c0:1:d0::1: icmp_seq=4 ttl=64 time=3.81 ms

--- 2a03:b0c0:1:d0::1 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3004ms
rtt min/avg/max/mdev = 0.986/3.153/5.230/1.564 ms

My /etc/iptables/rules.v6 is:

# Generated by ip6tables-save v1.4.21 on Mon Mar  9 09:54:32 2015
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 2222 -m state --state NEW -m recent --set --name SSH --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --rsource -j ACCEPT
-A INPUT -m recent --update --seconds 600 --hitcount 8 --rttl --name SSH --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --rsource -j DROP
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8041 -j ACCEPT
COMMIT
# Completed on Mon Mar  9 09:54:32 2015

I suspect the rate-limit has something to do with it, but that’s only supposed to affect ssh (on port 2222). Can anyone spot the issue here?



You will need a rule to allow ICMP packets.

-A INPUT -p icmpv6 -j ACCEPT

Then another rule to allow link-local addresses:

-A INPUT -s fe80::/10 -j ACCEPT

IPv6 requires ICMP packets to pass to work properly, as IPv6 uses ICMP to resolve the link-local addresses. The link-local addresses are how hosts on the same Ethernet segment actually pass traffic to each other. IPv6 works a bit differently to discover MAC addresses on the LAN. Without these rules, you will be doing the equivalent of blocking ARP on IPv4.
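A complete /etc/iptables/rules.v6 that puts the answer into practice, added here as an example; it is not the original poster's file or the answerer's. The "fine for about a minute, then Address unreachable" symptom is what a neighbour cache entry going stale looks like: after the reachable timer expires the kernel re-probes the gateway with a Neighbor Solicitation, and the Neighbor Advertisement that comes back is not RELATED/ESTABLISHED as far as conntrack is concerned, so the INPUT DROP policy eats it and the entry ends up FAILED. Rather than accepting all of ICMPv6, this version admits only the types a host needs (the RFC 4890 set) and checks the hop limit of 255 that RFC 4861 requires for Neighbor Discovery, so a packet that crossed a router cannot forge a neighbour or router advertisement. The blanket fe80::/10 accept from the answer is left out because these rules already cover link-local NDP traffic; add it back if something else on the host talks to link-local peers. Two further changes are mine, not from the question: the SSH rate-limit rules are reordered so the recent --update DROP comes before the --set ACCEPT (as posted, every NEW connection to 2222 is accepted by the --set rule first, so the DROP never throttles SSH and instead hits new connections to other ports from heavy SSH users), and the DROP now carries -p tcp --dport 2222 so it cannot cut a source off from 80, 443 and 8041. The port numbers and the 600-second/8-hit threshold are taken from the question.

```text
# Reworked /etc/iptables/rules.v6 (added example; the type list and hop-limit
# checks are an assumption about what this host needs, not the poster's file)
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# Neighbor Discovery (RFC 4861): NS/NA are IPv6's ARP, RA keeps the default route.
# RFC 4861 requires hop limit 255 on these, so anything that crossed a router fails
# the hl match and falls through to the DROP policy.
-A INPUT -p icmpv6 --icmpv6-type router-advertisement -m hl --hl-eq 255 -j ACCEPT
-A INPUT -p icmpv6 --icmpv6-type neighbour-solicitation -m hl --hl-eq 255 -j ACCEPT
-A INPUT -p icmpv6 --icmpv6-type neighbour-advertisement -m hl --hl-eq 255 -j ACCEPT
# MLD query/report/done (types 130-132, 143): the router uses these to learn which
# solicited-node multicast groups this host listens on, which NS delivery relies on.
-A INPUT -p icmpv6 --icmpv6-type 130 -j ACCEPT
-A INPUT -p icmpv6 --icmpv6-type 131 -j ACCEPT
-A INPUT -p icmpv6 --icmpv6-type 132 -j ACCEPT
-A INPUT -p icmpv6 --icmpv6-type 143 -j ACCEPT
# Error messages (RFC 4443). Dropping packet-too-big breaks path MTU discovery
# and stalls large TCP transfers.
-A INPUT -p icmpv6 --icmpv6-type destination-unreachable -j ACCEPT
-A INPUT -p icmpv6 --icmpv6-type packet-too-big -j ACCEPT
-A INPUT -p icmpv6 --icmpv6-type ttl-exceeded -j ACCEPT
-A INPUT -p icmpv6 --icmpv6-type parameter-problem -j ACCEPT
# Inbound ping, rate limited. Replies to our own ping6 already match ESTABLISHED.
-A INPUT -p icmpv6 --icmpv6-type echo-request -m limit --limit 10/s -j ACCEPT
# SSH rate limit: check-and-drop first, then record-and-accept. Both rules match
# only new connections to 2222, so other ports are unaffected.
-A INPUT -p tcp --dport 2222 -m state --state NEW -m recent --update --seconds 600 --hitcount 8 --rttl --name SSH --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --rsource -j DROP
-A INPUT -p tcp --dport 2222 -m state --state NEW -m recent --set --name SSH --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --rsource -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 8041 -j ACCEPT
COMMIT
```

Load it with ip6tables-restore < /etc/iptables/rules.v6 (or reboot, if iptables-persistent reads the file at boot), then watch ip -6 neigh show for a couple of minutes: the gateway entry should cycle between REACHABLE and STALE without ever reaching FAILED, and ip6tables -L INPUT -v -n should show the neighbour-solicitation and neighbour-advertisement counters climbing. If ping6 instead reports "sendmsg: Operation not permitted", the packet was dropped before it left the host, so look at the OUTPUT chain (ip6tables -L OUTPUT -v -n) rather than INPUT.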

Tried ping6 -c 4 2a03:b0c0:1:d0::1 but that shows an error:

PING 2a03:b0c0:1:d0::1(2a03:b0c0:1:d0::1) 56 data bytes
ping: sendmsg: Operation not permitted

Any clues? Could not find a relevant solution online.