Question
iptables blocking ipv6 traffic after security & kernel upgrade
I have an Ubuntu 14.04 droplet with ipv6 enabled that’s been running fine for several months on kernel 3.13.0-43-generic.
I decided to update to get latest security fixes so I ran
# apt-get update && apt-get upgrade
A handful of packages were kept back so I did a
# apt-get dist-upgrade
All looked fine: packages upgraded and kernel upgraded to 3.13.0-63-generic
I powered off, selected new kernel from the web UI and powered on.
Now, when the droplet comes up, ipv6 connectivity is fine for about a minute or so. Then it stops being able to ping the gateway (but can still ping itself):
# ping6 -c 4 2a03:b0c0:1:d0::1
PING 2a03:b0c0:1:d0::1(2a03:b0c0:1:d0::1) 56 data bytes
From 2a03:b0c0:1:d0::31e:5001 icmp_seq=1 Destination unreachable: Address unreachable
From 2a03:b0c0:1:d0::31e:5001 icmp_seq=2 Destination unreachable: Address unreachable
From 2a03:b0c0:1:d0::31e:5001 icmp_seq=3 Destination unreachable: Address unreachable
From 2a03:b0c0:1:d0::31e:5001 icmp_seq=4 Destination unreachable: Address unreachable
--- 2a03:b0c0:1:d0::1 ping statistics ---
4 packets transmitted, 0 received, +4 errors, 100% packet loss, time 3014ms
ipv4 pings look fine:
# ping -c 30 8.8.8.8
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
64 bytes from 8.8.8.8: icmp_seq=1 ttl=57 time=2.47 ms
64 bytes from 8.8.8.8: icmp_seq=2 ttl=57 time=1.87 ms
...
I think I’ve narrowed the cause down to iptables: if I flush the rules and allow all incoming traffic I can ping the gateway again:
# ip6tables -F
# ip6tables -P INPUT ACCEPT
# ping6 -c 4 2a03:b0c0:1:d0::1
PING 2a03:b0c0:1:d0::1(2a03:b0c0:1:d0::1) 56 data bytes
64 bytes from 2a03:b0c0:1:d0::1: icmp_seq=1 ttl=64 time=5.23 ms
64 bytes from 2a03:b0c0:1:d0::1: icmp_seq=2 ttl=64 time=0.986 ms
64 bytes from 2a03:b0c0:1:d0::1: icmp_seq=3 ttl=64 time=2.58 ms
64 bytes from 2a03:b0c0:1:d0::1: icmp_seq=4 ttl=64 time=3.81 ms
--- 2a03:b0c0:1:d0::1 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3004ms
rtt min/avg/max/mdev = 0.986/3.153/5.230/1.564 ms
My /etc/iptables/rules.v6 is:
# Generated by ip6tables-save v1.4.21 on Mon Mar 9 09:54:32 2015
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 2222 -m state --state NEW -m recent --set --name SSH --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --rsource -j ACCEPT
-A INPUT -m recent --update --seconds 600 --hitcount 8 --rttl --name SSH --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --rsource -j DROP
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8041 -j ACCEPT
COMMIT
# Completed on Mon Mar 9 09:54:32 2015
I suspect the rate-limit has something to do with it, but that’s only supposed to affect ssh (on port 2222). Can anyone spot the issue here?
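The symptom above (IPv6 works briefly after boot, then the gateway becomes "Address unreachable" while IPv4 is fine, and flushing ip6tables restores it) is the classic signature of a ruleset that drops ICMPv6: with a default INPUT DROP policy and no ICMPv6 ACCEPT, IPv6 Neighbor Discovery (ICMPv6 types 133-137) is silently dropped, and the gateway's neighbor cache entry expires after about a minute. The script below is an added example, not part of the original post or any answer; it audits an ip6tables-save style ruleset for exactly this problem and emits a corrected copy. The embedded ruleset is a constructed copy of the one in the question, the function names are the example's own, and the inserted rules use the standard ip6tables `-p ipv6-icmp -m icmp6 --icmpv6-type` syntax.

```shell
#!/bin/sh
# Added example, not code from the original post. It audits an ip6tables-save
# style ruleset for the failure mode behind this symptom: INPUT policy DROP
# with no ACCEPT for ICMPv6 also drops IPv6 Neighbor Discovery (ICMPv6 types
# 133-137). The host can only reach the gateway while the neighbor cache entry
# learned before the rules were loaded is still fresh; once it expires
# (typically about a minute), ping6 reports "Address unreachable".

# Constructed copy of the questioner's rules.v6 (the SSH rate-limit lines are
# kept verbatim; they are unrelated to the ICMPv6 problem).
RULES_BROKEN=$(cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 2222 -m state --state NEW -m recent --set --name SSH --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --rsource -j ACCEPT
-A INPUT -m recent --update --seconds 600 --hitcount 8 --rttl --name SSH --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --rsource -j DROP
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8041 -j ACCEPT
COMMIT
EOF
)

# ICMPv6 types a host must accept for basic connectivity (RFC 4890):
# 1-4 error messages (including packet-too-big, needed for PMTU discovery),
# 128/129 echo, 133-137 Router/Neighbor Discovery and Redirect.
ND_TYPES="1 2 3 4 128 129 133 134 135 136 137"

# Returns 0 if INPUT's default policy is DROP.
input_policy_drop() { printf '%s\n' "$1" | grep -q '^:INPUT DROP'; }

# Returns 0 if some INPUT rule accepts ICMPv6 (by protocol name or number 58).
icmpv6_accepted() {
  printf '%s\n' "$1" | grep -Eq '^-A INPUT .*-p (ipv6-icmp|icmpv6|58)( |$).*-j ACCEPT$'
}

# Verdict for a ruleset: BREAKS_ND (ND will be dropped) or OK.
audit() {
  if input_policy_drop "$1" && ! icmpv6_accepted "$1"; then
    echo BREAKS_ND
  else
    echo OK
  fi
}

# Emit a corrected ruleset: ICMPv6 ACCEPT rules are inserted right after the
# loopback rule so they sit before the rate-limit DROP. Unchanged if already OK.
fix_rules() {
  if icmpv6_accepted "$1"; then printf '%s\n' "$1"; return; fi
  printf '%s\n' "$1" | awk -v types="$ND_TYPES" '
    { print }
    /^-A INPUT -i lo -j ACCEPT$/ {
      n = split(types, t, " ")
      for (i = 1; i <= n; i++)
        print "-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type " t[i] " -j ACCEPT"
    }'
}

# Number of ICMPv6 accept rules in a ruleset (used to confirm the fix took).
count_icmpv6_rules() {
  printf '%s\n' "$1" | grep -c -- '-p ipv6-icmp -m icmp6 --icmpv6-type'
}

# Audit a saved ruleset file, e.g. audit_file /etc/iptables/rules.v6
audit_file() { audit "$(cat "$1")"; }

echo "before: $(audit "$RULES_BROKEN")"
RULES_FIXED=$(fix_rules "$RULES_BROKEN")
echo "after:  $(audit "$RULES_FIXED")"
printf '%s\n' "$RULES_FIXED"
```

To confirm the diagnosis on a live host before changing anything, watch `ip -6 neigh show` after boot: the gateway entry goes from REACHABLE to STALE and then FAILED at about the time ping6 starts failing, and `ip6tables -vnL INPUT` shows the policy counter climbing while the OUTPUT side keeps sending solicitations. The corrected ruleset keeps the SSH rate-limit rules as the questioner wrote them; only the ICMPv6 accepts are new, and they go before the recent-match DROP so that neighbor traffic can never be caught by it.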