IPv6 Rules not added to ip6tables
Posted: 20 Jun 2022, 05:25
Hi,
I have been going blind on trying to debug why I cannot accept incoming connections on any services via IPv6, even though I can ping fine.
After checking the ip6tables configuration I noticed that the rules are not being added, well at least in Webmin. I am very confused, let me explain why:
- In Webmin -> Linux Firewall I can see all sort of rules being added which reflects what's in CSF
- In Webmin -> Linux IPv6 Firewall I can only see a couple rules added which explains why connections are being rejected
- If I manually check ip6tables -S the output does not match what's shown in Webmin, and if it was IPv6 would work (I assume)
Many thanks
I have been going blind on trying to debug why I cannot accept incoming connections on any services via IPv6, even though I can ping fine.
After checking the ip6tables configuration I noticed that the rules are not being added, well at least in Webmin. I am very confused, let me explain why:
- In Webmin -> Linux Firewall I can see all sort of rules being added which reflects what's in CSF
- In Webmin -> Linux IPv6 Firewall I can only see a couple rules added which explains why connections are being rejected
- If I manually check ip6tables -S the output does not match what's shown in Webmin, and if it was IPv6 would work (I assume)
Code: Select all
[root@ws1 ~]# ip6tables -S
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT DROP
-N LOGDROPIN
-N LOGDROPOUT
-N DENYIN
-N DENYOUT
-N ALLOWIN
-N ALLOWOUT
-N LOCALINPUT
-N LOCALOUTPUT
-N INVDROP
-N INVALID
-N SMTPOUTPUT
-A INPUT ! -i lo -j LOCALINPUT
-A INPUT -i lo -j ACCEPT
-A INPUT ! -i lo -p tcp -j INVALID
-A INPUT ! -i lo -p ipv6-icmp -m icmp6 --icmpv6-type 1 -j ACCEPT
-A INPUT ! -i lo -p ipv6-icmp -m icmp6 --icmpv6-type 2 -j ACCEPT
-A INPUT ! -i lo -p ipv6-icmp -m icmp6 --icmpv6-type 3 -j ACCEPT
-A INPUT ! -i lo -p ipv6-icmp -m icmp6 --icmpv6-type 4 -j ACCEPT
-A INPUT ! -i lo -p ipv6-icmp -m icmp6 --icmpv6-type 128 -j ACCEPT
-A INPUT ! -i lo -p ipv6-icmp -m icmp6 --icmpv6-type 129 -j ACCEPT
-A INPUT ! -i lo -p ipv6-icmp -m icmp6 --icmpv6-type 134 -m hl --hl-eq 255 -j ACCEPT
-A INPUT ! -i lo -p ipv6-icmp -m icmp6 --icmpv6-type 135 -m hl --hl-eq 255 -j ACCEPT
-A INPUT ! -i lo -p ipv6-icmp -m icmp6 --icmpv6-type 136 -m hl --hl-eq 255 -j ACCEPT
-A INPUT ! -i lo -p ipv6-icmp -m icmp6 --icmpv6-type 137 -m hl --hl-eq 255 -j ACCEPT
-A INPUT ! -i lo -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT ! -i lo -p tcp -m conntrack --ctstate NEW -m tcp --dport 20 -j ACCEPT
-A INPUT ! -i lo -p tcp -m conntrack --ctstate NEW -m tcp --dport 21 -j ACCEPT
-A INPUT ! -i lo -p tcp -m conntrack --ctstate NEW -m tcp --dport 1122 -j ACCEPT
-A INPUT ! -i lo -p tcp -m conntrack --ctstate NEW -m tcp --dport 25 -j ACCEPT
-A INPUT ! -i lo -p tcp -m conntrack --ctstate NEW -m tcp --dport 53 -j ACCEPT
-A INPUT ! -i lo -p tcp -m conntrack --ctstate NEW -m tcp --dport 80 -j ACCEPT
-A INPUT ! -i lo -p tcp -m conntrack --ctstate NEW -m tcp --dport 110 -j ACCEPT
-A INPUT ! -i lo -p tcp -m conntrack --ctstate NEW -m tcp --dport 143 -j ACCEPT
-A INPUT ! -i lo -p tcp -m conntrack --ctstate NEW -m tcp --dport 443 -j ACCEPT
-A INPUT ! -i lo -p tcp -m conntrack --ctstate NEW -m tcp --dport 465 -j ACCEPT
-A INPUT ! -i lo -p tcp -m conntrack --ctstate NEW -m tcp --dport 587 -j ACCEPT
-A INPUT ! -i lo -p tcp -m conntrack --ctstate NEW -m tcp --dport 993 -j ACCEPT
-A INPUT ! -i lo -p tcp -m conntrack --ctstate NEW -m tcp --dport 995 -j ACCEPT
-A INPUT ! -i lo -p tcp -m conntrack --ctstate NEW -m tcp --dport 7080 -j ACCEPT
-A INPUT ! -i lo -p tcp -m conntrack --ctstate NEW -m tcp --dport 8088 -j ACCEPT
-A INPUT ! -i lo -p tcp -m conntrack --ctstate NEW -m tcp --dport 10000 -j ACCEPT
-A INPUT ! -i lo -p udp -m conntrack --ctstate NEW -m udp --dport 20 -j ACCEPT
-A INPUT ! -i lo -p udp -m conntrack --ctstate NEW -m udp --dport 21 -j ACCEPT
-A INPUT ! -i lo -p udp -m conntrack --ctstate NEW -m udp --dport 53 -j ACCEPT
-A INPUT ! -i lo -p udp -m conntrack --ctstate NEW -m udp --dport 80 -j ACCEPT
-A INPUT ! -i lo -p udp -m conntrack --ctstate NEW -m udp --dport 443 -j ACCEPT
-A INPUT ! -i lo -j LOGDROPIN
-A OUTPUT ! -o lo -j LOCALOUTPUT
-A OUTPUT ! -o lo -p tcp -m tcp --dport 53 -j ACCEPT
-A OUTPUT ! -o lo -p udp -m udp --dport 53 -j ACCEPT
-A OUTPUT ! -o lo -p tcp -m tcp --sport 53 -j ACCEPT
-A OUTPUT ! -o lo -p udp -m udp --sport 53 -j ACCEPT
-A OUTPUT -j SMTPOUTPUT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT ! -o lo -p tcp -j INVALID
-A OUTPUT ! -o lo -p ipv6-icmp -j ACCEPT
-A OUTPUT ! -o lo -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT ! -o lo -p tcp -m conntrack --ctstate NEW -m tcp --dport 20 -j ACCEPT
-A OUTPUT ! -o lo -p tcp -m conntrack --ctstate NEW -m tcp --dport 21 -j ACCEPT
-A OUTPUT ! -o lo -p tcp -m conntrack --ctstate NEW -m tcp --dport 1122 -j ACCEPT
-A OUTPUT ! -o lo -p tcp -m conntrack --ctstate NEW -m tcp --dport 25 -j ACCEPT
-A OUTPUT ! -o lo -p tcp -m conntrack --ctstate NEW -m tcp --dport 53 -j ACCEPT
-A OUTPUT ! -o lo -p tcp -m conntrack --ctstate NEW -m tcp --dport 80 -j ACCEPT
-A OUTPUT ! -o lo -p tcp -m conntrack --ctstate NEW -m tcp --dport 110 -j ACCEPT
-A OUTPUT ! -o lo -p tcp -m conntrack --ctstate NEW -m tcp --dport 113 -j ACCEPT
-A OUTPUT ! -o lo -p tcp -m conntrack --ctstate NEW -m tcp --dport 443 -j ACCEPT
-A OUTPUT ! -o lo -p tcp -m conntrack --ctstate NEW -m tcp --dport 587 -j ACCEPT
-A OUTPUT ! -o lo -p tcp -m conntrack --ctstate NEW -m tcp --dport 993 -j ACCEPT
-A OUTPUT ! -o lo -p tcp -m conntrack --ctstate NEW -m tcp --dport 995 -j ACCEPT
-A OUTPUT ! -o lo -p tcp -m conntrack --ctstate NEW -m tcp --dport 7080 -j ACCEPT
-A OUTPUT ! -o lo -p tcp -m conntrack --ctstate NEW -m tcp --dport 8088 -j ACCEPT
-A OUTPUT ! -o lo -p tcp -m conntrack --ctstate NEW -m tcp --dport 10000 -j ACCEPT
-A OUTPUT ! -o lo -p udp -m conntrack --ctstate NEW -m udp --dport 20 -j ACCEPT
-A OUTPUT ! -o lo -p udp -m conntrack --ctstate NEW -m udp --dport 21 -j ACCEPT
-A OUTPUT ! -o lo -p udp -m conntrack --ctstate NEW -m udp --dport 53 -j ACCEPT
-A OUTPUT ! -o lo -p udp -m conntrack --ctstate NEW -m udp --dport 113 -j ACCEPT
-A OUTPUT ! -o lo -p udp -m conntrack --ctstate NEW -m udp --dport 123 -j ACCEPT
-A OUTPUT ! -o lo -p udp -m conntrack --ctstate NEW -m udp --dport 443 -j ACCEPT
-A OUTPUT ! -o lo -j LOGDROPOUT
-A LOGDROPIN -p tcp -m tcp --dport 23 -j DROP
-A LOGDROPIN -p udp -m udp --dport 23 -j DROP
-A LOGDROPIN -p tcp -m tcp --dport 67 -j DROP
-A LOGDROPIN -p udp -m udp --dport 67 -j DROP
-A LOGDROPIN -p tcp -m tcp --dport 68 -j DROP
-A LOGDROPIN -p udp -m udp --dport 68 -j DROP
-A LOGDROPIN -p tcp -m tcp --dport 111 -j DROP
-A LOGDROPIN -p udp -m udp --dport 111 -j DROP
-A LOGDROPIN -p tcp -m tcp --dport 113 -j DROP
-A LOGDROPIN -p udp -m udp --dport 113 -j DROP
-A LOGDROPIN -p tcp -m tcp --dport 135:139 -j DROP
-A LOGDROPIN -p udp -m udp --dport 135:139 -j DROP
-A LOGDROPIN -p tcp -m tcp --dport 445 -j DROP
-A LOGDROPIN -p udp -m udp --dport 445 -j DROP
-A LOGDROPIN -p tcp -m tcp --dport 500 -j DROP
-A LOGDROPIN -p udp -m udp --dport 500 -j DROP
-A LOGDROPIN -p tcp -m tcp --dport 513 -j DROP
-A LOGDROPIN -p udp -m udp --dport 513 -j DROP
-A LOGDROPIN -p tcp -m tcp --dport 520 -j DROP
-A LOGDROPIN -p udp -m udp --dport 520 -j DROP
-A LOGDROPIN -p tcp -m limit --limit 30/min -j LOG --log-prefix "Firewall: *TCP6IN Blocked* "
-A LOGDROPIN -p udp -m limit --limit 30/min -j LOG --log-prefix "Firewall: *UDP6IN Blocked* "
-A LOGDROPIN -p ipv6-icmp -m limit --limit 30/min -j LOG --log-prefix "Firewall: *ICMP6IN Blocked* "
-A LOGDROPIN -j DROP
-A LOGDROPOUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 30/min -j LOG --log-prefix "Firewall: *TCP6OUT Blocked* " --log-uid
-A LOGDROPOUT -p udp -m limit --limit 30/min -j LOG --log-prefix "Firewall: *UDP6OUT Blocked* " --log-uid
-A LOGDROPOUT -p ipv6-icmp -m limit --limit 30/min -j LOG --log-prefix "Firewall: *ICMP6OUT Blocked* " --log-uid
-A LOGDROPOUT -j REJECT --reject-with icmp6-port-unreachable
-A DENYIN -m set --match-set chain_6_DENY src -j DROP
-A DENYOUT -m set --match-set chain_6_DENY dst -j LOGDROPOUT
-A ALLOWIN -s 2c0f:f248::/32 ! -i lo -p tcp -m tcp --dport 443 -j ACCEPT
-A ALLOWIN -s 2a06:98c0::/29 ! -i lo -p tcp -m tcp --dport 443 -j ACCEPT
-A ALLOWIN -s 2405:8100::/32 ! -i lo -p tcp -m tcp --dport 443 -j ACCEPT
-A ALLOWIN -s 2405:b500::/32 ! -i lo -p tcp -m tcp --dport 443 -j ACCEPT
-A ALLOWIN -s 2803:f800::/32 ! -i lo -p tcp -m tcp --dport 443 -j ACCEPT
-A ALLOWIN -s 2606:4700::/32 ! -i lo -p tcp -m tcp --dport 443 -j ACCEPT
-A ALLOWIN -s 2400:cb00::/32 ! -i lo -p tcp -m tcp --dport 443 -j ACCEPT
-A ALLOWIN -s 2c0f:f248::/32 ! -i lo -p tcp -m tcp --dport 80 -j ACCEPT
-A ALLOWIN -s 2a06:98c0::/29 ! -i lo -p tcp -m tcp --dport 80 -j ACCEPT
-A ALLOWIN -s 2405:8100::/32 ! -i lo -p tcp -m tcp --dport 80 -j ACCEPT
-A ALLOWIN -s 2405:b500::/32 ! -i lo -p tcp -m tcp --dport 80 -j ACCEPT
-A ALLOWIN -s 2803:f800::/32 ! -i lo -p tcp -m tcp --dport 80 -j ACCEPT
-A ALLOWIN -s 2606:4700::/32 ! -i lo -p tcp -m tcp --dport 80 -j ACCEPT
-A ALLOWIN -s 2400:cb00::/32 ! -i lo -p tcp -m tcp --dport 80 -j ACCEPT
-A ALLOWIN -m set --match-set chain_6_ALLOW src -j ACCEPT
-A ALLOWOUT -m set --match-set chain_6_ALLOW dst -j ACCEPT
-A LOCALINPUT ! -i lo -j ALLOWIN
-A LOCALINPUT ! -i lo -j DENYIN
-A LOCALOUTPUT ! -o lo -j ALLOWOUT
-A LOCALOUTPUT ! -o lo -j DENYOUT
-A INVDROP -j DROP
-A INVALID -m conntrack --ctstate INVALID -j INVDROP
-A INVALID -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j INVDROP
-A INVALID -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j INVDROP
-A INVALID -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j INVDROP
-A INVALID -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j INVDROP
-A INVALID -p tcp -m tcp --tcp-flags FIN,RST FIN,RST -j INVDROP
-A INVALID -p tcp -m tcp --tcp-flags FIN,ACK FIN -j INVDROP
-A INVALID -p tcp -m tcp --tcp-flags PSH,ACK PSH -j INVDROP
-A INVALID -p tcp -m tcp --tcp-flags ACK,URG URG -j INVDROP
-A INVALID -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m conntrack --ctstate NEW -j INVDROP
-A SMTPOUTPUT -o lo -p tcp -m multiport --dports 25,465,587 -j ACCEPT
-A SMTPOUTPUT -p tcp -m multiport --dports 25,465,587 -m owner --gid-owner 12 -j ACCEPT
-A SMTPOUTPUT -p tcp -m multiport --dports 25,465,587 -m owner --uid-owner 0 -j ACCEPT
-A SMTPOUTPUT -p tcp -m multiport --dports 25,465,587 -j LOGDROPOUT
- I`m running Alma Linux 8 -> CL 8: Linux ... 4.18.0-372.9.1.1.lve.el8.x86_64
Checked OS Settings path for IPV6 and they are OK
Tried a complete reinstall of CSF with no effect
Many thanks