IPv6 and ip6tables [SOLVED]
IPv6 and ip6tables
Does KeyHelp already support IPv6 by default? Do we need separate firewalls for IPv4 and IPv6?
Re: IPv6 and ip6tables
Hello!
Yes, KeyHelp supports IPv6 by default.
The KeyHelp firewall is able to handle IPv4 and IPv6. Just enter any IPv4/IPv6 address into the input fields and KeyHelp will automatically insert it into the corresponding IPv4 or IPv6 firewall.
Mit freundlichen Grüßen / Best regards
Alexander Mahr
**************************************************************
Keyweb AG - Die Hosting Marke
Neuwerkstr. 45/46, 99084 Erfurt / Germany
http://www.keyweb.de - http://www.keyhelp.de
**************************************************************
Re: IPv6 and ip6tables
Hello,
Thanks for confirming that KeyHelp supports IPv6 by default.
I have tested IPv6 on it but found a problem.
I created a vanilla Ubuntu 20.04 instance on AWS, no add-ons. IPv6 stays up indefinitely.
But after I installed KeyHelp on it, I soon kept losing my IPv6 address:
Code: Select all
systemd-networkd[774]: enp0s3: DHCPv6 lease lost
I tried to reproduce the problem by installing a new Ubuntu 20.04 instance, which is always fine without installing anything, and it always ran into the same problem after I installed KeyHelp on it.
Is there any cron mechanism in KeyHelp which affects IPv6 DHCP, making it lose connections? Lease timed out?
Or is it because of ip6tables rules that prevent some kind of communication so it cannot renew? Or is KeyHelp changing the MTU, overriding the original one? Does KeyHelp do anything with systemd?
note:
-------
I thought IPv6 was preserved as I always saw it in the KeyHelp panel; it turned out that was only saved in the configuration panel, but in reality the IPv6 address had already been lost after some time, starting about 1 hour after reboot. I have tried x64, ARM and AMD based images for Ubuntu and everything was stable/normal, but all of them start losing IPv6 after KeyHelp is installed.
Re: IPv6 and ip6tables
Hello,
> Is there any cron mechanism in KeyHelp which affects IPv6 DHCP, making it lose connections? Lease timed out?
No, KeyHelp does not affect the current network configuration on the server. Neither via cronjob, via install, nor via other actions triggered by the UI.
> Or is it because of ip6tables rules that prevent some kind of communication so it cannot renew?
You may want to view the current IPv6 firewall rules via "ip6tables -S".
> Does KeyHelp do anything with systemd?
KeyHelp just uses it to read information, or to apply special configurations, for example for apache or logrotate; nothing which should interfere with IPv6.
Mit freundlichen Grüßen / Best regards
Alexander Mahr
**************************************************************
Keyweb AG - Die Hosting Marke
Neuwerkstr. 45/46, 99084 Erfurt / Germany
http://www.keyweb.de - http://www.keyhelp.de
**************************************************************
Re: IPv6 and ip6tables
Hi there again,
After scrutinizing the KeyHelp configuration I think I have narrowed the problem down to its core. It is the ip6tables rules that cause DHCPv6 to lose the IP lease, as in:
Code: Select all
systemd-networkd[774]: enp0s3: DHCPv6 lease lost
I did these experiments on AWS cloud and Oracle cloud and both deliver the same results.
To narrow down the problem I first disabled the ip6tables rules while keeping the iptables rules for IPv4 intact:
Code: Select all
IPT6=/usr/sbin/ip6tables
# Flush all rules and delete all user-defined chains in the filter, nat and mangle tables
$IPT6 -F
$IPT6 -X
$IPT6 -t nat -F
$IPT6 -t nat -X
$IPT6 -t mangle -F
$IPT6 -t mangle -X
# Setting default filter policy
$IPT6 -P INPUT ACCEPT
$IPT6 -P FORWARD ACCEPT
$IPT6 -P OUTPUT ACCEPT
Then I watched the DHCPv6 status via syslog, leaving it a few minutes to a few hours, then restarted/rebooted and went back to monitoring again.
Result: IPv6 is no longer lost/gone.
Something is not right with the KeyHelp ip6tables rules; I suspect the problem is in one of these (maybe they work for IPv4 but not for IPv6?):
Code: Select all
-A INPUT -m state --state INVALID -j DROP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j DROP
-A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
-A INPUT -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
Can someone comment on this finding?
Regards
Re: IPv6 and ip6tables
Hello,
Please check whether the packet counters of the firewall count up blocked packets after enabling the rules.
Code: Select all
ip6tables -L -nv --line-numbers
You can also add a logging statement there to find the exact cause.
Code: Select all
-j LOG --log-prefix 'rule-X'
I suspect that the INVALID rule could possibly catch a malformed packet and drop it.
Otherwise I see the chance that the ICMPv6 rules added at the end of the chain could cause this problem.
So probably after the router solicitation, the router advertisement gets blocked.
To be exact, I assume that the inbound ICMPv6 type 134 that gets blocked is the cause.
Best for trying/testing, just allow all ICMPv6 types.
Code: Select all
ip6tables -I INPUT 2 -p icmpv6 -j ACCEPT
Mit freundlichen Grüßen / Best regards
Daniel Marckardt
**************************************************************
Keyweb AG - Die Hosting Marke
Neuwerkstr. 45/46, 99084 Erfurt / Germany
https://www.keyweb.de - https://www.keyhelp.de
**************************************************************
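To act on the advice above (watch whether a blocking rule's packet counter climbs while the lease is being lost), here is an added example that is not KeyHelp's or the poster's code: it parses two snapshots of `ip6tables -L INPUT -nv --line-numbers` taken some minutes apart and lists only the DROP/REJECT rules, and the chain policy, whose counters increased. The two listings are constructed for this example in the layout of the `-nv` output (counts and widths are made up) and show the situation from earlier in the thread, with no rule for UDP port 546 yet.

```python
"""Diff two `ip6tables -L INPUT -nv --line-numbers` snapshots and report the
DROP/REJECT rules, and the chain policy, whose packet counters rose in between.
Added example, not KeyHelp code.  BEFORE and AFTER are constructed listings in
the `-nv` layout; the counts are made up and the chain has no rule for UDP 546 yet."""
import re

SUFFIX = {"K": 1_000, "M": 1_000_000, "G": 1_000_000_000}

BEFORE = """\
Chain INPUT (policy DROP 7 packets, 560 bytes)
num   pkts bytes target     prot      opt in     out     source      destination
1     4310  512K ACCEPT     all       --  *      *       ::/0        ::/0        state RELATED,ESTABLISHED
2        2   160 DROP       all       --  *      *       ::/0        ::/0        state INVALID
3        0     0 DROP       tcp       --  *      *       ::/0        ::/0        tcp flags:0x3F/0x00
4       14  1120 ACCEPT     ipv6-icmp --  *      *       ::/0        ::/0        ipv6-icmptype 128 code 0
5       51  4080 ACCEPT     ipv6-icmp --  *      *       ::/0        ::/0        limit: avg 10/sec burst 20
6        0     0 DROP       ipv6-icmp --  *      *       ::/0        ::/0
"""
# Second snapshot a few minutes later: policy and INVALID counters moved, rule 6 did not.
AFTER = """\
Chain INPUT (policy DROP 11 packets, 880 bytes)
num   pkts bytes target     prot      opt in     out     source      destination
1     4402  519K ACCEPT     all       --  *      *       ::/0        ::/0        state RELATED,ESTABLISHED
2        5   400 DROP       all       --  *      *       ::/0        ::/0        state INVALID
3        0     0 DROP       tcp       --  *      *       ::/0        ::/0        tcp flags:0x3F/0x00
4       14  1120 ACCEPT     ipv6-icmp --  *      *       ::/0        ::/0        ipv6-icmptype 128 code 0
5       63  5040 ACCEPT     ipv6-icmp --  *      *       ::/0        ::/0        limit: avg 10/sec burst 20
6        0     0 DROP       ipv6-icmp --  *      *       ::/0        ::/0
"""


def _count(text):
    """'4', '12K', '3M' -> int; ip6tables abbreviates counters unless -x is given."""
    m = re.fullmatch(r"(\d+)([KMG]?)", text)
    if not m:
        raise ValueError(f"not a counter: {text!r}")
    return int(m.group(1)) * SUFFIX.get(m.group(2), 1)


def parse_chain(dump):
    """Return (policy_pkts, {rule_num: (target, pkts, description)})."""
    policy_pkts, rules = 0, {}
    for line in dump.splitlines():
        m = re.match(r"Chain \S+ \(policy \S+ (\S+) packets", line)
        if m:
            policy_pkts = _count(m.group(1))
            continue
        # num pkts bytes target prot opt in out source destination [match text]
        f = line.split(None, 10)
        if len(f) >= 10 and f[0].isdigit():
            extra = f[10] if len(f) > 10 else ""
            rules[int(f[0])] = (f[3], _count(f[1]), f"{f[4]} {extra}".strip())
    return policy_pkts, rules


def blocking_deltas(before, after):
    """(name, packets_added, description) for every DROP/REJECT rule whose counter
    grew between the snapshots, plus the policy counter if it grew."""
    pol_a, rules_a = parse_chain(before)
    pol_b, rules_b = parse_chain(after)
    hits = []
    for num, (target, pkts_b, text) in sorted(rules_b.items()):
        pkts_a = rules_a.get(num, ("", 0, ""))[1]
        if target in ("DROP", "REJECT") and pkts_b > pkts_a:
            hits.append((f"rule {num}", pkts_b - pkts_a, text))
    if pol_b > pol_a:
        hits.append(("policy", pol_b - pol_a, "no rule matched"))
    return hits


if __name__ == "__main__":
    for name, delta, text in blocking_deltas(BEFORE, AFTER):
        print(f"{name}: +{delta} packets  ({text})")
```

Take the first snapshot right after the rules are loaded and the second once `DHCPv6 lease lost` shows up in the journal. A growing policy counter with no DROP rule moving is the pattern you get when the packet in question (here the DHCPv6 reply) has no ACCEPT rule at all; a moving INVALID counter points at the conntrack rule instead. Add `-x` to the ip6tables command to get exact counters rather than the K/M abbreviations.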
Re: IPv6 and ip6tables
Hello,
After rigorous testing we finally found the culprit! As per this article from Huawei, ip6tables should not block port 546 on the client side (the server uses 547):
- DHCPv6 clients only process DHCPv6 packets with UDP port number 546.
- DHCPv6 servers and relay agents only process DHCPv6 packets with UDP port number 547.
We put this in ip6tables as:
Code: Select all
/usr/sbin/ip6tables -I INPUT -p udp --dport 546 -j ACCEPT
The result:
It has been more than 3 hours without losing the IP on both AWS Cloud and Oracle Cloud!
Regards
Re: IPv6 and ip6tables [SOLVED]
Nice find.
You can, and I highly encourage you to do so, add this also via the KeyHelp firewall UI.
This way the firewall rules will survive a reboot and you do not have to take care of this yourself.
With KeyHelp 21.2 | With the current KeyHelp version, one cannot put a ".../0" net mask in the sources input field.
But one can simply put the port in the UDP input field. This will result in having this port open for both IPv4 and IPv6.
With KeyHelp 21.3 | For the upcoming KeyHelp version, I have updated the form validation; then you will be able to put "::/0" into the sources and this will result in the rule only being put into the IPv6 table.
Which will result in the following rules for IPv6:
Code: Select all
root@dev01:~# ip6tables -S
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j DROP
-A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
-A INPUT -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
-A INPUT -s ::1/128 ! -i lo -j DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -p udp -m udp --dport 546 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 110 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 995 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 143 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 993 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 25 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 587 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 3306 -j DROP
-A INPUT -p tcp -m tcp --dport 20 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 21 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 30000:30500 -j ACCEPT
-A INPUT -s 2001:1b60:1000:5::/64 -p tcp -j ACCEPT
-A INPUT -s 2001:1b60:1000:5::/64 -p udp -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 128/0 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 129/0 -j ACCEPT
-A INPUT -p ipv6-icmp -m limit --limit 10/sec --limit-burst 20 -j ACCEPT
-A INPUT -p ipv6-icmp -j DROP
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s ::1/128 ! -i lo -j DROP
-A FORWARD -i lo -o lo -j ACCEPT
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
Mit freundlichen Grüßen / Best regards
Alexander Mahr
**************************************************************
Keyweb AG - Die Hosting Marke
Neuwerkstr. 45/46, 99084 Erfurt / Germany
http://www.keyweb.de - http://www.keyhelp.de
**************************************************************
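The fix from the thread (an ACCEPT for UDP destination port 546) and the full `ip6tables -S` dump above invite a check that can be run offline: walk the INPUT chain in order for the packets a DHCPv6/SLAAC client has to receive and see which of them hits a DROP. The following Python is an added example and not KeyHelp's code. RULESET abridges the thread's own rule dump; the packets, the link-local source fe80::1 and the interface name eth0 are constructed for the demonstration. The walker handles only the match options that occur in that dump, and it also shows why the tcp-flags rules suspected earlier in the thread cannot touch UDP traffic.

```python
"""Replay packets through an ip6tables INPUT chain (rules in `ip6tables -S` syntax)
and return the first terminal verdict.  Added example, not KeyHelp code."""
import ipaddress
from dataclasses import dataclass

# Abridged from the thread's `ip6tables -S` output.
RULESET = """\
-P INPUT DROP
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
-A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP
-A INPUT -s ::1/128 ! -i lo -j DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -p udp -m udp --dport 546 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 128/0 -j ACCEPT
-A INPUT -p ipv6-icmp -m limit --limit 10/sec --limit-burst 20 -j ACCEPT
-A INPUT -p ipv6-icmp -j DROP
"""
# The same chain before the thread's fix, to reproduce the failure mode.
RULESET_WITHOUT_546 = RULESET.replace("-A INPUT -p udp -m udp --dport 546 -j ACCEPT\n", "")


@dataclass
class Packet:
    proto: str                          # "tcp", "udp" or "ipv6-icmp"
    dport: "int | None" = None
    icmpv6_type: "int | None" = None
    state: str = "NEW"                  # conntrack state as the kernel would classify it
    src: str = "fe80::1"                # constructed link-local peer address
    iface: str = "eth0"                 # constructed interface name
    tcp_flags: frozenset = frozenset({"SYN"})


def _matches(tokens, pkt):
    """Evaluate one rule's match options (everything before -j) -> (matched, limited)."""
    i, negate, limited = 0, False, False
    while i < len(tokens):
        tok = tokens[i]
        if tok == "!":                                 # negates the next option only
            negate, i = True, i + 1; continue
        if tok in ("-A", "-m", "--limit-burst"):       # chain name, module load, burst size
            i += 2; continue
        if tok == "--limit":                           # rule stops matching above this rate
            limited, i = True, i + 2; continue
        if tok == "-s":
            ok = ipaddress.ip_address(pkt.src) in ipaddress.ip_network(tokens[i + 1])
        elif tok == "-i":
            ok = pkt.iface == tokens[i + 1]
        elif tok == "-p":
            ok = pkt.proto == tokens[i + 1]
        elif tok == "--state":
            ok = pkt.state in tokens[i + 1].split(",")
        elif tok == "--dport":                         # single port or lo:hi range
            lo, _, hi = tokens[i + 1].partition(":")
            ok = pkt.dport is not None and int(lo) <= pkt.dport <= int(hi or lo)
        elif tok == "--icmpv6-type":                   # "134" or "128/0" (type/code)
            ok = pkt.icmpv6_type == int(tokens[i + 1].split("/")[0])
        elif tok == "--tcp-flags":                     # (flags & mask) == comp, two arguments
            mask, comp = (frozenset(tokens[i + k].split(",")) - {"NONE"} for k in (1, 2))
            ok = (pkt.tcp_flags & mask) == comp
            i += 1
        else:
            raise ValueError(f"unsupported match option {tok}")
        i += 2
        if ok == negate:                               # condition failed, or negated one held
            return False, limited
        negate = False
    return True, limited


def verdict(ruleset, pkt, chain="INPUT"):
    """(target, limited) of the first matching terminal rule, else the chain policy."""
    policy = "ACCEPT"
    for line in ruleset.splitlines():
        tokens = line.split()
        if tokens[:2] == ["-P", chain]:
            policy = tokens[2]
        elif tokens[:2] == ["-A", chain]:
            j = tokens.index("-j")
            matched, limited = _matches(tokens[:j], pkt)
            if matched and tokens[j + 1] in ("ACCEPT", "DROP", "REJECT"):
                return tokens[j + 1], limited
    return policy, False


# Inbound packets a DHCPv6/SLAAC client must receive.  The DHCPv6 reply is NEW to conntrack:
# the Solicit went to ff02::1:2, the answer comes from the server's own address, so the
# RELATED,ESTABLISHED rule never matches it and it needs an ACCEPT of its own.
CLIENT_NEEDS = {
    "DHCPv6 Advertise/Reply (udp dport 546)": Packet("udp", dport=546),
    "Router Advertisement (icmpv6 134)": Packet("ipv6-icmp", icmpv6_type=134),
}


def dhcpv6_client_gaps(ruleset):
    """Required packets not unconditionally accepted, mapped to their verdict."""
    gaps = {}
    for name, pkt in CLIENT_NEEDS.items():
        target, limited = verdict(ruleset, pkt)
        if target != "ACCEPT" or limited:
            gaps[name] = target + (" (rate-limited)" if limited else "")
    return gaps
```

Run against the chain without the port-546 rule, `dhcpv6_client_gaps` reports the DHCPv6 reply as DROP by policy, which is the thread's original symptom; with the rule present the only remaining entry is the Router Advertisement, which is accepted but only under the `-m limit` rule, so a burst of more than 20 ICMPv6 packets falls through to the final DROP. Any TCP packet with dport 22 and a bare SYN is accepted, while a SYN+FIN probe is dropped by the negated `--tcp-flags` rule, and none of those rules ever sees a UDP packet.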