IPv6 and ip6tables  [SOLVED]

latifolia
Posts: 42
Joined: Wed 18. Aug 2021, 09:08

IPv6 and ip6tables

Post by latifolia »

Does KeyHelp already support IPv6 by default? Do we need to have a separate firewall for IPv4 and IPv6?
Alexander
Keyweb AG
Posts: 3810
Joined: Wed 20. Jan 2016, 02:23

Re: IPv6 and ip6tables

Post by Alexander »

Hello!

Yes, KeyHelp supports IPv6 by default.

The KeyHelp firewall is able to handle IPv4 and IPv6. Just enter any IPv4/IPv6 address into the input fields and KeyHelp will automatically insert it into the corresponding IPv4 or IPv6 firewall.
Best regards
Alexander Mahr

**************************************************************
Keyweb AG - Die Hosting Marke
Neuwerkstr. 45/46, 99084 Erfurt / Germany
http://www.keyweb.de - http://www.keyhelp.de
**************************************************************
latifolia
Posts: 42
Joined: Wed 18. Aug 2021, 09:08

Re: IPv6 and ip6tables

Post by latifolia »

Hello,

Thanks for confirming that KeyHelp supports IPv6 by default.

I have tested IPv6 on it but found a problem.

I created a vanilla Ubuntu 20.04 instance on AWS, no add-ons. The IPv6 address lasts forever.

But when I installed KeyHelp on it, soon after I kept losing my IPv6 address:


systemd-networkd[774]: enp0s3: DHCPv6 lease lost
I tried to replicate the problem by installing a new instance of Ubuntu 20.04, which is always fine without installing anything, and it always runs into the same problem after I install KeyHelp on it.

Is there any CRON mechanism in KeyHelp which affects IPv6 DHCP, making it lose connections? Lease timed out?
Or is it because of ip6tables rules that prevent some kind of communication so it cannot renew? Or was KeyHelp changing the MTU, overriding the original one? Does KeyHelp have anything to do with systemd?

Note:
-------
I thought the IPv6 address was preserved as I always saw it in the KeyHelp panel; it turned out that it was only saved in the configuration panel, but in reality the IPv6 address had already been lost after some time, starting roughly 1 hour after reboot. I have tried x64, ARM and AMD based images for Ubuntu and everything was stable/normal, but all of them start losing IPv6 after KeyHelp is installed.
Alexander
Keyweb AG
Posts: 3810
Joined: Wed 20. Jan 2016, 02:23

Re: IPv6 and ip6tables

Post by Alexander »

Hello,
> Is there any CRON mechanism in KeyHelp which affects IPv6 DHCP, making it lose connections? Lease timed out?
No, KeyHelp does not affect the current network configuration on the server. Neither via cronjob, via install or other actions triggered by the UI.

> Or is it because of ip6tables rules that prevent some kind of communication so it cannot renew?
You may want to view the current IPv6 firewall rules via "ip6tables -S"

> Does KeyHelp have anything to do with systemd?
KeyHelp just uses it to read information, or to apply special configurations, for example for apache or logrotate, nothing which should interfere with IPv6.
Best regards
Alexander Mahr
latifolia
Posts: 42
Joined: Wed 18. Aug 2021, 09:08

Re: IPv6 and ip6tables

Post by latifolia »

Hi there again,

After scrutinizing the KeyHelp configuration I think I have narrowed the problem down to its core. It is the ip6tables rules that cause DHCPv6 to lose its IP lease, as in:


systemd-networkd[774]: enp0s3: DHCPv6 lease lost
I did these experiments on AWS Cloud and Oracle Cloud and both deliver the same results.

To narrow down the problem, I first disabled the ip6tables rules while keeping the iptables rules for IPv4 intact:

#!/bin/sh
# Flush every ip6tables rule and user chain and open the default policies;
# the IPv4 iptables rules are left untouched.
IPT6=/usr/sbin/ip6tables

# flush rules (-F) and delete user-defined chains (-X) in filter, nat and mangle
$IPT6 -F
$IPT6 -X
$IPT6 -t nat -F
$IPT6 -t nat -X
$IPT6 -t mangle -F
$IPT6 -t mangle -X

# Setting default filter policy (everything is accepted from here on)
$IPT6 -P INPUT ACCEPT
$IPT6 -P FORWARD ACCEPT
$IPT6 -P OUTPUT ACCEPT

Then I watched the DHCPv6 status via syslog, leaving it a few minutes to a few hours, then restarted/rebooted and went back to monitoring again.

Result : IPv6 is no longer lost/gone.

Something is not right with the KeyHelp ip6tables rules. I suspect the problem is in one of these (maybe they work for IPv4 but not for IPv6?):


-A INPUT -m state --state INVALID -j DROP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j DROP
-A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
-A INPUT -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP

Can someone comment on this finding?

Regards
Daniel
Keyweb AG
Posts: 114
Joined: Mon 25. Jan 2016, 04:42

Re: IPv6 and ip6tables

Post by Daniel »

Hello,

please check if the packet counter of the firewall counts up blocked packets after enabling the rules.
You can also add a logging statement there to find the exact cause.


ip6tables -L -nv --line-numbers


# insert a LOG rule directly in front of the suspected rule (<num> is its number
# from --line-numbers); the trailing space keeps the prefix apart from the IN= field
ip6tables -I INPUT <num> -j LOG --log-prefix 'rule-X '
I suspect that the INVALID rule could possibly catch a malformed packet and drop it.

Otherwise I see the chance that the ICMPv6 rules added at the end of the chain could cause this problem.
So probably after the router solicitation, the router advertisement gets blocked.

Best for trying/testing is just to allow all ICMPv6 types.


ip6tables -I INPUT 2 -p icmpv6 -j ACCEPT
To be exact, I assume that inbound ICMPv6 type 134 getting blocked is the cause.
Best regards
Daniel Marckardt
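As an added example (not from this thread and not KeyHelp code), the POSIX shell script below automates the two checks Daniel describes so they can be run offline against saved output: it reads an `ip6tables -L INPUT -nv --line-numbers` table and lists the chain policy and every DROP rule whose packet counter is non-zero, and it summarises kernel log lines produced by a `-j LOG --log-prefix 'rule-X '` rule by protocol and ICMPv6 type or destination port. The counter table and the kernel log lines embedded in the script are constructed to resemble the real formats; interface name, addresses, timestamps and counts are made up. On a live server, replace them with the actual output of that ip6tables command and of `journalctl -k`.

```shell
#!/bin/sh
# Added example, not part of the thread or of KeyHelp: offline triage of the
# two signals Daniel suggests, rule packet counters and LOG-prefixed kernel lines.
# All sample data below is constructed; interface, addresses and counts are made up.

# Constructed sample of `ip6tables -L INPUT -nv --line-numbers`.
# ip6tables leaves the "opt" column empty, so only the first four columns
# (num, pkts, bytes, target) can be addressed positionally.
SAMPLE_COUNTERS='Chain INPUT (policy DROP 37 packets, 4120 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1     8210 1203K ACCEPT     all      *      *       ::/0                 ::/0                 state RELATED,ESTABLISHED
2       12   960 DROP       all      *      *       ::/0                 ::/0                 state INVALID
3        0     0 DROP       tcp      *      *       ::/0                 ::/0                 tcp flags:0x3F/0x00
4        0     0 DROP       all      *      *       ::1                  ::/0
5        4   312 ACCEPT     all      lo     *       ::/0                 ::/0
6        0     0 ACCEPT     tcp      *      *       ::/0                 ::/0                 tcp dpt:22
7       19  1824 ACCEPT     ipv6-icmp *    *       ::/0                 ::/0                 limit: avg 10/sec burst 20
8        3   288 DROP       ipv6-icmp *    *       ::/0                 ::/0'

# Constructed sample of `journalctl -k` after inserting
#   ip6tables -I INPUT <num> -j LOG --log-prefix 'rule-X '
# in front of a suspected rule (the trailing space keeps the prefix apart from IN=).
SAMPLE_KLOG='Sep 14 10:02:11 web kernel: rule-X IN=enp0s3 OUT= SRC=fe80:0000:0000:0000:0c9f:9bff:fe3a:1d2e DST=ff02:0000:0000:0000:0000:0000:0000:0001 LEN=96 TC=0 HOPLIMIT=255 FLOWLBL=0 PROTO=ICMPv6 TYPE=134 CODE=0
Sep 14 10:02:11 web kernel: rule-X IN=enp0s3 OUT= SRC=fe80:0000:0000:0000:0c9f:9bff:fe3a:1d2e DST=fe80:0000:0000:0000:0818:a3ff:fe11:7b40 LEN=128 TC=0 HOPLIMIT=64 FLOWLBL=0 PROTO=UDP SPT=547 DPT=546 LEN=88
Sep 14 10:02:12 web kernel: EXT4-fs (nvme0n1p1): re-mounted. Opts: discard
Sep 14 10:03:41 web kernel: rule-X IN=enp0s3 OUT= SRC=fe80:0000:0000:0000:0c9f:9bff:fe3a:1d2e DST=ff02:0000:0000:0000:0000:0000:0000:0001 LEN=96 TC=0 HOPLIMIT=255 FLOWLBL=0 PROTO=ICMPv6 TYPE=134 CODE=0
Sep 14 10:03:50 web kernel: rule-X IN=enp0s3 OUT= SRC=2001:0db8:0000:0000:0000:0000:0000:00aa DST=2001:0db8:0000:0000:0000:0000:0000:0010 LEN=60 TC=0 HOPLIMIT=51 FLOWLBL=0 PROTO=TCP SPT=51234 DPT=22 WINDOW=0 RES=0x00 RST URGP=0'

# Print the chain policy and every DROP rule that has dropped at least one
# packet, as "<num> DROP <pkts>". Reads the -L -nv --line-numbers table on stdin.
dropping_rules() {
  awk '
    /^Chain / {
      if (match($0, /policy DROP [0-9]+ packets/)) {
        split(substr($0, RSTART, RLENGTH), a, " ")
        if (a[3] + 0 > 0) print "policy DROP " a[3]
      }
      next
    }
    $1 ~ /^[0-9]+$/ && $4 == "DROP" && $2 + 0 > 0 { print $1 " DROP " $2 }
  '
}

# Summarise LOG lines carrying the given prefix as "<PROTO>/<TYPE or DPT> <count>",
# so a run of ICMPv6/134 (router advertisements) or UDP/546 (DHCPv6 replies)
# stands out immediately. Reads kernel log lines on stdin.
summarize_log() {
  awk -v prefix="$1" '
    index($0, "kernel: " prefix) == 0 { next }
    {
      proto = ""; sel = ""
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^PROTO=/) proto = substr($i, 7)
        else if ($i ~ /^(TYPE|DPT)=/) { split($i, kv, "="); sel = kv[2] }
      }
      if (proto != "") n[proto "/" sel]++
    }
    END { for (k in n) print k, n[k] }
  ' | LC_ALL=C sort
}

echo "== rules with non-zero drop counters =="
printf '%s\n' "$SAMPLE_COUNTERS" | dropping_rules
echo "== logged packets by protocol/type or port =="
printf '%s\n' "$SAMPLE_KLOG" | summarize_log rule-X
```

In the constructed sample the output points at three places: the chain policy ("policy DROP 37") has dropped packets that matched no ACCEPT rule, which is where a DHCPv6 Advertise or Reply to port 546 ends up when nothing accepts it; the INVALID rule ("2 DROP 12") has fired; and the final ICMPv6 DROP ("8 DROP 3") caught what the rate-limited ACCEPT did not. The log summary then tells you which of those it was: a growing ICMPv6/134 count is router advertisements, UDP/546 is the DHCPv6 server answering the client.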
latifolia
Posts: 42
Joined: Wed 18. Aug 2021, 09:08

Re: IPv6 and ip6tables

Post by latifolia »

Hello,

After rigorous testing we finally found the culprit! Per this article from Huawei, ip6tables should not block port 546 on the client side (servers use 547).
  • DHCPv6 clients only process DHCPv6 packets with UDP port number 546.
  • DHCPv6 servers and relay agents only process DHCPv6 packets with UDP port number 547.
We put this in ip6tables as:


/usr/sbin/ip6tables  -I INPUT -p udp --dport 546 -j ACCEPT
The result:
Port 546 should be open for IPv6 to work
It has been more than 3 hours without losing the IP, both on AWS Cloud and Oracle Cloud!

Regards
Alexander
Keyweb AG
Posts: 3810
Joined: Wed 20. Jan 2016, 02:23

Re: IPv6 and ip6tables  [SOLVED]

Post by Alexander »

Nice find ;).

You can - and I highly encourage to do so - add this also via the KeyHelp firewall UI.
This way the firewall rules will survive a reboot and you do not have to take care of this.
With KeyHelp 21.2 | With the current KeyHelp version, one cannot put a ".../0" net mask in the sources input field.
But one can simply put the port in the UDP input field. This will result in having this port open for both IPv4 and IPv6.

With KeyHelp 21.3 | For the upcoming KeyHelp version, I have updated the form validation; then you will be able to put "::/0" into the sources and this will result in the rule only being put into the IPv6 table.

Which will result in the following rules for IPv6:


root@dev01:~# ip6tables -S
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j DROP
-A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
-A INPUT -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
-A INPUT -s ::1/128 ! -i lo -j DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -p udp -m udp --dport 546 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 110 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 995 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 143 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 993 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 25 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 587 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 3306 -j DROP
-A INPUT -p tcp -m tcp --dport 20 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 21 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 30000:30500 -j ACCEPT
-A INPUT -s 2001:1b60:1000:5::/64 -p tcp -j ACCEPT
-A INPUT -s 2001:1b60:1000:5::/64 -p udp -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 128/0 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 129/0 -j ACCEPT
-A INPUT -p ipv6-icmp -m limit --limit 10/sec --limit-burst 20 -j ACCEPT
-A INPUT -p ipv6-icmp -j DROP
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s ::1/128 ! -i lo -j DROP
-A FORWARD -i lo -o lo -j ACCEPT
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
Best regards
Alexander Mahr
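As an added example (not from this thread and not KeyHelp code), the POSIX shell script below audits a saved `ip6tables -S` listing for the two things the thread turned out to hinge on: an explicit ACCEPT for UDP 546 in INPUT, as in the rule latifolia added and the ruleset Alexander posted above, and inbound neighbour discovery (ICMPv6 type 134 router advertisement, 135 neighbour solicitation, 136 neighbour advertisement) not being dropped, which is the failure mode Daniel suspected. The RELATED,ESTABLISHED rule does not cover DHCPv6 replies because the client's Solicit goes to the multicast address ff02::1:2, so the server's unicast Advertise or Reply from port 547 back to port 546 is not the mirror image of any tracked flow and is classified as NEW. The three rulesets embedded in the script are constructed: a reduced version of the thread's chain before the fix, the same chain with the port 546 rule, and a tighter variant that allows the three NDP types individually with the hop-limit-255 check of RFC 4861 (the `hl` match of ip6tables) instead of a generic rate-limited ACCEPT.

```shell
#!/bin/sh
# Added example, not part of the thread or of KeyHelp: audit an `ip6tables -S`
# listing for DHCPv6-client and neighbour-discovery readiness of the INPUT chain.
# The three rulesets below are constructed for the example.

# Reduced form of the thread's chain before the fix: no rule for UDP 546.
RULES_BEFORE='-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 128/0 -j ACCEPT
-A INPUT -p ipv6-icmp -m limit --limit 10/sec --limit-burst 20 -j ACCEPT
-A INPUT -p ipv6-icmp -j DROP'

# The same chain with the rule from the thread appended. Its position relative
# to the ICMPv6 rules does not matter, they match a different protocol.
RULES_AFTER="$RULES_BEFORE
-A INPUT -p udp -m udp --dport 546 -j ACCEPT"

# Tighter variant: accept only the NDP types a host needs, and only with hop
# limit 255, which RFC 4861 requires and which an off-link sender cannot produce.
RULES_EXPLICIT='-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p udp -m udp --dport 546 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 134 -m hl --hl-eq 255 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 135 -m hl --hl-eq 255 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 136 -m hl --hl-eq 255 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 128/0 -m limit --limit 10/sec -j ACCEPT
-A INPUT -p ipv6-icmp -j DROP'

# Read `ip6tables -S` output on stdin and print three lines:
#   input-policy <ACCEPT|DROP>
#   udp546 <ok|missing>      explicit ACCEPT for the DHCPv6 client port
#   ndp <blanket|explicit|rate-limited|blocked|open>
#       how router/neighbour advertisements and solicitations get in
audit_dhcpv6_rules() {
  awk '
    $1 == "-P" && $2 == "INPUT" { policy = $3 }
    $1 == "-A" && $2 == "INPUT" {
      if ($0 ~ /-p udp/ && $0 ~ /--dport 546( |$)/ && $NF == "ACCEPT") udp546 = 1
      if ($0 ~ /-p (ipv6-icmp|icmpv6)/) {
        typed = match($0, /--icmpv6-type [0-9]+/)
        if ($NF == "ACCEPT") {
          if (typed) {
            split(substr($0, RSTART, RLENGTH), a, " ")
            seen[a[2] + 0] = 1          # "134" and "134/0" both become 134
          } else if ($0 ~ /-m limit/) {
            limited = 1
          } else {
            blanket = 1
          }
        } else if ($NF == "DROP" && !typed) {
          dropall = 1
        }
      }
    }
    END {
      print "input-policy " policy
      print "udp546 " (udp546 ? "ok" : "missing")
      if (blanket) ndp = "blanket"
      else if (seen[134] && seen[135] && seen[136]) ndp = "explicit"
      else if (limited) ndp = "rate-limited"
      else if (dropall || policy == "DROP") ndp = "blocked"
      else ndp = "open"
      print "ndp " ndp
    }
  '
}

echo "== before the fix =="
printf '%s\n' "$RULES_BEFORE" | audit_dhcpv6_rules
echo "== with the port 546 rule =="
printf '%s\n' "$RULES_AFTER" | audit_dhcpv6_rules
echo "== explicit NDP types =="
printf '%s\n' "$RULES_EXPLICIT" | audit_dhcpv6_rules
```

On a live server run `ip6tables -S INPUT | audit_dhcpv6_rules`. A result of "ndp rate-limited" is what the thread's final ruleset produces and is adequate for a single host, since router and neighbour advertisements arrive far below 10 per second; "ndp blocked" means the chain has no path for type 134 at all and the host will lose its default route when the router lifetime expires, regardless of DHCPv6. "udp546 missing" with an INPUT policy of DROP reproduces the "DHCPv6 lease lost" symptom from the thread.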