IPv6 and ip6tables
Posted: Sun 28. Nov 2021, 15:46
Does KeyHelp already support IPv6 by default? Do we need to have separate firewalls for IPv4 and IPv6?
The official KeyHelp forum of Keyweb AG
https://community.keyhelp.de/
Code:
systemd-networkd[774]: enp0s3: DHCPv6 lease lost
> Is there any cron mechanism in KeyHelp which affects IPv6 DHCP, making it lose connections? Lease timed out?

No, KeyHelp does not affect the current network configuration on the server. Neither via cronjob, via install, nor via other actions triggered by the UI.

> Or is it because of ip6tables rules that prevent some kind of communication, so it cannot renew?

You may want to view the current IPv6 firewall rules via "ip6tables -S".

> Is there anything KeyHelp has to do with systemd?

KeyHelp just uses it to read information, or to apply special configurations, for example for apache or logrotate; nothing which should interfere with IPv6.
Code:
systemd-networkd[774]: enp0s3: DHCPv6 lease lost
Code:
IPT6=/usr/sbin/ip6tables
$IPT6 -F
$IPT6 -X
$IPT6 -t nat -F
$IPT6 -t nat -X
$IPT6 -t mangle -F
$IPT6 -t mangle -X
# Setting default filter policy
$IPT6 -P INPUT ACCEPT
$IPT6 -P FORWARD ACCEPT
$IPT6 -P OUTPUT ACCEPT
Code:
-A INPUT -m state --state INVALID -j DROP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j DROP
-A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
-A INPUT -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
Code:
ip6tables -L -nv --line-numbers
Code:
-j LOG --log-prefix 'rule-X'
Code:
ip6tables -I INPUT 2 -p icmpv6 -j ACCEPT
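The reply above walks through the usual debugging loop: list the chain with line numbers, insert a LOG rule with a prefix such as 'rule-X' in front of the rule suspected of dropping traffic, and allow ICMPv6. What a LOG rule writes to the kernel log is verbose, so the following added example (not code from the thread or from KeyHelp) condenses those lines into a count per protocol and destination port or ICMPv6 type, which shows at a glance whether the firewall is eating DHCPv6 replies, neighbor solicitations or something unrelated. The log lines are constructed in the format the netfilter LOG target writes; the function names are my own.

```shell
#!/bin/sh
# Added example (not KeyHelp code): summarize what a "-j LOG" rule recorded,
# so a counter seen in "ip6tables -L -nv --line-numbers" can be tied to real
# packets before any rule is loosened.

# Constructed kernel log lines in the format the netfilter LOG target writes.
# The thread's prefix 'rule-X' has no trailing space, so it runs into "IN=".
# The last line is an unrelated kernel message and must be ignored.
SAMPLE_LOG='Nov 28 15:40:12 dev01 kernel: rule-XIN=enp0s3 OUT= MAC=08:00:27:aa:bb:cc:08:00:27:dd:ee:ff:86:dd SRC=fe80:0000:0000:0000:0a00:27ff:fedd:eeff DST=ff02:0000:0000:0000:0000:0001:ffaa:bbcc LEN=72 TC=0 HOPLIMIT=255 FLOWLBL=0 PROTO=ICMPv6 TYPE=135 CODE=0
Nov 28 15:40:12 dev01 kernel: rule-XIN=enp0s3 OUT= MAC=08:00:27:aa:bb:cc:08:00:27:dd:ee:ff:86:dd SRC=fe80:0000:0000:0000:0a00:27ff:fedd:eeff DST=ff02:0000:0000:0000:0000:0001:ffaa:bbcc LEN=72 TC=0 HOPLIMIT=255 FLOWLBL=0 PROTO=ICMPv6 TYPE=135 CODE=0
Nov 28 15:40:13 dev01 kernel: rule-XIN=enp0s3 OUT= MAC=08:00:27:aa:bb:cc:08:00:27:dd:ee:ff:86:dd SRC=fe80:0000:0000:0000:0a00:27ff:fedd:eeff DST=fe80:0000:0000:0000:0a00:27ff:feaa:bbcc LEN=104 TC=0 HOPLIMIT=64 FLOWLBL=0 PROTO=UDP SPT=547 DPT=546 LEN=64
Nov 28 15:40:20 dev01 kernel: rule-XIN=enp0s3 OUT= MAC=08:00:27:aa:bb:cc:08:00:27:dd:ee:ff:86:dd SRC=2001:0db8:0000:0000:0000:0000:0000:0005 DST=2001:0db8:0000:0000:0000:0000:0000:0001 LEN=80 TC=0 HOPLIMIT=58 FLOWLBL=0 PROTO=TCP SPT=51234 DPT=3306 WINDOW=64800 RES=0x00 SYN URGP=0
Nov 28 15:40:21 dev01 systemd-networkd[774]: enp0s3: DHCPv6 lease lost'

# $1: the string given to --log-prefix; stdin: kernel log lines.
# Prints "count PROTO detail" per traffic class, most frequent first, where
# detail is the destination port (TCP/UDP) or the ICMPv6 type.
summarize_fw_log() {
    awk -v prefix="$1" '
        index($0, prefix) == 0 { next }
        {
            proto = "?"; detail = ""
            for (i = 1; i <= NF; i++) {
                split($i, kv, "=")
                if (kv[1] == "PROTO") proto = kv[2]
                else if (kv[1] == "DPT") detail = "dport=" kv[2]
                else if (kv[1] == "TYPE") detail = "type=" kv[2]
            }
            count[proto " " detail]++
        }
        END { for (k in count) print count[k], k }' | sort -rn
}

# Run the summary over the constructed sample with the thread's prefix.
summarize_sample() {
    printf '%s\n' "$SAMPLE_LOG" | summarize_fw_log 'rule-X'
}

summarize_sample
```

On a live host the input comes from `journalctl -k` or `dmesg` instead of the sample; a trailing space in the prefix (for example 'rule-X ') keeps the first field readable. The LOG rule only records what reaches it, so insert it at the position reported by `--line-numbers`, directly ahead of the DROP being investigated.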
We put this in ip6tables as:
- DHCPv6 clients only process DHCPv6 packets with UDP port number 546.
- DHCPv6 servers and relay agents only process DHCPv6 packets with UDP port number 547.
Code:
/usr/sbin/ip6tables -I INPUT -p udp --dport 546 -j ACCEPT
Code:
root@dev01:~# ip6tables -S
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j DROP
-A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
-A INPUT -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
-A INPUT -s ::1/128 ! -i lo -j DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -p udp -m udp --dport 546 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 110 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 995 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 143 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 993 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 25 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 587 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 3306 -j DROP
-A INPUT -p tcp -m tcp --dport 20 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 21 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 30000:30500 -j ACCEPT
-A INPUT -s 2001:1b60:1000:5::/64 -p tcp -j ACCEPT
-A INPUT -s 2001:1b60:1000:5::/64 -p udp -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 128/0 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 129/0 -j ACCEPT
-A INPUT -p ipv6-icmp -m limit --limit 10/sec --limit-burst 20 -j ACCEPT
-A INPUT -p ipv6-icmp -j DROP
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s ::1/128 ! -i lo -j DROP
-A FORWARD -i lo -o lo -j ACCEPT
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
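Given the port roles described above (clients process DHCPv6 on UDP 546, servers and relays on 547) and the ruleset just posted, the following added example, which is not part of the thread or of KeyHelp, audits an `ip6tables -S` dump for the two kinds of control traffic an IPv6 host with a DROP policy still has to accept: Neighbor Discovery (ICMPv6 types 133 to 137), which can be lost during a burst when it only passes through the rate-limited ICMPv6 rule, and DHCPv6 replies, which come from the server's or relay's link-local address and therefore only need to be accepted from fe80::/10 rather than from any source. The sample ruleset is a shortened, constructed copy of the one above; the function names and the recommended rules are my own.

```shell
#!/bin/sh
# Added example (not KeyHelp code): audit an "ip6tables -S" dump for the
# control traffic an IPv6 host with a DROP policy still has to accept.

# Constructed sample, a shortened copy of the ruleset posted in the thread:
# ICMPv6 is only accepted under a rate limit and DHCPv6 from any source.
SAMPLE_RULES='-P INPUT DROP
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p udp -m udp --dport 546 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 128/0 -j ACCEPT
-A INPUT -p ipv6-icmp -m limit --limit 10/sec --limit-burst 20 -j ACCEPT
-A INPUT -p ipv6-icmp -j DROP'

# Rules to insert ahead of any ICMPv6 limit or DROP: Neighbor Discovery
# (RFC 4861, ICMPv6 types 133-137) must not be rate-limited away, and DHCPv6
# replies arrive from the server or relay link-local address, source port 547,
# to client port 546, so fe80::/10 is the only valid source for them.
recommended_ip6_rules() {
    cat <<'EOF'
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 133 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 134 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 135 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 136 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 137 -j ACCEPT
-A INPUT -s fe80::/10 -p udp -m udp --sport 547 --dport 546 -j ACCEPT
EOF
}

# $1: ruleset text. Prints one finding per line; returns 0 when clean.
audit_ip6_rules() {
    printf '%s\n' "$1" | awk '
        /^-A INPUT / { n++; rule[n] = $0 }
        END {
            bad = 0
            # Rules behind a catch-all ICMPv6 DROP never match, so only the
            # rules in front of it count for ICMPv6.
            drop = n + 1
            for (i = 1; i <= n; i++)
                if (rule[i] ~ /-p ipv6-icmp -j DROP$/) { drop = i; break }
            all_icmp = 0
            for (i = 1; i < drop; i++)
                if (rule[i] ~ /-p ipv6-icmp -j ACCEPT$/) all_icmp = 1
            for (t = 133; t <= 137 && !all_icmp; t++) {
                ok = 0
                for (i = 1; i < drop; i++)
                    if (rule[i] ~ ("--icmpv6-type " t "(/0)? -j ACCEPT$") && rule[i] !~ /-m limit/) ok = 1
                if (!ok) { print "missing: unlimited ACCEPT for ICMPv6 type " t " (NDP) before the ICMPv6 DROP"; bad = 1 }
            }
            dhcp = 0
            for (i = 1; i <= n; i++)
                if (rule[i] ~ /--dport 546 -j ACCEPT$/) {
                    dhcp = 1
                    if (rule[i] !~ /-s fe80::\/10/) { print "weak: DHCPv6 rule accepts UDP 546 from any source, restrict it to -s fe80::/10"; bad = 1 }
                }
            if (!dhcp) { print "missing: ACCEPT for DHCPv6 replies (UDP dport 546)"; bad = 1 }
            exit bad
        }'
}

# $1: ruleset text. Emits it with the recommended rules inserted before the
# first ICMPv6 rule and any unrestricted DHCPv6 rule removed.
harden_ip6_rules() {
    printf '%s\n' "$1" | awk -v extra="$(recommended_ip6_rules)" '
        /--dport 546 -j ACCEPT$/ && !/-s fe80::\/10/ { next }
        !done && /-p ipv6-icmp/ { print extra; done = 1 }
        { print }
        END { if (!done) print extra }'
}

# Stand-alone run: findings for the sample, then the hardened ruleset.
echo "--- findings for the sample ruleset ---"
audit_ip6_rules "$SAMPLE_RULES" || true
echo "--- hardened ruleset ---"
harden_ip6_rules "$SAMPLE_RULES"
```

On a live host, feed `audit_ip6_rules "$(ip6tables -S)"` and apply the emitted rules with `ip6tables -I INPUT <n>` at a position ahead of the ICMPv6 limit and DROP lines; keep the existing rate-limited rule for the remaining ICMPv6 types so that echo and error messages still pass.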