
Problem implementing ip6tables

Posted by RandomThoughts, 10-29-2010, 10:23 AM
Hi all,

Trying to implement ip6tables, but when I do a 'service ip6tables start', it locks my VPS out to all IPv6 connections. There are errors when it starts (see below), but I've Googled these & came to the conclusion that they shouldn't be a problem.

    [root@cassiopeia ~]# service ip6tables start
    Flushing firewall rules: [ OK ]
    Setting chains to policy ACCEPT: security raw mangle filter [FAILED]
    Unloading ip6tables modules: Opening /proc/modules: No such file or directory
    grep: /proc/modules: No such file or directory
    Opening /proc/modules: No such file or directory
    grep: /proc/modules: No such file or directory
    [ OK ]
    Applying ip6tables firewall rules: [ OK ]

I'm sure my ip6tables rules are fine because I'm using them successfully on two other VPSes. Any clues?

Posted by gigatux, 10-29-2010, 10:54 AM
Do you have your /proc filesystem mounted? Can you do ls /proc ?

Posted by RandomThoughts, 10-29-2010, 11:08 AM
I can, but the directory '/proc/modules' doesn't exist, from Googling I didn't think that was a problem

Posted by gigatux, 10-29-2010, 11:10 AM
Perhaps ipv6tables requires a properly mounted /proc filesystem. Do you have any files in /proc ? Does 'mount' show /proc as mounted?

Posted by RandomThoughts, 10-29-2010, 11:22 AM
Plenty of files in /proc, which is mounted. Just been doing a bit more Googling & I think I'm going to have to ask my provider (RapidXen) to try & sort this.

Posted by DigitalLinx, 10-29-2010, 11:06 PM
If this is an openvz VPS, then the ipv6tables modules must be explicitly enabled on your VM.

Posted by RandomThoughts, 10-30-2010, 08:05 AM
My understanding is it's a Xen VPS (supplied by RapidXen).

Posted by RandomThoughts, 10-30-2010, 09:28 AM
Getting to the crux of the problem, on advice from RapidXen support, I 'fed' in each rule individually to check the response. At this point the default policy was ACCEPT. After adding each rule I got to the one that hasn't caused problems on two other VPSes:

    ip6tables -A INPUT -j DROP

This was the last rule in the list & my understanding is that ip6tables should check all previous rules for a match before using this one. This doesn't seem to be the case however; all IPv6 connectivity is lost when adding this rule. Removing this rule but then setting the default policy to DROP has the same effect.

This is the current (working) rule set, though with a default policy of ACCEPT it's pretty redundant:

    [root@cassiopeia ~]# ip6tables -L -n -v
    Chain INPUT (policy ACCEPT 132 packets, 9488 bytes)
     pkts bytes target  prot   opt in   out source destination
     1176  164K ACCEPT  all        eth0 *   ::/0   ::/0        state RELATED,ESTABLISHED
        0     0 ACCEPT  all        lo   *   ::/0   ::/0
        0     0 DROP    tcp        eth0 *   ::/0   ::/0        tcp flags:0x3F/0x00
        0     0 DROP    tcp        eth0 *   ::/0   ::/0        tcp flags:0x03/0x03
        0     0 DROP    tcp        eth0 *   ::/0   ::/0        tcp flags:0x06/0x06
        0     0 DROP    tcp        eth0 *   ::/0   ::/0        tcp flags:0x05/0x05
        0     0 DROP    tcp        eth0 *   ::/0   ::/0        tcp flags:0x11/0x01
        0     0 DROP    tcp        eth0 *   ::/0   ::/0        tcp flags:0x30/0x20
        0     0 ACCEPT  icmpv6     *    *   ::/0   ::/0        limit: avg 1/sec burst 5 ipv6-icmp type 8
        3   216 ACCEPT  tcp        eth0 *   ::/0   ::/0        tcp dpt:22
        0     0 ACCEPT  tcp        eth0 *   ::/0   ::/0        tcp dpt:25
        0     0 ACCEPT  tcp        eth0 *   ::/0   ::/0        tcp dpt:53
        0     0 ACCEPT  udp        eth0 *   ::/0   ::/0        udp dpt:53

    Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
     pkts bytes target  prot   opt in   out source destination

    Chain OUTPUT (policy ACCEPT 1028 packets, 211K bytes)
     pkts bytes target  prot   opt in   out source destination
    [root@cassiopeia ~]#

Posted by kaniini, 11-03-2010, 02:39 AM
As I mentioned on your ticket, I think your connection tracking table is empty for IPv6, but that really shouldn't be the case, as the 2.6.32 kernel profile contains all the needed support bits to ensure it's working... It's a pretty interesting problem, as everything you need to ensure that the RELATED/ESTABLISHED rule is working is there. What kernel version are your other VPSes running?
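Added example (not from any poster in this thread): a Python checker over `ip6tables -L -n -v` output for two things in the INPUT chain posted above that a defender would verify before adding a terminal DROP, independent of the conntrack question raised in the reply: the only ICMPv6 rule accepts type 8 (the IPv4 echo-request number; the ICMPv6 echo request is type 128), and nothing accepts Neighbor Discovery (ICMPv6 types 135/136, Neighbor Solicitation/Advertisement), which a host needs for address resolution, so a catch-all DROP or a DROP policy silences IPv6. The sample listing is constructed from the posted output, trimmed, with the catch-all DROP appended.

```python
import re

# Constructed sample: the INPUT chain posted above, trimmed, plus the catch-all DROP.
SAMPLE_LISTING = """\
Chain INPUT (policy ACCEPT 132 packets, 9488 bytes)
 pkts bytes target prot opt in out source destination
 1176 164K ACCEPT all eth0 * ::/0 ::/0 state RELATED,ESTABLISHED
 0 0 ACCEPT all lo * ::/0 ::/0
 0 0 ACCEPT icmpv6 * * ::/0 ::/0 limit: avg 1/sec burst 5 ipv6-icmp type 8
 3 216 ACCEPT tcp eth0 * ::/0 ::/0 tcp dpt:22
 0 0 DROP all * * ::/0 ::/0
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
"""

ND_REQUIRED = {135, 136}  # NS/NA (RFC 4861): needed for neighbour resolution and DAD

def parse_chain(listing, chain="INPUT"):
    """Return (policy, rules) for one chain; a rule is (target, proto, match text)."""
    policy, rules, inside = None, [], False
    for line in listing.splitlines():
        m = re.match(r"Chain (\S+) \((?:policy (\S+))?", line)
        if m:
            inside = m.group(1) == chain
            policy = m.group(2) if inside else policy
            continue
        f = line.split()  # ip6tables leaves 'opt' blank, so 8 fixed fields then match text
        if inside and f and f[0] != "pkts":  # skip the column-header row
            rules.append((f[2], f[3], " ".join(f[8:])))
    return policy, rules

def lint_input_chain(listing):
    """Findings that explain why a terminal DROP would cut all IPv6 traffic."""
    policy, rules = parse_chain(listing)
    findings, nd_allowed, catch_all = [], set(), False
    for target, proto, match in rules:
        if target == "ACCEPT" and proto == "icmpv6":
            t = re.search(r"ipv6-icmp\s*type (\d+)", match)
            if t is None:  # an untyped ICMPv6 accept covers Neighbor Discovery too
                nd_allowed |= ND_REQUIRED
            elif int(t.group(1)) == 8:
                findings.append("ICMPv6 type 8 is not echo request; use type 128")
            else:
                nd_allowed.add(int(t.group(1)))
        if target in ("DROP", "REJECT") and proto == "all" and not match:
            catch_all = True
            break  # rules after a catch-all are never reached
    if (catch_all or policy == "DROP") and not ND_REQUIRED <= nd_allowed:
        findings.append("Neighbor Discovery (ICMPv6 135/136) not accepted before the drop")
    return findings
```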
