Iptables – Differences between iptables and ip6tables processing of packets


I've reviewed a variety of netfilter, iptables, and ip6tables resources. I've searched Google, including the StackExchange websites, for information, and I can't find easy or clear links to information regarding differences between how iptables and ip6tables process packets.

Here are my standard iptables rules:

*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
-A OUTPUT -o eth0 -p tcp -m tcp --sport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -o eth0 -p tcp -m tcp --dport 22 -m state --state ESTABLISHED -j ACCEPT
COMMIT

Similar rules are also in place for both incoming & outgoing HTTP, and DNS resolution, as well as basic ICMP (v4 0, 3, 8, 11, 12).

When I use ip6tables to put the same rules in place, my server responds to HTTP, SSH and ICMP connections with "host is down."

I can set the preliminary rules to:

-P INPUT ACCEPT
-P OUTPUT ACCEPT

And this opens the server back up again. But it doesn't filter packets (arbitrary rules for all packets, less FORWARD).

I've tried appending:

-A INPUT -i eth0 -j DROP

But, again, this starts causing issues.

Double- and triple-checked with telnet, among other packet verification tools (the server logs simply show dropped connections if DROP is used, same for REJECT).

Alternatively, I've also seen rule-sets which are simple ACCEPT (all) with dport and sport ranges excepting the required rules.

In a nutshell, I'm used to the typical iptables (ipv4) rules which DROP everything, except the following rules.

Ideally, I'm looking for links or information which provide in-depth, detailed technical information about differences between how iptables and ip6tables process (and drop or accept) packets differently.

It would seem ip6tables will DROP everything arbitrarily if these are the basic proto rules, BUT, where not accepted in the first set of rules, the latter rule I've tried to DROP all interface INPUT continues to cause issues (given the initial set of rules is to ACCEPT, but have nowhere to go).

FWIW: This is Debian Jessie (v8) on a dist-upgrade from Debian Wheezy (v7) on a DigitalOcean droplet. Everything else runs kosher except for the ip6tables rules (server becomes unavailable to ipv6 resources).

Original posted on StackOverflow, deleted, copy/pasted here on ServerFault (suggested more relevant).

Best Answer

Your rules are dropping ICMP. This is wrong for both IPv4 and IPv6, and it will notably break PMTU discovery; however, most IPv4 stacks implement workarounds for this (very common) kind of misconfiguration. For IPv6, many things will be broken, notably access from Teredo hosts.

A simple solution is to add rules to allow ICMP:

iptables -A INPUT -p icmp -j ACCEPT
iptables -A OUTPUT -p icmp -j ACCEPT
iptables -A FORWARD -p icmp -j ACCEPT

ip6tables -A INPUT -p icmpv6 -j ACCEPT
ip6tables -A OUTPUT -p icmpv6 -j ACCEPT
ip6tables -A FORWARD -p icmpv6 -j ACCEPT

A potentially more secure solution is to allow just the types of ICMP messages that are necessary for proper functionality, by following the recommendations of RFC 4890.
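As an added example (not part of the answer above), here is what the RFC 4890 approach looks like as a loadable ip6tables-restore ruleset for a non-forwarding host. The practitioner's point it makes concrete: with a default DROP policy and no ICMPv6 rules, the host also drops Neighbor Solicitation and Neighbor Advertisement (types 135 and 136), which is the IPv6 equivalent of blocking ARP. The host can then no longer resolve its router's link-layer address, so every IPv6 peer sees exactly the "host is down" symptom from the question. A plain `-p icmpv6 -j ACCEPT` fixes that too, but the per-type rules below are what the RFC recommends. The interface name eth0 and the SSH-only service set are assumptions carried over from the question; the `-m hl --hl-eq 255` match enforces the hop limit that Neighbor Discovery packets always carry, so anything that has crossed a router is rejected.

```sh
#!/bin/sh
# Added example, not the answerer's code: emit an RFC 4890-style ip6tables
# ruleset for a non-forwarding host, in ip6tables-restore format.
# Assumptions: the public interface is eth0 (as in the question) and the only
# TCP service is SSH in and out, mirroring the poster's IPv4 rules.
set -eu

IFACE="${IFACE:-eth0}"

emit() { printf '%s\n' "$1"; }

# One ACCEPT rule per direction for an ICMPv6 type, with an optional extra
# match such as "-m hl --hl-eq 255" to require a link-local hop limit.
icmpv6_both_ways() {
    icmp_type="$1"; extra="${2:-}"
    emit "-A INPUT -p icmpv6 --icmpv6-type ${icmp_type}${extra:+ $extra} -j ACCEPT"
    emit "-A OUTPUT -p icmpv6 --icmpv6-type ${icmp_type}${extra:+ $extra} -j ACCEPT"
}

gen_icmpv6_rules() {
    emit '*filter'
    emit ':INPUT DROP [0:0]'
    emit ':FORWARD DROP [0:0]'
    emit ':OUTPUT DROP [0:0]'
    emit '-A INPUT -i lo -j ACCEPT'
    emit '-A OUTPUT -o lo -j ACCEPT'

    # RFC 4890 4.3.1, error messages that must not be dropped: Destination
    # Unreachable (1), Packet Too Big (2, needed for PMTU discovery),
    # Time Exceeded (3), Parameter Problem (4).
    for t in 1 2 3 4; do icmpv6_both_ways "$t"; done

    # Echo Request/Reply (128/129) so ping6 works in both directions.
    for t in 128 129; do icmpv6_both_ways "$t"; done

    # Neighbor Discovery: Router Solicitation (133), Router Advertisement (134),
    # Neighbor Solicitation (135), Neighbor Advertisement (136). NS/NA are the
    # IPv6 equivalent of ARP; dropping them makes the host unreachable.
    # NDP packets always carry hop limit 255, so require it.
    for t in 133 134 135 136; do icmpv6_both_ways "$t" '-m hl --hl-eq 255'; done

    # Multicast Listener Discovery (130, 131, 132, 143): link-local, hop limit 1.
    for t in 130 131 132 143; do icmpv6_both_ways "$t" '-m hl --hl-eq 1'; done

    # The poster's SSH rules, using the conntrack match rather than the older
    # state match (both work on Debian Jessie).
    emit "-A INPUT -i $IFACE -p tcp --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT"
    emit "-A OUTPUT -o $IFACE -p tcp --sport 22 -m conntrack --ctstate ESTABLISHED -j ACCEPT"
    emit 'COMMIT'
}

# Number of ICMPv6 types accepted on INPUT by the generated set (4 + 2 + 4 + 4).
count_icmpv6_input_rules() {
    gen_icmpv6_rules | grep -c -- '^-A INPUT -p icmpv6 '
}

# Usage: parse-check first, then load for real.
#   sh icmpv6-rules.sh | ip6tables-restore --test && sh icmpv6-rules.sh | ip6tables-restore
gen_icmpv6_rules
```

Load it with `ip6tables-restore --test` first: that parses and builds the ruleset without committing it, so a typo fails before the box goes dark. Because Neighbor Discovery, MLD and Router Advertisements are not tracked as connections, an `ESTABLISHED,RELATED` rule never matches them; the explicit per-type rules are what keep the host reachable, which is why simply copying the IPv4 ruleset to ip6tables breaks.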
