I am facing an IPv6 accessibility problem with my server.
- The server is IPv6-capable and is capable of contacting/being contacted by third parties on IPv6 (ping6 and traceroute6 tested on my Debian stable Wheezy, up-to-date)
- The DNS IPv6 AAAA entry for the website is existing and functioning properly
- The webserver (nginx) is listening on the IPv6 link and is ready to handle the requests the same way as it is for IPv4
- ip6tables INPUT table is configured to allow HTTP requests just like iptables (default policy DROP + TCP 80 ACCEPT rule):
Chain INPUT (policy DROP 648 packets, 46788 bytes)
pkts bytes target prot opt in out source destination
6 480 ACCEPT tcp * * ::/0 ::/0 tcp dpt:80
I narrowed the problem down to the fact that if I set the default policy to ACCEPT, the HTTP connection works, otherwise not.
Thus, it seems that some other port redirections might be required? oO
Could that be related to some kernel configuration of the routing/IPv6 stack?
Here is the output of sudo ip6tables --line-numbers -nvL:
Chain INPUT (policy DROP 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
1 8169 784K ACCEPT all * * ::/0 ::/0 state RELATED,ESTABLISHED
2 0 0 ACCEPT tcp * * ::/0 ::/0 tcp dpt:22
3 0 0 ACCEPT tcp * * ::/0 ::/0 tcp dpt:80
4 0 0 ACCEPT tcp * * ::/0 ::/0 tcp dpt:443
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
Best Answer
Folks, you must not ignore ICMPv6 as you did for legacy IP - ICMPv6 and particularly the Neighbor Discovery Protocol (NDP) is vital for the proper functioning of IPv6. (The NDP, among other things, is a substitute for ARP.)
This means, you must allow at least for ICMPv6 types 133-136 from link local (i.e. fe80::/10). Moreover, you must allow certain error messages to arrive, as for instance routers don't fragment any more. You also don't want to drop link local multicast messages. The full story is told in RFC 4890.
Below is an excerpt from one of my machines, a vm host that acts as a router:
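As an added example (it is not the excerpt from the answerer's machine, which is not reproduced on this page, and not the questioner's own configuration), the following POSIX shell script generates a complete ip6tables-restore ruleset for the INPUT chain. It keeps the DROP policy and the state/port rules from the question's listing and adds the ICMPv6 rules the answer calls for: Neighbor Discovery types 133-136 from fe80::/10 only, the RFC 4890 error messages (types 1-4), and echo (128/129) so ping6 keeps working. It assumes the `state` match is available (nf_conntrack_ipv6 loaded) and that the port list 22/80/443 is the one to keep; the type numbers come from RFC 4861 and RFC 4890.

```shell
#!/bin/sh
# Added example: build an ip6tables-restore ruleset that keeps the question's
# INPUT policy DROP but admits the ICMPv6 traffic IPv6 cannot work without.
# Assumptions: rules are interface-agnostic, '-m state' is available, and the
# ports 22/80/443 from the question are the services to expose.

# Neighbor Discovery (RFC 4861): 133 Router Solicitation, 134 Router
# Advertisement, 135 Neighbor Solicitation, 136 Neighbor Advertisement.
# Accepted from link-local sources only. With the INPUT policy at DROP,
# dropping type 135 means the server never answers the upstream router's
# address resolution, so no TCP SYN for port 80 can be delivered to it.
emit_ndp_rules() {
    for t in 133 134 135 136; do
        printf '%s\n' "-A INPUT -p ipv6-icmp --icmpv6-type $t -s fe80::/10 -j ACCEPT"
    done
}

# Error messages that must not be filtered (RFC 4890 section 4.3.1):
# 1 destination unreachable, 2 packet too big (path MTU discovery; IPv6
# routers do not fragment), 3 time exceeded, 4 parameter problem.
emit_icmpv6_error_rules() {
    for t in 1 2 3 4; do
        printf '%s\n' "-A INPUT -p ipv6-icmp --icmpv6-type $t -j ACCEPT"
    done
}

# Echo request/reply (128/129) so the ping6 test from the question still works.
emit_echo_rules() {
    for t in 128 129; do
        printf '%s\n' "-A INPUT -p ipv6-icmp --icmpv6-type $t -j ACCEPT"
    done
}

# Whole filter table in ip6tables-restore format. Chain policies, the
# loopback/state rules and the tcp rules mirror the question's listing; the
# ICMPv6 rules are the addition the answer describes.
build_ruleset() {
    printf '%s\n' '*filter'
    printf '%s\n' ':INPUT DROP [0:0]'
    printf '%s\n' ':FORWARD ACCEPT [0:0]'
    printf '%s\n' ':OUTPUT ACCEPT [0:0]'
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    printf '%s\n' '-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT'
    emit_ndp_rules
    emit_icmpv6_error_rules
    emit_echo_rules
    for p in 22 80 443; do
        printf '%s\n' "-A INPUT -p tcp --dport $p -j ACCEPT"
    done
    printf '%s\n' 'COMMIT'
}

# Number of ICMPv6 accept rules in the generated table (self-check helper).
count_icmpv6_rules() {
    build_ruleset | grep -c -- '--icmpv6-type'
}

# Print the ruleset. To load it on the host:  sh this_script.sh | ip6tables-restore
build_ruleset
```

Before loading, compare the output with `ip6tables-save` from the current state so nothing from the existing chains is lost, and check the result afterwards with `ip6tables -nvL INPUT`: the type 135/136 counters should start climbing within seconds as the router and neighbours resolve the server's address.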