My nftables rules blocks IPv6

ipv6nftables

My nftables.conf simply runs flush ruleset then includes my firewall rules. I’ve copied them from the Arch wiki. So the included firewall.rules contains:

# An iptables-like firewall

table firewall {
  chain incoming {
    type filter hook input priority 0;

    # established/related connections
    ct state established,related accept

    # invalid connections
    ct state invalid drop

    # loopback interface
    iifname lo accept

    # icmp
    icmp type echo-request accept

    # open tcp ports
    tcp dport {http, https, ...} accept

    # open udp ports
    udp dport {...} accept

    # drop everything else
    drop
  }
}

table ip6 firewall {
  chain incoming {
    type filter hook input priority 0;

    # established/related connections
    ct state established,related accept

    # invalid connections
    ct state invalid drop

    # loopback interface
    iifname lo accept

    # icmp
    icmpv6 type {echo-request,nd-neighbor-solicit,nd-router-solicit,mld-listener-query} accept

    # open tcp ports
    tcp dport {http, https, ....} accept

    # open udp ports
    udp dport {...} accept

    # drop everything else
    drop
  }
}

So when everything is loaded I can’t use IPv6, ping6 errors with

From ams16s21-in-x0e.1e100.net icmp_seq=1 Destination unreachable: Address unreachable

However, if I run sudo nft flush table ip6 firewall, ping6 immediately starts working as expected. If I then re-establish the ip6 firewall table, IPv6 connectivity doesn’t fail immediately, but waiting a few minutes I find the ping6 command returning the aforementioned error.

My hosting provider doesn’t provide any IPv6 auto-configuration or router-advertisements at the network level fwiw.

Anyone seen anything like this before?

Best Answer

IPv6 connectivity doesn’t fail immediately, but waiting a few minutes I find the ping6 command returning the aforementioned error.

I would guess you have broken neigbour discovery. Initially things keep working because you already have things in the neighbour discovery cache but later the entries time out.

You appear to be allowing neighbour solicit messages but not neighbour advertisement messages.

Related Solutions

Return packets via squid running as tproxy not working

I found the problem, two rules missing that I assumed that shorewall should have been inserting, running the following resolves the problem.

ip6tables -t mangle -N DIVERT
ip6tables -t mangle -A DIVERT -j MARK --set-mark 1
ip6tables -t mangle -A DIVERT -j ACCEPT
ip6tables -t mangle -I tcpre 1 -p tcp -m socket -j DIVERT

Firewall – UDP hole punching still required in IPv6, even without NAT

Before answering the questions, I'd like to address some of the assumptions in it.

The firewalling properties of NAT were also beneficial for security.

This is often-repeated, but simply not true; see below.

IPv4 NAT firewall rules are "block incoming packet remote-address:port -> local-address:port, unless sent outgoing packet local-address:port -> remote-address:port within the last X seconds".

These are not NAT rules, but stateful rules. Stateful rules are more secure than the old-style stateless rules that preceded them, because they are essentially adaptive; that is, the firewall's careful study of the outbound traffic permits it to make finer judgements about inbound traffic than mere port/address-based rules would allow.

It is certainly true that NAT firewalls are implicitly stateful, but it is important to recognise that statefulness is what you're after, not NAT, because NAT has a very bad reputation in certain corners of the ipv6 community, and there is as you have seen much resistance to implementing it in ipv6.

The UDP "introducer" process you describe is not restricted to NAT scenarios, but also applies whenever a service does not rely on a single well-known port number. RPC is the classic example, whereby services bind to a (semi-)random port, then register that port and their names with the portmapper, which does use a well-known port (111/TCP and 111/UDP). Clients wishing to connect contact the portmapper to find out which port their desired service is running on today, then initiate connections to that port. This is exactly what your diagram shows, and it happens millions of times every day on flat (non-NATted) networks all over the world which are running NFS.

As for your questions, question (1) should really read "If my ipv6 firewall is configured to refuse inbound UDP traffic without matching state, will my UDP client still need to initiate all arbitrary connections to external services". The answer, unfortunately, is "it depends". Stateful extensions such as the RELATED extension in iptables do allow firewalls to permit traffic that doesn't have simple matching state on the basis that a pre-existing connection has asked for this at the application layer - active-mode FTP being the classic example - but it requires a kernel module that understands the details of the protocol in question, and the deployment of end-to-end encryption makes such deep packet inspection increasingly hard. So, without such workarounds, the answer to question 1 is yes. This is equally true for TCP services without a well-known port number, by the way.

As for question (2), an exhaustive survey of SOHO equipment is probably outwith ServerFault's remit and capabilities, but I have not in many years seen a firewall appliance - v4 or v6 - that shipped with a default open configuration.

Best Answer

Related Solutions

Return packets via squid running as tproxy not working

Firewall – UDP hole punching still required in IPv6, even without NAT

Related Topic