I have some services I do not want to be exposed running on this server, so I need to enable a firewall. When the firewall is enabled the server running the tunnel has IPv6 connectivity as normal and everything is OK, but clients on the LAN lose connectivity. When I issue a ping from a Windows client:
D:\>ping ipv6.google.com
Pinging ipv6.l.google.com [2a00:1450:8006::68] with 32 bytes of data:
Request timed out.
I see associated block messages in /var/log/messages:
Feb 24 21:52:49 redshift kernel: [90746.567197] [UFW BLOCK] IN=eth0 OUT=he-ipv6 SRC=2001:0470:1f09:15bd:f905:2ab5:0e3f:d0cd DST=2a00:1450:8006:0000:0000:0000:0000:0068 LEN=80 TC=0 HOPLIMIT=127 FLOWLBL=0 PROTO=ICMPv6 TYPE=128 CODE=0 ID=1 SEQ=187
Unfortunately I have no idea what rule I need to put in to allow this, as even setting the incoming default to allow does not solve this issue, so I'm hoping someone better at Linux firewalls than I am can help. When the firewall is turned off everything works as expected.
ufw status verbose:
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing)
New profiles: skip
To                         Action      From
--                         ------      ----
22                         ALLOW IN    Anywhere
443                        ALLOW IN    Anywhere
80                         ALLOW IN    Anywhere
Anywhere                   ALLOW IN    192.168.1.0/24
22                         ALLOW IN    Anywhere (v6)
443                        ALLOW IN    Anywhere (v6)
80                         ALLOW IN    Anywhere (v6)
ifconfig
eth0 Link encap:Ethernet HWaddr 00:21:85:53:b8:12
inet addr:192.168.1.110 Bcast:192.168.1.255 Mask:255.255.255.0
inet6 addr: fe80::221:85ff:fe53:b812/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:683742 errors:0 dropped:0 overruns:0 frame:0
TX packets:1231665 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:53259912 (53.2 MB) TX bytes:1701283117 (1.7 GB)
Interrupt:26 Base address:0x8000
he-ipv6 Link encap:IPv6-in-IPv4
inet6 addr: 2001:470:1f08:15bd::2/64 Scope:Global
inet6 addr: fe80::c0a8:16e/128 Scope:Link
UP POINTOPOINT RUNNING NOARP MTU:1480 Metric:1
RX packets:37374 errors:0 dropped:0 overruns:0 frame:0
TX packets:28042 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:7430443 (7.4 MB) TX bytes:2550713 (2.5 MB)
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:1631 errors:0 dropped:0 overruns:0 frame:0
TX packets:1631 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:100308 (100.3 KB) TX bytes:100308 (100.3 KB)
The server is running Ubuntu 10.04.2 LTS
:) So after spending hours on this after posting the message I came to the solution.
The default forward policy in /etc/default/ufw was set to drop so set it to accept...
DEFAULT_FORWARD_POLICY="ACCEPT"
and everything works fine!
Hopefully this might save someone a couple of hours!
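The clue was in the log line all along: a UFW BLOCK entry with both IN= and OUT= filled in is a packet netfilter was asked to forward between two interfaces, so it is the FORWARD chain (and DEFAULT_FORWARD_POLICY in /etc/default/ufw) that decides its fate, not the incoming default. The following script is an added example, not code from the question or either answer: it parses UFW BLOCK lines and reports which chain dropped each packet and which policy key governs it. The first sample line is the one from the question; the other two are constructed to show INPUT and OUTPUT drops for comparison.

```python
import re
import ipaddress

# Sample syslog lines. The first is the line from the question; the second
# and third are constructed examples of INPUT-only and OUTPUT-only drops.
SAMPLE_LOG = """\
Feb 24 21:52:49 redshift kernel: [90746.567197] [UFW BLOCK] IN=eth0 OUT=he-ipv6 SRC=2001:0470:1f09:15bd:f905:2ab5:0e3f:d0cd DST=2a00:1450:8006:0000:0000:0000:0000:0068 LEN=80 TC=0 HOPLIMIT=127 FLOWLBL=0 PROTO=ICMPv6 TYPE=128 CODE=0 ID=1 SEQ=187
Feb 24 21:53:01 redshift kernel: [90758.100000] [UFW BLOCK] IN=eth0 OUT= SRC=192.168.1.50 DST=192.168.1.110 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=51234 DPT=8080 WINDOW=5840 RES=0x00 SYN URGP=0
Feb 24 21:53:07 redshift kernel: [90764.200000] [UFW BLOCK] IN= OUT=eth0 SRC=192.168.1.110 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=40000 DPT=25 WINDOW=5840 RES=0x00 SYN URGP=0
"""

UFW_RE = re.compile(r"\[UFW (\w+)\]\s*(.*)")
FIELD_RE = re.compile(r"(\w+)=(\S*)")

# The netfilter chain implied by which interface fields are populated, and the
# /etc/default/ufw key whose policy applies when no explicit rule matches.
POLICY_KEY = {
    "INPUT": "DEFAULT_INPUT_POLICY",
    "OUTPUT": "DEFAULT_OUTPUT_POLICY",
    "FORWARD": "DEFAULT_FORWARD_POLICY",
}

# A few ICMPv6 types worth recognising when an IPv6 tunnel stops working.
ICMPV6_TYPES = {
    2: "packet too big",
    128: "echo request",
    129: "echo reply",
    135: "neighbor solicitation",
    136: "neighbor advertisement",
}


def parse_ufw_line(line):
    """Return the UFW action plus the KEY=VALUE fields of one log line, or None."""
    m = UFW_RE.search(line)
    if not m:
        return None
    action, rest = m.group(1), m.group(2)
    fields = dict(FIELD_RE.findall(rest))
    fields["ACTION"] = action
    return fields


def classify_chain(fields):
    """IN and OUT both set means the packet was being routed: FORWARD chain."""
    has_in = bool(fields.get("IN"))
    has_out = bool(fields.get("OUT"))
    if has_in and has_out:
        return "FORWARD"
    if has_in:
        return "INPUT"
    if has_out:
        return "OUTPUT"
    return "UNKNOWN"


def describe(line):
    """Summarise one UFW log line into the facts needed to pick the right fix."""
    fields = parse_ufw_line(line)
    if fields is None:
        return None
    chain = classify_chain(fields)
    src = ipaddress.ip_address(fields["SRC"])
    proto = fields.get("PROTO", "")
    icmp_type = None
    if proto == "ICMPv6" and "TYPE" in fields:
        t = int(fields["TYPE"])
        icmp_type = ICMPV6_TYPES.get(t, "type %d" % t)
    return {
        "action": fields["ACTION"],
        "chain": chain,
        "policy_key": POLICY_KEY.get(chain, "n/a"),
        "in": fields.get("IN", ""),
        "out": fields.get("OUT", ""),
        "src": str(src),
        "dst": fields.get("DST", ""),
        "family": src.version,
        "proto": proto,
        "icmp_type": icmp_type,
    }


def summarize(log_text):
    """Describe every UFW line in a block of syslog text, skipping other lines."""
    rows = []
    for line in log_text.splitlines():
        row = describe(line)
        if row is not None:
            rows.append(row)
    return rows


if __name__ == "__main__":
    for row in summarize(SAMPLE_LOG):
        print("%-7s %-8s %s -> %s  %s %s  (decided by %s)" % (
            row["chain"], row["proto"], row["in"] or "-", row["out"] or "-",
            row["src"], row["icmp_type"] or "", row["policy_key"]))
```

Run against the question's line, the script reports FORWARD for eth0 -> he-ipv6 carrying an ICMPv6 echo request, decided by DEFAULT_FORWARD_POLICY, which is exactly the setting changed above. Newer ufw releases also accept per-flow forwarding rules (`ufw route allow ...`), so on a current system the forward default can stay at DROP while only the LAN-to-tunnel traffic is permitted.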
Instead of changing the policy to allowing all incoming traffic (which sort of defeats most of the purpose of a firewall), you can do this to allow IPv6 tunneled traffic from HE, and then any IPv6 rules will match on your tunnel interface.
ufw allow proto ipv6 from 209.51.161.14
Replace 209.51.161.14 with your HE tunnel server.