I recently set up a Hurricane Electric (HE) 6in4 tunnel on a CentOS server, and it seems worth documenting the two firewall steps that were necessary before outside hosts could reach the new IPv6 address:
(1) iptables must accept IP protocol 41 (6in4: IPv6 encapsulated in IPv4) from HE's tunnel server IPv4 address. Note that `-A` appends to the end of INPUT; if the chain already ends with a REJECT/DROP rule (the stock CentOS ruleset typically does), an appended rule is never reached — insert it with `-I INPUT` or before the final reject instead:
iptables -A INPUT -s xx.xx.xx.xx -p 41 -j ACCEPT
(2) ip6tables must accept whatever inbound IPv6 connections you need. Once the tunnel is up, every service bound to the new address is reachable from the whole IPv6 Internet, so keep the list to the services you actually intend to expose. ICMPv6 (neighbour discovery, packet-too-big for path-MTU discovery) and established/related traffic also have to be permitted for IPv6 to work properly. For example:
ip6tables -A INPUT -p tcp --dport 22 -j ACCEPT
ip6tables -A INPUT -p tcp --dport 80 -j ACCEPT
ip6tables -A INPUT -p tcp --dport 443 -j ACCEPT
It took me a while to figure this out, so maybe this post will help someone.
Those who use the nftables firewall on their server can add the following rule to /etc/nftables.conf:
ip protocol 41 ip saddr xx.xx.xx.xx accept
Here xx.xx.xx.xx is the IPv4 address of the tunnel broker's endpoint server (the address HE lists as the server IPv4 address for the tunnel).
Put the rule in the input chain of whichever table filters IPv4 — "inet" or "ip" — and before that chain's final drop. If the ruleset has policy-drop input chains in both tables, add it to both: every base chain hooked on input is evaluated for each packet, an accept only ends evaluation of its own chain, and a drop in any one of them wins.
To be more specific, also match the destination address:
ip protocol 41 ip saddr xx.xx.xx.xx ip daddr yy.yy.yy.yy accept
Here yy.yy.yy.yy is your own server's public, routable IPv4 address (the tunnel's client endpoint). Keep in mind that 6in4 carries no authentication or encryption: this source/destination match is the only admission control on the encapsulated traffic, and the outer IPv4 source address can be spoofed. The decapsulated IPv6 packets are then evaluated by your IPv6 rules, so those rules are what really protect the host — keep them tight.
EXTRA INFO:
Here is a sample /etc/nftables.conf (the xx/yy/IPv6-Adrs-N* tokens are placeholders to be replaced with real addresses):
#!/usr/sbin/nft -f
# Replace the entire live ruleset with what follows. This removes every existing
# table, including ones created by other tools (e.g. firewalld, Docker, fail2ban),
# so load this file only where nftables is the sole firewall manager.
flush ruleset
# Combined IPv4+IPv6 table. Every base chain hooked on "input" in every table
# sees each packet: an accept here only ends evaluation of this chain, and a
# drop in another table's input chain still wins. When more than one table
# carries a policy-drop input chain, rules must be mirrored (or the tables merged).
table inet filter {
# ... other sections ...
chain incoming {
type filter hook input priority 0; policy drop;
# Accept any localhost traffic:
iif lo accept
# ICMP echo-request first, rate limited; the counter-drop line right after each
# limit rule catches the excess, so these pairs must stay together and in order:
ip6 nexthdr icmpv6 icmpv6 type echo-request limit rate 30/second accept
ip6 nexthdr icmpv6 icmpv6 type echo-request counter drop
ip protocol icmp icmp type echo-request limit rate 30/second accept
ip protocol icmp icmp type echo-request counter drop
# ... For DNS NameServer/Authoritative Server, rate limit rules are here ...
# Accept replies to connections this host initiated (conntrack established/related):
ct state { established, related } accept
# Accept these ICMP & ICMPv6 types. packet-too-big must pass for path-MTU
# discovery (the 6in4 tunnel's MTU is lower than the physical link's) and the
# nd-* types for neighbour discovery. The list is generous for the initial
# setup stage; when hardening, remove what is not necessary.
# NOTE(review): accepting nd-router-advert from any source lets a rogue RA
# change routes if the interface has accept_ra enabled — confirm this is
# intended on a server with a statically configured tunnel.
ip6 nexthdr icmpv6 icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem, echo-reply, mld-listener-query, mld-listener-report, mld-listener-reduction, nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert, ind-neighbor-solicit, ind-neighbor-advert, mld2-listener-report } accept
ip protocol icmp icmp type { destination-unreachable, echo-reply, router-solicitation, router-advertisement, time-exceeded, parameter-problem } accept
# Accept IGMP:
ip protocol igmp accept
# Allow HE (Hurricane Electric) 6in4 IPv6-in-IPv4 tunnel: the outer IPv4 packet
# carries protocol 41 from the broker's server address to this server's public
# address. 6in4 is neither authenticated nor encrypted and the outer source
# address can be spoofed, so this is only a coarse filter; the decapsulated
# IPv6 packets are evaluated again by the IPv6 rules in this chain, and those
# are the real access control.
ip protocol 41 ip saddr xx.xx.xx.xx ip daddr yy.yy.yy.yy accept
# IPv4 address of this server, used for all: dns/named/bind/53, sshd/5022,
# email-related services, etc.
# ( yy.yy.yy.yy, allotted by the server's ISP or VM/server provider, should be
# configured as a static address on the primary network interface, e.g. via
# /etc/network/interfaces on Debian-based systems or the distribution's equivalent. )
# NOTE(review): sshd listens on TCP only; the udp 5022 entry below is presumably
# for some other service — confirm, and remove it if nothing listens there.
tcp dport { 25, 53, 80, 110, 143, 443, 465, 587, 993, 995, 4190, 5022 } ip daddr yy.yy.yy.yy accept
udp dport { 53, 80, 443, 5022 } ip daddr yy.yy.yy.yy accept
# IPv6 addresses N1 & N2 from the HE-routed IPv6 subnet (placeholders — replace
# with real addresses), used for: dns/named/bind/53, email-related services, etc:
tcp dport { 25, 53, 80, 110, 143, 443, 465, 587, 993, 995, 4190 } ip6 daddr { IPv6-Adrs-N1, IPv6-Adrs-N2 } accept
udp dport { 53, 80, 443 } ip6 daddr { IPv6-Adrs-N1, IPv6-Adrs-N2 } accept
# IPv6 address N3 from the HE subnet, used for: http/80, https/443, dns/unbound/53, etc:
tcp dport { 53, 80, 443 } ip6 daddr IPv6-Adrs-N3 accept
udp dport { 53, 80, 443 } ip6 daddr IPv6-Adrs-N3 accept
# ... other rules for other services that are running in this server ...
# Count and drop any other traffic (explicit last rule; the chain policy is drop as well):
counter drop
}
chain outgoing {
type filter hook output priority 0; policy accept;
}
# This host does not route; refuse to forward anything.
chain forward {
type filter hook forward priority 0; policy drop;
}
}
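# IPv4-only table. Its input chain runs alongside the "inet filter" input chain
# on the same hook, so an IPv4 packet must be accepted by both to get through;
# anything the inet table accepts for IPv4 has to be mirrored here.
table ip filter {
chain incoming {
type filter hook input priority 0; policy drop;
# Accept loopback. Without this rule the inet table's "iif lo accept" is undone
# for IPv4: connections to 127.0.0.0/8 on any port not listed below fall
# through to the final counter-drop of this chain.
iif lo accept
# ICMP echo-request, rate limited; the counter-drop right after it catches the excess.
ip protocol icmp icmp type echo-request limit rate 30/second accept
ip protocol icmp icmp type echo-request counter drop
# Replies to connections this host initiated:
ct state { established, related } accept
# ICMP error/control types needed for normal operation:
ip protocol icmp icmp type { destination-unreachable, echo-reply, router-solicitation, router-advertisement, time-exceeded, parameter-problem } accept
# Accept IGMP:
ip protocol igmp accept
# HE 6in4 tunnel: outer IPv4 packets with protocol 41 from the broker's server
# address to this server's public address. 6in4 is unauthenticated and the
# outer source is spoofable; the IPv6 rules that the decapsulated packets hit
# are the real access control.
ip protocol 41 ip saddr xx.xx.xx.xx ip daddr yy.yy.yy.yy accept
# Services on this server's public IPv4 address (dns/53, sshd/5022, mail, web).
# NOTE(review): sshd is TCP-only; confirm udp 5022 is actually needed and drop it otherwise.
ip daddr yy.yy.yy.yy tcp dport { 25, 53, 80, 110, 143, 443, 465, 587, 993, 995, 4190, 5022 } accept
ip daddr yy.yy.yy.yy udp dport { 53, 80, 443, 5022 } accept
# ... other IP, IPv4 related rules for other services that are running in this server ...
# Count and drop everything else:
counter drop
}
# This host does not route; refuse to forward anything.
chain FORWARD {
type filter hook forward priority 0; policy drop;
}
chain outgoing {
type filter hook output priority 0; policy accept;
}
}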
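# IPv6-only table. Its input chain runs alongside the "inet filter" input chain
# on the same hook, so an IPv6 packet must be accepted by both to get through.
# The 6in4 tunnel needs no rule here: the outer packet is IPv4, and the
# decapsulated IPv6 packets arriving through the tunnel are what this chain filters.
table ip6 filter {
chain incoming {
type filter hook input priority 0; policy drop;
# Accept loopback. Without this rule the inet table's "iif lo accept" is undone
# for IPv6: connections to ::1 on any port not listed below fall through to the
# final counter-drop of this chain.
iif lo accept
# ICMPv6 echo-request, rate limited; the counter-drop right after it catches the excess.
ip6 nexthdr icmpv6 icmpv6 type echo-request limit rate 30/second accept
ip6 nexthdr icmpv6 icmpv6 type echo-request counter drop
# Replies to connections this host initiated:
ct state { established, related } accept
# ICMPv6 types needed for normal operation: packet-too-big for path-MTU
# discovery across the tunnel, nd-* for neighbour discovery. Trim when hardening.
# NOTE(review): nd-router-advert from any source is accepted — confirm accept_ra
# is off on the tunnel interface, or restrict this if it is not.
ip6 nexthdr icmpv6 icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem, echo-reply, mld-listener-query, mld-listener-report, mld-listener-reduction, nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert, ind-neighbor-solicit, ind-neighbor-advert, mld2-listener-report } accept
# Services on addresses N1 & N2 of the HE-routed subnet (placeholders — replace with real addresses):
ip6 daddr { IPv6-Adrs-N1, IPv6-Adrs-N2 } tcp dport { 25, 53, 80, 110, 143, 443, 465, 587, 993, 995, 4190 } accept
ip6 daddr { IPv6-Adrs-N1, IPv6-Adrs-N2 } udp dport { 53, 80, 443 } accept
# Services on address N3 (web and resolver):
ip6 daddr IPv6-Adrs-N3 tcp dport { 53, 80, 443 } accept
ip6 daddr IPv6-Adrs-N3 udp dport { 53, 80, 443 } accept
# ... other IPv6 rules for other services that are running in this server ...
# Count and drop everything else:
counter drop
}
# This host does not route; refuse to forward anything.
chain FORWARD {
type filter hook forward priority 0; policy drop;
}
chain outgoing {
type filter hook output priority 0; policy accept;
}
}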