Welcome to Hurricane Electric's IPv6 Tunnel Broker Forums.

[solved] Problem with ufw rules

Started by tapin, February 24, 2011, 02:02:35 PM


tapin

I have some services I do not want to be exposed running on this server, so I need to enable a firewall. When the firewall is enabled, the server running the tunnel has IPv6 connectivity as normal and everything is OK, but clients on the LAN lose connectivity. When I issue a ping from a Windows client:


D:\>ping ipv6.google.com
Pinging ipv6.l.google.com [2a00:1450:8006::68] with 32 bytes of data:
Request timed out.


I see associated block messages in /var/log/messages


Feb 24 21:52:49 redshift kernel: [90746.567197] [UFW BLOCK] IN=eth0 OUT=he-ipv6 SRC=2001:0470:1f09:15bd:f905:2ab5:0e3f:d0cd DST=2a00:1450:8006:0000:0000:0000:0000:0068 LEN=80 TC=0 HOPLIMIT=127 FLOWLBL=0 PROTO=ICMPv6 TYPE=128 CODE=0 ID=1 SEQ=187


Unfortunately I have no idea what rule I need to put in to allow this, as even setting the incoming default to allow does not solve this issue, so I'm hoping someone better at Linux firewalls than I am can help. When the firewall is turned off everything works as expected.

ufw status verbose:

Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing)
New profiles: skip

To                         Action      From
--                         ------      ----
22                         ALLOW IN    Anywhere
443                        ALLOW IN    Anywhere
80                         ALLOW IN    Anywhere
Anywhere                   ALLOW IN    192.168.1.0/24
22                         ALLOW IN    Anywhere (v6)
443                        ALLOW IN    Anywhere (v6)
80                         ALLOW IN    Anywhere (v6)


ifconfig

eth0      Link encap:Ethernet  HWaddr 00:21:85:53:b8:12
         inet addr:192.168.1.110  Bcast:192.168.1.255  Mask:255.255.255.0
         inet6 addr: fe80::221:85ff:fe53:b812/64 Scope:Link
         UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
         RX packets:683742 errors:0 dropped:0 overruns:0 frame:0
         TX packets:1231665 errors:0 dropped:0 overruns:0 carrier:0
         collisions:0 txqueuelen:1000
         RX bytes:53259912 (53.2 MB)  TX bytes:1701283117 (1.7 GB)
         Interrupt:26 Base address:0x8000

he-ipv6   Link encap:IPv6-in-IPv4
         inet6 addr: 2001:470:1f08:15bd::2/64 Scope:Global
         inet6 addr: fe80::c0a8:16e/128 Scope:Link
         UP POINTOPOINT RUNNING NOARP  MTU:1480  Metric:1
         RX packets:37374 errors:0 dropped:0 overruns:0 frame:0
         TX packets:28042 errors:0 dropped:0 overruns:0 carrier:0
         collisions:0 txqueuelen:0
         RX bytes:7430443 (7.4 MB)  TX bytes:2550713 (2.5 MB)

lo        Link encap:Local Loopback
         inet addr:127.0.0.1  Mask:255.0.0.0
         inet6 addr: ::1/128 Scope:Host
         UP LOOPBACK RUNNING  MTU:16436  Metric:1
         RX packets:1631 errors:0 dropped:0 overruns:0 frame:0
         TX packets:1631 errors:0 dropped:0 overruns:0 carrier:0
         collisions:0 txqueuelen:0
         RX bytes:100308 (100.3 KB)  TX bytes:100308 (100.3 KB)


The server is running Ubuntu 10.04.2 LTS

tapin

::) So after spending hours on this after posting the message I came to the solution.

The default forward policy in /etc/default/ufw was set to DROP, so I set it to ACCEPT...


DEFAULT_FORWARD_POLICY="ACCEPT"


and everything works fine!

Hopefully this might save someone a couple of hours!
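The [UFW BLOCK] line in the first post already says which chain dropped the packet: both IN= and OUT= are set, so the packet was being forwarded (eth0 to he-ipv6), which is why changing the incoming default had no effect and the forward policy did. The following is an added example, not code from the thread or from ufw, that parses such log lines and classifies them by chain, so a defender can tell INPUT drops from FORWARD drops before loosening any policy. The sample line is the one quoted above; the LAN prefix passed to is_from_prefix is an assumption derived from that line's SRC address.

```python
import re
import ipaddress

# Constructed sample: the [UFW BLOCK] line quoted in the first post of the thread.
SAMPLE_LOG = (
    "Feb 24 21:52:49 redshift kernel: [90746.567197] [UFW BLOCK] IN=eth0 OUT=he-ipv6 "
    "SRC=2001:0470:1f09:15bd:f905:2ab5:0e3f:d0cd DST=2a00:1450:8006:0000:0000:0000:0000:0068 "
    "LEN=80 TC=0 HOPLIMIT=127 FLOWLBL=0 PROTO=ICMPv6 TYPE=128 CODE=0 ID=1 SEQ=187"
)

# Assumed LAN-side prefix, taken from the SRC address in the sample line.
ASSUMED_LAN_PREFIX = "2001:470:1f09:15bd::/64"

MARKER = "[UFW BLOCK]"
FIELD_RE = re.compile(r"(\w+)=(\S*)")

# ICMPv6 types that commonly show up when diagnosing connectivity (RFC 4443).
ICMPV6_TYPES = {128: "echo request", 129: "echo reply"}


def parse_ufw_block(line):
    """Return the key=value fields after '[UFW BLOCK]', or None if the line is not a block."""
    idx = line.find(MARKER)
    if idx < 0:
        return None
    return dict(FIELD_RE.findall(line[idx + len(MARKER):]))


def classify_chain(fields):
    """Infer the netfilter chain from the IN/OUT interfaces the kernel logged.

    Both set  -> FORWARD (routed through the box, governed by the forward policy)
    only IN   -> INPUT   (destined to the box, governed by the incoming default)
    only OUT  -> OUTPUT  (originated by the box, governed by the outgoing default)
    """
    inbound, outbound = fields.get("IN", ""), fields.get("OUT", "")
    if inbound and outbound:
        return "FORWARD"
    if inbound:
        return "INPUT"
    if outbound:
        return "OUTPUT"
    return "UNKNOWN"


def is_from_prefix(fields, prefix):
    """True if the logged SRC address lies inside the given network prefix."""
    return ipaddress.ip_address(fields["SRC"]) in ipaddress.ip_network(prefix, strict=False)


def describe(line, lan_prefix=ASSUMED_LAN_PREFIX):
    """Turn one log line into a short diagnosis dict, or None if it is not a block line."""
    fields = parse_ufw_block(line)
    if fields is None:
        return None
    proto = fields.get("PROTO", "?")
    detail = proto
    if proto == "ICMPv6" and "TYPE" in fields:
        detail += " " + ICMPV6_TYPES.get(int(fields["TYPE"]), "type " + fields["TYPE"])
    return {
        "chain": classify_chain(fields),
        "in": fields.get("IN", ""),
        "out": fields.get("OUT", ""),
        "src": str(ipaddress.ip_address(fields["SRC"])),  # compressed form
        "dst": str(ipaddress.ip_address(fields["DST"])),
        "proto": detail,
        "src_is_lan": is_from_prefix(fields, lan_prefix),
    }


def summarize(lines):
    """Count block lines per chain, so a log tail shows where the drops concentrate."""
    counts = {}
    for line in lines:
        d = describe(line)
        if d is not None:
            counts[d["chain"]] = counts.get(d["chain"], 0) + 1
    return counts


if __name__ == "__main__":
    d = describe(SAMPLE_LOG)
    print(f"{d['chain']}: {d['in']} -> {d['out']} {d['src']} -> {d['dst']} ({d['proto']}), "
          f"from LAN prefix: {d['src_is_lan']}")
    print(summarize([SAMPLE_LOG, "Feb 24 21:53:00 redshift kernel: unrelated line"]))
```

Run it over a tail of /var/log/messages and anything reported as FORWARD is controlled by DEFAULT_FORWARD_POLICY (or explicit forward rules in the ufw before/after rule files), not by the incoming or outgoing defaults; that distinction is what the thread's solution turns on. A FORWARD count that comes only from the LAN prefix towards the tunnel is the expected signature of this problem, whereas FORWARD drops from addresses outside that prefix would be traffic a permissive forward policy should not be admitting.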


arip

Instead of changing the policy to allowing all incoming traffic (which sort of defeats most of the purpose of a firewall), you can do this to allow IPv6 tunneled traffic from HE, and then any IPv6 rules will match on your tunnel interface.

ufw allow proto ipv6 from 209.51.161.14

Replace 209.51.161.14 with your HE tunnel server.