
ip6tables - stateful routed firewall help

Started by sysgeek, September 05, 2010, 09:10:25 AM


sysgeek

Hey everybody,

I keep running into a wall when turning on ip6tables. I'm using my Linux box as a network firewall to connect to the IPv4 Internet as well as the IPv6 Internet. On the IPv4 Internet, I'm using iptables to do NAT and stateful filtering. For IPv6, I'm connecting to tunnelbroker via pptp, then pushing my IPv6 routes through the pptp tunnel. That all works perfectly, but when I turn on ip6tables, the stateful filters don't get built for some reason when traffic passes through the firewall.

Here is what my ip6tables look like:


[root@darkstar ~]# ip6tables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
RH-Firewall-1-INPUT  all      anywhere             anywhere

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
RH-Firewall-1-INPUT  all      anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all      anywhere             anywhere
DROP       all      anywhere             anywhere           rt type:0

Chain RH-Firewall-1-INPUT (2 references)
target     prot opt source               destination
ACCEPT     all      anywhere             anywhere
ACCEPT     all      anywhere             anywhere
DROP       all      anywhere             anywhere           rt type:0
ACCEPT     ipv6-icmp    anywhere             anywhere
ACCEPT     esp      anywhere             anywhere
ACCEPT     ah       anywhere             anywhere
ACCEPT     all      anywhere             anywhere           state NEW
ACCEPT     all      anywhere             anywhere           state RELATED,ESTABLISHED
ACCEPT     tcp      anywhere             anywhere           state NEW tcp dpt:ssh
REJECT     all      anywhere             anywhere           reject-with icmp6-port-unreachable


And here is a tcpdump of traffic going through my ipv6 tunnel. The first eight lines are an icmp6 ping to ipv6.google.com, which is successful. The remaining lines are me trying to telnet to TCP port 80 on ipv6.google.com. As you can see, my initial outbound packet is successful, and I get an acknowledgment from Google. After that, the stateful stream appears to close and I start getting the default reject code from ip6tables as Google tries to send me more data to my source port that had already been opened. Any ideas?


[root@darkstar ~]# tcpdump -i sixbone -vv
tcpdump: WARNING: sixbone: no IPv4 address assigned
tcpdump: listening on sixbone, link-type RAW (Raw IP), capture size 96 bytes
10:51:55.727005 IP6 (hlim 127, next-header: ICMPv6 (58), length: 40) 2001:470:####::2 > gy-in-x68.1e100.net: [icmp6 sum ok] ICMP6, echo request, length 40, seq 1033
10:51:55.829533 IP6 (class 0x80, hlim 56, next-header: ICMPv6 (58), length: 40) gy-in-x68.1e100.net > 2001:470:####::2: [icmp6 sum ok] ICMP6, echo reply, length 40, seq 1033
10:51:56.727815 IP6 (hlim 127, next-header: ICMPv6 (58), length: 40) 2001:470:####::2 > gy-in-x68.1e100.net: [icmp6 sum ok] ICMP6, echo request, length 40, seq 1034
10:51:56.806925 IP6 (class 0x80, hlim 56, next-header: ICMPv6 (58), length: 40) gy-in-x68.1e100.net > 2001:470:####::2: [icmp6 sum ok] ICMP6, echo reply, length 40, seq 1034
10:51:57.728841 IP6 (hlim 127, next-header: ICMPv6 (58), length: 40) 2001:470:####::2 > gy-in-x68.1e100.net: [icmp6 sum ok] ICMP6, echo request, length 40, seq 1035
10:51:57.817087 IP6 (class 0x80, hlim 56, next-header: ICMPv6 (58), length: 40) gy-in-x68.1e100.net > 2001:470:####::2: [icmp6 sum ok] ICMP6, echo reply, length 40, seq 1035
10:51:58.730858 IP6 (hlim 127, next-header: ICMPv6 (58), length: 40) 2001:470:####::2 > gy-in-x68.1e100.net: [icmp6 sum ok] ICMP6, echo request, length 40, seq 1036
10:51:58.819369 IP6 (class 0x80, hlim 56, next-header: ICMPv6 (58), length: 40) gy-in-x68.1e100.net > 2001:470:####::2: [icmp6 sum ok] ICMP6, echo reply, length 40, seq 1036

10:52:04.159429 IP6 (hlim 63, next-header: TCP (6), length: 32) 2001:470:####::2.50972 > gy-in-x68.1e100.net.http: S, cksum 0x4483 (correct), 2882457998:2882457998(0) win 8192 <mss 1440,nop,wscale 8,nop,nop,sackOK>
10:52:04.239276 IP6 (class 0x80, hlim 56, next-header: TCP (6), length: 32) gy-in-x68.1e100.net.http > 2001:470:####::2.50972: S, cksum 0x45c1 (correct), 3383770784:3383770784(0) ack 2882457999 win 5760 <mss 1410,nop,nop,sackOK,nop,wscale 6>
10:52:04.239335 IP6 (hlim 64, next-header: ICMPv6 (58), length: 80) #######-1-pt.tunnel.tserv8.dal1.ipv6.he.net > gy-in-x68.1e100.net: ICMP6, destination unreachable, length 80, unreachable port, 2001:470:####::2 tcp port 50972
10:52:07.169028 IP6 (hlim 63, next-header: TCP (6), length: 32) 2001:470:####::2.50972 > gy-in-x68.1e100.net.http: S, cksum 0x4483 (correct), 2882457998:2882457998(0) win 8192 <mss 1440,nop,wscale 8,nop,nop,sackOK>
10:52:07.238546 IP6 (class 0x80, hlim 56, next-header: TCP (6), length: 32) gy-in-x68.1e100.net.http > 2001:470:####::2.50972: S, cksum 0x45c1 (correct), 3383770784:3383770784(0) ack 2882457999 win 5760 <mss 1410,nop,nop,sackOK,nop,wscale 6>
10:52:07.238600 IP6 (hlim 64, next-header: ICMPv6 (58), length: 80) #######-1-pt.tunnel.tserv8.dal1.ipv6.he.net > gy-in-x68.1e100.net: ICMP6, destination unreachable, length 80, unreachable port, 2001:470:####::2 tcp port 50972
10:52:07.254015 IP6 (class 0x80, hlim 56, next-header: TCP (6), length: 32) gy-in-x68.1e100.net.http > 2001:470:####::2.50972: S, cksum 0x45c1 (correct), 3383770784:3383770784(0) ack 2882457999 win 5760 <mss 1410,nop,nop,sackOK,nop,wscale 6>
10:52:07.254051 IP6 (hlim 64, next-header: ICMPv6 (58), length: 80) #######-1-pt.tunnel.tserv8.dal1.ipv6.he.net > gy-in-x68.1e100.net: ICMP6, destination unreachable, length 80, unreachable port, 2001:470:####::2 tcp port 50972
10:52:13.180050 IP6 (hlim 63, next-header: TCP (6), length: 28) 2001:470:####::2.50972 > gy-in-x68.1e100.net.http: S, cksum 0x5892 (correct), 2882457998:2882457998(0) win 8192 <mss 1440,nop,nop,sackOK>
10:52:13.258592 IP6 (class 0x80, hlim 56, next-header: TCP (6), length: 32) gy-in-x68.1e100.net.http > 2001:470:####::2.50972: S, cksum 0x45c1 (correct), 3383770784:3383770784(0) ack 2882457999 win 5760 <mss 1410,nop,nop,sackOK,nop,wscale 6>
10:52:13.258648 IP6 (hlim 64, next-header: ICMPv6 (58), length: 80) #######-1-pt.tunnel.tserv8.dal1.ipv6.he.net > gy-in-x68.1e100.net: ICMP6, destination unreachable, length 80, unreachable port, 2001:470:####::2 tcp port 50972
10:52:13.259738 IP6 (class 0x80, hlim 56, next-header: TCP (6), length: 32) gy-in-x68.1e100.net.http > 2001:470:####::2.50972: S, cksum 0x45c1 (correct), 3383770784:3383770784(0) ack 2882457999 win 5760 <mss 1410,nop,nop,sackOK,nop,wscale 6>
10:52:13.259776 IP6 (hlim 64, next-header: ICMPv6 (58), length: 80) #######-1-pt.tunnel.tserv8.dal1.ipv6.he.net > gy-in-x68.1e100.net: ICMP6, destination unreachable, length 80, unreachable port, 2001:470:####::2 tcp port 50972
10:52:23.256642 IP6 (class 0x80, hlim 56, next-header: TCP (6), length: 32) gy-in-x68.1e100.net.http > 2001:470:####::2.50972: S, cksum 0x45c1 (correct), 3383770784:3383770784(0) ack 2882457999 win 5760 <mss 1410,nop,nop,sackOK,nop,wscale 6>
10:52:23.256712 IP6 (hlim 64, next-header: ICMPv6 (58), length: 80) #######-1-pt.tunnel.tserv8.dal1.ipv6.he.net > gy-in-x68.1e100.net: ICMP6, destination unreachable, length 80, unreachable port, 2001:470:####::2 tcp port 50972
10:52:33.257584 IP6 (class 0x80, hlim 56, next-header: TCP (6), length: 32) gy-in-x68.1e100.net.http > 2001:470:####::2.50972: S, cksum 0x45c1 (correct), 3383770784:3383770784(0) ack 2882457999 win 5760 <mss 1410,nop,nop,sackOK,nop,wscale 6>
10:52:33.257662 IP6 (hlim 64, next-header: ICMPv6 (58), length: 80) #######-1-pt.tunnel.tserv8.dal1.ipv6.he.net > gy-in-x68.1e100.net: ICMP6, destination unreachable, length 80, unreachable port, 2001:470:####::2 tcp port 50972
10:52:43.276180 IP6 (class 0x80, hlim 56, next-header: TCP (6), length: 32) gy-in-x68.1e100.net.http > 2001:470:####::2.50972: S, cksum 0x45c1 (correct), 3383770784:3383770784(0) ack 2882457999 win 5760 <mss 1410,nop,nop,sackOK,nop,wscale 6>
10:52:43.276252 IP6 (hlim 64, next-header: ICMPv6 (58), length: 80) #######-1-pt.tunnel.tserv8.dal1.ipv6.he.net > gy-in-x68.1e100.net: ICMP6, destination unreachable, length 80, unreachable port, 2001:470:####::2 tcp port 50972

lukec

It looks like if...

Quote: The remaining lines are me trying to telnet to TCP port 80 to ipv6.google.com.

You don't appear to be doing "telnet ipv6.google.com 80" but rather gy-in-x68.1e100.net http(80).
I would have thought you would see:

21:57:51.262372 IP6 #####.#####-v6.com.61370 > 2a00:1450:8004::63.http: Flags [P.], ack 1, win 8213, options [nop,nop,TS val 485015376 ecr 1673629206], length 5
21:57:51.340758 IP6 2a00:1450:8004::63.http > #####.#####-v6.com.61370: Flags [.], ack 11, win 90, options [nop,nop,TS val 1673632877 ecr 485015376], length 0
21:57:51.343344 IP6 2a00:1450:8004::63.http > #####.#####-v6.com.61370: Flags [.], ack 11, win 90, options [nop,nop,TS val 1673632878 ecr 485015376], length 1208
21:57:51.343761 IP6 2a00:1450:8004::63.http > #####.#####-v6.com.61370: Flags [P.], ack 11, win 90, options [nop,nop,TS val 1673632878 ecr 485015376], length 286
21:57:51.343775 IP6 #####.#####-v6.com.61370 > 2a00:1450:8004::63.http: Flags [.], ack 1495, win 8177, options [nop,nop,TS val 485015457 ecr 1673632878], length 0
21:57:51.344171 IP6 2a00:1450:8004::63.http > #####.#####-v6.com.61370: Flags [F.], seq 1495, ack 11, win 90, options [nop,nop,TS val 1673632878 ecr 485015376], length 0
21:57:51.344184 IP6 #####.#####-v6.com.61370 > 2a00:1450:8004::63.http: Flags [.], ack 1496, win 8213, options [nop,nop,TS val 485015458 ecr 1673632878], length 0
21:57:51.344223 IP6 #####.#####-v6.com.61370 > 2a00:1450:8004::63.http: Flags [F.], seq 11, ack 1496, win 8213, options [nop,nop,TS val 485015458 ecr 1673632878], length 0
21:57:51.427743 IP6 2a00:1450:8004::63.http > #####.#####-v6.com.61370: Flags [.], ack 12, win 90, options [nop,nop,TS val 1673632965 ecr 485015458], length 0



dig +short AAAA ipv6.google.com
ipv6.l.google.com.
2a00:1450:8004::67


Interesting (it was :63) when I tried...

Your stateful entry is to ipv6.google.com, but you're getting responses from gy-in-x68.1e100.net, which is not running anything on port 80?

dig +short AAAA gy-in-x68.1e100.net
2001:4860:8003::68


Why? Well, not sure I can answer that, unless possibly TRT Google are clever enough AND gy-in-x68.1e100.net is Google?


whois -h 199.71.0.46 2001:4860:8003::68
#
# Query terms are ambiguous.  The query is assumed to be:
#     "n 2001:4860:8003::68"
#
# Use "?" to get help.
#

#
# The following results may also be obtained via:
# http://whois.arin.net/rest/nets;q=2001:4860:8003::68?showDetails=true&showARIN=false
#

NetRange:       2001:4860:: - 2001:4860:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF
CIDR:           2001:4860::/32
OriginAS:       AS15169
NetName:        GOOGLE-IPV6
NetHandle:      NET6-2001-4860-1
Parent:         NET6-2001-4800-0
NetType:        Direct Allocation
NameServer:     NS2.GOOGLE.COM
NameServer:     NS3.GOOGLE.COM
NameServer:     NS4.GOOGLE.COM
NameServer:     NS1.GOOGLE.COM
RegDate:        2005-03-14
Updated:        2007-09-28
Ref:            http://whois.arin.net/rest/net/NET6-2001-4860-1


OrgName:        Google Inc.
OrgId:          GOGL
Address:        1600 Amphitheatre Parkway
City:           Mountain View
StateProv:      CA
PostalCode:     94043
Country:        US
RegDate:        2000-03-30
Updated:        2009-08-07
Ref:            http://whois.arin.net/rest/org/GOGL

OrgTechHandle: ZG39-ARIN
OrgTechName:   Google Inc
OrgTechPhone:  +1-650-253-0000
OrgTechEmail:  arin-contact@google.com
OrgTechRef:    http://whois.arin.net/rest/poc/ZG39-ARIN

RTechHandle: ZG39-ARIN
RTechName:   Google Inc
RTechPhone:  +1-650-253-0000
RTechEmail:  arin-contact@google.com
RTechRef:    http://whois.arin.net/rest/poc/ZG39-ARIN

RNOCHandle: ZG39-ARIN
RNOCName:   Google Inc
RNOCPhone:  +1-650-253-0000
RNOCEmail:  arin-contact@google.com
RNOCRef:    http://whois.arin.net/rest/poc/ZG39-ARIN

RAbuseHandle: ZG39-ARIN
RAbuseName:   Google Inc
RAbusePhone:  +1-650-253-0000
RAbuseEmail:  arin-contact@google.com
RAbuseRef:    http://whois.arin.net/rest/poc/ZG39-ARIN

#
# ARIN WHOIS data and services are subject to the Terms of Use
# available at: https://www.arin.net/whois_tou.html
#



In my "stateful" (not iptables - Cisco) I get

IPv6 access list outside-tcp (reflexive) (per-user)
permit tcp host 2A00:1450:8004::63 eq www host 2001:470:xxxx:xxxx:xxxx:xxxx:xxxx:xx eq 61370 timeout 300 (time left 203) sequence 906


Does this help?
Rgds
Luke

patrickdk

1e100.net is a google domain name.

I haven't attempted to do ip6tables by hand, but use shorewall and shorewall6 to handle my firewall rules.

lukec

Yes, as before, gy-in-x68.1e100.net is Google, and a "telnet gy-in-x68.1e100.net 80" happily produces this:

tcpdump host gy-in-x68.1e100.net

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on em0, link-type EN10MB (Ethernet), capture size 96 bytes
12:16:51.933659 IP6 xxxxxx.xxxxxx-v6-v6.com.45188 > gy-in-x68.1e100.net.http: Flags [S], seq 220603223, win 65535, options [mss 1440,nop,wscale 3,sackOK,TS val 536624913 ecr 0], length 0
12:16:52.074162 IP6 gy-in-x68.1e100.net.http > xxxxxx.xxxxxx-v6-v6.com.45188: Flags [S.], seq 1762623067, ack 220603224, win 5592, options [mss 1410,sackOK,TS val 2535807291 ecr 536624913,nop,wscale 6], length 0
12:16:52.074198 IP6 xxxxxx.xxxxxx-v6-v6.com.45188 > gy-in-x68.1e100.net.http: Flags [.], ack 1, win 8213, options [nop,nop,TS val 536625053 ecr 2535807291], length 0
12:16:58.041141 IP6 xxxxxx.xxxxxx-v6-v6.com.45188 > gy-in-x68.1e100.net.http: Flags [P.], ack 1, win 8213, options [nop,nop,TS val 536631031 ecr 2535807291], length 5
12:16:58.181311 IP6 gy-in-x68.1e100.net.http > xxxxxx.xxxxxx-v6-v6.com.45188: Flags [.], ack 6, win 88, options [nop,nop,TS val 2535813398 ecr 536631031], length 0
12:17:03.717980 IP6 xxxxxx.xxxxxx-v6-v6.com.45188 > gy-in-x68.1e100.net.http: Flags [P.], ack 1, win 8213, options [nop,nop,TS val 536636719 ecr 2535813398], length 6
12:17:03.857255 IP6 gy-in-x68.1e100.net.http > xxxxxx.xxxxxx-v6-v6.com.45188: Flags [.], ack 12, win 88, options [nop,nop,TS val 2535819074 ecr 536636719], length 0
12:17:03.863416 IP6 gy-in-x68.1e100.net.http > xxxxxx.xxxxxx-v6-v6.com.45188: Flags [.], ack 12, win 88, options [nop,nop,TS val 2535819074 ecr 536636719], length 1208
12:17:03.864455 IP6 gy-in-x68.1e100.net.http > xxxxxx.xxxxxx-v6-v6.com.45188: Flags [P.], ack 12, win 88, options [nop,nop,TS val 2535819074 ecr 536636719], length 286
12:17:03.864475 IP6 xxxxxx.xxxxxx-v6-v6.com.45188 > gy-in-x68.1e100.net.http: Flags [.], ack 1495, win 8177, options [nop,nop,TS val 536636866 ecr 2535819074], length 0
12:17:03.864865 IP6 gy-in-x68.1e100.net.http > xxxxxx.xxxxxx-v6-v6.com.45188: Flags [F.], seq 1495, ack 12, win 88, options [nop,nop,TS val 2535819074 ecr 536636719], length 0
12:17:03.864876 IP6 xxxxxx.xxxxxx-v6-v6.com.45188 > gy-in-x68.1e100.net.http: Flags [.], ack 1496, win 8213, options [nop,nop,TS val 536636866 ecr 2535819074], length 0
12:17:03.864939 IP6 xxxxxx.xxxxxx-v6-v6.com.45188 > gy-in-x68.1e100.net.http: Flags [F.], seq 12, ack 1496, win 8213, options [nop,nop,TS val 536636866 ecr 2535819074], length 0
12:17:04.008262 IP6 gy-in-x68.1e100.net.http > xxxxxx.xxxxxx-v6-v6.com.45188: Flags [.], ack 13, win 88, options [nop,nop,TS val 2535819226 ecr 536636866], length 0
^C
14 packets captured
30 packets received by filter
0 packets dropped by kernel


I don't know the shorewall or shorewall6 fw, but a quick glance on Google came up with this:

Quote: 1) Previously, the Shorewall6-lite version of shorecap was using iptables rather than ip6tables, with the result that many capabilities that are only available in IPv4 were being reported as available

from a patch: http://www.shorewall.com.au/4.4/shorewall-4.4.12/patch-6-lite-4.4.12.1

Probably has nothing to do with it...but...
Rgds
Luke

sttun

What kernel version are you running? Stateful IPv6 firewalling was not included before 2.6.20; for more info: http://www.sixxs.net/wiki/IPv6_Firewalling


History:
2010.09.20 17:48 CET: corrected typos

snarked

Your rulesets are poorly written.  You have places where rules will never be reached.

Example 1:
Quote:
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all      anywhere             anywhere
DROP       all      anywhere             anywhere           rt type:0

With the accept accepting everything, the drop will never be reached.

Example 2:
Quote:
Chain RH-Firewall-1-INPUT (2 references)
target     prot opt source               destination
ACCEPT     all      anywhere             anywhere
...
ACCEPT     all      anywhere             anywhere           state NEW
...
ACCEPT     tcp      anywhere             anywhere           state NEW tcp dpt:ssh

The first line above will take everything, and even if it didn't, the second line will prevent the third line from being reached.

Rules are processed in the order listed within a ruleset.
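As an added illustration of snarked's ordering point and sttun's kernel-version check (this is example code written for this page, not a ruleset from the thread or from Hurricane Electric), the script below builds INPUT and FORWARD so that every rule is reachable: the rt-type-0 DROP sits above any ACCEPT, established/related traffic is accepted before anything else, the only open service (SSH) is matched narrowly, and the catch-all REJECT is last. The interface names eth0/sixbone and the IP6T/LAN/WAN variables are assumptions; set IP6T=echo to dry-run without touching the kernel.

```shell
#!/bin/sh
# Added example, not from the original thread. IP6T=echo prints the rules
# instead of applying them; LAN/WAN are assumed interface names.
IP6T="${IP6T:-ip6tables}"
LAN="${LAN:-eth0}"
WAN="${WAN:-sixbone}"

# Stateful IPv6 filtering needs kernel 2.6.20 or newer (sttun's point).
# Returns 0 when the version string (default: uname -r) is new enough.
kernel_supports_state() {
    v="${1:-$(uname -r)}"
    maj="${v%%.*}"; rest="${v#*.}"
    min="${rest%%.*}"; rest="${rest#*.}"
    pat="${rest%%[!0-9]*}"          # strip "-194.el5" style suffixes
    [ -z "$pat" ] && pat=0
    [ "$maj" -gt 2 ] && return 0
    [ "$maj" -eq 2 ] && [ "$min" -gt 6 ] && return 0
    [ "$maj" -eq 2 ] && [ "$min" -eq 6 ] && [ "$pat" -ge 20 ] && return 0
    return 1
}

# Rules are matched top-down, so order decides which ones can ever fire.
apply_rules() {
    for chain in INPUT FORWARD; do
        $IP6T -F "$chain"
        # 1. Type-0 routing header: placed above every ACCEPT so it is reachable
        #    (in the thread's OUTPUT chain it sat below "ACCEPT all" and was dead).
        $IP6T -A "$chain" -m rt --rt-type 0 -j DROP
        # 2. Loopback is accepted on a specific interface, never as "all/any".
        [ "$chain" = INPUT ] && $IP6T -A "$chain" -i lo -j ACCEPT
        # 3. The stateful part: replies to flows conntrack already knows about.
        $IP6T -A "$chain" -m state --state RELATED,ESTABLISHED -j ACCEPT
        # 4. ICMPv6 carries neighbour discovery and PMTU; IPv6 breaks without it.
        $IP6T -A "$chain" -p ipv6-icmp -j ACCEPT
    done
    # Only new inbound SSH to the firewall itself; a broad "state NEW" ACCEPT
    # here would shadow this rule and the REJECT below.
    $IP6T -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT
    # Inside hosts may open new flows out through the tunnel, nothing inbound.
    $IP6T -A FORWARD -i "$LAN" -o "$WAN" -m state --state NEW -j ACCEPT
    # 5. Catch-all last, with the same reject type the thread's ruleset used.
    $IP6T -A INPUT -j REJECT --reject-with icmp6-port-unreachable
    $IP6T -A FORWARD -j REJECT --reject-with icmp6-port-unreachable
    # Policy set last as a backstop, so a failed rule never leaves the box open.
    $IP6T -P INPUT DROP
    $IP6T -P FORWARD DROP
}
```

Run `kernel_supports_state || echo "kernel too old for -m state"` before `apply_rules`; on a live box also check the ruleset with `ip6tables -L -v -n`, since plain `-L` hides the interface matches that decide whether an "all/anywhere" ACCEPT is really broad.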