Hurricane Electric's IPv6 Tunnel Broker Forums

Author Topic: [solved] Problem with ufw rules  (Read 4311 times)

tapin
[solved] Problem with ufw rules
« on: February 24, 2011, 02:02:35 PM »

I have some services running on this server that I do not want exposed, so I need to enable a firewall. When the firewall is enabled, the server running the tunnel has IPv6 connectivity as normal and everything is OK, but clients on the LAN lose connectivity. When I issue a ping from a Windows client:

Code:
D:\>ping ipv6.google.com
Pinging ipv6.l.google.com [2a00:1450:8006::68] with 32 bytes of data:
Request timed out.

I see associated block messages in /var/log/messages:

Code:
Feb 24 21:52:49 redshift kernel: [90746.567197] [UFW BLOCK] IN=eth0 OUT=he-ipv6 SRC=2001:0470:1f09:15bd:f905:2ab5:0e3f:d0cd DST=2a00:1450:8006:0000:0000:0000:0000:0068 LEN=80 TC=0 HOPLIMIT=127 FLOWLBL=0 PROTO=ICMPv6 TYPE=128 CODE=0 ID=1 SEQ=187

Unfortunately I have no idea what rule I need to put in to allow this, as even setting the incoming default to allow does not solve this issue, so I'm hoping someone better at Linux firewalls than I am can help. When the firewall is turned off everything works as expected.

ufw status verbose:
Code:
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing)
New profiles: skip

To                         Action      From
--                         ------      ----
22                         ALLOW IN    Anywhere
443                        ALLOW IN    Anywhere
80                         ALLOW IN    Anywhere
Anywhere                   ALLOW IN    192.168.1.0/24
22                         ALLOW IN    Anywhere (v6)
443                        ALLOW IN    Anywhere (v6)
80                         ALLOW IN    Anywhere (v6)

ifconfig
Code:
eth0      Link encap:Ethernet  HWaddr 00:21:85:53:b8:12
          inet addr:192.168.1.110  Bcast:192.168.1.255  Mask:255.255.255.0
          inet6 addr: fe80::221:85ff:fe53:b812/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:683742 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1231665 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:53259912 (53.2 MB)  TX bytes:1701283117 (1.7 GB)
          Interrupt:26 Base address:0x8000

he-ipv6   Link encap:IPv6-in-IPv4
          inet6 addr: 2001:470:1f08:15bd::2/64 Scope:Global
          inet6 addr: fe80::c0a8:16e/128 Scope:Link
          UP POINTOPOINT RUNNING NOARP  MTU:1480  Metric:1
          RX packets:37374 errors:0 dropped:0 overruns:0 frame:0
          TX packets:28042 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:7430443 (7.4 MB)  TX bytes:2550713 (2.5 MB)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:1631 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1631 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:100308 (100.3 KB)  TX bytes:100308 (100.3 KB)

The server is running Ubuntu 10.04.2 LTS.
« Last Edit: February 24, 2011, 02:31:59 PM by tapin »

tapin
Re: Problem with ufw rules
« Reply #1 on: February 24, 2011, 02:30:56 PM »

So after spending hours on this after posting the message, I came to the solution.

The default forward policy in /etc/default/ufw was set to DROP, so I set it to ACCEPT:

Code:
DEFAULT_FORWARD_POLICY="ACCEPT"

and everything works fine!

Hopefully this might save someone a couple of hours!

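An added example, not code from the thread or from Hurricane Electric: the `[UFW BLOCK]` line tapin quoted already tells you which netfilter chain dropped the packet, and therefore which ufw setting governs it. The kernel's packet logger fills `IN=` for packets that arrived on an interface and `OUT=` for packets about to leave one, so only a forwarded packet carries both (`IN=eth0 OUT=he-ipv6`). That packet was dropped in the FORWARD chain, which is why raising the incoming (INPUT) default to allow changed nothing and `DEFAULT_FORWARD_POLICY` did. The script below parses the quoted line plus two lines I constructed for the INPUT and OUTPUT cases, classifies each by chain, and names the relevant knob. The interface names, addresses and the second and third log lines are assumptions for the example.

```python
#!/usr/bin/env python3
"""Classify [UFW BLOCK] kernel log lines by the netfilter chain that dropped them.

Added example, not code from the forum thread. The first SAMPLE_LOG line is
the one quoted in the post above; the other two are constructed here to
exercise the INPUT and OUTPUT cases.
"""
import re
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, List, Optional

SAMPLE_LOG = """\
Feb 24 21:52:49 redshift kernel: [90746.567197] [UFW BLOCK] IN=eth0 OUT=he-ipv6 SRC=2001:0470:1f09:15bd:f905:2ab5:0e3f:d0cd DST=2a00:1450:8006:0000:0000:0000:0000:0068 LEN=80 TC=0 HOPLIMIT=127 FLOWLBL=0 PROTO=ICMPv6 TYPE=128 CODE=0 ID=1 SEQ=187
Feb 24 21:53:10 redshift kernel: [90767.123456] [UFW BLOCK] IN=eth0 OUT= MAC=00:21:85:53:b8:12:00:11:22:33:44:55:08:00 SRC=192.168.2.7 DST=192.168.1.110 LEN=60 TOS=0x00 PREC=0x00 TTL=63 DF PROTO=TCP SPT=51000 DPT=3306 WINDOW=5840 RES=0x00 SYN URGP=0
Feb 24 21:53:15 redshift kernel: [90772.654321] [UFW BLOCK] IN= OUT=eth0 SRC=192.168.1.110 DST=192.168.1.1 LEN=84 TOS=0x00 PREC=0x00 TTL=64 DF PROTO=ICMP TYPE=8 CODE=0 ID=3 SEQ=1
"""

# Matches "[UFW BLOCK]", "[UFW ALLOW]", "[UFW AUDIT INVALID]" and similar tags.
UFW_RE = re.compile(r"\[UFW (?P<action>[A-Z ]+)\]\s*(?P<rest>.*)$")


@dataclass
class UfwEvent:
    action: str
    fields: Dict[str, str] = field(default_factory=dict)  # KEY=value tokens
    flags: List[str] = field(default_factory=list)        # bare tokens: DF, SYN, ...

    @property
    def chain(self) -> str:
        """Chain that logged the packet, derived from the IN=/OUT= pair.

        netfilter sets IN for packets that arrived on an interface and OUT for
        packets about to leave one; only a forwarded packet has both set.
        """
        in_if = self.fields.get("IN", "")
        out_if = self.fields.get("OUT", "")
        if in_if and out_if:
            return "FORWARD"
        if in_if:
            return "INPUT"
        if out_if:
            return "OUTPUT"
        return "UNKNOWN"

    @property
    def policy_knob(self) -> str:
        """The ufw setting that decides this packet's fate by default."""
        return {
            "FORWARD": "DEFAULT_FORWARD_POLICY in /etc/default/ufw (or a forward rule)",
            "INPUT": "DEFAULT_INPUT_POLICY / 'ufw allow ...' rules",
            "OUTPUT": "DEFAULT_OUTPUT_POLICY",
        }.get(self.chain, "unknown")


def parse_ufw_line(line: str) -> Optional[UfwEvent]:
    """Parse one syslog line; return None if it is not a ufw log entry."""
    m = UFW_RE.search(line)
    if not m:
        return None
    ev = UfwEvent(action=m.group("action").strip())
    for token in m.group("rest").split():
        if "=" in token:
            key, _, value = token.partition("=")  # "OUT=" yields an empty value
            ev.fields[key] = value
        else:
            ev.flags.append(token)
    return ev


def describe(ev: UfwEvent) -> str:
    """One-line human summary naming the chain and the governing ufw setting."""
    proto = ev.fields.get("PROTO", "?")
    detail = ""
    if proto.startswith("ICMP"):
        detail = f" type {ev.fields.get('TYPE', '?')}"
    elif proto in ("TCP", "UDP"):
        detail = f" dport {ev.fields.get('DPT', '?')}"
    return (
        f"{ev.action} in {ev.chain}: {ev.fields.get('IN') or '-'} -> "
        f"{ev.fields.get('OUT') or '-'} {ev.fields.get('SRC')} -> "
        f"{ev.fields.get('DST')} {proto}{detail}; governed by {ev.policy_knob}"
    )


def summarize(log_text: str) -> Counter:
    """Count BLOCK events per chain so the dominant problem is obvious."""
    counts: Counter = Counter()
    for line in log_text.splitlines():
        ev = parse_ufw_line(line)
        if ev is not None and ev.action == "BLOCK":
            counts[ev.chain] += 1
    return counts


if __name__ == "__main__":
    for raw in SAMPLE_LOG.splitlines():
        event = parse_ufw_line(raw)
        if event is not None:
            print(describe(event))
    print(dict(summarize(SAMPLE_LOG)))
```

Run it against `grep 'UFW BLOCK' /var/log/messages` output to see which chain is doing the dropping before touching any policy. Note that `DEFAULT_FORWARD_POLICY="ACCEPT"` forwards between every pair of interfaces on the box, not just eth0 and the tunnel; on later ufw releases that have the `route` subcommand, a rule scoped to `in on eth0 out on he-ipv6` with the forward policy left at DROP is the tighter choice.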

arip
Re: [solved] Problem with ufw rules
« Reply #2 on: June 27, 2011, 10:05:50 AM »

Instead of changing the policy to allowing all incoming traffic (which sort of defeats most of the purpose of a firewall), you can do this to allow IPv6 tunneled traffic from HE, and then any IPv6 rules will match on your tunnel interface.

ufw allow proto ipv6 from 209.51.161.14

Replace 209.51.161.14 with the IPv4 address of your HE tunnel server.
« Last Edit: June 27, 2011, 10:08:58 AM by arip »