retrograde inversion wrote:
optize wrote:
/sbin/ip6tables -A INPUT -p icmp -j ACCEPT
icmp should be icmpv6 here. I would run ifconfig to make sure IPv6 is configured as well.
I was also having trouble with this and the icmpv6 worked for me. I was even having trouble getting Apache to work under IPv6 until I did this.
Unfortunately, I don't really want everyone to be able to ping my server on IPv6, but the following iptables config doesn't allow anything to connect to anywhere:
Code:
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target         prot   opt in  out source   destination
    0     0 PINGSAPPROVED  icmpv6 --  any any anywhere anywhere
  190 15816 SPAMLIST       all    --  any any anywhere anywhere
   23  3360 ACCEPT         all    --  any any anywhere anywhere  ctstate RELATED,ESTABLISHED
    0     0 ACCEPT         tcp    --  any any anywhere anywhere  tcp dpt:ssh
    0     0 ACCEPT         tcp    --  any any anywhere anywhere  tcp dpt:www
    0     0 ACCEPT         tcp    --  any any anywhere anywhere  tcp dpt:https
  167 12456 LOGNDROP       all    --  any any anywhere anywhere

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target         prot   opt in  out source   destination
    0     0 SPAMLIST       all    --  any any anywhere anywhere

Chain OUTPUT (policy ACCEPT 79 packets, 7608 bytes)
 pkts bytes target         prot   opt in  out source   destination
    0     0 ACCEPT         icmpv6 --  any any anywhere anywhere
  113 10656 SPAMLIST       all    --  any any anywhere anywhere

Chain LOGNDROP (1 references)
 pkts bytes target         prot   opt in  out source   destination
    0     0 LOG            tcp    --  any any anywhere anywhere  limit: avg 6/min burst 5 LOG level debug prefix `Denied IPv6-TCP: '
    0     0 LOG            udp    --  any any anywhere anywhere  limit: avg 6/min burst 5 LOG level debug prefix `Denied IPv6-UDP: '
    0     0 LOG            icmpv6 --  any any anywhere anywhere  limit: avg 6/min burst 5 LOG level debug prefix `Denied IPv6-ICMP: '
  167 12456 DROP           all    --  any any anywhere anywhere

Chain PINGSAPPROVED (1 references)
 pkts bytes target         prot   opt in  out source   destination
    0     0 RETURN         all    --  any any anywhere anywhere

Chain SPAMLIST (3 references)
 pkts bytes target         prot   opt in  out source   destination
  303 26472 RETURN         all    --  any any anywhere anywhere

Chain SPAMLND (0 references)
 pkts bytes target         prot   opt in  out source   destination
    0     0 LOG            all    --  any any anywhere anywhere  limit: avg 6/min burst 5 LOG level debug prefix `SPAMLIST: '
    0     0 DROP           all    --  any any anywhere anywhere
This mirrors a similar IPv4 iptables setup, but I can't even ping6 out to ipv6.google.com with the above. If I add a "-A INPUT -p icmpv6 -j ACCEPT" then it works fine. Also, http://ipv6-test.com/validate.php doesn't work with the above, but it works with a full-accept icmp ruleset.
I thought that the "ctstate RELATED,ESTABLISHED" accept line would allow me to ping6 out to anywhere, but it does not.
I'm confused, as well, as to why that validate ipv6 link doesn't see Apache unless I have full ICMPv6 ACCEPT rules in and out?
Am I doing it wrong?
Moreover: Do I really need to block ICMP or ICMPv6 on either iptables or ip6tables or is that just a useless security practice?
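An added example, not part of the thread above and not something either poster ran: an ip6tables policy along the lines of RFC 4890 that admits only the ICMPv6 types an IPv6 host cannot function without, instead of either blanket-accepting ICMPv6 or dropping it. Neighbor Discovery (types 133-137) is how a host learns its router's link-layer address; conntrack does not track those messages, so a ctstate RELATED,ESTABLISHED rule never matches them, and Packet Too Big (type 2) is mandatory because IPv6 routers do not fragment. The ICMPV6_IN chain name, the rate limits and the DRY_RUN/IP6T variables are this example's own choices. It prints the commands by default (DRY_RUN=1) so they can be reviewed without root; run it as root with DRY_RUN=0 to apply them.

```shell
#!/bin/sh
# Added example, not from the original thread: minimal ICMPv6 allow-list
# for ip6tables in the spirit of RFC 4890. The chain name ICMPV6_IN and
# the DRY_RUN/IP6T variables are this example's own assumptions.
set -eu

IP6T="${IP6T:-ip6tables}"   # binary to invoke (assumed to be on PATH)
DRY_RUN="${DRY_RUN:-1}"     # 1 = print the commands only, 0 = apply them

# Print or execute one ip6tables command, depending on DRY_RUN.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s %s\n' "$IP6T" "$*"
    else
        "$IP6T" "$@"
    fi
}

# Build the ICMPV6_IN chain and hook it into INPUT ahead of the log/drop rule.
icmpv6_rules() {
    run -N ICMPV6_IN 2>/dev/null || true   # ignore "chain already exists"
    run -F ICMPV6_IN

    # Error messages a host needs for normal operation (RFC 4890 4.3.1):
    # 1 destination unreachable, 2 packet too big (path MTU discovery;
    # IPv6 routers never fragment), 3 time exceeded, 4 parameter problem.
    for t in 1 2 3 4; do
        run -A ICMPV6_IN -p icmpv6 --icmpv6-type "$t" -j ACCEPT
    done

    # Neighbor Discovery (RFC 4861): 133 router solicitation,
    # 134 router advertisement, 135 neighbor solicitation,
    # 136 neighbor advertisement, 137 redirect. Without 135/136 the host
    # cannot resolve its gateway, so no IPv6 traffic works at all.
    # Genuine ND is link-local and arrives with hop limit 255; anything
    # else was forwarded or spoofed and falls through to the log/drop chain.
    for t in 133 134 135 136 137; do
        run -A ICMPV6_IN -p icmpv6 --icmpv6-type "$t" -m hl --hl-eq 255 -j ACCEPT
    done

    # MLD query (130) from a router or snooping switch, hop limit 1 (RFC 3810),
    # so the switch keeps delivering the solicited-node multicast ND needs.
    run -A ICMPV6_IN -p icmpv6 --icmpv6-type 130 -m hl --hl-eq 1 -j ACCEPT

    # Echo request (128): answer pings, but rate-limited. Echo replies to
    # the host's own ping6 are conntrack ESTABLISHED and pass the ctstate rule.
    run -A ICMPV6_IN -p icmpv6 --icmpv6-type 128 -m limit --limit 10/s --limit-burst 20 -j ACCEPT
    run -A ICMPV6_IN -p icmpv6 --icmpv6-type 128 -j DROP

    # Everything else ICMPv6 returns to INPUT and reaches the existing LOGNDROP.
    run -A ICMPV6_IN -j RETURN

    # Insert the jump once, at the top of INPUT (-C checks for an existing copy).
    if [ "$DRY_RUN" = 1 ] || ! "$IP6T" -C INPUT -p icmpv6 -j ICMPV6_IN 2>/dev/null; then
        run -I INPUT 1 -p icmpv6 -j ICMPV6_IN
    fi
}

icmpv6_rules
```

With this in place the ctstate RELATED,ESTABLISHED rule still does its job for echo replies and for ICMPv6 errors that relate to tracked TCP flows; what the allow-list adds is the untracked link-local traffic (ND, MLD) and the error types a host must honour even when they arrive unsolicited. Inbound echo requests are rate-limited rather than blocked: dropping them buys little on a host that already answers TCP on 22, 80 and 443, and it breaks the usual diagnostics.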