I have an ip6tables firewall generated by fwbuilder. To my eye it seems perfectly reasonable and should work; however, for some reason all traffic (ping, SSH, port 8000) goes to the RULE_14 and gets logged and rejected. Does anyone have any ideas why this could be?
Code:
zeip:~$ sudo ip6tables-save
# Generated by ip6tables-save v1.4.8 on Thu Jan 10 15:44:13 2013
*security
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
# Completed on Thu Jan 10 15:44:13 2013
# Generated by ip6tables-save v1.4.8 on Thu Jan 10 15:44:13 2013
*raw
:PREROUTING ACCEPT [2918:225968]
:OUTPUT ACCEPT [78:6240]
COMMIT
# Completed on Thu Jan 10 15:44:13 2013
# Generated by ip6tables-save v1.4.8 on Thu Jan 10 15:44:13 2013
*mangle
:PREROUTING ACCEPT [2918:225968]
:INPUT ACCEPT [2728:212288]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [78:6240]
:POSTROUTING ACCEPT [0:0]
COMMIT
# Completed on Thu Jan 10 15:44:13 2013
# Generated by ip6tables-save v1.4.8 on Thu Jan 10 15:44:13 2013
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [78:6240]
:In_RULE_1 - [0:0]
:RULE_14 - [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8000 -m state --state NEW -j ACCEPT
-A INPUT -p tcp -m tcp -m multiport --dports 80,443,22 -m state --state NEW -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 129/0 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 128/0 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 113 -j REJECT --reject-with icmp6-port-unreachable
-A INPUT -j RULE_14
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 53 -m state --state NEW -j ACCEPT
-A OUTPUT -p udp -m udp --dport 53 -m state --state NEW -j ACCEPT
-A OUTPUT -p tcp -m tcp -m multiport --dports 9418,80,443,22,43 -m state --state NEW -j ACCEPT
-A OUTPUT -p udp -m udp -m multiport --dports 9418,123 -m state --state NEW -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 25 -m state --state NEW -j ACCEPT
-A In_RULE_1 -j LOG --log-prefix "RULE 1 -- DENY " --log-level 6
-A In_RULE_1 -j DROP
-A RULE_14 -j LOG --log-prefix "RULE 14 -- DENY " --log-level 6
-A RULE_14 -j DROP
COMMIT
# Completed on Thu Jan 10 15:44:13 2013
Code:
zeip:~$ sudo ip6tables -L -n -v
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all      *      *       ::/0                 ::/0                 state RELATED,ESTABLISHED
    0     0 ACCEPT     tcp      *      *       ::/0                 ::/0                 tcp dpt:8000 state NEW
    0     0 ACCEPT     tcp      *      *       ::/0                 ::/0                 tcp multiport dports 80,443,22 state NEW
    0     0 ACCEPT     icmpv6   *      *       ::/0                 ::/0                 ipv6-icmp type 129 code 0
    0     0 ACCEPT     icmpv6   *      *       ::/0                 ::/0                 ipv6-icmp type 128 code 0
    0     0 REJECT     tcp      *      *       ::/0                 ::/0                 tcp dpt:113 reject-with icmp6-port-unreachable
 2775  216K RULE_14    all      *      *       ::/0                 ::/0

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all      *      *       ::/0                 ::/0                 state RELATED,ESTABLISHED

Chain OUTPUT (policy DROP 78 packets, 6240 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all      *      *       ::/0                 ::/0                 state RELATED,ESTABLISHED
    0     0 ACCEPT     tcp      *      *       ::/0                 ::/0                 tcp dpt:53 state NEW
    0     0 ACCEPT     udp      *      *       ::/0                 ::/0                 udp dpt:53 state NEW
    0     0 ACCEPT     tcp      *      *       ::/0                 ::/0                 tcp multiport dports 9418,80,443,22,43 state NEW
    0     0 ACCEPT     udp      *      *       ::/0                 ::/0                 udp multiport dports 9418,123 state NEW
    0     0 ACCEPT     tcp      *      *       ::/0                 ::/0                 tcp dpt:25 state NEW

Chain In_RULE_1 (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 LOG        all      *      *       ::/0                 ::/0                 LOG flags 0 level 6 prefix `RULE 1 -- DENY '
    0     0 DROP       all      *      *       ::/0                 ::/0

Chain RULE_14 (1 references)
 pkts bytes target     prot opt in     out     source               destination
 2775  216K LOG        all      *      *       ::/0                 ::/0                 LOG flags 0 level 6 prefix `RULE 14 -- DENY '
 2775  216K DROP       all      *      *       ::/0                 ::/0
When I remove the ip6tables config altogether, ping and all the other services work nicely. Any ideas?
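An added audit script, not part of the post and not fwbuilder or ip6tables code: it parses the *filter table of an ip6tables-save dump and reports which ICMPv6 types the INPUT chain accepts before the catch-all jump. The dump embedded in it is a constructed sample that mirrors the INPUT and RULE_14 lines above; the function and variable names are assumptions of the example. The point it makes is a general one for any IPv6 host with a DROP input policy: the ruleset above accepts only echo-request (128) and echo-reply (129), while the Neighbor Discovery types 133 to 137 are never accepted. Those are not connection-tracked, so the RELATED,ESTABLISHED rule does not cover them, and a host that cannot receive neighbour solicitations or router advertisements cannot be reached on its link even though every other rule looks correct. The script also prints the ACCEPT lines that would have to sit before the jump to RULE_14 to close that gap.

```python
import shlex

# Constructed sample input: the *filter table in the shape ip6tables-save prints it
# (the chain policies, INPUT rules and RULE_14 mirror the dump in the post above).
SAMPLE_DUMP = """\
# Generated by ip6tables-save v1.4.8
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [78:6240]
:In_RULE_1 - [0:0]
:RULE_14 - [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8000 -m state --state NEW -j ACCEPT
-A INPUT -p tcp -m tcp -m multiport --dports 80,443,22 -m state --state NEW -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 129/0 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 128/0 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 113 -j REJECT --reject-with icmp6-port-unreachable
-A INPUT -j RULE_14
-A RULE_14 -j LOG --log-prefix "RULE 14 -- DENY " --log-level 6
-A RULE_14 -j DROP
COMMIT
"""

# ICMPv6 types a host must be able to receive for Neighbor Discovery (RFC 4861).
# They are not connection-tracked, so a RELATED,ESTABLISHED rule does not cover them.
NDP_TYPES = {
    133: "router-solicitation", 134: "router-advertisement",
    135: "neighbour-solicitation", 136: "neighbour-advertisement",
    137: "redirect",
}
# Symbolic names ip6tables accepts for --icmpv6-type, mapped to type numbers.
ICMPV6_NAMES = {name: num for num, name in NDP_TYPES.items()}
ICMPV6_NAMES.update({"echo-request": 128, "echo-reply": 129,
                     "destination-unreachable": 1, "packet-too-big": 2,
                     "parameter-problem": 4})


def parse_filter_table(dump):
    """Return (policies, rules) for the *filter table of an ip6tables-save dump.
    policies maps chain name -> policy ("-" for user-defined chains);
    rules is a list of (chain, tokens) in the order the rules are appended."""
    policies, rules, in_filter = {}, [], False
    for raw in dump.splitlines():
        line = raw.strip()
        if line.startswith("*"):            # table header: *filter, *mangle, ...
            in_filter = (line == "*filter")
        elif not in_filter or not line or line.startswith("#") or line == "COMMIT":
            continue
        elif line.startswith(":"):          # ":CHAIN POLICY [pkts:bytes]"
            name, policy, _counters = line[1:].split(None, 2)
            policies[name] = policy
        elif line.startswith("-A "):
            tokens = shlex.split(line)      # shlex keeps quoted log prefixes intact
            rules.append((tokens[1], tokens[2:]))
    return policies, rules


def icmpv6_type_of(tokens):
    """Type number from an --icmpv6-type argument ("128/0", "128" or a name); None if absent."""
    if "--icmpv6-type" not in tokens:
        return None
    spec = tokens[tokens.index("--icmpv6-type") + 1].split("/")[0]
    return int(spec) if spec.isdigit() else ICMPV6_NAMES.get(spec)


def accepted_icmpv6_types(rules, chain="INPUT"):
    """Set of ICMPv6 types the chain ACCEPTs explicitly, or None when some rule
    accepts ipv6-icmp without restricting the type (every type accepted)."""
    accepted = set()
    for ch, toks in rules:
        if ch != chain or "-j" not in toks or toks[toks.index("-j") + 1] != "ACCEPT":
            continue
        if "ipv6-icmp" not in toks and "icmpv6" not in toks:
            continue
        t = icmpv6_type_of(toks)
        if t is None:
            return None
        accepted.add(t)
    return accepted


def missing_ndp_types(dump, chain="INPUT"):
    """NDP types the chain never accepts. Only meaningful when the chain's policy
    is DROP or, as in the post, its last rule jumps to a logging drop chain."""
    _policies, rules = parse_filter_table(dump)
    accepted = accepted_icmpv6_types(rules, chain)
    if accepted is None:
        return []
    return sorted(t for t in NDP_TYPES if t not in accepted)


def suggested_rules(missing, chain="INPUT"):
    """ip6tables-save lines that accept the missing types; they must be placed
    before the catch-all jump (here: before "-A INPUT -j RULE_14")."""
    return ["-A %s -p ipv6-icmp -m icmp6 --icmpv6-type %d -j ACCEPT" % (chain, t)
            for t in missing]


if __name__ == "__main__":
    missing = missing_ndp_types(SAMPLE_DUMP)
    for t in missing:
        print("INPUT never accepts ICMPv6 type %d (%s)" % (t, NDP_TYPES[t]))
    print("\n".join(suggested_rules(missing)))
```

To run it against a live host, replace SAMPLE_DUMP with the output of `ip6tables-save`; the parser only reads the *filter table and ignores the comment and counter lines that ip6tables-save emits.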