nocomprom1se n00b
Joined: 17 Dec 2013 Posts: 6
Posted: Wed Dec 18, 2013 9:59 pm Post subject: unable to get server publicly reached (ipv6 only, iptables)
Hello dear community (first post here),
I'm struggling to get my home server setup publicly available over IPv6 because I have no public IPv4 (DS-Lite).
Well, I don't know if it's the core of my problem, but my server won't accept the fwbuilder-generated iptables rules without errors.
Running the config:
Code:
# sh fwbuilder_config
Activating firewall script generated Thu Dec 12 18:45:55 2013 by tds
Running prolog script
Verifying interfaces: eth0 lo
iptables: No chain/target/match by that name.
Rule 0 (eth0)
iptables: No chain/target/match by that name.
Rule 1 (lo)
Rule 2 (global)
iptables: No chain/target/match by that name.
Rule 3 (global)
Rule 4 (global)
iptables: No chain/target/match by that name.
Rule 5 (global)
iptables: No chain/target/match by that name.
iptables: No chain/target/match by that name.
Rule 6 (global)
Rule 7 (global)
iptables: No chain/target/match by that name.
Running epilog script
What iptables understood:
Code:
# iptables -L
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT tcp -- 192.168.178.23 anywhere tcp dpt:ssh state NEW,ESTABLISHED
drop_invalid all -- anywhere anywhere state INVALID
In_RULE_0 all -- localhost localhost
ACCEPT all -- anywhere anywhere
ACCEPT icmp -- anywhere anywhere icmp destination-unreachable state NEW
ACCEPT icmp -- anywhere anywhere icmptype 0 code 0 state NEW
ACCEPT icmp -- anywhere anywhere icmp ttl-zero-during-transit state NEW
ACCEPT icmp -- anywhere anywhere icmp ttl-zero-during-reassembly state NEW
ACCEPT udp -- anywhere anywhere udp dpt:openvpn state NEW
REJECT tcp -- anywhere anywhere tcp dpt:auth reject-with icmp-host-unreachable
RULE_7 all -- anywhere anywhere
Chain FORWARD (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
Chain OUTPUT (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT tcp -- anywhere 192.168.178.23 tcp spt:ssh state RELATED,ESTABLISHED
drop_invalid all -- anywhere anywhere state INVALID
ACCEPT all -- anywhere anywhere
ACCEPT tcp -- anywhere anywhere tcp dpt:domain state NEW
ACCEPT udp -- anywhere anywhere udp dpt:domain state NEW
Chain In_RULE_0 (1 references)
target prot opt source destination
DROP all -- anywhere anywhere
Chain RULE_7 (1 references)
target prot opt source destination
DROP all -- anywhere anywhere
Chain drop_invalid (2 references)
target prot opt source destination
DROP all -- anywhere anywhere
What iptables should get:
https://pastebin.com/4FsZhvTy
The server's IP begins with "2a02:908:", do you know if this IP is considered public or is it a prefix associated with local IPs?
mtfj n00b
Joined: 17 Jun 2012 Posts: 8
Posted: Sat Dec 21, 2013 7:13 am Post subject:
Hi, maybe start with ip6tables and ifconfig to see whether the IPv6 address is actually assigned to your NIC?
_________________
Masatsugu FUJINAKA
Hu Moderator
Joined: 06 Mar 2007 Posts: 21497
Posted: Sat Dec 21, 2013 5:24 pm Post subject:
That script is broken by design. You should never use iptables to bulk load rules. Always use iptables-restore, which can load the entire state atomically.
Similarly, you should never use iptables to produce output when requesting help. Always use iptables-save, which prints the rules in an unambiguous form.
IPv6 is not handled by iptables. For IPv6, use ip6tables.
You are probably missing one or more netfilter features required by that script. You can find which ones by running the script with individual commands printed so that the failed commands will be interspersed with the error messages.
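To illustrate Hu's point about loading rules atomically, here is an added example (not code from the thread or from fwbuilder): a small Python converter that regroups the one-command-per-line style of the generated script into the syntax ip6tables-restore (and iptables-restore) reads. The sample commands are constructed from the chain names in the post, and the `to_restore_format` function is hypothetical.

```python
import shlex
from collections import OrderedDict

# Constructed sample of the one-command-per-line style an fwbuilder script
# uses; chain and rule names mirror the iptables -L listing in the thread.
SAMPLE_SCRIPT = """
ip6tables -P INPUT DROP
ip6tables -P FORWARD DROP
ip6tables -P OUTPUT DROP
ip6tables -N drop_invalid
ip6tables -A drop_invalid -j DROP
ip6tables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
ip6tables -A INPUT -m state --state INVALID -j drop_invalid
ip6tables -A INPUT -p udp --dport 1194 -m state --state NEW -j ACCEPT
ip6tables -t mangle -A PREROUTING -j MARK --set-mark 1
"""

def to_restore_format(script):
    """Regroup ip(6)tables calls per table into '*table ... COMMIT' blocks."""
    tables = OrderedDict()  # table -> {"chains": chain->policy, "rules": [...]}
    for line in script.splitlines():
        argv = shlex.split(line)
        if not argv or not argv[0].endswith("tables"):
            continue  # blank line or something other than an iptables call
        args, table = argv[1:], "filter"
        if args[:1] == ["-t"]:
            table, args = args[1], args[2:]
        entry = tables.setdefault(table, {"chains": OrderedDict(), "rules": []})
        if args[0] == "-P":              # policy of a built-in chain
            entry["chains"][args[1]] = args[2]
        elif args[0] == "-N":            # user chain: declared with policy "-"
            entry["chains"].setdefault(args[1], "-")
        elif args[0] in ("-A", "-I"):    # a rule; restore parses it unchanged
            entry["chains"].setdefault(args[1], "-")
            entry["rules"].append(" ".join(shlex.quote(a) for a in args))
        else:
            raise ValueError("unsupported command: " + line)
    out = []
    for table, entry in tables.items():
        out.append("*" + table)
        for chain, policy in entry["chains"].items():
            out.append(":%s %s [0:0]" % (chain, policy))
        out.extend(entry["rules"])
        out.append("COMMIT")
    return "\n".join(out) + "\n"

if __name__ == "__main__":
    print(to_restore_format(SAMPLE_SCRIPT), end="")
```

Feeding the output to `ip6tables-restore` loads every rule in one step or none at all, and a missing netfilter match then fails the whole load with a line number instead of leaving a half-applied rule set.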