Gentoo Forums
unable to get server publicly reached (ipv6 only, iptables)
nocomprom1se
n00b


Joined: 17 Dec 2013
Posts: 6

Posted: Wed Dec 18, 2013 9:59 pm    Post subject: unable to get server publicly reached (ipv6 only, iptables)

Hello dear community (first post here),

I'm struggling to get my homeserver-setup publicly available over IPv6 because I got no public IPv4 (DS-Lite).

Well, I don't know if it's the core of my problem, but my server won't accept the fwbuilder-generated iptables rules without errors.

Running the config:
Code:
# sh fwbuilder_config
Activating firewall script generated Thu Dec 12 18:45:55 2013 by tds
Running prolog script
Verifying interfaces: eth0 lo
iptables: No chain/target/match by that name.
Rule 0 (eth0)
iptables: No chain/target/match by that name.
Rule 1 (lo)
Rule 2 (global)
iptables: No chain/target/match by that name.
Rule 3 (global)
Rule 4 (global)
iptables: No chain/target/match by that name.
Rule 5 (global)
iptables: No chain/target/match by that name.
iptables: No chain/target/match by that name.
Rule 6 (global)
Rule 7 (global)
iptables: No chain/target/match by that name.
Running epilog script


What iptables understood:
Code:
# iptables -L
Chain INPUT (policy DROP)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     tcp  --  192.168.178.23       anywhere             tcp dpt:ssh state NEW,ESTABLISHED
drop_invalid  all  --  anywhere             anywhere             state INVALID
In_RULE_0  all  --  localhost            localhost           
ACCEPT     all  --  anywhere             anywhere           
ACCEPT     icmp --  anywhere             anywhere             icmp destination-unreachable state NEW
ACCEPT     icmp --  anywhere             anywhere             icmptype 0 code 0 state NEW
ACCEPT     icmp --  anywhere             anywhere             icmp ttl-zero-during-transit state NEW
ACCEPT     icmp --  anywhere             anywhere             icmp ttl-zero-during-reassembly state NEW
ACCEPT     udp  --  anywhere             anywhere             udp dpt:openvpn state NEW
REJECT     tcp  --  anywhere             anywhere             tcp dpt:auth reject-with icmp-host-unreachable
RULE_7     all  --  anywhere             anywhere           

Chain FORWARD (policy DROP)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED

Chain OUTPUT (policy DROP)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             192.168.178.23       tcp spt:ssh state RELATED,ESTABLISHED
drop_invalid  all  --  anywhere             anywhere             state INVALID
ACCEPT     all  --  anywhere             anywhere           
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:domain state NEW
ACCEPT     udp  --  anywhere             anywhere             udp dpt:domain state NEW

Chain In_RULE_0 (1 references)
target     prot opt source               destination         
DROP       all  --  anywhere             anywhere           

Chain RULE_7 (1 references)
target     prot opt source               destination         
DROP       all  --  anywhere             anywhere           

Chain drop_invalid (2 references)
target     prot opt source               destination         
DROP       all  --  anywhere             anywhere


What iptables should get:
https://pastebin.com/4FsZhvTy



The server's IP begins with "2a02:908:", do you know if this IP is considered public or is it a prefix associated with local IPs?
mtfj
n00b


Joined: 17 Jun 2012
Posts: 8

Posted: Sat Dec 21, 2013 7:13 am

Hi, maybe start with ip6tables and ifconfig to see whether an IPv6 address is actually assigned to your NIC?
_________________
Masatsugu FUJINAKA
Hu
Moderator


Joined: 06 Mar 2007
Posts: 21497

Posted: Sat Dec 21, 2013 5:24 pm

That script is broken by design. You should never use iptables to bulk load rules. Always use iptables-restore, which can load the entire state atomically.

Similarly, you should never use iptables to produce output when requesting help. Always use iptables-save, which prints the rules in an unambiguous form.

IPv6 is not handled by iptables. For IPv6, use ip6tables.

You are probably missing one or more netfilter features required by that script. You can find which ones by running the script with individual commands printed so that the failed commands will be interspersed with the error messages.
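
The last suggestion above, as an added example that is not part of the original thread: run the generated script under `sh -x` and pair each `No chain/target/match by that name` error with the command traced just before it (the same parsing covers `ip6tables`). The trace is constructed, and the function names `sample_trace`, `failed_commands` and `failed_extensions` are hypothetical.

```sh
#!/bin/sh
# Added example: attribute each netfilter error in an `sh -x` trace to the
# command that triggered it, then tally the -m/-j extensions involved.

# Constructed sample (NOT the poster's output). A real trace would come from:
#   sh -x fwbuilder_config 2>&1
sample_trace() {
cat <<'EOF'
+ echo 'Rule 0 (eth0)'
Rule 0 (eth0)
+ /sbin/iptables -N In_RULE_0
+ /sbin/iptables -A INPUT -i eth0 -s 127.0.0.1 -j In_RULE_0
+ /sbin/iptables -A In_RULE_0 -j LOG --log-level info --log-prefix 'RULE 0 -- DENY '
iptables: No chain/target/match by that name.
+ /sbin/iptables -A In_RULE_0 -j DROP
+ echo 'Rule 2 (global)'
Rule 2 (global)
+ /sbin/iptables -A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT
+ /sbin/iptables -A INPUT -m limit --limit 5/second -j LOG
iptables: No chain/target/match by that name.
EOF
}

# Print every iptables/ip6tables command that was directly followed by an error.
failed_commands() {
    awk '
        /^[+]+ / {                          # xtrace line: "+ cmd args..."
            cmd = $0
            sub(/^[+]+ /, "", cmd)
            # remember it only if it invokes iptables or ip6tables
            last = (cmd ~ /^([^ ]*\/)?ip6?tables /) ? cmd : ""
            next
        }
        /^ip6?tables: / && last != "" { print last; last = "" }
    '
}

# Count the match (-m) and target (-j) names used by the failed commands;
# a name common to all failures is the netfilter feature to check first.
failed_extensions() {
    failed_commands | awk '
        { for (i = 1; i < NF; i++)
              if ($i == "-m" || $i == "-j") n[$i " " $(i + 1)]++ }
        END { for (k in n) print n[k], k }
    ' | sort -k1,1nr -k2
}

sample_trace | failed_commands
sample_trace | failed_extensions
```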
All times are GMT