Gentoo Forums
iproute2 (ss tool) shows too much traffic from ipv6??
jhon987
Apprentice

Joined: 18 Nov 2013
Posts: 225

Posted: Sun Jul 03, 2016 10:09 pm    Post subject: iproute2 (ss tool) shows too much traffic from ipv6??

Hi,

I've configured my Gentoo server to support ipv6 as I figured it's the unavoidable future.
However, I'm getting some weird results currently (now that it's up and running) and I'd like to temporarily disable ipv6 entirely. Just to examine things further...

A) Is there a way to switch ipv6 on and off without completely removing it from the kernel and use flags?
B) Here's what I'm getting with iproute2:

Code:
ss -s
Total: 5584 (kernel 5593)
TCP:   13886 (estab 2571, closed 8179, orphaned 52, synrecv 0, timewait 8177/0), ports 128

Transport Total     IP        IPv6
*         5593      -         -       
RAW       1         0         1       
UDP       1         1         0       
TCP       5707      4         5703     
INET      5709      5         5704     
FRAG      0         0         0 


As you can see, this makes no sense. Furthermore my traffic stats imply that there isn't that much traffic from ipv6 or at all.
BTW, I tried disabling it through ip6tables but iproute2 still shows same stats O.o ?

Code:
 ip6tables -S
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT DROP


Advice or suggestions would be highly welcome
khayyam
Watchman

Joined: 07 Jun 2012
Posts: 6228
Location: Room 101

Posted: Sun Jul 03, 2016 11:09 pm

jhon987 ...

one or other of the following should work ...

/etc/modprobe.d/aliases.conf:
alias net-pf-10 off

/etc/sysctl.conf:
net.ipv6.conf.default.disable_ipv6=1
# or
net.ipv6.conf.<interface_name>.disable_ipv6=1

/etc/conf.d/net:
enable_ipv6_<interface_name>="false"

HTH & best ... khay
Ant P.
Watchman

Joined: 18 Apr 2009
Posts: 5589

Posted: Sun Jul 03, 2016 11:30 pm

What does ss -6ntp say? Is it all outgoing or incoming connections?
jhon987
Apprentice

Joined: 18 Nov 2013
Posts: 225

Posted: Mon Jul 04, 2016 5:53 am

Ant P. wrote:
What does ss -6ntp say? Is it all outgoing or incoming connections?


It gives a very long list, here's part of it: (1.1.1.1 = my secret domain ;) )
Code:
users:(("apache2",pid=5995,fd=168))
ESTAB      315    0                                                         ::ffff:1.1.1.1:80                                                                      ::ffff:71.162.82.54:37545             
FIN-WAIT-2 0      0                                                         ::ffff:1.1.1.1:80                                                                     ::ffff:99.56.103.118:39921               users:(("apache2",pid=17588,fd=48))
FIN-WAIT-2 0      0                                                         ::ffff:1.1.1.1:80                                                                     ::ffff:73.224.162.57:43609               users:(("apache2",pid=11597,fd=131))
FIN-WAIT-2 0      0                                                         ::ffff:1.1.1.1:80                                                                      ::ffff:45.51.208.64:44564             
FIN-WAIT-2 0      0                                                         ::ffff:1.1.1.1:80                                                                     ::ffff:99.245.37.132:46575               users:(("apache2",pid=24001,fd=92))
FIN-WAIT-2 0      0                                                         ::ffff:1.1.1.1:80                                                                     ::ffff:45.49.120.237:35576             
ESTAB      0      0                                                         ::ffff:1.1.1.1:80                                                                    ::ffff:100.33.156.119:44468               users:(("apache2",pid=22816,fd=31))
FIN-WAIT-2 0      0                                                         ::ffff:1.1.1.1:80                                                                     ::ffff:172.97.231.89:52838               users:(("apache2",pid=3337,fd=38))
FIN-WAIT-2 0      0                                                         ::ffff:1.1.1.1:80                                                                     ::ffff:24.89.110.149:44231             
FIN-WAIT-2 0      0                                                         ::ffff:1.1.1.1:80                                                                      ::ffff:49.194.3.221:56124               users:(("apache2",pid=4442,fd=142))
ESTAB      0      0                                                         ::ffff:1.1.1.1:80                                                                      ::ffff:24.54.87.237:37129               users:(("apache2",pid=11597,fd=163))
ESTAB      0      0                                                         ::ffff:1.1.1.1:80                                                                      ::ffff:67.83.114.84:49638               users:(("apache2",pid=13726,fd=33))
ESTAB      0      0                                                         ::ffff:1.1.1.1:80                                                                     ::ffff:99.240.125.44:38150               users:(("apache2",pid=3386,fd=54))
ESTAB      0      0                                                         ::ffff:1.1.1.1:80                                                                   ::ffff:209.195.124.121:54165               users:(("apache2",pid=5995,fd=88))
ESTAB      0      0                                                         ::ffff:1.1.1.1:80                                                                    ::ffff:68.116.199.184:45026               users:(("apache2",pid=27532,fd=71))
ESTAB      0      0                                                         ::ffff:1.1.1.1:80                                                                      ::ffff:99.129.45.65:49747               users:(("apache2",pid=17588,fd=133))
ESTAB      0      0                                                         ::ffff:1.1.1.1:80                                                                   ::ffff:184.144.117.168:54283               users:(("apache2",pid=25864,fd=71))
ESTAB      0      0                                                         ::ffff:1.1.1.1:80                                                                      ::ffff:73.229.9.107:47902               users:(("apache2",pid=2915,fd=18))
ESTAB      0      0                                                         ::ffff:1.1.1.1:80                                                                      ::ffff:100.4.193.29:56417               users:(("apache2",pid=2708,fd=32))
ESTAB      0      0                                                         ::ffff:1.1.1.1:80                                                                     ::ffff:174.75.117.60:35691               users:(("apache2",pid=4442,fd=120))
FIN-WAIT-2 0      0                                                         ::ffff:1.1.1.1:80                                                                    ::ffff:68.187.204.190:48204               users:(("apache2",pid=1450,fd=75))
FIN-WAIT-2 0      0                                                         ::ffff:1.1.1.1:80                                                                     ::ffff:86.30.210.122:44600


khayyam wrote:
/etc/sysctl.conf:
Code:
net.ipv6.conf.default.disable_ipv6=1
# or
net.ipv6.conf.<interface_name>.disable_ipv6=1


Well, that's weird again. I used the above and rebooted, since neither sysctl -p /etc/sysctl.conf nor sysctl net.ipv6.conf.default.disable_ipv6=1 / net.ipv6.conf.all.disable_ipv6 = 1 seemed to cause any change.
Then, upon reboot, here's what I get:

Code:
ss -s
Total: 5904 (kernel 5927)
TCP:   14206 (estab 2930, closed 8191, orphaned 25, synrecv 0, timewait 8191/0), ports 128

Transport Total     IP        IPv6
*         5927      -         -       
RAW       1         0         1       
UDP       1         1         0       
TCP       6015      6014      1       
INET      6017      6015      2       
FRAG      0         0         0


All the "pseudo" traffic appears to have gone into ipv4 !?

Can someone explain this?
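Every peer in the `ss -6ntp` listing above carries the `::ffff:` prefix of an IPv4-mapped IPv6 address, which is how an IPv4 client is shown on an IPv6 socket. The following is an added example, not part of the original posts: it parses `ss -6ntp`-style lines and tallies mapped versus native IPv6 peers per TCP state. The sample lines are constructed (documentation address ranges) and the function names are hypothetical.

```python
import ipaddress
from collections import Counter

# Constructed sample in the layout of `ss -6ntp`; not taken from the thread.
SAMPLE = """\
State      Recv-Q Send-Q Local Address:Port  Peer Address:Port
users:(("apache2",pid=5995,fd=168))
ESTAB      315    0      ::ffff:192.0.2.10:80   ::ffff:198.51.100.7:37545
FIN-WAIT-2 0      0      ::ffff:192.0.2.10:80   ::ffff:203.0.113.54:39921   users:(("apache2",pid=17588,fd=48))
ESTAB      0      0      [2001:db8::10]:80      [2001:db8:1::99]:51234      users:(("apache2",pid=5995,fd=88))
FIN-WAIT-2 0      0      ::ffff:192.0.2.10:80   ::ffff:198.51.100.7:44564
"""

def split_host(endpoint):
    """Drop the trailing :port and any [] that newer ss puts around the address."""
    host, _, _port = endpoint.rpartition(":")
    return host.strip("[]")

def classify(endpoint):
    """Return ('v4-mapped', IPv4Address) or ('native-v6', IPv6Address)."""
    addr = ipaddress.IPv6Address(split_host(endpoint))
    if addr.ipv4_mapped is not None:      # address lies in ::ffff:0:0/96
        return "v4-mapped", addr.ipv4_mapped
    return "native-v6", addr

def summarize(text):
    """Count sockets by (kind, TCP state) and by unwrapped peer address."""
    kinds, peers = Counter(), Counter()
    for line in text.splitlines():
        fields = line.split()
        # Skip the header and stray users:(...) fragments left by line wrapping.
        if len(fields) < 5 or not fields[1].isdigit():
            continue
        try:
            kind, peer = classify(fields[4])
        except ValueError:                # not an IPv6-formatted endpoint
            continue
        kinds[(kind, fields[0])] += 1
        peers[str(peer)] += 1
    return kinds, peers

if __name__ == "__main__":
    kinds, peers = summarize(SAMPLE)
    for (kind, state), n in sorted(kinds.items()):
        print(f"{kind:10} {state:11} {n}")
    print("top peers:", peers.most_common(3))
```

To run it against a live host, pass the text of `ss -6ntp` to `summarize()` in place of `SAMPLE`.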
jhon987
Apprentice

Joined: 18 Nov 2013
Posts: 225

Posted: Mon Jul 04, 2016 7:14 am

Good news! I found the cause of the seemingly high numbers thanks to your help guys.
It was caused by a bad apache redirection I've created -> shame on me :(

However, one thing still isn't clear to me - how did all these legit visitors appear to be using ipv6 with the iproute2 tool, but then, once blocked, all transform into ipv4?

BTW, here's what the normal access status looks like with iproute2 now:

Code:
ss -s
Total: 196 (kernel 282)
TCP:   601 (estab 94, closed 355, orphaned 93, synrecv 0, timewait 355/0), ports 128

Transport Total     IP        IPv6
*         282       -         -       
RAW       1         0         1       
UDP       1         1         0       
TCP       246       245       1       
INET      248       246       2       
FRAG      0         0         0
Ant P.
Watchman

Joined: 18 Apr 2009
Posts: 5589

Posted: Mon Jul 04, 2016 1:16 pm

Browsers are designed to retry over IPv4 if an IPv6 connection goes flaky for any reason. That seems consistent with what happened there.
All times are GMT