ipv6 iptables help

snixel · June 3, 2019 at 9:51 AM

Greetings all,

I hope some of the experts here can shed some light on this mystery i'm facing.

I'm running a webservice (https) on my libreelec machine through default TCP port 443. I have a dual stack ipv4/ipv6 internet connection. I have forwarded port 443 in my network firewall and all has been working flawless for both ipv4 and ipv6.

Now, since the release of LE 9 there is a basic firewall introduced. So I thought I'll have a play with it. I copied over the standard 'home' rules for both ipv4 and ipv6 and placed them in the appropriate file in (/storage/.config/iptables/rules.v4 and rules.v6).

I added one line in the rules to open up TCP port 443. Below you can see my rules.v4 file for ipv4 with the added line (--dport 443)

Code

# Completed on Thu May 30 22:42:56 2019
# Generated by iptables-save v1.8.2 on Thu May 30 22:42:56 2019
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [146:18063]
:DOCKER-USER - [0:0]
:private-subnets - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i tether -p udp -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -j private-subnets
-A FORWARD -i tether -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o tether -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A DOCKER-USER -j private-subnets
-A private-subnets -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A private-subnets -s 192.168.0.0/16 -i eth+ -m conntrack --ctstate NEW -j ACCEPT
-A private-subnets -s 192.168.0.0/16 -i en+ -m conntrack --ctstate NEW -j ACCEPT
-A private-subnets -s 192.168.0.0/16 -i wl+ -m conntrack --ctstate NEW -j ACCEPT
-A private-subnets -s 192.168.0.0/16 -i tether -m conntrack --ctstate NEW -j ACCEPT
-A private-subnets -s 192.168.0.0/16 -i docker+ -m conntrack --ctstate NEW -j ACCEPT
-A private-subnets -j REJECT --reject-with icmp-port-unreachable
COMMIT

Display More

This works perfectly. Hower, I cannot - for the life of me - get this same line to work with ipv6.

Below you can see my rules.v6 file with the same rule I've added to open up port 443 (which is basically the same file, except saved with ip6tables instead op iptables):

Code

# Completed on Thu May 30 22:42:03 2019
# Generated by ip6tables-save v1.8.2 on Thu May 30 22:42:03 2019
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [72:7296]
:DOCKER-USER - [0:0]
:private-subnets - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i tether -p udp -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -j private-subnets
-A FORWARD -i tether -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o tether -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A DOCKER-USER -j private-subnets
-A private-subnets -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A private-subnets -s fc00::/7 -i eth+ -m conntrack --ctstate NEW -j ACCEPT
-A private-subnets -s fc00::/7 -i en+ -m conntrack --ctstate NEW -j ACCEPT
-A private-subnets -s fc00::/7 -i wl+ -m conntrack --ctstate NEW -j ACCEPT
-A private-subnets -s fc00::/7 -i tether -m conntrack --ctstate NEW -j ACCEPT
-A private-subnets -s fc00::/7 -i docker+ -m conntrack --ctstate NEW -j ACCEPT
-A private-subnets -j REJECT --reject-with icmp6-port-unreachable
COMMIT
# Completed on Thu May 30 22:42:03 2019

Display More

This however, does not work. If I reboot the machine i can see both rules get applied correctly with iptables -L and ip6tables -L, but only on ipv4 the port is open, while on ipv6 port 443 stays closed.

When I turn off the firewall in LE settings the port suddenly opens up for both ipv4 and ipv6, so there must be something wrong with the ipv6 rules, I just can't seem to figure out what it is.

I always thought basic iptable rules or the same for both ipv4 and ipv6

Can someone please be so kind and tell me where i'm failing here?

**vpeter** · June 3, 2019 at 6:47 PM

Can you post both outputs of iptables -L and ip6tables -L to compare?

snixel · June 4, 2019 at 2:25 PM

They look exactly the same.

iptables -L output:

Code

Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
ACCEPT     udp  --  anywhere             anywhere             ctstate NEW
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:443
private-subnets  all  --  anywhere             anywhere

Chain FORWARD (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere             ctstate NEW,RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain DOCKER-USER (0 references)
target     prot opt source               destination
private-subnets  all  --  anywhere             anywhere

Chain private-subnets (2 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
ACCEPT     all  --  192.168.0.0/19       anywhere             ctstate NEW
ACCEPT     all  --  192.168.0.0/19       anywhere             ctstate NEW
ACCEPT     all  --  192.168.0.0/19       anywhere             ctstate NEW
ACCEPT     all  --  192.168.0.0/19       anywhere             ctstate NEW
ACCEPT     all  --  192.168.0.0/19       anywhere             ctstate NEW
REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable

Display More

ip6tables -L output:

Code

Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all      anywhere             anywhere
ACCEPT     all      anywhere             anywhere             ctstate RELATED,ESTABLISHED
ACCEPT     udp      anywhere             anywhere             ctstate NEW
ACCEPT     tcp      anywhere             anywhere             tcp dpt:443
private-subnets  all      anywhere             anywhere

Chain FORWARD (policy DROP)
target     prot opt source               destination
ACCEPT     all      anywhere             anywhere             ctstate NEW,RELATED,ESTABLISHED
ACCEPT     all      anywhere             anywhere             ctstate RELATED,ESTABLISHED

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain DOCKER-USER (0 references)
target     prot opt source               destination
private-subnets  all      anywhere             anywhere

Chain private-subnets (2 references)
target     prot opt source               destination
ACCEPT     all      anywhere             anywhere             ctstate RELATED,ESTABLISHED
ACCEPT     all      fc00::/7             anywhere             ctstate NEW
ACCEPT     all      fc00::/7             anywhere             ctstate NEW
ACCEPT     all      fc00::/7             anywhere             ctstate NEW
ACCEPT     all      fc00::/7             anywhere             ctstate NEW
ACCEPT     all      fc00::/7             anywhere             ctstate NEW
REJECT     all      anywhere             anywhere             reject-with icmp6-port-unreachable

Display More

In LE settings the firewall is set to 'custom' and I'm using a static ipv6 address within the prefix provided from my ISP.

What's so strange is that when I turn off the firewall in settings the port suddenly opens for ipv6. So my guess is it has to be related to the rules.

And what's even stranger is that it actually works for ipv4. When I remove the line in rules.v4 for example the port closes as expected.

**vpeter** · June 4, 2019 at 8:29 PM

Try adding this two rules (first one is for dhcp, second one is for icmp):

Code

-A INPUT -p udp -m udp --dport 546 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -p ipv6-icmp -j ACCEPT

Or find some working script on Internet to see if your commands are missing something else.

snixel · June 5, 2019 at 7:47 PM

haha, thanks a million vpeter!!!!!

reading your post I thought you could be on to something with the icmp part. Since I noticed I couldn't ping the machine using its static ipv6 address nor on it's link-local ipv6 address with the firewall enabled. So I added the INPUT line to accept icmp packets and voila, port 443 shows up on ipv6 aswell

I also read this part about ipv6 using NDP instead of ARP and SLAAC both using icmp packets to work correctly on shouldiblockicmp.com:

Should I block ICMP?

I guess this is also the reason why me and corbosman couldn't get SLAAC to work with LE from within the GUI. We probably both had the firewall set to 'home' blocking icmp and therefor SLAAC did not work as it should.

ipv6 not working

I don't know if you are the guy that implemented the firewall in LE (you seem to know your network stuff), but maybe this could be added in a future release for the few people out there using ipv6. SLAAC is the most common ipv6 implementation provided by ISP's for home connections, so this could be very useful.

Thanks so much for you expertise, this was really helpful!

**vpeter** · June 6, 2019 at 7:57 AM

No, it was not me who implemented fw in le.

You can open a ticket here if you want: Ticket System - LibreELEC Forum

snixel · June 7, 2019 at 12:45 PM

Thx, I'll open up a ticket.

I did some more testing yesterday and found one more odd thing. When I completely disable the firewall in settings only port 443 and port 8080 (kodi web interface) show up on my local LAN for ipv6, while on ipv4 there or more services visible with the firewall disabled (port 80 for example were I run marachino as HTPC front end);

Does this mean that those applications don't have support for ipv6?

**vpeter** · June 7, 2019 at 1:11 PM

Quote from snixel

Does this mean that those applications don't have support for ipv6?

Probably. You can check that in source code. Or maybe ipv6 is disabled on start and only ipv4 is used.