ip6tables forward chain filters all ports

el5yeli asked:

Trying the following on a centos 6 node (running openvz kernel)

ip6tables -F
ip6tables -X
ip6tables -P FORWARD DROP
ip6tables -A FORWARD -p tcp -m multiport --dports 21,22,80,443 -j ACCEPT
ip6tables -A FORWARD -p udp -m multiport --dports 21,22,80,443 -j ACCEPT
ip6tables -A FORWARD -p ipv6-icmp -j ACCEPT

However, this seems to disable ipv6 connectivity from the openvz VPS outwards to the node, or the internet, and on a port scanner it shows all ports as filtered/blocked by firewall.

However, pinging the vps from within the node to the VPS works fine.

All that I am trying to do is to drop all forward, and accept the multiple ports shown above, and allow ipv6 connectivity to pass through.

It is definitely an ip6tables issue, as when I stop ip6tables, it runs fine and pinging is absolutely okay.

Your help is appreciated.

My answer:

The problem is that your firewall is not stateful, and it only allowed traffic to pass in one direction. There is nothing here to allow return traffic. So, while a client request is passed through, the response from the server doesn’t match any rules and is dropped.

Write instead normal stateful rules. For example:

-A FORWARD -m conntrack --ctstate NEW -m tcp -p tcp -m multiport --dports 21,22,80,443 -j ACCEPT

The second rule allows the initial connection attempt, and the first rule allows all of the rest of the traffic, as long as the connection remains open. It is first because it will match most frequently, and having it first makes things faster.

Your ICMP rule is fine and should be left as-is.

View the full question and any other answers on Server Fault.

Creative Commons License
This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.