Why is this IP6tables configuration blocking IPv6 traffic?

Houman asked:

I’m not experienced with IPv6 and am running into a strange situation where I can’t get the current IPv6 by running this curl command: curl -6 ifconfig.io

It’s stuck. This indicates that the firewall is blocking it.

But what is here in my iptables that is blocking IPv6?

# Generated by ip6tables-save v1.8.4 on Sat Dec  5 22:29:34 2020
*filter
:INPUT DROP [6935:499284]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [7153:517764]
:OUTGOING - [0:0]
:PRIVATE_ADDRS_FILTER - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p udp -m udp --dport 500 -j ACCEPT
-A INPUT -p udp -m udp --dport 4500 -j ACCEPT
-A FORWARD -m policy --dir in --pol ipsec -j OUTGOING
-A FORWARD -m policy --dir out --pol ipsec -j ACCEPT
-A OUTGOING -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A OUTGOING -j PRIVATE_ADDRS_FILTER
-A OUTGOING -m conntrack --ctstate NEW -m hashlimit --hashlimit-upto 5/sec --hashlimit-burst 5 --hashlimit-mode srcip --hashlimit-name NETSCANv6 -j ACCEPT
-A PRIVATE_ADDRS_FILTER -d fc00::/7 -j DROP
-A PRIVATE_ADDRS_FILTER -d fe80::/10 -j DROP
COMMIT
# Completed on Sat Dec  5 22:29:34 2020
# Generated by ip6tables-save v1.8.4 on Sat Dec  5 22:29:34 2020
*nat
:PREROUTING ACCEPT [22197:4322614]
:INPUT ACCEPT [4:784]
:OUTPUT ACCEPT [16:1296]
:POSTROUTING ACCEPT [16:1296]
-A POSTROUTING -m policy --dir out --pol ipsec -j ACCEPT
-A POSTROUTING -m addrtype ! --src-type LOCAL -j MASQUERADE
COMMIT
# Completed on Sat Dec  5 22:29:34 2020
# Generated by ip6tables-save v1.8.4 on Sat Dec  5 22:29:34 2020
*mangle
:PREROUTING ACCEPT [29146:4825050]
:INPUT ACCEPT [6956:503400]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [7153:517764]
:POSTROUTING ACCEPT [7153:517764]
-A FORWARD -p tcp -m policy --dir in --pol ipsec -m tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1361:1536 -j TCPMSS --set-mss 1360
COMMIT
# Completed on Sat Dec  5 22:29:34 2020

Maybe the issue is with the PRIVATE_ADDRS_FILTER chain? The one I have defined above is supposed to reflect this in IPv4.

iptables -A PRIVATE_ADDRS_FILTER -d 10.0.0.0/8 -j DROP
iptables -A PRIVATE_ADDRS_FILTER -d 172.16.0.0/12 -j DROP
iptables -A PRIVATE_ADDRS_FILTER -d 192.168.0.0/16 -j DROP

Other than that I can’t think of anything. Any ideas please?

My answer:

You should just get rid of that entire PRIVATE_ADDRS_FILTER chain. It is blocking traffic to legitimate addresses, including most likely your default gateway.
View the full question and any other answers on Server Fault.
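To see concretely which destinations the PRIVATE_ADDRS_FILTER chain from the question would drop, here is an added example (my own illustration, not code from the question or the answer). It parses the `-A <chain> -d <net> -j DROP` lines of ip6tables-save/iptables output, then checks a few constructed destination addresses against them the way netfilter does (first matching rule wins). The sample addresses are assumptions chosen to illustrate the point: an IPv6 default gateway is normally a link-local address inside fe80::/10, so the chain matches it, whereas the IPv4 rules only cover RFC 1918 space.

```python
import ipaddress
import re

# Constructed sample: the DROP rules from the question, in the ip6tables-save
# and plain iptables command syntax both seen on the page.
RULES_TEXT = """\
*filter
:PRIVATE_ADDRS_FILTER - [0:0]
-A OUTGOING -j PRIVATE_ADDRS_FILTER
-A PRIVATE_ADDRS_FILTER -d fc00::/7 -j DROP
-A PRIVATE_ADDRS_FILTER -d fe80::/10 -j DROP
COMMIT
iptables -A PRIVATE_ADDRS_FILTER -d 10.0.0.0/8 -j DROP
iptables -A PRIVATE_ADDRS_FILTER -d 172.16.0.0/12 -j DROP
iptables -A PRIVATE_ADDRS_FILTER -d 192.168.0.0/16 -j DROP
"""

# Matches "-A CHAIN -d NET -j TARGET", optionally prefixed by the iptables/ip6tables command.
RULE_RE = re.compile(r"^(?:ip6?tables\s+)?-A\s+(\S+)\s+-d\s+(\S+)\s+-j\s+(\S+)\s*$")


def parse_drop_networks(rules_text, chain):
    """Return the destination networks that `chain` drops, in rule order."""
    nets = []
    for line in rules_text.splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            continue
        rule_chain, dst, target = m.groups()
        if rule_chain == chain and target == "DROP":
            nets.append(ipaddress.ip_network(dst, strict=False))
    return nets


def dropped_by(address, networks):
    """Return the first network containing `address` (netfilter semantics), or None."""
    addr = ipaddress.ip_address(address)
    for net in networks:
        if addr.version == net.version and addr in net:
            return net
    return None


def classify(addresses, networks):
    """Map each address to the dropping network (as a string) or None if it passes."""
    result = {}
    for a in addresses:
        hit = dropped_by(a, networks)
        result[a] = str(hit) if hit is not None else None
    return result


# Constructed sample destinations (assumptions for illustration):
#   fe80::1          - a typical link-local IPv6 next hop / default gateway
#   fd12:3456:789a::1 - a unique local address (ULA)
#   2001:db8::1      - a global address from the documentation prefix
#   10.1.2.3         - an RFC 1918 IPv4 address
#   203.0.113.5      - a public IPv4 address from the documentation range
SAMPLE_DESTINATIONS = [
    "fe80::1",
    "fd12:3456:789a::1",
    "2001:db8::1",
    "10.1.2.3",
    "203.0.113.5",
]

if __name__ == "__main__":
    nets = parse_drop_networks(RULES_TEXT, "PRIVATE_ADDRS_FILTER")
    for addr, hit in classify(SAMPLE_DESTINATIONS, nets).items():
        ip = ipaddress.ip_address(addr)
        tag = " (link-local, where IPv6 gateways live)" if ip.is_link_local else ""
        print(f"{addr:20} -> {'DROP by ' + hit if hit else 'pass'}{tag}")
```

Running it shows `fe80::1` dropped by `fe80::/10` while the global `2001:db8::1` passes; the IPv4 side only drops the RFC 1918 address, which is why the IPv6 chain is not a faithful translation of the IPv4 one.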

This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.