I don't know if I like IPv6. But IPv4 seems to be on its way out. Say goodbye to your hand-typed addresses and to the simplicity of setting up a simple network between two machines. It's time for the bigger numbers. When it comes to possible combinations, IPv6 is not joking around, giving enough addresses to everyone who could possibly want one across the entire universe (well, perhaps it'll run out when we reach other galaxies, but it's fine).
My network is horribly configured, mainly due to a lack of adequate equipment. So I can't really control RA/SLAAC/autoconf address allocation on my own damn network. There are some bodges I made in order to get my local DNS names working (y'know, I'd very much hate to have my potato.lan address checked against the ISP's DNS, for it doesn't know what it is). But it works… kinda.
There was a time when I recycled iptables rules from my VPS to use on my desktop. And, all of a sudden, IPv6 stopped working. It wasn't even capable of obtaining an address. Turns out there was an obscure ICMP rule blocking things from communicating with the router and network neighbours.
IPv6 relies heavily on ICMP packets[1] (ICMPv6), which means that it basically chats to routers and neighbours over “ping” (there's more to ICMP than just echo, though in IPv4 it doesn't matter much). So, when designing your IPv6 rules, be mindful of this:
I had a rather complicated line that worked on my VPS, but didn't work on my desktop:
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 128 -m limit --limit 3/sec --limit-burst 3 -j ACCEPT
Basically speaking, it allowed ICMP type 128, i.e. “echo request” (cf. [2]), and nothing more.
So, I rewrote it to:
-A INPUT -p ipv6-icmp -m limit --limit 6/sec --limit-burst 6 -j ACCEPT
Then it worked. I don't know if it's an ideal situation, because it's still rate-limiting ICMP. Maybe I should not limit it. Let's see…
Finally, my rules.v6 (I'm using iptables-persistent here) reads as follows:
# Generated by ip6tables-save v1.6.0 on Sat Jun 23 23:44:27 2018
*raw
:PREROUTING ACCEPT [983416:468327610]
:OUTPUT ACCEPT [1016721:277909648]
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [304:43786]
:TCP - [0:0]
:UDP - [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p ipv6-icmp -m limit --limit 6/sec --limit-burst 6 -j ACCEPT
-A INPUT -p udp -m conntrack --ctstate NEW -j UDP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m conntrack --ctstate NEW -j TCP
-A INPUT -p udp -j REJECT --reject-with icmp6-port-unreachable
-A INPUT -p tcp -j REJECT --reject-with tcp-reset
-A INPUT -j REJECT --reject-with icmp6-reject-route
-A TCP -p tcp -m tcp --dport 22 -j ACCEPT
-A TCP -p tcp -m tcp --dport 80 -j ACCEPT
-A TCP -p tcp -m tcp --dport 443 -j ACCEPT
COMMIT
# Completed on Sat Jun 23 23:44:27 2018
# Generated by ip6tables-save v1.6.0 on Sat Jun 23 23:44:27 2018
*mangle
:PREROUTING ACCEPT [983416:468327610]
:INPUT ACCEPT [983416:468327610]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1016722:277909756]
:POSTROUTING ACCEPT [1016722:277909756]
COMMIT
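The echo-only rule above broke IPv6 because Neighbor Discovery (router solicitation/advertisement, neighbour solicitation/advertisement, ICMPv6 types 133 to 136) and the ICMPv6 error messages (types 1 to 4, including Packet Too Big for path MTU discovery) were falling through to the final REJECT. The rewrite lets everything through, but it also rate-limits NDP. The following is an added example, not code from the post: a small checker that walks an ip6tables-save INPUT chain the way the kernel would for a fresh, non-loopback ICMPv6 packet and reports which essential types are rejected, accepted, or only accepted under a rate limit. It works on the saved text, so it needs no root. The three rule sets are constructed samples: the echo-only rule, the rewritten allow-all rule, and a selective alternative that this example proposes, modelled on RFC 4890's "must not be dropped" list; the interface name eth0, the assumption that -m hl --hl-eq 255 is satisfied by legitimate NDP, and the skipping of jumps to user-defined chains are simplifications of this example.

```python
import re

# ICMPv6 types an IPv6 host cannot function without (RFC 4890's
# "must not be dropped" list); NDP (133-136) replaces ARP and carries SLAAC.
ESSENTIAL = {
    1: "destination unreachable", 2: "packet too big", 3: "time exceeded",
    4: "parameter problem", 133: "router solicitation",
    134: "router advertisement", 135: "neighbour solicitation",
    136: "neighbour advertisement",
}

# Names ip6tables may write for --icmpv6-type in a saved rule set.
TYPE_NAMES = {
    "destination-unreachable": 1, "packet-too-big": 2, "time-exceeded": 3,
    "parameter-problem": 4, "echo-request": 128, "echo-reply": 129,
    "router-solicitation": 133, "router-advertisement": 134,
    "neighbour-solicitation": 135, "neighbor-solicitation": 135,
    "neighbour-advertisement": 136, "neighbor-advertisement": 136,
}


def _opt(line, flag):
    """Return the argument following `flag` in one rule line, or None."""
    m = re.search(r"(?:^|\s)" + re.escape(flag) + r"\s+(\S+)", line)
    return m.group(1) if m else None


def _type_number(text):
    """'134', '134/0' or 'router-advertisement' -> 134."""
    base = text.split("/")[0]
    return int(base) if base.isdigit() else TYPE_NAMES[base]


def verdict(dump, icmp_type, iface="eth0"):
    """Walk the INPUT chain (first match wins) for a new, non-loopback ICMPv6
    packet of the given type. Returns 'ACCEPT', 'DROP', 'REJECT' or, when the
    accepting rule carries -m limit, 'ACCEPT (rate-limited; excess <fate>)',
    because packets over the limit fall through to the later rules.
    Hop-limit matches (-m hl) are assumed satisfied: legitimate NDP always
    arrives with hop limit 255. Jumps to user-defined chains are skipped."""
    policy, limited = "ACCEPT", None
    for line in (raw.strip() for raw in dump.splitlines()):
        if line.startswith(":INPUT "):
            policy = line.split()[1]           # chain policy, e.g. ':INPUT DROP [0:0]'
            continue
        if not line.startswith("-A INPUT "):
            continue
        in_if = _opt(line, "-i")
        if in_if and in_if != iface:
            continue                           # '-i lo': our packet is not from loopback
        state = _opt(line, "--ctstate")
        if state and "NEW" not in state.split(","):
            continue                           # RELATED,ESTABLISHED / INVALID miss a fresh packet
        proto = _opt(line, "-p")
        if proto and proto not in ("ipv6-icmp", "icmpv6", "58"):
            continue                           # tcp/udp rules never see ICMPv6
        wanted = _opt(line, "--icmpv6-type")
        if wanted and _type_number(wanted) != icmp_type:
            continue
        target = _opt(line, "-j")
        if target not in ("ACCEPT", "DROP", "REJECT"):
            continue
        if "-m limit" in line:
            limited = limited or target        # remember it, then see where the excess goes
            continue
        return _fate(target, limited)
    return _fate(policy, limited)


def _fate(final, limited):
    return f"{limited} (rate-limited; excess {final})" if limited else final


def essential_problems(dump):
    """Essential types that are not plainly ACCEPTed, with their verdicts."""
    found = {t: verdict(dump, t) for t in ESSENTIAL}
    return {t: v for t, v in found.items() if v != "ACCEPT"}


# Constructed sample rule sets in ip6tables-save format (not the post's full file).
HEADER = """*filter
:INPUT DROP [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
"""
FOOTER = "-A INPUT -j REJECT --reject-with icmp6-reject-route\nCOMMIT\n"

# 1. The VPS rule the post started with: echo request only.
ECHO_ONLY = HEADER + ("-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 128 "
                      "-m limit --limit 3/sec --limit-burst 3 -j ACCEPT\n") + FOOTER
# 2. The post's rewrite: every ICMPv6 type, rate-limited.
ALL_ICMP = HEADER + "-A INPUT -p ipv6-icmp -m limit --limit 6/sec --limit-burst 6 -j ACCEPT\n" + FOOTER
# 3. Selective alternative (this example's suggestion): NDP and error
#    messages unlimited, only echo requests rate-limited.
SELECTIVE = HEADER + "".join(
    f"-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type {t} -m hl --hl-eq 255 -j ACCEPT\n"
    for t in (133, 134, 135, 136)) + "".join(
    f"-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type {t} -j ACCEPT\n"
    for t in (1, 2, 3, 4)) + ("-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 128 "
                              "-m limit --limit 6/sec --limit-burst 6 -j ACCEPT\n") + FOOTER

if __name__ == "__main__":
    for name, rules in [("echo-only", ECHO_ONLY), ("all-icmp", ALL_ICMP), ("selective", SELECTIVE)]:
        print(name, essential_problems(rules) or "all essential ICMPv6 types accepted")
```

Run against the echo-only set, every essential type comes back REJECT, which is exactly the "couldn't even get an address" symptom: router advertisements never reach the host. The allow-all rewrite accepts them but reports each as rate-limited with the excess going to REJECT, which is the doubt raised above about limiting ICMP. The selective set reports nothing: NDP and the error messages pass unconditionally, and only echo requests are limited. To check your own file, feed the contents of /etc/iptables/rules.v6 to essential_problems.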