I'm running a webserver (nginx 1.21.6) on a Debian 11 system with nftables 0.9.8. My nftables configuration is:

table inet filter {
    chain input {
        type filter hook input priority filter; policy drop;
        ip saddr @spamhaus4 counter packets 0 bytes 0 drop
        ip6 saddr @spamhaus6 counter packets 0 bytes 0 drop
        meta l4proto tcp meta nfproto ipv4 ip saddr @abused counter packets 0 bytes 0 drop
        ip daddr 46.38.148.0-46.38.151.255 drop
        iif "lo" log group 2 accept
        iif != "lo" ip daddr 127.0.0.0/8 counter packets 0 bytes 0 drop comment "drop connections to loopback not coming from loopback"
        iif != "lo" ip6 daddr ::1 counter packets 0 bytes 0 drop comment "drop connections to loopback not coming from loopback"
        ct state established,related log group 2 accept
        ct state invalid counter packets 47 bytes 2572 drop
        tcp dport { 25, 80, 143, 443, 587, 2772, 9980, 45907 } log group 2 accept
        ip protocol icmp icmp type { echo-reply, destination-unreachable, echo-request, router-advertisement, router-solicitation, time-exceeded, parameter-problem } log group 2 accept
        ip6 nexthdr ipv6-icmp icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem, echo-request, echo-reply, nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert, ind-neighbor-solicit, ind-neighbor-advert } log group 2 accept
        ip6 nexthdr ipv6-icmp log group 2 accept
        counter packets 2686 bytes 421604 drop
    }

    chain IPSinput {
        type filter hook input priority filter + 10; policy drop;
        counter packets 88448 bytes 15799025 queue num 0-3 bypass,fanout
    }

    chain forward {
        type filter hook forward priority filter; policy drop;
    }

    chain output {
        type filter hook output priority filter; policy accept;
    }

    chain IPSoutput {
        type filter hook output priority filter + 10; policy drop;
        counter packets 76196 bytes 201278628 queue num 0-3 bypass,fanout
    }
}

The nftables firewall works fine.

However, my nginx server(s) are not reachable via IPv6. I have used different IPv6 checking tools (e.g., https://ipv6-test.com/validate.php), and Qualys ssltest also cannot access the server via IPv6; IPv4 is working fine, however. I have included the `listen [::]:80;` (resp. `listen [::]:443;`) directive in each of my nginx servers. And `netstat -anlp | grep nginx` gives

tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      48846/nginx: master
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      48846/nginx: master
tcp        0      0 192.168.42.98:443       93.104.163.178:39001    VERBUNDEN   48847/nginx: worker
tcp        0      0 192.168.42.98:443       93.104.163.178:39368    VERBUNDEN   48847/nginx: worker
tcp        0      0 192.168.42.98:443       93.104.163.178:43086    VERBUNDEN   48847/nginx: worker
tcp6       0      0 :::80                   :::*                    LISTEN      48846/nginx: master
tcp6       0      0 :::443                  :::*                    LISTEN      48846/nginx: master
unix  3      [ ]         STREAM     VERBUNDEN     160451   48846/nginx: master
unix  3      [ ]         STREAM     VERBUNDEN     160453   48846/nginx: master
unix  3      [ ]         STREAM     VERBUNDEN     160450   48846/nginx: master
unix  3      [ ]         STREAM     VERBUNDEN     160448   48846/nginx: master
unix  3      [ ]         STREAM     VERBUNDEN     160452   48846/nginx: master
unix  3      [ ]         STREAM     VERBUNDEN     160446   48846/nginx: master
unix  3      [ ]         STREAM     VERBUNDEN     160449   48846/nginx: master

On my router, I have activated IPv6 too.

Does anyone have any ideas where the issue could be?

phonon112358
  • If you run `tcpdump -n ip6` and attempt to connect via IPv6, do you see anything? Can you ping the host's IPv6 address? – Zoredache Apr 04 '22 at 02:13
  • Is the router located at your home? – djdomi Apr 04 '22 at 05:56
  • IPSinput/IPSoutput is for testing, right? Nobody knows what happens there. Besides, about ICMPv6 handling, check `man nft` at the part with the words "Caution when using ip6 nexthdr": if some ICMPv6 packets have additional headers, they get dropped with your current ruleset. – A.B Apr 04 '22 at 08:23
  • Thank you all for the comments! ;) These helped me very much in troubleshooting! – phonon112358 Apr 04 '22 at 23:11
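A.B's comment refers to the two `ip6 nexthdr ipv6-icmp` rules in the input chain: `nexthdr` only matches when ICMPv6 is the header immediately after the IPv6 header, so an ICMPv6 packet that carries an extension header first is not matched and falls through to the final `drop`. The fragment below is an added example (not from the original question) showing the same two rules written with `meta l4proto`, which matches the real transport header after any extension headers; the other rules of the chain are assumed unchanged. Note that the second of the original rules accepts every ICMPv6 type, so the typed set in the first rule imposes no restriction as the ruleset stands.

```nft
table inet filter {
    chain input {
        type filter hook input priority filter; policy drop;

        # ... the IPv4, loopback, conntrack, TCP and ICMPv4 rules stay as posted ...

        # Match ICMPv6 by transport protocol, not by the first next-header field,
        # so Neighbor Discovery and PMTU messages with extension headers still pass.
        meta l4proto ipv6-icmp icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem, echo-request, echo-reply, nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert, ind-neighbor-solicit, ind-neighbor-advert } log group 2 accept

        # Keep this line only if all remaining ICMPv6 types are meant to be accepted;
        # with it present, the typed set above is redundant.
        meta l4proto ipv6-icmp log group 2 accept

        counter drop
    }
}
```

After loading the change, `nft list chain inet filter input` shows the rewritten rules and their counters, which is a quick way to confirm that ICMPv6 is now being counted on the accept rules rather than on the trailing drop.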

1 Answer

Thanks to @Zoredache's comment on my question, I tried to ping my host's IPv6 address. It only worked inside my home network. When I tried to ping it via subnetOnline or another site, it didn't work.

I then found this answer on unix.stackoverflow.com: https://unix.stackexchange.com/a/443380/520989 . I edited the /etc/dhcpcd.conf file and replaced `slaac private` with `slaac hwaddr`. Making my router (Fritzbox 7583) forget the previous configuration and rebooting my server did indeed solve my problem! My server is now completely reachable via IPv6 (also nginx)!

phonon112358