
I have a little problem with my ip6tables. When I apply the rules below, everything is fine. After I try http via a webpage, all ok. When I then return to SSH and try, ssh is disconnected and the browser doesn't reply via IPv6 afterwards. When I stop ip6tables, everything is fine again. Please can you help me?

ip6tables -L -v
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all      lo     any     anywhere             anywhere
    0     0 ACCEPT     ipv6-icmp    any    any     anywhere             anywhere            ipv6-icmp echo-request limit: avg 15/sec burst 5
    0     0 DROP       tcp      any    any     anywhere             anywhere            tcp flags:!FIN,SYN,RST,ACK/SYN state NEW
    7   612 ACCEPT     all      any    any     anywhere             anywhere            state RELATED,ESTABLISHED
    0     0 ACCEPT     tcp      any    any     anywhere             anywhere            tcp dpt:ftp state NEW
    0     0 ACCEPT     tcp      any    any     anywhere             anywhere            tcp dpt:ssh state NEW
    0     0 ACCEPT     tcp      any    any     anywhere             anywhere            tcp dpt:smtp state NEW
    0     0 ACCEPT     tcp      any    any     anywhere             anywhere            tcp dpt:http state NEW
    0     0 ACCEPT     tcp      any    any     anywhere             anywhere            tcp dpt:https state NEW
    0     0 ACCEPT     tcp      any    any     anywhere             anywhere            tcp dpts:30000:31000 state NEW
    0     0 ACCEPT     ipv6-icmp    any    any     anywhere             anywhere            ipv6-icmp type 8
    0     0 REJECT     all      any    any     anywhere             anywhere            reject-with icmp6-adm-prohibited

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 4 packets, 608 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all      any    lo      anywhere             anywhere
    0     0 ACCEPT     ipv6-icmp    any    any     anywhere             anywhere            ipv6-icmp echo-reply limit: avg 15/sec burst 5
Pavel

2 Answers


I'm not sure what the cause of the problem is, I would need to see some traffic dumps, but your rule set looks odd. What is that ICMP type 8 that you accept for? Anyway, you must accept certain ICMPv6 messages. See RFC 4890 on how to filter ICMPv6 properly.

countermode
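The rules below are an added example, not code from the question or either answer. They accept the ICMPv6 messages RFC 4890 (section 4.4.1) says a host must not drop. In the listing above the only ICMPv6 messages accepted are echo-request and "type 8", and Neighbor Discovery is not covered by the RELATED,ESTABLISHED rule, so neighbour solicitations, router advertisements and Packet Too Big messages fall through to the final REJECT. Assumptions made here: the machine is a host, not a router (no Redirect or FORWARD rules); the rules are inserted after the lo and RELATED,ESTABLISHED rules and before the REJECT; IP6T names the command to run, and the "print" mode substitutes echo so the rules can be reviewed without root. The rate limit on echo-request is this example's choice, not RFC text.

```shell
#!/bin/sh
# Added example: ICMPv6 rules an IPv6 host needs under a DROP/REJECT INPUT
# policy, following RFC 4890 section 4.4.1. Not code from the original page.
# IP6T is the command that receives the rules; "print" mode sets it to echo.
IP6T="${IP6T:-ip6tables}"

icmpv6_rules() {
    # Types 1 destination-unreachable, 2 packet-too-big, 3 time-exceeded,
    # 4 parameter-problem. Dropping type 2 silently breaks path MTU
    # discovery, which shows up as sessions that stall on large writes.
    for t in 1 2 3 4; do
        $IP6T -A INPUT -p icmpv6 --icmpv6-type "$t" -j ACCEPT
    done
    # 128 echo-request (rate limited, this example's choice) and 129 echo-reply.
    $IP6T -A INPUT -p icmpv6 --icmpv6-type 128 -m limit --limit 15/sec --limit-burst 5 -j ACCEPT
    $IP6T -A INPUT -p icmpv6 --icmpv6-type 129 -j ACCEPT
    # Neighbor Discovery: 133 router-solicitation, 134 router-advertisement,
    # 135 neighbour-solicitation, 136 neighbour-advertisement. RFC 4861
    # requires hop limit 255 on these, so a packet with any other hop limit
    # did not originate on the local link and is not accepted.
    for t in 133 134 135 136; do
        $IP6T -A INPUT -p icmpv6 --icmpv6-type "$t" -m hl --hl-eq 255 -j ACCEPT
    done
}

# Helper for checking: number of ACCEPT rules the function emits in print mode.
# The subshell keeps the IP6T override from leaking into the caller.
icmpv6_rule_count() {
    ( IP6T=echo; icmpv6_rules ) | grep -c -- '--icmpv6-type'
}

# "sh thisfile.sh print" shows the rules; "sh thisfile.sh apply" installs them
# (as root). With no argument the file only defines the functions.
case "${1-}" in
    print) IP6T=echo; icmpv6_rules ;;
    apply) icmpv6_rules ;;
esac
```

Placement matters: these ACCEPT rules must come before the REJECT at the end of INPUT, and the `hl` match on the Neighbor Discovery rules is what RFC 4890 recommends for messages that are only valid on the local link.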

It's tough to know just by looking at the rules what happens and why. My impression is that rule 3 is not doing what you expect it to (to drop every packet that creates a new conntrack entry but has the RST, ACK or FIN flags set, or the SYN flag unset).

To debug it further I propose you add -j LOG targets before rule number 3 and before the final reject in your INPUT chain.

ip6tables -I INPUT 3 -p tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j LOG --log-prefix "bad new tcp: "

and

ip6tables -I INPUT 12 -j LOG --log-prefix "final reject: "

LOG is a "non-terminating target", i.e. rule traversal continues at the next rule.

Jakov Sosic
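Once the LOG rules are in place the kernel log (dmesg or /var/log/kern.log) fills with one line per matched packet, and the useful step is to count them by prefix, protocol and ICMPv6 type or destination port so you can see which rule fired and on what. The script below does that; it is an added example, not part of the answer above. It assumes the line layout the ip6tables LOG target writes (the --log-prefix immediately before "IN=", then KEY=VALUE fields), and the sample lines are constructed for this example, not captured from the poster's machine.

```shell
#!/bin/sh
# Added example: summarize ip6tables LOG output by prefix and traffic type.
# Not code from the original question or answers.

summarize_log() {
    awk '
    /IN=/ {
        # The --log-prefix sits between the kernel timestamp and "IN=".
        # Cutting at "IN=" copes with a prefix given without a trailing space.
        pfx = $0; sub(/.*] /, "", pfx); sub(/IN=.*/, "", pfx); sub(/ *$/, "", pfx)
        proto = ""; detail = ""
        for (i = 1; i <= NF; i++) {
            n = index($i, "="); if (n == 0) continue
            k = substr($i, 1, n - 1); v = substr($i, n + 1)
            if (k == "PROTO") proto = v
            else if (k == "TYPE") detail = "type " v   # ICMPv6 message type
            else if (k == "DPT") detail = "dpt " v     # TCP or UDP destination port
        }
        count[pfx "|" proto " " detail]++
    }
    END { for (key in count) print count[key], key }' | sort -rn
}

# Constructed sample (not captured output): three neighbour solicitations
# (type 135) and one neighbour advertisement (136) hitting the final REJECT,
# plus one NEW TCP packet to port 22 carrying ACK that the non-SYN rule matched.
sample_log() {
    cat <<'EOF'
Mar  3 10:15:02 host kernel: [ 1201.500100] final reject: IN=eth0 OUT= MAC=33:33:ff:00:00:01:00:16:3e:aa:bb:cc:86:dd SRC=fe80:0000:0000:0000:0216:3eff:feaa:bbcc DST=ff02:0000:0000:0000:0000:0001:ff00:0001 LEN=72 TC=0 HOPLIMIT=255 FLOWLBL=0 PROTO=ICMPv6 TYPE=135 CODE=0
Mar  3 10:15:03 host kernel: [ 1202.500200] final reject: IN=eth0 OUT= MAC=33:33:ff:00:00:01:00:16:3e:aa:bb:cc:86:dd SRC=fe80:0000:0000:0000:0216:3eff:feaa:bbcc DST=ff02:0000:0000:0000:0000:0001:ff00:0001 LEN=72 TC=0 HOPLIMIT=255 FLOWLBL=0 PROTO=ICMPv6 TYPE=135 CODE=0
Mar  3 10:15:04 host kernel: [ 1203.500300] final reject: IN=eth0 OUT= MAC=33:33:ff:00:00:01:00:16:3e:aa:bb:cc:86:dd SRC=fe80:0000:0000:0000:0216:3eff:feaa:bbcc DST=ff02:0000:0000:0000:0000:0001:ff00:0001 LEN=72 TC=0 HOPLIMIT=255 FLOWLBL=0 PROTO=ICMPv6 TYPE=135 CODE=0
Mar  3 10:15:05 host kernel: [ 1204.500400] final reject: IN=eth0 OUT= MAC=00:16:3e:dd:ee:ff:00:16:3e:aa:bb:cc:86:dd SRC=fe80:0000:0000:0000:0216:3eff:feaa:bbcc DST=fe80:0000:0000:0000:0216:3eff:feaa:ddee LEN=72 TC=0 HOPLIMIT=255 FLOWLBL=0 PROTO=ICMPv6 TYPE=136 CODE=0
Mar  3 10:15:09 host kernel: [ 1208.221000] bad new tcp: IN=eth0 OUT= MAC=00:16:3e:dd:ee:ff:00:16:3e:aa:bb:cc:86:dd SRC=2001:0db8:0000:0000:0000:0000:0000:0010 DST=2001:0db8:0000:0000:0000:0000:0000:0020 LEN=60 TC=0 HOPLIMIT=64 FLOWLBL=0 PROTO=TCP SPT=51514 DPT=22 WINDOW=229 RES=0x00 ACK URGP=0
EOF
}

# Run with "sh thisfile.sh demo" to summarize the sample, or pipe a real log
# into summarize_log. With no argument the file only defines the functions.
case "${1-}" in
    demo) sample_log | summarize_log ;;
esac
```

On a real system run something like `dmesg | summarize_log` or `summarize_log < /var/log/kern.log`; a high count of ICMPv6 type 135 or 136 under the final-reject prefix means Neighbor Discovery is being refused, which is exactly the kind of thing RFC 4890 warns against filtering.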