
My nftables.conf simply runs flush ruleset then includes my firewall rules. I’ve copied them from the Arch wiki. So the included firewall.rules contains:

# An iptables-like firewall

table firewall {
  chain incoming {
    type filter hook input priority 0;

    # established/related connections
    ct state established,related accept

    # invalid connections
    ct state invalid drop

    # loopback interface
    iifname lo accept

    # icmp
    icmp type echo-request accept

    # open tcp ports
    tcp dport {http, https, ...} accept

    # open udp ports
    udp dport {...} accept

    # drop everything else
    drop
  }
}

table ip6 firewall {
  chain incoming {
    type filter hook input priority 0;

    # established/related connections
    ct state established,related accept

    # invalid connections
    ct state invalid drop

    # loopback interface
    iifname lo accept

    # icmp
    icmpv6 type {echo-request,nd-neighbor-solicit,nd-router-solicit,mld-listener-query} accept

    # open tcp ports
    tcp dport {http, https, ...} accept

    # open udp ports
    udp dport {...} accept

    # drop everything else
    drop
  }
}

So when everything is loaded I can’t use IPv6; ping6 errors with

From ams16s21-in-x0e.1e100.net icmp_seq=1 Destination unreachable: Address unreachable

However, if I run sudo nft flush table ip6 firewall, ping6 immediately starts working as expected. If I then re-establish the ip6 firewall table, IPv6 connectivity doesn’t fail immediately, but waiting a few minutes I find the ping6 command returning the aforementioned error.

My hosting provider doesn’t provide any IPv6 auto-configuration or router-advertisements at the network level fwiw.

Anyone seen anything like this before?

Jonny Barnes
  • Your ICMPv6 allow is much too restrictive. In addition to not allowing neighbor advertisement, you're also missing other things that will cause subtle breakage. It's best to allow all ICMPv6 unless you _really_ know what you're doing. – Michael Hampton Sep 06 '16 at 02:33

2 Answers


IPv6 connectivity doesn’t fail immediately, but waiting a few minutes I find the ping6 command returning the aforementioned error.

I would guess you have broken neighbour discovery. Initially things keep working because you already have things in the neighbour discovery cache, but later the entries time out.

You appear to be allowing neighbour solicit messages but not neighbour advertisement messages.

Peter Green

You are dropping too many ICMPv6 types. Most error messages should be allowed in because of the state established,related, but you are dropping Neighbor Advertisements and Router Advertisements. Try this one:

icmpv6 type {echo-request,nd-neighbor-solicit,nd-neighbor-advert,nd-router-solicit,
             nd-router-advert,mld-listener-query} accept

It will allow unsolicited NA and RA in, which will probably fix your problem.

If you want to make sure that error messages also get through (I didn't test if state established,related does actually work for all ICMPv6 error messages) then also add those:

icmpv6 type {echo-request,nd-neighbor-solicit,nd-neighbor-advert,nd-router-solicit,
             nd-router-advert,mld-listener-query,destination-unreachable,
             packet-too-big,time-exceeded,parameter-problem} accept

Shouldn't be necessary, but just in case :) Dropping ICMPv6 error messages will cause severe delays or even blocked connections, so better avoid that :)

Sander Steffann
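A complete ip6 table that applies both answers above (Peter Green's diagnosis of the missing neighbour advertisements and Sander Steffann's extended ICMPv6 set), as an added example that is not the original poster's file or either answerer's literal code. Table and chain names follow the question; the tcp port set is a constructed placeholder with no udp ports opened; the `ip6 hoplimit 255` match on the neighbour discovery rule and the `policy drop` on the chain are additions beyond the answers (RFC 4861 requires ND messages to carry hop limit 255, so anything else did not originate on-link and can be discarded).

```nft
# IPv6 input filter: corrected version of the question's ip6 table.
# Added example; assumed table/chain names mirror the question, port set is a
# constructed placeholder.
table ip6 firewall {
  chain incoming {
    # Chain policy drops anything not accepted below, so no trailing "drop"
    # rule is needed (the question's trailing drop is equivalent).
    type filter hook input priority 0; policy drop;

    # established/related connections
    ct state established,related accept

    # invalid connections
    ct state invalid drop

    # loopback interface
    iifname lo accept

    # Neighbour Discovery. Both the solicit AND the advertisement direction
    # must be accepted: with only solicit allowed, cached neighbours keep
    # working until their entries expire, then address resolution fails
    # ("Destination unreachable: Address unreachable" in ping6).
    # ND messages must carry hop limit 255 (RFC 4861); this match rejects
    # forged ND that was routed in from off-link. (Added hardening.)
    icmpv6 type { nd-neighbor-solicit, nd-neighbor-advert,
                  nd-router-solicit, nd-router-advert } ip6 hoplimit 255 accept

    # ICMPv6 error messages. packet-too-big is what makes Path MTU discovery
    # work; dropping these causes hangs or blackholed connections rather than
    # a clean failure.
    icmpv6 type { destination-unreachable, packet-too-big,
                  time-exceeded, parameter-problem } accept

    # multicast listener discovery and echo
    icmpv6 type { mld-listener-query, echo-request } accept

    # open tcp ports (constructed placeholder set)
    tcp dport { http, https } accept

    # open udp ports: none opened in this example
  }
}
```

Check the file before loading it with `nft -c -f firewall.rules` (syntax check without applying), then load it with `nft -f firewall.rules`. Once the old neighbour cache entries have aged out, `ip -6 neigh show` should list the gateway as REACHABLE or STALE rather than FAILED; a FAILED entry after the rules are loaded is the signature of the advertisement direction still being dropped.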