IPv6 and iptable rules

zone4444
Member
Posts: 18
Joined: Wed Aug 11, 2021 12:49 pm

IPv6 and iptable rules

Post by zone4444 »

Hello,

Whenever I flush my ip6tables on Ubuntu 20.04 then Deluge starts seeding/uploading on IPv6.
As soon as I enable the following IPv6 iptable rules, Deluge becomes unconnectable on IPv6 (it is configured for port 44973) and any seed/peer using IPv6 becomes totally unable to download from me.

-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 44973 -j ACCEPT
-A INPUT -p udp -m udp --dport 44973 -j ACCEPT
-A INPUT -j DROP
Shwycs
New User
Posts: 1
Joined: Tue Oct 04, 2022 10:04 pm

Re: IPv6 and iptable rules

Post by Shwycs »

IPv6 needs at least some ICMPv6 rules to work.
https://www.rfc-editor.org/rfc/rfc4890

If I didn't miss any, adding the following icmp6 rules should make it work.

# Destination unreachable (type 1)
# Packet too big (type 2)
# Time exceeded (type 3)
# Parameter problem (type 4)
# Echo Request (protect against flood) (type 128)
# Echo Reply (type 129)
## Allow other ICMPv6 types but only if the hop limit field is 255.
# Neighbor Solicitation (type 135)
# Neighbor Advertisement (type 136)

Code:

-P INPUT DROP
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state INVALID -j DROP

# ---
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 1 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 2 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 3 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 4 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 128 -m limit --limit 2/sec --limit-burst 4 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 129 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 135 -m hl --hl-eq 255 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 136 -m hl --hl-eq 255 -j ACCEPT
-A INPUT -p ipv6-icmp -j REJECT --reject-with icmp6-port-unreachable
# ----

-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 44973 -j ACCEPT
-A INPUT -p udp -m udp --dport 44973 -j ACCEPT
-A INPUT -j DROP

UFW firewall defaults.

Code:

-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 129 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 1 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 2 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 3 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 4 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 128 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 133 -m hl --hl-eq 255 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 134 -m hl --hl-eq 255 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 135 -m hl --hl-eq 255 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 136 -m hl --hl-eq 255 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 141 -m hl --hl-eq 255 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 142 -m hl --hl-eq 255 -j ACCEPT
-A INPUT -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 130 -j ACCEPT
-A INPUT -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 131 -j ACCEPT
-A INPUT -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 132 -j ACCEPT
-A INPUT -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 143 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 148 -m hl --hl-eq 255 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 149 -m hl --hl-eq 255 -j ACCEPT
-A INPUT -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 151 -m hl --hl-eq 1 -j ACCEPT
-A INPUT -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 152 -m hl --hl-eq 1 -j ACCEPT
-A INPUT -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 153 -m hl --hl-eq 1 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 144 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 145 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 146 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 147 -j ACCEPT
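
An added example, not part of either post: a simplified first-match check of how each ruleset in this thread treats inbound Neighbor Discovery (ICMPv6 types 133 to 136). The helper names are hypothetical, the rule text is constructed from the posts, and the check assumes packets arrive with hop limit 255 and are never matched by the state rules.

```python
import shlex

ND_TYPES = (133, 134, 135, 136)  # RS, RA, NS, NA (types named in the UFW list)
# Constructed from the first post: ports opened, no ICMPv6 rule.
FIRST_POST = """\
-P INPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 44973 -j ACCEPT
-A INPUT -p udp -m udp --dport 44973 -j ACCEPT
-A INPUT -j DROP
"""
# Constructed from the reply, up to the ICMPv6 catch-all; later rules never see ICMPv6.
REPLY = """\
-P INPUT DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 1 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 2 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 3 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 4 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 128 -m limit --limit 2/sec --limit-burst 4 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 129 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 135 -m hl --hl-eq 255 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 136 -m hl --hl-eq 255 -j ACCEPT
-A INPUT -p ipv6-icmp -j REJECT --reject-with icmp6-port-unreachable
"""

def matches(o, icmp_type):
    # Assumptions: the packet arrives from the network (not lo) with hop limit 255,
    # and state rules never match it because Neighbor Discovery is not conntracked.
    return ("-i" not in o and "--state" not in o
            and o.get("-p", "ipv6-icmp") == "ipv6-icmp"
            and o.get("--icmpv6-type", str(icmp_type)) == str(icmp_type)
            and o.get("--hl-eq", "255") == "255")

def verdict(rules, icmp_type, policy="ACCEPT"):
    """First-match INPUT verdict for one ICMPv6 type; falls back to the chain policy."""
    for tok in map(shlex.split, rules.splitlines()):
        o = dict(zip(tok[2::2], tok[3::2]))  # every option on this page takes one argument
        if tok[:2] == ["-P", "INPUT"]:
            policy = tok[2]
        elif tok[:2] == ["-A", "INPUT"] and matches(o, icmp_type):
            return o["-j"]
    return policy

def nd_report(rules):
    return {t: verdict(rules, t) for t in ND_TYPES}
```

`nd_report(FIRST_POST)` shows every Neighbor Discovery type reaching the final DROP, while `nd_report(REPLY)` accepts 135 and 136 and sends 133 and 134 to the REJECT. A host that takes its address or default route from router advertisements also needs type 134 accepted, as the UFW list does.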
zone4444
Member
Posts: 18
Joined: Wed Aug 11, 2021 12:49 pm

Re: IPv6 and iptable rules

Post by zone4444 »

Shwycs,
Ty for the reply. Will read this as it sounds very interesting and test it when I'm ready.

**Edit: Been testing the rules you suggested (tailored to my specific ports ofc) for the past 24 hours and it all seems to be working fine now.