Hello,
Whenever I flush my ip6tables on Ubuntu 20.04 then Deluge starts seeding/uploading on IPv6.
As soon as I enable the following IPv6 iptable rules, Deluge becomes unconnectable on IPv6 (it is configured for port 44973) and any seed/peer using IPv6 becomes totally unable to download from me.
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 44973 -j ACCEPT
-A INPUT -p udp -m udp --dport 44973 -j ACCEPT
-A INPUT -j DROP
IPv6 and iptable rules
Re: IPv6 and iptable rules
IPv6 needs at least some ICMPv6 rules to work.
https://www.rfc-editor.org/rfc/rfc4890
If I didn't miss any, adding the following icmp6 rules should make it work.
# Destination unreachable (type 1)
# Packet too big (type 2)
# Time exceeded (type 3)
# Parameter problem (type 4)
# Echo Request (protect against flood) (type 128)
# Echo Reply (type 129)
## Allow other ICMPv6 types but only if the hop limit field is 255.
# Neighbor Solicitation (type 135)
# Neighbor Advertisement (type 136)
-P INPUT DROP
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
# ---
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 1 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 2 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 3 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 4 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 128 -m limit --limit 2/sec --limit-burst 4 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 129 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 135 -m hl --hl-eq 255 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 136 -m hl --hl-eq 255 -j ACCEPT
-A INPUT -p ipv6-icmp -j REJECT --reject-with icmp6-port-unreachable
# ----
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 44973 -j ACCEPT
-A INPUT -p udp -m udp --dport 44973 -j ACCEPT
-A INPUT -j DROP
UFW firewall defaults.
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 129 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 1 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 2 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 3 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 4 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 128 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 133 -m hl --hl-eq 255 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 134 -m hl --hl-eq 255 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 135 -m hl --hl-eq 255 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 136 -m hl --hl-eq 255 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 141 -m hl --hl-eq 255 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 142 -m hl --hl-eq 255 -j ACCEPT
-A INPUT -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 130 -j ACCEPT
-A INPUT -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 131 -j ACCEPT
-A INPUT -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 132 -j ACCEPT
-A INPUT -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 143 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 148 -m hl --hl-eq 255 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 149 -m hl --hl-eq 255 -j ACCEPT
-A INPUT -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 151 -m hl --hl-eq 1 -j ACCEPT
-A INPUT -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 152 -m hl --hl-eq 1 -j ACCEPT
-A INPUT -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 153 -m hl --hl-eq 1 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 144 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 145 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 146 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 147 -j ACCEPT
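An added example, not part of the thread: a small Python audit that walks the INPUT chain of a ruleset in ip6tables-save syntax with first-match semantics and lists which of the ICMPv6 types named in the reply have no explicit ACCEPT rule. The function names are hypothetical; rules with state/conntrack matches, negated rules and loopback-only rules are skipped rather than modelled, and source, hop-limit and rate-limit conditions are assumed to be satisfied.

```python
import shlex

# ICMPv6 types named in the reply above.
REPLY_TYPES = {1: "destination unreachable", 2: "packet too big",
               3: "time exceeded", 4: "parameter problem",
               128: "echo request", 129: "echo reply",
               135: "neighbor solicitation", 136: "neighbor advertisement"}
ICMP6_PROTOS = {"ipv6-icmp", "icmpv6", "58"}

# INPUT chain from the question, in ip6tables-save syntax.
QUESTION_RULES = """\
-P INPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 44973 -j ACCEPT
-A INPUT -p udp -m udp --dport 44973 -j ACCEPT
-A INPUT -j DROP
"""

def opt(tok, flag):
    """Value following `flag` in a tokenised rule, or None when absent."""
    return tok[tok.index(flag) + 1] if flag in tok else None

def explicit_verdict(ruleset, icmp_type):
    """First-match INPUT verdict for an ICMPv6 packet of `icmp_type`."""
    policy = "ACCEPT"
    for line in ruleset.splitlines():
        tok = shlex.split(line, comments=True)  # '#' lines become []
        if tok[:2] == ["-P", "INPUT"]:
            policy = tok[2]
        if tok[:2] != ["-A", "INPUT"] or "!" in tok:
            continue  # other chains and negated matches are not modelled
        if opt(tok, "-i") == "lo" or "state" in tok or "conntrack" in tok:
            continue  # loopback-only or conntrack-dependent rule
        proto, want = opt(tok, "-p"), opt(tok, "--icmpv6-type")
        if proto is not None and proto not in ICMP6_PROTOS:
            continue  # rule is for TCP, UDP, ...
        if want is not None and want != str(icmp_type):
            continue  # rule is for a different (numeric) ICMPv6 type
        if opt(tok, "-j") in ("ACCEPT", "DROP", "REJECT"):
            return opt(tok, "-j")
    return policy  # nothing matched: the chain policy decides

def missing_types(ruleset):
    """Types from REPLY_TYPES that no explicit rule accepts."""
    return [t for t in sorted(REPLY_TYPES)
            if explicit_verdict(ruleset, t) != "ACCEPT"]

if __name__ == "__main__":
    print(missing_types(QUESTION_RULES))
```

The audit only handles numeric `--icmpv6-type` values, as used throughout this thread.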
Re: IPv6 and iptable rules
Shwycs,
Ty for the reply. Will read this as it sounds very interesting and test it when I'm ready.
**Edit: Been testing the rules you suggested (tailored to my specific ports ofc) for the past 24 hours and it all seems to be working fine now.