toralf Developer
Joined: 01 Feb 2004 Posts: 3941 Location: Hamburg
Posted: Wed Mar 16, 2016 2:37 pm Post subject: IPv6 SYN_RECV hang (after BIOS update?)
Suddenly (tm) IPv6 on my server won't work anymore. The only change so far is the replacement of the RAM and a BIOS upgrade.
The picture after booting the server is now:
Code: |
ms-magpie ~ # netstat -6 -p -W -n
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp6 0 0 2a01:4f8:190:514a::2:5222 2a01:4f8:0:a101::6:3:43837 SYN_RECV -
tcp6 0 0 5.9.158.75:5222 94.242.246.23:24237 ESTABLISHED 1633/beam
tcp6 0 0 2a01:4f8:190:514a::2:443 2001:638:a000:4140::ffff:189:55898 SYN_RECV -
tcp6 0 0 5.9.158.75:5222 94.242.246.23:44793 ESTABLISHED 1633/beam
tcp6 0 0 5.9.158.75:5269 146.255.57.226:37717 ESTABLISHED 1633/beam
tcp6 0 0 2a01:4f8:190:514a::2:443 2001:858:2:2:aabb:0:563b:1526:54739 SYN_RECV -
tcp6 0 0 5.9.158.75:5269 208.68.163.218:46377 ESTABLISHED 1633/beam
tcp6 0 0 2a01:4f8:190:514a::2:5269 2001:6f8:126f:11::26:37387 ESTABLISHED 1633/beam
tcp6 0 0 2a01:4f8:190:514a::2:443 2a01:4f8:0:a101::6:3:52584 SYN_RECV -
|
No ping6 from outside is possible (I do have a monitor from my ISP which ping6s me every 3 min), and no ping6 goes out.
If I comment out the line "$IPT -P INPUT DROP" of my firewall script
Code: |
#!/bin/sh
IPT="/sbin/ip6tables"
startFirewall() {
$IPT -P INPUT DROP
$IPT -P FORWARD DROP
$IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
$IPT -A INPUT -i lo -j ACCEPT
$IPT -A INPUT --source ::1 -j ACCEPT
$IPT -A INPUT -m conntrack --ctstate INVALID -j DROP
$IPT -A INPUT -s fe80::/10 -p ipv6-icmp -j ACCEPT
$IPT -A INPUT -p ipv6-icmp --icmpv6-type echo-request -j ACCEPT
...
|
and restart the firewall, then it works.
What's wrong?
Update
This change solved/circumvented it, but why is it needed now?
Code: |
#$IPT -A INPUT -p ipv6-icmp --icmpv6-type echo-request -j ACCEPT
$IPT -A INPUT -p ipv6-icmp -j ACCEPT
|
Last edited by toralf on Sat Mar 19, 2016 6:35 pm; edited 1 time in total |
Ant P. Watchman
Joined: 18 Apr 2009 Posts: 6920
Posted: Thu Mar 17, 2016 3:16 am
How does your server get its IPv6 routes configured?
toralf Developer
Joined: 01 Feb 2004 Posts: 3941 Location: Hamburg
Posted: Thu Mar 17, 2016 12:53 pm
Ant P. wrote: | How does your server get its IPv6 routes configured? |
Code: |
tfoerste@ms-magpie ~ $ sudo su -
ms-magpie ~ # route -n -6
Kernel IPv6 routing table
Destination Next Hop Flag Met Ref Use If
::1/128 :: Un 0 8 20 lo
2a01:4f8:190:514a::2/128 :: Un 0 9924591 lo
2a01:4f8:190:514a::/64 :: U 256 0 0 enp3s0
fe80::3285:a9ff:feed:1cb/128 :: Un 0 1 0 lo
fe80::/64 :: U 256 0 0 enp3s0
ff00::/8 :: U 256 0 0 enp3s0
::/0 fe80::1 UG 2 8917516 enp3s0
::/0 :: !n -1 1 25 lo
ms-magpie ~ # route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 5.9.158.65 0.0.0.0 UG 2 0 0 enp3s0
5.9.158.64 0.0.0.0 255.255.255.224 U 0 0 0 enp3s0
127.0.0.0 0.0.0.0 255.0.0.0 U 0 0 0 lo
127.0.0.0 127.0.0.1 255.0.0.0 UG 0 0 0 lo
ms-magpie ~ # cat /etc/conf.d/net
config_enp3s0="5.9.158.75/27
2a01:4f8:190:514a::2/64
"
routes_enp3s0="default via 5.9.158.65
default via fe80::1
"
# prefer IPv6
#
dns_servers_enp3s0="127.0.0.1 2a01:4f8:0:a0a1::add:1010 2a01:4f8:0:a102::add:9999 2a01:4f8:0:a111::add:9898 213.133.98.98 213.133.99.99 213.133.100.100"
dns_domain_enp3s0="zwiebeltoralf.de"
|
Ant P. Watchman
Joined: 18 Apr 2009 Posts: 6920
Posted: Fri Mar 18, 2016 3:17 am
Everything looks consistent there. IPv6 uses ICMP for a lot more than ping requests compared to IPv4, though; it's generally a bad idea to block it.
toralf Developer
Joined: 01 Feb 2004 Posts: 3941 Location: Hamburg
Posted: Fri Mar 18, 2016 9:01 am
Ant P. wrote: | Everything looks consistent there. IPv6 uses ICMP for a lot more than ping requests compared to IPv4, though; it's generally a bad idea to block it. |
Thx Ant - but the question remains why this doesn't work now - it worked here for 3/4 year. I tested older kernels too - the BIOS upgrade seems to be the trigger ...
Update
FWIW, looking into https://www.cert.org/downloads/IPv6/ip6table_rules.txt and allowing 2 more ICMPv6 types does it, instead of opening it for all:
Code: |
$IPT -A INPUT -s fe80::/10 -p ipv6-icmp -j ACCEPT
# Allow some other types in the INPUT chain, but rate limit.
#
$IPT -A INPUT -p icmpv6 --icmpv6-type echo-request -m limit --limit 900/min -j ACCEPT
$IPT -A INPUT -p icmpv6 --icmpv6-type echo-reply -m limit --limit 900/min -j ACCEPT
# Allow others ICMPv6 types but only if the hop limit field is 255.
#
$IPT -A INPUT -p icmpv6 --icmpv6-type neighbor-advertisement -m hl --hl-eq 255 -j ACCEPT
|
And what's worth mentioning: with the old config a ping6 from the server out to another works fine until a ping6 arrives from outside (usually from the monitoring solution of my AS). From that point in time the ping6 from the server to the remote loses 100% of its packets.
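Added example, not part of the thread and not any poster's script: an ICMPv6 section for a default-DROP INPUT chain like the one in the first post, accepting the error and Neighbor Discovery types IPv6 depends on besides ping, from any source address rather than only fe80::/10. The function name `icmpv6_rules` and the dry-run default for `IPT` are assumptions of this example; the type selection is a subset of what RFC 4890 recommends not dropping.

```shell
#!/bin/sh
# Added example (not from the thread). IPT defaults to a dry run that only
# prints the commands; set IPT=/sbin/ip6tables and run as root to apply them.
IPT="${IPT:-echo ip6tables}"

# Error messages that TCP and UDP rely on (path MTU discovery, unreachable
# destinations, routing loops, malformed headers).
ERROR_TYPES="destination-unreachable packet-too-big time-exceeded parameter-problem"

# Neighbor Discovery: the IPv6 counterpart of ARP, plus router discovery.
# A neighbour solicitation may carry a global source address, so a rule that
# accepts ICMPv6 only from fe80::/10 does not cover all of these.
ND_TYPES="router-solicitation router-advertisement neighbour-solicitation neighbour-advertisement"

icmpv6_rules() {
    for t in $ERROR_TYPES; do
        $IPT -A INPUT -p ipv6-icmp --icmpv6-type "$t" -j ACCEPT
    done
    # Accept ND from any source, but only with hop limit 255: routers
    # decrement the hop limit, so such a packet was sent on the local link.
    for t in $ND_TYPES; do
        $IPT -A INPUT -p ipv6-icmp --icmpv6-type "$t" -m hl --hl-eq 255 -j ACCEPT
    done
    # Ping, rate limited with the value used in the rules quoted in the thread.
    for t in echo-request echo-reply; do
        $IPT -A INPUT -p ipv6-icmp --icmpv6-type "$t" -m limit --limit 900/min -j ACCEPT
    done
}

icmpv6_rules
```

In a script like the one in the first post, the call would take the place of the single echo-request rule; all other ICMPv6 types still fall through to the DROP policy.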
Duncan Mac Leod Guru
Joined: 02 May 2004 Posts: 314 Location: Germany
Posted: Sun Mar 20, 2016 5:45 pm
Today I had IPv6 trouble, too!
I did not change anything for weeks.
I noticed that I could not ping anything, even the default gateway. A reboot solved the problem, for now...
Never had this before! Using gentoo-sources -> 4.1.15-gentoo-r1
Anyone else with IPv6 problems recently?