[ntp:questions] IPv6 and ip6tables
geckolimo at gmail.com
Tue Mar 12 15:50:20 UTC 2013
On Monday, March 11, 2013 10:13:28 PM UTC+1, Ivan Shmakov wrote:
> I've never seen an issue with such a setup. The only difference
> is that my firewall has also a -j ACCEPT rule for --dport 123 in
> the FORWARD chain. I don't know if it's related, though.
I tried to add ACCEPT rules on the FORWARD chain for port 123, and when nothing changed I switched the policy to ACCEPT. NTP server was still unreachable. Reverted back.
> Is there really such an all-permitting rule?
In fact it is for loopback only (-A INPUT -i lo -j ACCEPT) but for some reason -L doesn't show that.
I decided to perform some logging of the dropped packets.
    sudo ip6tables -N LOGGING
    sudo ip6tables -A LOGGING -j LOG --log-prefix "IPTables-Dropped: " --log-level 7
    sudo ip6tables -A LOGGING -j DROP
    sudo ip6tables -A INPUT -i eth0 -j LOGGING
Only a few lines popped up in my log, all of them being PROTO=ICMPv6 TYPE=135 or TYPE=136, that is neighbor advertisements and solicitations. They were not specifically printed at the same time as the NTP request. I tried to allow them nonetheless:
    sudo ip6tables -D INPUT -i eth0 -j LOGGING
    sudo ip6tables -A INPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
    sudo ip6tables -A INPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
Now my NTP server is reachable!
I don't know if it is related to my provider's network architecture (I have a VPS server hosted by gandi.net) or if it is the common behaviour of NTP over IPv6. I should note I've already had ICMPv6-related issues in the past: I had to turn on router-solicitation and router-advertisement to get a global ipv6 address at all. What should be enabled is still a bit arcane to me.
Anyway, everything looks fine now!
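Added example, not part of the thread: a POSIX sh script with two helpers for the situation described above. `ndp_rules` prints (does not run) an ip6tables INPUT ruleset that admits the Neighbor Discovery and ICMPv6 error types a host needs before any IPv6 service, NTP included, can be reached; `ndp_drops` reads "IPTables-Dropped:" LOG lines on stdin and counts the ones that are Neighbor Discovery types, so a log review shows when the firewall is eating ND. The sample log lines and addresses are constructed, and the ICMPv6 type names are the ones ip6tables accepts with --icmpv6-type.

```shell
#!/bin/sh
# Print the ip6tables rules that keep IPv6 usable: RS/RA (address
# configuration), NS/NA (address resolution) and ICMPv6 errors
# (PMTUD), then the NTP service port. Pipe to sh to apply.
ndp_rules() {
    for t in router-solicitation router-advertisement \
             neighbor-solicitation neighbor-advertisement; do
        echo "ip6tables -A INPUT -p icmpv6 --icmpv6-type $t -j ACCEPT"
    done
    for t in destination-unreachable packet-too-big time-exceeded \
             parameter-problem echo-request echo-reply; do
        echo "ip6tables -A INPUT -p icmpv6 --icmpv6-type $t -j ACCEPT"
    done
    echo "ip6tables -A INPUT -p udp --dport 123 -j ACCEPT"
}

# Map the numeric TYPE= seen in LOG output to the ip6tables name.
icmpv6_name() {
    case "$1" in
        133) echo router-solicitation ;;
        134) echo router-advertisement ;;
        135) echo neighbor-solicitation ;;
        136) echo neighbor-advertisement ;;
        *)   echo "type-$1" ;;
    esac
}

# Count LOG lines on stdin whose ICMPv6 TYPE is Neighbor Discovery
# (133-137); a non-zero count means the ruleset is breaking IPv6.
ndp_drops() {
    count=0
    while IFS= read -r line; do
        case "$line" in *"PROTO=ICMPv6"*) ;; *) continue ;; esac
        type=${line##*TYPE=}; type=${type%% *}
        case "$type" in 13[3-7]) count=$((count + 1)) ;; esac
    done
    echo "$count"
}

# Constructed sample in the kernel's ip6tables LOG format (not real traffic).
SAMPLE_LOG='IPTables-Dropped: IN=eth0 OUT= SRC=fe80::1 DST=ff02::1:ff00:2 LEN=72 TC=0 HOPLIMIT=255 FLOWLBL=0 PROTO=ICMPv6 TYPE=135 CODE=0
IPTables-Dropped: IN=eth0 OUT= SRC=2001:db8::1 DST=2001:db8::2 LEN=72 TC=0 HOPLIMIT=255 FLOWLBL=0 PROTO=ICMPv6 TYPE=136 CODE=0
IPTables-Dropped: IN=eth0 OUT= SRC=2001:db8::9 DST=2001:db8::2 LEN=76 TC=0 HOPLIMIT=64 FLOWLBL=0 PROTO=UDP SPT=45000 DPT=123 LEN=56'

printf 'dropped ND packets in sample: %s\n' "$(printf '%s\n' "$SAMPLE_LOG" | ndp_drops)"
```

Replace the sample with `grep IPTables-Dropped /var/log/kern.log | ndp_drops` to check a real host, assuming the log prefix from the post.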