[ntp:questions] IPv6 and ip6tables

Xavier Robin geckolimo at gmail.com
Tue Mar 12 15:50:20 UTC 2013

On Monday, March 11, 2013 10:13:28 PM UTC+1, Ivan Shmakov wrote:
> 	I've never seen an issue with such a setup.  The only difference
> 	is that my firewall has also a -j ACCEPT rule for --dport 123 in
> 	the FORWARD chain.  I don't know if it's related, though.

I tried to add ACCEPT rules on the FORWARD chain for port 123, and when nothing changed I switched the policy to ACCEPT. NTP server was still unreachable. Reverted back.

> 	Is there really such an all-permitting rule?

In fact it is for loopback only (-A INPUT -i lo -j ACCEPT) but for some reason -L doesn't show that.

I decided to perform some logging of the dropped packets.

> sudo ip6tables -N LOGGING
> sudo ip6tables -A LOGGING -j LOG --log-prefix "IPTables-Dropped: " --log-level 7
> sudo ip6tables -A LOGGING -j DROP
> sudo ip6tables -A INPUT -i eth0 -j LOGGING

Only a few lines popped up in my log, all of them being PROTO=ICMPv6 TYPE=135 or TYPE=136, that is neighbor advertisements and solicitations. They were not specifically printed at the same time than the NTP request. I tried to allow them nonetheless:

> sudo ip6tables -D INPUT -i eth0 -j LOGGING
> sudo ip6tables -A INPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
> sudo ip6tables -A INPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT

Now my NTP server is reachable!

I don't know if it is related with my provider's network architecture (I have a VPS server hosted by gandi.net) or if it is the common behaviour of NTP over IPv6. I should note I've already had ICMPv6-related issues in the past: I had to turn on router-solicitation and router-advertisement to get a global ipv6 address at all. What should be enabled is still a bit arcane to me.

Anyway, everything looks fine now!


More information about the questions mailing list