I'm running OpenVPN 2.4.0 on Ubuntu 17.04. This setup is working fine and is already described here: https://serverfault.com/q/887243. The issue comes when I try to load ip6tables rules through the following script. At that point, I'm not able to ping6 ipv6.google.com anymore. Also, IPv6 tests through services like http://ipv6-test.com/ and http://test-ipv6.com/ fail on all IPv6 tests, but if I flush all ip6tables rules, those tests and ping6 ipv6.google.com succeed. So I think the problem is in the following rules but don't know where.

```bash
#!/bin/bash

vpn_ipv4="10.8.0.0"
vpn_ipv6="2001:xxxx:y:abcd::1"
server_ipv4="w.x.y.z"
server_ipv6="2001:xxxx:1:zzzz::1"
server_if="enp1s0"
iptables_cmd="/sbin/ip6tables"

#echo "1" > /proc/sys/net/ipv4/ip_forward
#echo "net.ipv4.ip_forward=1" >> /etc/sysctl.conf
#sysctl -w net/ipv4/ip_forward=1
#sysctl sys.net.ipv6.conf.all.forwarding=1

# Flush all rules
ip6tables -F FORWARD
ip6tables -F INPUT
ip6tables -F OUTPUT
ip6tables -X

#Drop all packets by default
#ip6tables -P INPUT DROP

#Temporarily remove the previous drop rule
#ip6tables -D INPUT -j DROP

#Accept all packets by default
ip6tables -P INPUT ACCEPT

#Allow current active connections
ip6tables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

#Allow loopback traffic and place this rule
#as the very first rule of the INPUT chain.
ip6tables -I INPUT 1 -i lo -j ACCEPT

#FTP
ip6tables -A INPUT -p tcp --dport 21 -j ACCEPT
#SSH
ip6tables -A INPUT -p tcp --dport 22 -j ACCEPT
#SMTP
ip6tables -A INPUT -p tcp --dport 25 -j ACCEPT
#DNS
ip6tables -A INPUT -p tcp --dport 53 -j ACCEPT
ip6tables -A INPUT -p udp --dport 53 -j ACCEPT
#HTTP
ip6tables -A INPUT -p tcp --dport 80 -j ACCEPT
#IMAP
ip6tables -A INPUT -p tcp --dport 143 -j ACCEPT
#HTTPS
ip6tables -A INPUT -p tcp --dport 443 -j ACCEPT
#SMTPS
ip6tables -A INPUT -p tcp --dport 465 -j ACCEPT
#Submission
ip6tables -A INPUT -p tcp --dport 587 -j ACCEPT
#IMAPS
ip6tables -A INPUT -p tcp --dport 993 -j ACCEPT
#WEB-DAV
ip6tables -A INPUT -p tcp --dport 8443 -j ACCEPT

#OpenVPN
#Allow the udp connection on the openvpn port
ip6tables -A INPUT -i enp1s0 -m state --state NEW -p udp --dport 1194 -j ACCEPT

#Allow everything from within your VPN
#Allow TUN interface connections to OpenVPN server
ip6tables -A INPUT -i tun+ -j ACCEPT

#Allow TUN interface connections to be forwarded through other interfaces
ip6tables -A FORWARD -i tun+ -j ACCEPT
ip6tables -A FORWARD -i tun+ -o enp1s0 -m state --state RELATED,ESTABLISHED -j ACCEPT
ip6tables -A FORWARD -i enp1s0 -o tun+ -m state --state RELATED,ESTABLISHED -j ACCEPT

#NAT the VPN client traffic to the Internet. Change the ip address mask
#according to your info of tun0 result while running "ifconfig" command.
#Use MASQUERADE when we do not know the public ip address (adsl, dynamic addresses)
#ip6tables -t nat -A POSTROUTING -s 2001:xxxx:y:abcd::1/64 -o enp1s0 -j MASQUERADE
ip6tables -t nat -A POSTROUTING -s 2001:xxxx:y:abcd::/64 -o enp1s0 -j MASQUERADE
#Use SNAT when we know the public ip address (static addresses)
#ip6tables -t nat -A POSTROUTING -s $vpn_ipv6/64 -o enp1s0 -j SNAT --to-source $server_ipv6

#Only if default ip6tables OUTPUT value is not ACCEPT
#ip6tables -A OUTPUT -o tun+ -j ACCEPT

#Allow incoming ICMP PING
#https://www.iana.org/assignments/icmpv6-parameters/icmpv6-parameters.xhtml#icmpv6-parameters-codes-6
#ip6tables -p ipv6-icmp -h
ip6tables -A INPUT -p icmpv6 --icmpv6-type 128 -s 0/0 -d $server_ipv6 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

#Logging
ip6tables -I INPUT 5 -m limit --limit 5/min -j LOG --log-prefix "ip6tables denied: " --log-level 7

#Drop remaining packets. Only needed if first rule is not drop by default.
ip6tables -A INPUT -j DROP
```
In short, the following is the main OpenVPN config file:
```
local w.x.y.z
port 1194
proto udp
proto-force udp
dev tun
tun-ipv6
ifconfig-ipv6 2001:xxxx:y:abcd::1 2001:xxxx:y:abcd::2
ca /etc/openvpn/easy-rsa3/easyrsa3/pki/ca.crt
cert /etc/openvpn/easy-rsa3/easyrsa3/pki/issued/vpn.example.com.crt
key /etc/openvpn/easy-rsa3/easyrsa3/pki/private/vpn.example.com.key
dh /etc/openvpn/easy-rsa3/easyrsa3/pki/dh.pem
topology subnet
server 10.8.0.0 255.255.255.0
server-ipv6 2001:xxxx:y:abcd::/64
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1 bypass-dhcp"
;push "redirect-gateway-ipv6 def1 bypass-dhcp-ipv6"
push "dhcp-option DNS w.x.y.z"
push "dhcp-option DNS w1.x1.y1.z1"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS nameserver 2001:4860:4860::8888"
push "dhcp-option DNS nameserver 2001:4860:4860::8844"
push "dhcp-option DOMAIN-SEARCH example.com"
push "route-ipv6 2001:xxxx:y:8ade::/64"
push "route-ipv6 2000::/3"
tls-crypt /etc/openvpn/easy-rsa3/easyrsa3/ta.key
tls-cipher TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384
tls-version-min 1.2
auth SHA512
crl-verify /etc/openvpn/easy-rsa3/easyrsa3/pki/crl.pem
cipher AES-256-GCM
compress lz4
user nobody
group nogroup
;client-to-client
verify-client-cert require
remote-cert-tls client
username-as-common-name
plugin /usr/lib/openvpn/openvpn-plugin-auth-pam.so openvpn
client-connect /etc/openvpn/scripts/connect.sh
client-disconnect /etc/openvpn/scripts/disconnect.sh
management /run/openvpn/openvpn.sock unix pw-management-file
keepalive 10 120
persist-key
persist-tun
status /var/log/openvpn/status.log
log-append /var/log/openvpn/openvpn.log
verb 3
explicit-exit-notify 1
max-clients 5
```
This is the network interfaces config:
```
enp1s0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet w.x.y.z  netmask 255.255.255.0  broadcast w.x.y.255
        inet6 fe80::xxx:yyyy:zzzz:24f2  prefixlen 64  scopeid 0x20<link>
        inet6 2001:xxxx:1:zzzz::1  prefixlen 128  scopeid 0x0<global>
        ether aa:bb:cc:dd:ee:ff  txqueuelen 1000  (Ethernet)
        RX packets 68711957  bytes 17404677376 (17.4 GB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 11570407  bytes 4045695904 (4.0 GB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
        device interrupt 16  memory 0xfbce0000-fbd00000

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 7069763  bytes 5800523658 (5.8 GB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 7069763  bytes 5800523658 (5.8 GB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

tun0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST>  mtu 1500
        inet 10.8.0.1  netmask 255.255.255.0  destination 10.8.0.1
        inet6 fe80::xxxx:yyyy:zzzz:e621  prefixlen 64  scopeid 0x20<link>
        inet6 2001:xxxx:y:abcd::1  prefixlen 64  scopeid 0x0<global>
        unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  txqueuelen 100  (UNSPEC)
        RX packets 17574  bytes 2074557 (2.0 MB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 16852  bytes 7690971 (7.6 MB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
```
Those are the ipv4 iptables rules, which seem to work fine:
```bash
#!/bin/bash
# https://gist.githubusercontent.com/jirutka/3742890/raw/c9f6bdbfcf597578e562c92ea1e256a9ebcf3a2c/rules-ipv4.iptables

hwaddrs=('aa:bb:cc:dd:ee:ff' 'a1:b1:c1:d1:e1:f1')
vpn_ipv4="10.8.0.0"
server_ipv4="w.x.y.z"
server_if="enp1s0"
iptables_cmd="/sbin/iptables"

#echo "1" > /proc/sys/net/ipv4/ip_forward
#echo "net.ipv4.ip_forward=1" >> /etc/sysctl.conf
#sysctl -w net/ipv4/ip_forward=1
#sysctl sys.net.ipv6.conf.all.forwarding=1

# Flush all rules
iptables -F FORWARD
iptables -F INPUT
iptables -F OUTPUT
iptables -F SSHBRUTE
iptables -F ICMPFLOOD
iptables -X

# Drop all packets by default
#iptables -P INPUT DROP
#iptables -P OUTPUT DROP
#iptables -P FORWARD DROP

# Temporarily remove the previous drop rule
#iptables -D INPUT -j DROP

# Accept all packets by default
iptables -P INPUT ACCEPT

# Allow current active connections
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

# Drop non-conforming packets, such as malformed headers, etc.
iptables -A INPUT -m conntrack --ctstate INVALID -j DROP

# Block remote packets claiming to be from a loopback address.
iptables -A INPUT -s 127.0.0.0/8 ! -i lo -j DROP

# Drop all packets that are going to broadcast, multicast or anycast address.
iptables -A INPUT -m addrtype --dst-type BROADCAST -j DROP
iptables -A INPUT -m addrtype --dst-type MULTICAST -j DROP
iptables -A INPUT -m addrtype --dst-type ANYCAST -j DROP
iptables -A INPUT -d 224.0.0.0/4 -j DROP

# Chain for preventing SSH brute-force attacks.
# Permits 10 new connections within 5 minutes from a single host then drops
# incoming connections from that host. Beyond a burst of 100 connections we
# log at up to 1 attempt per second to prevent filling of logs.
iptables -N SSHBRUTE
iptables -A SSHBRUTE -m recent --name SSH --set
iptables -A SSHBRUTE -m recent --name SSH --update --seconds 300 --hitcount 10 -m limit --limit 1/second --limit-burst 100 -j LOG --log-prefix "iptables[SSH-brute]: "
iptables -A SSHBRUTE -m recent --name SSH --update --seconds 300 --hitcount 10 -j DROP
iptables -A SSHBRUTE -j ACCEPT

# Chain for preventing ping flooding - up to 6 pings per second from a single
# source, again with log limiting. Also prevents us from ICMP REPLY flooding
# some victim when replying to ICMP ECHO from a spoofed source.
iptables -N ICMPFLOOD
iptables -A ICMPFLOOD -m recent --set --name ICMP --rsource
iptables -A ICMPFLOOD -m recent --update --seconds 1 --hitcount 6 --name ICMP --rsource --rttl -m limit --limit 1/sec --limit-burst 1 -j LOG --log-prefix "iptables[ICMP-flood]: "
iptables -A ICMPFLOOD -m recent --update --seconds 1 --hitcount 6 --name ICMP --rsource --rttl -j DROP
iptables -A ICMPFLOOD -j ACCEPT

# Allow loopback traffic and place this rule
# as the very first rule of the INPUT chain.
iptables -I INPUT 1 -i lo -j ACCEPT
#iptables -I OUTPUT 1 -o lo -j ACCEPT

# FTP
iptables -A INPUT -p tcp --dport 21 -j ACCEPT

# SSH
for i in "${hwaddrs[@]}"
do
    iptables -A INPUT -p tcp --destination-port 22 -m mac --mac-source $i -j ACCEPT
done
#iptables -A INPUT -p tcp --dport 22 -j ACCEPT

# Accept worldwide access to SSH and use SSHBRUTE chain for preventing
# brute-force attacks.
iptables -A INPUT -p tcp --dport 22 --syn -m conntrack --ctstate NEW -j SSHBRUTE

# SMTP
iptables -A INPUT -p tcp --dport 25 -j ACCEPT
# DNS
iptables -A INPUT -p tcp --dport 53 -j ACCEPT
iptables -A INPUT -p udp --dport 53 -j ACCEPT
# HTTP
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
# IMAP
iptables -A INPUT -p tcp --dport 143 -j ACCEPT
# HTTPS
iptables -A INPUT -p tcp --dport 443 -j ACCEPT
# SMTPS
iptables -A INPUT -p tcp --dport 465 -j ACCEPT
# Submission
iptables -A INPUT -p tcp --dport 587 -j ACCEPT
# IMAPS
iptables -A INPUT -p tcp --dport 993 -j ACCEPT
# WEB-DAV
iptables -A INPUT -p tcp --dport 8443 -j ACCEPT

# OpenVPN
# Allow the udp connection on the openvpn port
iptables -A INPUT -i enp1s0 -m state --state NEW -p udp --dport 1194 -j ACCEPT

# Allow everything from within your VPN
# Allow TUN interface connections to OpenVPN server
iptables -A INPUT -i tun+ -j ACCEPT

# Allow TUN interface connections to be forwarded through other interfaces
iptables -A FORWARD -i tun+ -j ACCEPT
iptables -A FORWARD -i tun+ -o enp1s0 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i enp1s0 -o tun+ -m state --state RELATED,ESTABLISHED -j ACCEPT

# Block client-to-client routing on the VPN
iptables -A FORWARD -i tun+ -s $vpn_ipv4/24 -d $vpn_ipv4/24 -j DROP

# NAT the VPN client traffic to the Internet. Change the ip address mask
# according to your info of tun0 result while running "ifconfig" command.
# ** Use MASQUERADE when we do not know the public ip address (adsl, dynamic addresses)
# iptables -t nat -A POSTROUTING -s $vpn_ipv4/24 -o enp1s0 -j MASQUERADE
# ** Use SNAT when we know the public ip address (static addresses)
iptables -t nat -A POSTROUTING -s $vpn_ipv4/24 -o enp1s0 -j SNAT --to-source $server_ipv4

# Only if default iptables OUTPUT value is not ACCEPT
#iptables -A OUTPUT -o tun+ -j ACCEPT

# Permit useful ICMP packet types.
# Note: RFC 792 states that all hosts MUST respond to ICMP ECHO requests.
# Blocking these can make diagnosing of even simple faults much more tricky.
# Real security lies in locking down and hardening all services, not by hiding.
iptables -A INPUT -p icmp --icmp-type 0 -m conntrack --ctstate NEW -j ACCEPT
iptables -A INPUT -p icmp --icmp-type 3 -m conntrack --ctstate NEW -j ACCEPT
iptables -A INPUT -p icmp --icmp-type 8 -m conntrack --ctstate NEW -j ICMPFLOOD
iptables -A INPUT -p icmp --icmp-type 11 -m conntrack --ctstate NEW -j ACCEPT

# Allow incoming ICMP PING
# The Internet Control Message Protocol (ICMP) has many messages that are identified by
# a "type" field. You need to use 0 and 8 ICMP code types.
# => Zero (0) is for echo-reply
# => Eight (8) is for echo-request.
# Help: /sbin/iptables -p icmp -h
# https://www.iana.org/assignments/icmp-parameters/icmp-parameters.xhtml
#iptables -A INPUT -p icmp --icmp-type 8 -s 0/0 -d $server_ipv4 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
#iptables -A OUTPUT -p icmp --icmp-type 0 -s $server_ipv4 -d 0/0 -m state --state ESTABLISHED,RELATED -j ACCEPT

# Logging
iptables -I INPUT 5 -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7

# Do not log late replies from nameservers.
#iptables -A INPUT -p udp --sport 53 -j DROP

# Good practice is to explicitly reject AUTH traffic so that it fails fast.
iptables -A INPUT -p tcp --dport 113 --syn -m conntrack --ctstate NEW -j REJECT --reject-with tcp-reset

# Prevent DOS by filling log files.
iptables -A INPUT -m limit --limit 1/second --limit-burst 100 -j LOG --log-prefix "iptables[DOS]: "

# Drop remaining packets. Only needed if first rule is not drop by default.
iptables -A INPUT -j DROP
iptables -A FORWARD -j DROP
```
Answer
By now I replaced

```bash
ip6tables -t nat -A POSTROUTING -s $vpn_ipv6/64 -o enp1s0 -j SNAT --to-source $server_ipv6
```

by:

```bash
ip6tables -A INPUT -p ipv6-icmp -j ACCEPT
ip6tables -A FORWARD -p ipv6-icmp -j ACCEPT
```

But I wonder if I really need to accept all ICMPv6 types.
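The answer opens the firewall to every ICMPv6 type. As an added example (not the asker's or answerer's code), this dry-runnable sh script installs only the types RFC 4890 recommends: Neighbor Discovery, which the question's script silently drops because NDP packets are never conntracked as ESTABLISHED and so fall through to the trailing INPUT DROP; the four error messages, including Packet Too Big for path MTU discovery through the tunnel; and echo. The IP6T variable name and the availability of the hl match are assumptions.

```shell
#!/bin/sh
# Added example, not the asker's script: the ICMPv6 types RFC 4890 says a
# host/router must admit, instead of accepting every ipv6-icmp packet.
# IP6T (assumed name) is the command prefix; IP6T=echo prints instead of applying.
IP6T="${IP6T:-ip6tables}"

# Neighbor Discovery (RS/RA/NS/NA/Redirect, types 133-137). These are never
# conntracked as ESTABLISHED, so in the question's script they fall through to
# the final INPUT DROP and the server loses its IPv6 gateway. Genuine NDP is
# always sent with hop limit 255; anything else was routed, so reject it.
ndp_rules() {
    for t in 133 134 135 136 137; do
        $IP6T -A INPUT -p ipv6-icmp --icmpv6-type "$t" -m hl --hl-eq 255 -j ACCEPT
    done
}

# Error messages (1-4). Packet Too Big (2) is what makes path MTU discovery
# work for the VPN clients, so it must also be forwarded to tun+.
error_rules() {
    for t in 1 2 3 4; do
        $IP6T -A INPUT   -p ipv6-icmp --icmpv6-type "$t" -j ACCEPT
        $IP6T -A FORWARD -p ipv6-icmp --icmpv6-type "$t" -j ACCEPT
    done
}

# Echo request/reply (128/129): rate-limit requests aimed at the host itself,
# pass them unchanged for the forwarded VPN traffic.
echo_rules() {
    $IP6T -A INPUT   -p ipv6-icmp --icmpv6-type 128 -m limit --limit 10/second -j ACCEPT
    $IP6T -A INPUT   -p ipv6-icmp --icmpv6-type 129 -j ACCEPT
    $IP6T -A FORWARD -p ipv6-icmp --icmpv6-type 128 -j ACCEPT
    $IP6T -A FORWARD -p ipv6-icmp --icmpv6-type 129 -j ACCEPT
}

# Install the whole allow-list; call it before the trailing "-A INPUT -j DROP".
icmpv6_allowlist() {
    ndp_rules
    error_rules
    echo_rules
}

# Dry-run helper: number of per-type rules the allow-list would install.
count_rules() {
    (IP6T=echo; icmpv6_allowlist) | grep -c 'icmpv6-type'
}

# "sh script.sh apply" installs the rules (as root); add IP6T=echo to preview.
if [ "${1:-}" = "apply" ]; then
    icmpv6_allowlist
fi
```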
Attribution
Source: Link, Question Author: peris, Answer Author: peris