IP6tables blocks INPUT? can't connect with youtube API

Posted by klaas on Server Fault See other posts from Server Fault or by klaas
Published on 2012-08-31T08:09:35Z Indexed on 2012/08/31 9:40 UTC
Read the original article Hit count: 577

Filed under:

iptables

|

IPv6

I thought to have a simple ipv6 firewall, but it turned out to be hell. Somehow I really can't connect with any ipv6 from my machine unless I set INPUT Policy to ACCEPT. Below my current ip6tables

ip6tables -L

Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all      anywhere             anywhere           state RELATED,ESTABLISHED
ACCEPT     ipv6-icmp    anywhere             anywhere
ACCEPT     tcp      anywhere             anywhere           tcp dpt:http
ACCEPT     tcp      anywhere             anywhere           tcp dpt:https

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

If I try to connect with any ipv6 adres it doesn't work?

telnet gdata.youtube.com 80
Trying 2a00:1450:4013:c00::76...

OR

telnet gdata.youtube.com 443
Trying 2a00:1450:4013:c00::76...

When I set:

ip6tables -P INPUT ACCEPT

It works.. but then.. well then everything is open? what is going on? Help?

© Server Fault or respective owner

Related posts about iptables

Sometimes this script fails to update the iptables

as seen on Server Fault - Search for 'Server Fault'
It does not happen often, but sometimes after running the below script, checking the iptables with service iptables status shows that they weren't updated and the script doesn't output any error. The iptables is structured as look-up tree (long repeated sections snipped): #!/bin/sh iptables -t… >>> More
My current iptable configuration doesn't work [on hold]

as seen on Server Fault - Search for 'Server Fault'
sudo chkconfig iptables off /etc/init.d/iptables on ### Clear/flush iptables sudo iptables -F sudo iptables -P INPUT ACCEPT sudo iptables -P OUTPUT ACCEPT sudo iptables -P FORWARD ACCEPT ### Allow SSH iptables -A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT iptables… >>> More
L2TP iptables port forward

as seen on Server Fault - Search for 'Server Fault'
Hi all, I'm setting up port forwarding for an L2TP VPN connection to the local Windows 2003 VPN server. The router is a simpel Debian machine with iptables. The VPN server works perfect. But I cannot log in from the WAN. I'm missing something. The VPN server is using a pre-shared key (L2TP) and… >>> More
iptables -P FORWARD DROP makes port forwarding slow

as seen on Server Fault - Search for 'Server Fault'
I have three computers, linked like this: box1 (ubuntu) box2 router & gateway (debian) box3 (opensuse) [10.0.1.1] ---- [10.0.1.18,10.0.2.18,10.0.3.18] ---- [10.0.3.15] | box4, www [10.0.2.1] Among other… >>> More
IPtables AWS EC2 NAT/Reverse NAT - For Reverse Proxy style setup but with IPtables

as seen on Server Fault - Search for 'Server Fault'
I was thinking initially needing to do a reverse proxy or something so I could get some SSL/TLS traffic look like it is being terminated at a server and IP address in the AWS cloud, and then that traffic is forwarded onto our actual web servers that aren't in the cloud... I've not done much iptables… >>> More

Related posts about IPv6

IPV6 auto configuration not working

as seen on Ask Ubuntu - Search for 'Ask Ubuntu'
In Windows 7, my computer can automatically get a IPV6 global address and use IPV6 network, but in Ubuntu Natty, I can't find out how to let stateless configuration work. My network is a university campus network,so I don't need tunnels. I think if one thing can silently and successfully be accomplished… >>> More
Fritz!Box IPv6-Address different than IPv6-Prefix

as seen on Server Fault - Search for 'Server Fault'
In my Fritzbox it states the following: IPv6-Adresse: 2a02:8070:600::14b6:c7******, Gültigkeit: 100465/86065s IPv6-Präfix: 2a02:8070:62c:3200::/56, Gültigkeit: 100464/86064s I am not able to connect to IPv6 Addresses from computers configured by the fritzbox, because they get an address with prefix… >>> More
Static IPv6 address advertising and IPv6 autoconfig in Debian/Ubuntu

as seen on Server Fault - Search for 'Server Fault'
I have a network that advertises IPv6 addresses through IPv6 autoconfig. To allow DNS lookups and to have fancy IP addresses, we setup "static" IPv6 addresses through /etc/network/interfaces: auto eth0 iface eth0 inet dhcp iface eth0 inet6 static address a:b:c:d:e::f netmask 64 Whenever… >>> More
HTG Explains: Are You Using IPv6 Yet? Should You Even Care?

as seen on How to geek - Search for 'How to geek'
IPv6 is extremely important for the long-term health of the Internet. But is your Internet service provider providing IPv6 connectivity yet? Does your home network support it? Should you even care if you’re using IPv6 yet? Switching from IPv4 to IPv6 will give the Internet a much larger pool… >>> More
Debian, 6rd tunnel, and connection troubles

as seen on Server Fault - Search for 'Server Fault'
Long story short I am having issues with IPv6 using a 6rd tunnel with my ISP, charter business. They offer a 6rd tunnel that I think I have properly set up, but the server doesn’t reply to every ipv6 request. When the server has the network interfaces idle with no traffic for about 10 minutes, then… >>> More