Issue Plesk disables incoming and outgoing IPv6 after a while

Attackwave

New Pleskian
Hi,

I have a strange problem with IPv6. Two IPv4 and two IPv6 addresses are active on my server. Access via IPv4 works without any problems. IPv6 works once and after a short time incoming and outgoing traffic is blocked. If the firewall is deactivated and reactivated, the game starts all over again (about 10min).

Do you have a clue where I can look for the problem?

Greets
Attackwave

Ubuntu 20.04
Plesk Obsidian 18.0.34
fail2ban
 
It seems it happens every 30min. Maybe a router advertisement problem?

In my netplan config, dhcp6 and accept-ra is set to false.

Code:
net.ipv6.conf.default.accept_ra=0
net.ipv6.conf.default.autoconf=0
net.ipv6.conf.all.accept_ra=0
net.ipv6.conf.all.autoconf=0
net.ipv6.conf.enp5s0f0.accept_ra=0
net.ipv6.conf.enp5s0f0.autoconf=0
net.ipv6.conf.all.disable_ipv6=0
net.ipv6.conf.default.disable_ipv6=0
net.ipv6.conf.all.forwarding=1
net.ipv6.conf.enp5s0f1.disable_ipv6=1


Code:
network:
  version: 2
  renderer: networkd
  ethernets:
    lo:
      routes:
        - to: "xxxx:xxxx:xxxx:xxxx::/56"
          scope: link
    enp5s0f0:
      dhcp4: false
      dhcp6: false
      accept-ra: false
      addresses:
        - xx.xxx.xxx.xxx/32
        - xx.xxx.xx.xxx/32
        - "xxxx:xxx:xxxx:xxxx:xx:xxxx:xxx:xxx/128"
        - "xxxx:xxx:xxxx:xxxx:xx:xxxx:xxx:xxx/128"

      nameservers:
        addresses:
...
 
Plesk firewall (iptables)

fail2ban already checked: only two IPv4 addresses blocked.

Edit: fail2ban deactivated...same behavior
 
O.k., great. Next step in the search is to look into
# iptables --list
and to identify the line where the IPv6 address is being blocked by iptables. Is it blocked inside a Plesk chain? Or in another spot?
 
ok...the 30min counter is not correct. The latest test with firewall off/on until IPv6 is blocked:
1. ~10s
2. ~3min
3. ~15s

Code:
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all      anywhere             anywhere             state RELATED,ESTABLISHED
REJECT     tcp      anywhere             anywhere             tcp flags:!FIN,SYN,RST,ACK/SYN state NEW reject-with tcp-reset
DROP       all      anywhere             anywhere             state INVALID
ACCEPT     all      anywhere             anywhere
ACCEPT     udp      anywhere             anywhere             udp dpt:19132
ACCEPT     udp      anywhere             anywhere             udp dpt:19133
ACCEPT     tcp      anywhere             anywhere             tcp dpt:40010
ACCEPT     tcp      anywhere             anywhere             tcp dpt:8447
ACCEPT     tcp      anywhere             anywhere             tcp dpt:40022
ACCEPT     tcp      anywhere             anywhere             tcp dpt:8443
ACCEPT     tcp      anywhere             anywhere             tcp dpt:8880
ACCEPT     tcp      anywhere             anywhere             tcp dpt:http
ACCEPT     tcp      anywhere             anywhere             tcp dpt:https
DROP       tcp      anywhere             anywhere             tcp dpt:ftp
DROP       tcp      anywhere             anywhere             tcp dpt:ssh
DROP       tcp      anywhere             anywhere             tcp dpt:smtp
DROP       tcp      anywhere             anywhere             tcp dpt:submissions
DROP       tcp      anywhere             anywhere             tcp dpt:pop3
DROP       tcp      anywhere             anywhere             tcp dpt:pop3s
DROP       tcp      anywhere             anywhere             tcp dpt:imap2
DROP       tcp      anywhere             anywhere             tcp dpt:imaps
DROP       tcp      anywhere             anywhere             tcp dpt:poppassd
DROP       tcp      anywhere             anywhere             tcp dpt:mysql
DROP       tcp      anywhere             anywhere             tcp dpt:postgresql
DROP       udp      anywhere             anywhere             udp dpt:netbios-ns
DROP       udp      anywhere             anywhere             udp dpt:netbios-dgm
DROP       tcp      anywhere             anywhere             tcp dpt:netbios-ssn
DROP       tcp      anywhere             anywhere             tcp dpt:microsoft-ds
DROP       udp      anywhere             anywhere             udp dpt:openvpn
DROP       udp      anywhere             anywhere             udp dpt:domain
DROP       tcp      anywhere             anywhere             tcp dpt:domain
DROP       all      anywhere             anywhere

Chain FORWARD (policy DROP)
target     prot opt source               destination
ACCEPT     all      anywhere             anywhere             state RELATED,ESTABLISHED
REJECT     tcp      anywhere             anywhere             tcp flags:!FIN,SYN,RST,ACK/SYN state NEW reject-with tcp-reset
DROP       all      anywhere             anywhere             state INVALID
ACCEPT     all      anywhere             anywhere
DROP       all      anywhere             anywhere

Chain OUTPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all      anywhere             anywhere             state RELATED,ESTABLISHED
REJECT     tcp      anywhere             anywhere             tcp flags:!FIN,SYN,RST,ACK/SYN state NEW reject-with tcp-reset
DROP       all      anywhere             anywhere             state INVALID
ACCEPT     all      anywhere             anywhere
ACCEPT     all      anywhere             anywhere
 
Now you know that iptables is not blocking anything. If the IPv6 address is not listed in Plesk, Plesk is not blocking it in any other way either. So this is not a Plesk issue.

How did you find out that your server is blocking the IPv6 connection, e.g. what is your test scenario? Could it be something else outside your machine that is wrong?

Please also check the last post in this thread, maybe this is a similar situation with your server:
 
My test scenario:

1. disable firewall / enable firewall
2. Server console simple ping check: while true; do date; ping -6 -c 1 www.google.de; sleep 10; done;
3. External client PC, simple WebBrowser check: https://[IPv6]

If ping says host unreachable (internal2external), I can't call my IPv6 via browser (external2internal).

I've checked this thread already, but my routes are still OK. Before and after blocking.
 
It does not make sense to me. How do you know that the routes are good if a ping does not work?
How can disabling the ip6tables affect the interface when - according to the screenshot you have presented - the IPv6 address is not being blocked by it anyway? Are "firewall" and "ip6tables" the same thing for you or is "firewall" something different? Do you have any real "firewall" rules set-up?
 
I checked the routes via "ip -6 route". The routes are all OK before and after blocking.

In another server scenario I had the problem that was stated in the thread posted above. The default route eventually disappeared. At the time, that was due to the router advertisement.

No..no "real" firewall rules. It's a fresh Ubuntu 20.04 with Obsidian (one click install) via my provider Strato.
I play around with the shipped Plesk Firewall UI and wanted to check whether the most common firewall rules can be defined via the interface. But it doesn't seem to be like that.

I'm missing ICMPv6 features to be set. I'll reinstall the Plesk firewall and test again.
 
@Attackwave One other thing that is NOT included (by default) with a one click install IONOS Plesk / Ubuntu Combination Cloud Server, are these lines:
Code:
# Enable IPv6 addresses support on Plesk Server
net.ipv6.conf.all.disable_ipv6=0
net.ipv6.conf.default.disable_ipv6=0

Which will follow the existing line 60 within this file: /etc/sysctl.conf - Yes - you really do, actually have to add them in yourself!
You're not using IONOS anyway, you're using Strato and the two default packages are different, but it's a quick check & it's then easy to test too
 
My "addon" IPv6 settings are:
Code:
/etc/sysctl.d/10-ipv6-privacy.conf <= default config

net.ipv6.conf.default.accept_ra=0
net.ipv6.conf.default.autoconf=0
net.ipv6.conf.all.accept_ra=0
net.ipv6.conf.all.autoconf=0
net.ipv6.conf.enp5s0f0.accept_ra=0
net.ipv6.conf.enp5s0f0.autoconf=0

/etc/sysctl.d/11-ipv6.conf <= my addon
net.ipv6.conf.all.disable_ipv6=0
net.ipv6.conf.default.disable_ipv6=0
net.ipv6.conf.all.forwarding=1
net.ipv6.conf.enp5s0f1.disable_ipv6=1
 
I ended up disabling psa-firewall and fail2ban and enabling my pre-production iptables settings. IPv6 works flawlessly.

There is a misconfiguration with psa-firewall and the iptables script that is generated.
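
An offline check related to the ICMPv6 point raised in the thread, as an added example that is not part of any post and not Plesk's own code: it walks an `ip6tables -S` rule dump and reports whether neighbour solicitation and advertisement (ICMPv6 types 135 and 136) are accepted before the catch-all DROP. The sample ruleset is constructed from the listing above, assuming its bare `ACCEPT all` row is a loopback-only rule; state-match rules, jumps to other chains and `-s`/`-d` restrictions are not evaluated.

```python
import re
# ICMPv6 messages used for IPv6 address resolution (RFC 4861).
ND_TYPES = {135: "neighbour-solicitation", 136: "neighbour-advertisement"}

# Constructed sample in `ip6tables -S` format, modelled on the listing in the
# thread. Assumption: the bare "ACCEPT all" row there is the loopback rule.
SAMPLE_RULES = """\
-P INPUT DROP
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8443 -j ACCEPT
-A INPUT -j DROP
"""
# Same ruleset with explicit accepts placed before the catch-all DROP.
ND_ACCEPTS = "".join(f"-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type {t} -j ACCEPT\n" for t in ND_TYPES)
FIXED_RULES = SAMPLE_RULES.replace("-A INPUT -j DROP\n", ND_ACCEPTS + "-A INPUT -j DROP\n")

def rule_matches(rule, icmp_type, iface):
    """Static match of one -A rule against an ICMPv6 packet arriving on iface."""
    if re.search(r"\s-m (state|conntrack)\b", rule):
        return False  # simplification: conntrack state is unknown offline
    m = re.search(r"(! )?-i (\S+)", rule)
    if m and (m.group(2) == iface) == bool(m.group(1)):
        return False  # interface restriction excludes this packet
    m = re.search(r"\s-p (\S+)", rule)
    if m and m.group(1) not in ("ipv6-icmp", "icmpv6", "58", "all"):
        return False  # rule is for another protocol
    m = re.search(r"--icmpv6-type (\S+)", rule)
    if m:  # ip6tables prints the type as a number, optionally "type/code"
        return m.group(1).split("/")[0] in (str(icmp_type), ND_TYPES[icmp_type])
    return True  # -s/-d restrictions are not evaluated

def nd_verdicts(rules_text, chain="INPUT", iface="enp5s0f0"):
    """Return {message name: verdict} from the first terminating rule that matches."""
    lines = [line.split() for line in rules_text.splitlines()]
    policy = next((p[2] for p in lines if p[:2] == ["-P", chain]), "ACCEPT")
    rules = [" ".join(p) for p in lines if p[:2] == ["-A", chain]]
    verdicts = {}
    for icmp_type, name in ND_TYPES.items():
        verdicts[name] = policy  # chain policy applies when no rule decides
        for rule in rules:
            target = re.search(r"-j (ACCEPT|DROP|REJECT)\b", rule)
            if target and rule_matches(rule, icmp_type, iface):
                verdicts[name] = target.group(1)
                break
    return verdicts

if __name__ == "__main__":
    print("sample:", nd_verdicts(SAMPLE_RULES), "fixed:", nd_verdicts(FIXED_RULES))
```

To check a live host, pass the text of `ip6tables -S` to `nd_verdicts` with the interface name from the netplan config.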
 