Okay, maybe this is a Kernel or Virtuozzo problem, or something like this, because this is running on a vServer - but maybe someone has an idea? These are the ip6tables rules generated by the Plesk Firewall module on my CentOS 6.4 vServer:
Code:
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all anywhere anywhere state RELATED,ESTABLISHED
REJECT tcp anywhere anywhere tcp flags:!FIN,SYN,RST,ACK/SYN state NEW reject-with tcp-reset
DROP all anywhere anywhere state INVALID
ACCEPT all anywhere anywhere
ACCEPT tcp 2001:4dd0:XXXX::/48 anywhere tcp dpt:12443
DROP tcp anywhere anywhere tcp dpt:12443
ACCEPT tcp 2001:4dd0:XXXX::/48 anywhere tcp dpt:11443
ACCEPT tcp 2001:4dd0:XXXX::/48 anywhere tcp dpt:11444
DROP tcp anywhere anywhere tcp dpt:11443
DROP tcp anywhere anywhere tcp dpt:11444
ACCEPT tcp 2001:4dd0:XXXX::/48 anywhere tcp dpt:8447
DROP tcp anywhere anywhere tcp dpt:8447
ACCEPT tcp 2001:4dd0:XXXX::/48 anywhere tcp dpt:pcsync-https
ACCEPT tcp 2001:4dd0:XXXX::/48 anywhere tcp dpt:cddbp-alt
DROP tcp anywhere anywhere tcp dpt:pcsync-https
DROP tcp anywhere anywhere tcp dpt:cddbp-alt
ACCEPT tcp anywhere anywhere tcp dpt:http
ACCEPT tcp anywhere anywhere tcp dpt:https
ACCEPT tcp anywhere anywhere tcp dpt:ftp
ACCEPT tcp 2001:4dd0:XXXX::/48 anywhere tcp dpt:ssh
DROP tcp anywhere anywhere tcp dpt:ssh
ACCEPT tcp anywhere anywhere tcp dpt:submission
ACCEPT tcp anywhere anywhere tcp dpt:smtp
ACCEPT tcp anywhere anywhere tcp dpt:urd
ACCEPT tcp anywhere anywhere tcp dpt:pop3
ACCEPT tcp anywhere anywhere tcp dpt:pop3s
ACCEPT tcp anywhere anywhere tcp dpt:imap
ACCEPT tcp anywhere anywhere tcp dpt:imaps
ACCEPT tcp 2001:4dd0:XXXX::/48 anywhere tcp dpt:poppassd
DROP tcp anywhere anywhere tcp dpt:poppassd
DROP tcp anywhere anywhere tcp dpt:mysql
DROP tcp anywhere anywhere tcp dpt:postgres
DROP tcp anywhere anywhere tcp dpt:ogs-server
DROP tcp anywhere anywhere tcp dpt:glrpc
DROP udp anywhere anywhere udp dpt:netbios-ns
DROP udp anywhere anywhere udp dpt:netbios-dgm
DROP tcp anywhere anywhere tcp dpt:netbios-ssn
DROP tcp anywhere anywhere tcp dpt:microsoft-ds
ACCEPT udp 2001:4dd0:XXXX::/48 anywhere udp dpt:openvpn
DROP udp anywhere anywhere udp dpt:openvpn
ACCEPT udp anywhere anywhere udp dpt:domain
ACCEPT tcp anywhere anywhere tcp dpt:domain
ACCEPT ipv6-icmp anywhere anywhere ipv6-icmp type 134 code 0
ACCEPT ipv6-icmp anywhere anywhere ipv6-icmp type 135 code 0
ACCEPT ipv6-icmp anywhere anywhere ipv6-icmp type 136 code 0
ACCEPT ipv6-icmp anywhere anywhere ipv6-icmp type 137 code 0
ACCEPT ipv6-icmp anywhere anywhere ipv6-icmp type 128 code 0
ACCEPT ipv6-icmp anywhere anywhere ipv6-icmp type 129 code 0
DROP all anywhere anywhere
Chain FORWARD (policy DROP)
target prot opt source destination
ACCEPT all anywhere anywhere state RELATED,ESTABLISHED
REJECT tcp anywhere anywhere tcp flags:!FIN,SYN,RST,ACK/SYN state NEW reject-with tcp-reset
DROP all anywhere anywhere state INVALID
ACCEPT all anywhere anywhere
DROP all anywhere anywhere
Chain OUTPUT (policy DROP)
target prot opt source destination
ACCEPT all anywhere anywhere state RELATED,ESTABLISHED
REJECT tcp anywhere anywhere tcp flags:!FIN,SYN,RST,ACK/SYN state NEW reject-with tcp-reset
DROP all anywhere anywhere state INVALID
ACCEPT all anywhere anywhere
ACCEPT all anywhere anywhere
And the problem is for once, this:
Code:
# ping6 blog.fefe.de
PING blog.fefe.de(2001:4d88:ffff:ffff:d0:b723:863f:2) 56 data bytes
ping: sendmsg: Operation not permitted
ping: sendmsg: Operation not permitted
ping: sendmsg: Operation not permitted
And for an outgoing IPv6 HTTP connection, for example:
Code:
# wget blog.fefe.de
--2013-06-21 14:20:22-- http://blog.fefe.de/
Resolving blog.fefe.de... 2001:4d88:ffff:ffff:d0:b723:863f:2, 31.15.64.162
Connecting to blog.fefe.de|2001:4d88:ffff:ffff:d0:b723:863f:2|:80...
The connection just hangs there, and will time out eventually. Like the ACKs are not coming through, or something like that. IPv4 is working fine, and if I purge all ip6tables rules and set INPUT and OUTPUT to ACCEPT, it's working as well. What could this be?
Thanks and Regards,
BoMbY