F25 server: firewalld: IPv6 default FWDO_FedoraServer FORWARD rule

asked 2017-04-29 23:28:18 -0500

dimitrisk

updated 2017-04-30 02:14:48 -0500

Hello,

I'm using a F25 Server installation as an OpenVPN server on a hosting provider that provides routable IPv6 /64 blocks. The intention is to provide dual-stack connectivity for cafe-laptop-warrior type use cases.

I run two instances of OpenVPN, one accessible over UDP4, the other over TCP4, both on the public eth0 interface of the VPS.

eth0 is in the FedoraWorkstation zone. The OpenVPN tun0 and tun1 interfaces are not assigned to any zone.

The only IPv6 traffic I can get through the VPN server/firewall is ICMP6; anything else gets an ICMP "admin prohibited" response. I think this is because of a difference in the treatment of the FORWARD chain by firewalld.

Comparing the output of iptables -S and ip6tables -S:

diff -u /tmp/ip{4,6}tables
--- /tmp/ip4tables  2017-04-29 21:05:24.101556701 -0700
+++ /tmp/ip6tables  2017-04-29 21:05:31.795556701 -0700
@@ -28,7 +28,7 @@
 -A INPUT -j INPUT_ZONES_SOURCE
 -A INPUT -j INPUT_ZONES
 -A INPUT -m conntrack --ctstate INVALID -j DROP
--A INPUT -j REJECT --reject-with icmp-host-prohibited
+-A INPUT -j REJECT --reject-with icmp6-adm-prohibited
 -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
 -A FORWARD -i lo -j ACCEPT
 -A FORWARD -j FORWARD_direct
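Review bot: the one change in this hunk, `icmp-host-prohibited` becoming `icmp6-adm-prohibited` on the INPUT chain's final REJECT, is just the IPv6 equivalent of the IPv4 reject type and is not what blocks the VPN traffic; INPUT only sees packets addressed to the server itself, whereas the "admin prohibited" answer that VPN clients get for forwarded packets comes from the matching REJECT at the end of the FORWARD chain in the next hunk.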
@@ -37,7 +37,7 @@
 -A FORWARD -j FORWARD_OUT_ZONES_SOURCE
 -A FORWARD -j FORWARD_OUT_ZONES
 -A FORWARD -m conntrack --ctstate INVALID -j DROP
--A FORWARD -j REJECT --reject-with icmp-host-prohibited
+-A FORWARD -j REJECT --reject-with icmp6-adm-prohibited
 -A OUTPUT -j OUTPUT_direct
 -A FORWARD_IN_ZONES -i eth0 -g FWDI_FedoraServer
 -A FORWARD_IN_ZONES -g FWDI_FedoraServer
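Review bot: the FORWARD chain's final `-A FORWARD -j REJECT --reject-with icmp6-adm-prohibited` is what produces the "admin prohibited" response described in the question, so a new IPv6 forward has to be accepted before that line, either in FORWARD_direct (where a `--direct` rule on FORWARD at priority 0, like the workaround at the end of the question, is inserted) or in the zone chains reached through FORWARD_OUT_ZONES. The unchanged context `-A FORWARD_IN_ZONES -i eth0 -g FWDI_FedoraServer` also shows eth0 bound to the FedoraServer zone in both tables, not the FedoraWorkstation zone named in the question; worth confirming with `firewall-cmd --get-zone-of-interface=eth0` before adding zone-specific rules.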
@@ -46,17 +46,17 @@
 -A FWDI_FedoraServer -j FWDI_FedoraServer_log
 -A FWDI_FedoraServer -j FWDI_FedoraServer_deny
 -A FWDI_FedoraServer -j FWDI_FedoraServer_allow
--A FWDI_FedoraServer -p icmp -j ACCEPT
+-A FWDI_FedoraServer -p ipv6-icmp -j ACCEPT
 -A FWDO_FedoraServer -j FWDO_FedoraServer_log
 -A FWDO_FedoraServer -j FWDO_FedoraServer_deny
 -A FWDO_FedoraServer -j FWDO_FedoraServer_allow
--A FWDO_FedoraServer_allow -m conntrack --ctstate NEW -j ACCEPT
 -A INPUT_ZONES -i eth0 -g IN_FedoraServer
 -A INPUT_ZONES -g IN_FedoraServer
 -A IN_FedoraServer -j IN_FedoraServer_log
 -A IN_FedoraServer -j IN_FedoraServer_deny
 -A IN_FedoraServer -j IN_FedoraServer_allow
--A IN_FedoraServer -p icmp -j ACCEPT
+-A IN_FedoraServer -p ipv6-icmp -j ACCEPT
 -A IN_FedoraServer_allow -p tcp -m tcp --dport 2112 -m conntrack --ctstate NEW -j ACCEPT
+-A IN_FedoraServer_allow -d fe80::/64 -p udp -m udp --dport 546 -m conntrack --ctstate NEW -j ACCEPT
 -A IN_FedoraServer_allow -p udp -m udp --dport 1194 -m conntrack --ctstate NEW -j ACCEPT
 -A IN_FedoraServer_allow -p tcp -m tcp --dport 443 -m conntrack --ctstate NEW -j ACCEPT
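Review bot: the removed line `-A FWDO_FedoraServer_allow -m conntrack --ctstate NEW -j ACCEPT` is the only rule in the IPv4 listing that accepts NEW forwarded flows and nothing on the ip6tables side replaces it, so a new IPv6 flow leaving via eth0 walks FWDO_FedoraServer_log, _deny and _allow without a match and falls through to the FORWARD chain's REJECT; that confirms the diagnosis given below the diff. In firewalld this forward-allow rule is generated by the zone's masquerade setting, which firewalld applies to IPv4 only, so IPv6 forwarding has to be permitted separately (for instance with the direct rule given as a workaround). The remaining differences, `-p ipv6-icmp` in place of `-p icmp` and the added `-d fe80::/64 -p udp ... --dport 546` line for the zone's dhcpv6-client service, are the expected IPv6 counterparts and are unrelated to the problem.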

I think the problem is this rule that's present in the IPv4 rules but missing in IPv6:

--A FWDO_FedoraServer_allow -m conntrack --ctstate NEW -j ACCEPT

Any idea how to configure this for IPv6? It's not a port forward, so I'm a bit lost on how to do this.

Thanks!

Edit: This is a workaround:

firewall-cmd --permanent --direct --add-rule ipv6 filter FORWARD 0 -o eth0 -m conntrack --ctstate NEW -j ACCEPT

followed by

firewall-cmd --reload

But this seems like a bug so I've opened one.

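As an added example, not part of the original question: a POSIX shell script that automates the comparison done by hand above, reporting every firewalld zone whose FWDO_<zone>_allow chain accepts NEW forwarded traffic in iptables but not in ip6tables. The sample listings are constructed from the rules in the question; the zone name `public` in them is a made-up second zone that is configured correctly in both tables.

```shell
#!/bin/sh
# Added example (not from the original post): compare `iptables -S` with
# `ip6tables -S` and report zones whose FWDO_<zone>_allow chain accepts NEW
# forwarded flows for IPv4 only.  Without that rule, new IPv6 forwards fall
# through to FORWARD's final REJECT (icmp6-adm-prohibited).

# Print the zone names that have the "NEW -> ACCEPT" rule in FWDO_<zone>_allow.
# $1: full text of an iptables/ip6tables -S listing
zones_with_forward_allow() {
    printf '%s\n' "$1" \
      | sed -n 's/^-A FWDO_\([A-Za-z0-9_]*\)_allow -m conntrack --ctstate NEW -j ACCEPT$/\1/p' \
      | sort -u
}

# Print zones that have the rule in the IPv4 listing ($1) but not the IPv6 one ($2).
forward_allow_missing_v6() {
    v4=$(zones_with_forward_allow "$1")
    v6=$(zones_with_forward_allow "$2")
    for z in $v4; do
        if ! printf '%s\n' "$v6" | grep -qxF -- "$z"; then
            printf '%s\n' "$z"
        fi
    done
}

# Constructed sample listings, abridged from the question; "public" is a
# made-up second zone that is configured correctly in both tables.
SAMPLE_V4='-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A FWDO_FedoraServer -j FWDO_FedoraServer_allow
-A FWDO_FedoraServer_allow -m conntrack --ctstate NEW -j ACCEPT
-A FWDO_public_allow -m conntrack --ctstate NEW -j ACCEPT'
SAMPLE_V6='-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp6-adm-prohibited
-A FWDO_FedoraServer -j FWDO_FedoraServer_allow
-A FWDO_public_allow -m conntrack --ctstate NEW -j ACCEPT'

# With --live, compare the running tables (needs root); otherwise use the samples.
if [ "${1-}" = "--live" ]; then
    forward_allow_missing_v6 "$(iptables -S)" "$(ip6tables -S)"
else
    forward_allow_missing_v6 "$SAMPLE_V4" "$SAMPLE_V6"   # prints: FedoraServer
fi
```

The `--direct` workaround's `-o eth0` rule accepts any new forwarded flow leaving eth0 whatever interface it arrived on; adding `-i tun+` to the same rule restricts it to flows coming in from the OpenVPN tunnels.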