pve-firewall does not work for IPv6

May 31, 2015
Hi,

I've tried the Proxmox pve-firewall over the last few days and I have some (actually only two) problems with IPv6.

My system:
  • Debian 8 with kernel 4.2.6-1-pve
  • pve-firewall 2.0-14
  • one LXC
  • one IPv4 address for the host
  • NAT-IPv4 subnet with routing by ports for accessing the LXC via IPv4
  • one IPv6 /64 network, so the LXC gets its own IPv6 address
Firewall options:
  • enabled everywhere (Datacenter, Host, Container, network interfaces and wherever I found an option to enable it)
  • Default Input: DROP
  • Default Output: ACCEPT
  • NeighborDiscovery allowed on data center level
  • incoming port 22 and 8006 on the host allowed
  • incoming port 80 and 443 allowed on a (test-) container
The problem(s):
  • incoming IPv6 does not work (is blocked?) for the container on all ports
  • outgoing IPv4 does not work (is blocked?) for the container on all ports
If I disable the firewall at datacenter level everything works fine.

Here are some of my configurations:

/etc/network/interfaces on the host:
Code:
auto lo
iface lo inet loopback
iface lo inet6 loopback

auto eth0
iface eth0 inet static
    address  IPv4
    netmask  IPv4-netmask
    gateway  IPv4-gateway
    pointopoint IPv4-gateway

iface eth0 inet6 static
    address  First-IPv6
    netmask  64
    gateway  IPv6-gateway
    up sysctl -p

auto vmbr0
iface vmbr0 inet static
    address 172.27.13.1
    netmask 255.255.255.0
    bridge_ports none
    bridge_stp off
    bridge_fd 0

iface vmbr0 inet6 static
    address  Second-IPv6
    netmask  64
    bridge_ports none
    bridge_stp off
    bridge_fd 0
    up route -6 add THIRD-IPv6 dev vmbr0 # for each VM IPv6

These are my NAT-rules:
Code:
iptables -t nat -A PREROUTING -i eth0 -p tcp -m multiport --dports 80,443 -j DNAT --to 172.27.13.23

iptables -t nat -A POSTROUTING -s 172.27.13.0/24 -o eth0 -j MASQUERADE

Of course IPv4 forwarding is enabled.

The network configuration of the container with 172.27.13.23:
Code:
auto lo
iface lo inet loopback

auto eth0
iface eth0 inet static
    address 172.27.13.23
    netmask 255.255.255.255
    post-up ip route add 172.27.13.1 dev eth0
    post-up ip route add default via 172.27.13.1
    pre-down ip route del default via 172.27.13.1
    pre-down ip route del 172.27.13.1 dev eth0

iface eth0 inet6 static
    address THIRD-IPv6
    netmask 64
    gateway SECOND-IPv6

Any idea how to fix this? The log just says "IPV6 logging not implemented"...

Thanks very much!

//EDIT: I just saw that outgoing IPv4 is not a problem with the firewall, since it does not work with the firewall disabled either.
More details about your settings would be helpful. Post the results of the following (when the settings are active):

Code:
grep "" /etc/pve/firewall/*
iptables-save
Code:
grep "" /etc/pve/firewall/*

/etc/pve/firewall/123.fw:
/etc/pve/firewall/123.fw:log_level_in: info
/etc/pve/firewall/123.fw:enable: 1
/etc/pve/firewall/123.fw:macfilter: 0
/etc/pve/firewall/123.fw:log_level_out: info
/etc/pve/firewall/123.fw:
/etc/pve/firewall/123.fw:[RULES]
/etc/pve/firewall/123.fw:
/etc/pve/firewall/123.fw:IN ACCEPT -p tcp -dport 36122 # SSH
/etc/pve/firewall/123.fw:IN ACCEPT -p tcp -dport 80,443 # HTTP(S)
/etc/pve/firewall/123.fw:
/etc/pve/firewall/cluster.fw:[OPTIONS]
/etc/pve/firewall/cluster.fw:
/etc/pve/firewall/cluster.fw:policy_in: DROP
/etc/pve/firewall/cluster.fw:enable: 1
/etc/pve/firewall/cluster.fw:
/etc/pve/firewall/cluster.fw:[RULES]
/etc/pve/firewall/cluster.fw:
/etc/pve/firewall/cluster.fw:IN NeighborDiscovery(ACCEPT) # needed for IPv6 support
/etc/pve/firewall/cluster.fw:

The other stuff in the attached files.

Please note: I've replaced my IPv6 address with "my-first-ipv6" (the same address as First-IPv6 in the code above).

Thanks for your help!

Attachments:
  • iptables-save.txt
  • ip6tables-save.txt
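As an added example (not from the thread and not Proxmox code), a small Python parser for the `grep "" /etc/pve/firewall/*` output format posted above: it splits the grep prefix from each line, reads the implicit [OPTIONS] section and the [RULES] section, and summarises the datacenter input policy, whether NeighborDiscovery is accepted there, and which enabled guest rules carry no -source/-dest and therefore apply to IPv6 as well as IPv4. The file paths and rule values are those posted in the thread; the function names and the summary layout are assumptions.

```python
"""Parse `grep "" /etc/pve/firewall/*` output (the format posted in this
thread) and pull out what matters first when IPv6 traffic is blocked."""
from collections import defaultdict
# Constructed sample taken from the thread's post (values as posted).
SAMPLE = """\
/etc/pve/firewall/123.fw:enable: 1
/etc/pve/firewall/123.fw:[RULES]
/etc/pve/firewall/123.fw:IN ACCEPT -p tcp -dport 80,443 # HTTP(S)
/etc/pve/firewall/cluster.fw:[OPTIONS]
/etc/pve/firewall/cluster.fw:policy_in: DROP
/etc/pve/firewall/cluster.fw:[RULES]
/etc/pve/firewall/cluster.fw:IN NeighborDiscovery(ACCEPT) # needed for IPv6
"""
def parse_rule(line):
    """'IN NeighborDiscovery(ACCEPT) -p tcp -dport 80,443' -> dict."""
    tok = line.split()
    rule = {"dir": tok[0], "action": tok[1], "macro": None}
    name, _, act = tok[1].partition("(")  # macro form Name(ACTION)
    if act:
        rule["macro"], rule["action"] = name, act.rstrip(")")
    rule.update((k.lstrip("-"), v) for k, v in zip(tok[2::2], tok[3::2]))
    return rule
def parse_grep_output(text):
    """{path: {"OPTIONS": {}, "RULES": []}}; a .fw file starts in [OPTIONS]."""
    files = defaultdict(lambda: {"OPTIONS": {}, "RULES": []})
    section = {}                              # current section per file
    for raw in text.splitlines():
        path, _, line = raw.partition(":")    # grep prefix is 'path:'
        line = line.split("#", 1)[0].strip()  # drop trailing comment
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section[path] = line[1:-1].upper()
        elif section.get(path, "OPTIONS") == "OPTIONS":
            key, _, val = line.partition(":")
            files[path]["OPTIONS"][key.strip()] = val.strip()
        elif section[path] == "RULES":        # other sections are ignored
            files[path]["RULES"].append(parse_rule(line))
    return dict(files)
def ipv6_summary(files):
    """DC input policy, ND accepted at DC level, guests' family-neutral inbound dports."""
    cl = files.get("/etc/pve/firewall/cluster.fw", {"OPTIONS": {}, "RULES": []})
    nd = any(r["macro"] == "NeighborDiscovery" and r["action"] == "ACCEPT" for r in cl["RULES"])
    # Rules without -source/-dest are address-family neutral: pve-firewall
    # emits them for ip6tables as well as iptables.
    ports = {p: [r["dport"] for r in c["RULES"] if r["dir"] == "IN"
                 and r["action"] == "ACCEPT" and "dport" in r
                 and not {"source", "dest"} & r.keys()]
             for p, c in files.items()
             if not p.endswith("cluster.fw") and c["OPTIONS"].get("enable") == "1"}
    return {"policy_in": cl["OPTIONS"].get("policy_in"),
            "neighbor_discovery_accepted": nd, "family_neutral_inbound": ports}
```

Feed it the real grep output instead of SAMPLE to check a live host; a guest whose inbound ports only appear in rules with an IPv4 -source would show an empty list.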
Everything looks fine. I tried it with your settings and it worked well (both IPv4 and IPv6). Does it work for IPv4?

However: I would in such a case follow the packets with tcpdump.

Please note: I've replaced my IPv6 address with "my-first-ipv6" (the same address as First-IPv6 in the code above).

I don't understand; I cannot see the mentioned string in any of your postings or posted documents.