pve-firewall does not work for IPv6

May 31, 2015
Hi,

I've tried the Proxmox pve-firewall during the last days and I have some (actually only two) problems with IPv6.

My system:
  • Debian 8 with kernel 4.2.6-1-pve
  • pve-firewall 2.0-14
  • one LXC
  • one IPv4 address for the host
  • NAT-IPv4 subnet with routing by ports for accessing the LXC via IPv4
  • one IPv6 /64-network, so the LXC gets its own IPv6-address
Firewall options:
  • enabled everywhere (Datacenter, Host, Container, network interfaces and wherever I found an option to enable it)
  • Default Input: DROP
  • Default Output: ACCEPT
  • NeighborDiscovery allowed on data center level
  • incoming port 22 and 8006 on the host allowed
  • incoming port 80 and 443 allowed on a (test-) container
The problem(s):
  • incoming IPv6 does not work (is blocked?) for the container on all ports
  • outgoing IPv4 does not work (is blocked?) for the container on all ports
If I disable the firewall at datacenter level everything works fine.

Here are some of my configurations:

/etc/network/interfaces on the host:
Code:
auto lo
iface lo inet loopback
iface lo inet6 loopback

auto eth0
iface eth0 inet static
    address  IPv4
    netmask  IPv4-netmask
    gateway  IPv4-gateway
    pointopoint IPv4-gateway

iface eth0 inet6 static
    address  First-IPv6
    netmask  64
    gateway  IPv6-gateway
    up sysctl -p

auto vmbr0
iface vmbr0 inet static
    address 172.27.13.1
    netmask 255.255.255.0
    bridge_ports none
    bridge_stp off
    bridge_fd 0

iface vmbr0 inet6 static
    address  Second-IPv6
    netmask  64
    bridge_ports none
    bridge_stp off
    bridge_fd 0
    up route -6 add THIRD-IPv6 dev vmbr0 # for each VM IPv6

These are my NAT-rules:
Code:
iptables -t nat -A PREROUTING -i eth0 -p tcp -m multiport --dports 80,443 -j DNAT --to 172.27.13.23

iptables -t nat -A POSTROUTING -s 172.27.13.0/24 -o eth0 -j MASQUERADE

Of course ipv4-forwarding is enabled.

The network configuration of the container with 172.27.13.23:
Code:
auto lo
iface lo inet loopback

auto eth0
iface eth0 inet static
    address 172.27.13.23
    netmask 255.255.255.255
    post-up ip route add 172.27.13.1 dev eth0
    post-up ip route add default via 172.27.13.1
    pre-down ip route del default via 172.27.13.1
    pre-down ip route del 172.27.13.1 dev eth0

iface eth0 inet6 static
    address THIRD-IPv6
    netmask 64
    gateway SECOND-IPv6

Any idea how to fix this? The log just says "IPV6 logging not implemented"...

Thanks very much!

//EDIT: I just saw that outgoing IPv4 is not a problem with the firewall, since it does not work with the firewall disabled either.
 
More details about your settings would be helpful. Post the results of the following (when settings are active):

Code:
grep "" /etc/pve/firewall/*
iptables-save
 
Code:
grep "" /etc/pve/firewall/*

/etc/pve/firewall/123.fw:
/etc/pve/firewall/123.fw:log_level_in: info
/etc/pve/firewall/123.fw:enable: 1
/etc/pve/firewall/123.fw:macfilter: 0
/etc/pve/firewall/123.fw:log_level_out: info
/etc/pve/firewall/123.fw:
/etc/pve/firewall/123.fw:[RULES]
/etc/pve/firewall/123.fw:
/etc/pve/firewall/123.fw:IN ACCEPT -p tcp -dport 36122 # SSH
/etc/pve/firewall/123.fw:IN ACCEPT -p tcp -dport 80,443 # HTTP(S)
/etc/pve/firewall/123.fw:
/etc/pve/firewall/cluster.fw:[OPTIONS]
/etc/pve/firewall/cluster.fw:
/etc/pve/firewall/cluster.fw:policy_in: DROP
/etc/pve/firewall/cluster.fw:enable: 1
/etc/pve/firewall/cluster.fw:
/etc/pve/firewall/cluster.fw:[RULES]
/etc/pve/firewall/cluster.fw:
/etc/pve/firewall/cluster.fw:IN NeighborDiscovery(ACCEPT) # needed for IPv6 support
/etc/pve/firewall/cluster.fw:

The other stuff in the attached files.

Please note: I've replaced my IPv6 address with "my-first-ipv6" (the same address as First-IPv6 in the code above)

Thanks for your help!
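As an added example (not from the thread and not Proxmox's own code), the following Python script parses the /etc/pve/firewall/*.fw format shown in the grep output above and reports, per file, whether the firewall is enabled, the inbound policy, which IN ACCEPT rules can match IPv6 at all, and which rules are restricted by -source/-dest to IPv4 addresses only. It assumes the .fw layout visible in the thread ('key: value' option lines, [RULES] lines of the form 'DIRECTION ACTION -opt value ...' or 'DIRECTION MACRO(ACTION) ...', '#' comments, a leading '|' for a disabled rule) and assumes that a rule whose addresses are IPv4-only is rendered into iptables but not ip6tables, so it silently does nothing for IPv6 traffic. The sample input is the posted grep output with some lines dropped and one constructed 3306 rule added so the check has something to flag.

```python
"""Parse /etc/pve/firewall/*.fw files and report which inbound rules can match
IPv6.  Added example, not Proxmox code.  Assumes the .fw layout seen in the thread
('key: value' options, [RULES] lines 'DIR ACTION [-opt value ...]' or
'DIR MACRO(ACTION) ...', '#' comments, '|' prefix = disabled) and that a rule whose
-source/-dest lists only IPv4 addresses is rendered into iptables but not ip6tables."""
import ipaddress
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample: the grep output posted in the thread (some lines dropped)
# plus one extra rule with an IPv4-only source so the check has something to flag.
SAMPLE_GREP_OUTPUT = """\
/etc/pve/firewall/123.fw:log_level_in: info
/etc/pve/firewall/123.fw:enable: 1
/etc/pve/firewall/123.fw:[RULES]
/etc/pve/firewall/123.fw:IN ACCEPT -p tcp -dport 36122 # SSH
/etc/pve/firewall/123.fw:IN ACCEPT -p tcp -dport 80,443 # HTTP(S)
/etc/pve/firewall/123.fw:IN ACCEPT -p tcp -dport 3306 -source 172.27.13.0/24 # constructed
/etc/pve/firewall/cluster.fw:[OPTIONS]
/etc/pve/firewall/cluster.fw:policy_in: DROP
/etc/pve/firewall/cluster.fw:enable: 1
/etc/pve/firewall/cluster.fw:[RULES]
/etc/pve/firewall/cluster.fw:IN NeighborDiscovery(ACCEPT) # needed for IPv6 support
"""

@dataclass
class Rule:
    direction: str              # IN or OUT
    action: str                 # ACCEPT, DROP or REJECT
    macro: Optional[str]        # e.g. NeighborDiscovery, else None
    options: dict = field(default_factory=dict)
    comment: str = ""
    enabled: bool = True

    def ip_versions(self):
        """IP versions the rule can be rendered for, judged from -source/-dest."""
        versions = {4, 6}
        for spec in filter(None, (self.options.get(k) for k in ("-source", "-dest"))):
            found = set()
            for item in spec.split(","):
                try:
                    found.add(ipaddress.ip_network(item, strict=False).version)
                except ValueError:       # alias or +ipset reference: version unknown
                    found |= {4, 6}
            versions &= found
        return versions

    def describe(self):
        what = f"{self.macro}({self.action})" if self.macro else self.action
        port = f" dport {self.options['-dport']}" if "-dport" in self.options else ""
        return f"{self.direction} {what}{port}"

def parse_rule(line):
    enabled = not line.startswith("|")
    body, _, comment = line.lstrip("|").partition("#")
    t = body.split()
    if len(t) < 2 or len(t) % 2 or not all(o.startswith("-") for o in t[2::2]):
        raise ValueError(f"malformed rule: {line!r}")
    m = re.fullmatch(r"(\w+)\((\w+)\)", t[1])
    macro, action = (m.group(1), m.group(2)) if m else (None, t[1])
    return Rule(t[0].upper(), action.upper(), macro, dict(zip(t[2::2], t[3::2])),
                comment.strip(), enabled)

def parse_fw(text):
    """Return (options, rules); lines before any [section] count as options,
    which is how the posted 123.fw looks."""
    options, rules, section = {}, [], "OPTIONS"
    for line in (l.strip() for l in text.splitlines()):
        if not line or line.startswith("#"):
            continue
        m = re.fullmatch(r"\[(\w+)(?:\s+\S+)?\]", line)
        if m:
            section = m.group(1).upper()
        elif section == "OPTIONS":
            key, _, value = line.partition(":")
            options[key.strip()] = value.strip()
        elif section == "RULES":
            rules.append(parse_rule(line))
    return options, rules

def split_grep_output(text):
    """Turn 'grep "" /etc/pve/firewall/*' output back into {path: file content}."""
    files = {}
    for path, sep, content in (l.partition(":") for l in text.splitlines()):
        if sep:
            files.setdefault(path, []).append(content)
    return {p: "\n".join(v) + "\n" for p, v in files.items()}

def audit(text):
    """Per file: enabled?, inbound policy, IN ACCEPT rules that can match IPv6,
    and active rules that can never match IPv6 at all."""
    options, rules = parse_fw(text)
    active = [r for r in rules if r.enabled]
    return {
        "enabled": options.get("enable") == "1",
        "policy_in": options.get("policy_in", "DROP"),
        "ipv6_inbound_accepts": [r.describe() for r in active if r.direction == "IN"
                                 and r.action == "ACCEPT" and 6 in r.ip_versions()],
        "ipv4_only_rules": [r.describe() for r in active if r.ip_versions() == {4}],
    }
```

Run it as `for path, content in split_grep_output(open("grep.txt").read()).items(): print(path, audit(content))` on a saved copy of the grep output. For the posted files it reports the two port rules and the NeighborDiscovery macro as IPv6-capable, and only the constructed 3306 rule as IPv4-only; a real rule showing up in that list is one place to look when a container's IPv6 inbound traffic is dropped while IPv4 works.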
 


Code:
grep "" /etc/pve/firewall/*

/etc/pve/firewall/123.fw:
/etc/pve/firewall/123.fw:log_level_in: info
/etc/pve/firewall/123.fw:enable: 1
/etc/pve/firewall/123.fw:macfilter: 0
/etc/pve/firewall/123.fw:log_level_out: info
/etc/pve/firewall/123.fw:
/etc/pve/firewall/123.fw:[RULES]
/etc/pve/firewall/123.fw:
/etc/pve/firewall/123.fw:IN ACCEPT -p tcp -dport 36122 # SSH
/etc/pve/firewall/123.fw:IN ACCEPT -p tcp -dport 80,443 # HTTP(S)
/etc/pve/firewall/123.fw:
/etc/pve/firewall/cluster.fw:[OPTIONS]
/etc/pve/firewall/cluster.fw:
/etc/pve/firewall/cluster.fw:policy_in: DROP
/etc/pve/firewall/cluster.fw:enable: 1
/etc/pve/firewall/cluster.fw:
/etc/pve/firewall/cluster.fw:[RULES]
/etc/pve/firewall/cluster.fw:
/etc/pve/firewall/cluster.fw:IN NeighborDiscovery(ACCEPT) # needed for IPv6 support
/etc/pve/firewall/cluster.fw:

Everything looks fine. I tried it with your settings and it worked well (both ipv4 and ipv6). Does it work for ipv4?

However: I would in such a case follow the packets with tcpdump.

Please note: I've replaced my IPv6 address with "my-first-ipv6" (the same address as First-IPv6 in the code above)

I don't understand - I cannot see the mentioned string in any of your postings or posted documents.