IP6tables blocks INPUT? can't connect with youtube API

klaas asked:

I thought to have a simple ipv6 firewall, but it turned out to be hell.
Somehow I really can’t connect with any ipv6 from my machine unless I set INPUT Policy to ACCEPT. Below my current ip6tables

ip6tables -L

Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all      anywhere             anywhere           state RELATED,ESTABLISHED
ACCEPT     ipv6-icmp    anywhere             anywhere
ACCEPT     tcp      anywhere             anywhere           tcp dpt:http
ACCEPT     tcp      anywhere             anywhere           tcp dpt:https

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

If I try to connect with any ipv6 adres it doesn’t work?

telnet gdata.youtube.com 80
Trying 2a00:1450:4013:c00::76...

OR

telnet gdata.youtube.com 443
Trying 2a00:1450:4013:c00::76...

When I set:

ip6tables -P INPUT ACCEPT

It works.. but then.. well then everything is open? what is going on?
Help?

My answer:


You’re probably missing the critical “stateful” rule:

-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

You are also missing a rule to accept ICMPv6. Without ICMPv6, IPv6 simply does not function.

-A INPUT -p ipv6-icmp -j ACCEPT

For performance reasons, this should be among the earliest rules in your chain.


View the full question and answer on Server Fault.

Creative Commons License
This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.