CSF is not adding ports to CC_ALLOWPORTS in ip6tables

Posted: 29 Jun 2016, 20:55
by yuriccp
Hello,

Recently I enabled IPv6 support in my office, and because of that I decided to start enabling IPv6 support on my servers too.

But after I configured everything, I noticed that connections to ports that are in CC_ALLOW_PORTS_TCP are always going through IPv4 and never through IPv6. So I listed the rules in IP6TABLES and IPTABLES, and I noticed that the chain CC_ALLOWPORTS is empty in IP6TABLES.

Currently the IPTABLES is showing this:

[...]
Chain CC_ALLOWP (1 references)
target     prot opt source               destination         
CC_ALLOWPORTS  all  --  5.8.45.0/25          0.0.0.0/0           
CC_ALLOWPORTS  all  --  5.10.192.0/21        0.0.0.0/0           
CC_ALLOWPORTS  all  --  15.227.249.0/24      0.0.0.0/0           
CC_ALLOWPORTS  all  --  17.45.170.112        0.0.0.0/0           
CC_ALLOWPORTS  all  --  23.97.96.0/19        0.0.0.0/0
[...]

Chain CC_ALLOWPORTS (2483 references)
target     prot opt source               destination         
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            ctstate NEW tcp dpt:21
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            ctstate NEW tcp dpt:2083
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            ctstate NEW tcp dpt:2096
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            ctstate NEW tcp dpt:2078
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            ctstate NEW tcp dpt:3306

Chain DENYIN (1 references)
target     prot opt source               destination         
REJECT     all  --  93.93.69.141         0.0.0.0/0            reject-with icmp-port-unreachable
REJECT     tcp  --  181.222.118.86       0.0.0.0/0            tcp dpt:25 reject-with icmp-port-unreachable
REJECT     tcp  --  181.222.118.86       0.0.0.0/0            tcp dpt:465 reject-with icmp-port-unreachable
[...]

While the IP6TABLES is showing this:

Chain CC_ALLOWP (1 references)
target     prot opt source               destination         
CC_ALLOWPORTS  all      2001:1280::/32       ::/0                
CC_ALLOWPORTS  all      2001:1284::/32       ::/0                
CC_ALLOWPORTS  all      2001:1288::/32       ::/0                
CC_ALLOWPORTS  all      2001:128c::/32       ::/0                
CC_ALLOWPORTS  all      2001:1290::/31       ::/0
[...]
Chain CC_ALLOWPORTS (3470 references)
target     prot opt source               destination         

Chain DENYIN (1 references)
target     prot opt source               destination
[...]

I think that's because of a missing/buggy implementation of CC_ALLOW_PORTS_TCP for IPv6, and only the IPv6 list is being loaded and not the ports.

Please, can you verify it?

Thanks
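
A check for the mismatch reported above, as an added example that is not part of the original post or of csf: it compares `iptables -L -n` and `ip6tables -L -n` listings and reports rules with no address match (such as the per-port ACCEPTs) that exist in an IPv4 chain but have no counterpart in the same IPv6 chain. The function names and the shortened sample listings are constructed for illustration.

```python
import re
# Constructed listings, shortened from the `-L -n` output quoted in the post.
V4 = """\
Chain CC_ALLOWP (1 references)
target     prot opt source               destination
CC_ALLOWPORTS  all  --  5.8.45.0/25          0.0.0.0/0

Chain CC_ALLOWPORTS (2483 references)
target     prot opt source               destination
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            ctstate NEW tcp dpt:21
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            ctstate NEW tcp dpt:2083

Chain DENYIN (1 references)
target     prot opt source               destination
REJECT     all  --  93.93.69.141         0.0.0.0/0            reject-with icmp-port-unreachable
"""
V6 = """\
Chain CC_ALLOWP (1 references)
target     prot opt source               destination
CC_ALLOWPORTS  all      2001:1280::/32       ::/0

Chain CC_ALLOWPORTS (3470 references)
target     prot opt source               destination

Chain DENYIN (1 references)
target     prot opt source               destination
"""
ANY = {"0.0.0.0/0", "::/0"}
def any_to_any_rules(listing):
    """Map chain -> set of (target, proto, match text) for rules with no address match."""
    chains, current = {}, None
    for line in listing.splitlines():
        header = re.match(r"Chain (\S+) \(", line)
        if header:
            current = chains.setdefault(header.group(1), set())
            continue
        tok = line.split()
        if current is None or len(tok) < 4 or tok[0] == "target":
            continue
        if tok[2] == "--":            # the ip6tables listing above has a blank opt column
            del tok[2]
        if len(tok) >= 4 and tok[2] in ANY and tok[3] in ANY:
            current.add((tok[0], tok[1], " ".join(tok[4:])))
    return chains

def missing_in_v6(v4_listing, v6_listing):
    """Address-independent IPv4 rules with no counterpart in the same IPv6 chain."""
    v4, v6 = any_to_any_rules(v4_listing), any_to_any_rules(v6_listing)
    return {c: sorted(r - v6.get(c, set())) for c, r in v4.items() if r - v6.get(c, set())}
```

Calling `missing_in_v6(V4, V6)` on the sample flags only CC_ALLOWPORTS; DENYIN is not reported because its IPv4 rules match specific source addresses and so have no expected IPv6 equivalent.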

Re: CSF is not adding ports to CC_ALLOWPORTS in ip6tables

Posted: 03 Jul 2016, 11:54
by ForumAdmin
Thank you for reporting this, we will have a fix for it in the next csf release.

Re: CSF is not adding ports to CC_ALLOWPORTS in ip6tables

Posted: 04 Jul 2016, 11:06
by ForumAdmin
This should now be fixed in v9.07:
http://blog.configserver.com/