Weird issue specific to chain ALLOWDYNIN in ip6tables

Posted: 12 Mar 2024, 15:53
by Jacky
Hi.

So for a while now I was annoyed that my servers are blocked between each other, but I never bothered to check why. After a while, I decided to configure DYNDNS domains between them (as we change IPs quite often) and it all worked. On IPv4. Since some of our servers also use IPv6, obviously that wasn't working. So I tried allowing a specific IP and that worked.

Again after some time (2-3 months), I decided to check, why the heck IPv6 isn't blocking. So I found a very strange issue with IPv6 tables specifically. When CSF sets rules, the rule for IPV6 IPSET isn't added. I tried the wait lock and the same thing happened. So I also tried adding these two rules into csfpost.sh:
ip6tables -A ALLOWDYNOUT -m set --match-set chain_6_ALLOWDYN dst -j ACCEPT
ip6tables -A ALLOWDYNIN -m set --match-set chain_6_ALLOWDYN src -j ACCEPT

And while running them manually works, the postscript (even though the console says executed) doesn't. Not sure what is going on here. This happens on a few machines so it's not a specific issue to my server. I run iptables v1.8.7 (nf_tables) on Ubuntu 22.04. Also same happens on Debian 12 running ip6tables v1.8.9 (nf_tables).

Does anyone have the same issue? Any solutions?
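As an added example (not from the original post and not CSF's own code), a csfpost.sh-style helper that checks whether the ipset match rule is already in the chain before appending it, and logs through logger when the chain or the set is missing, so a rule that did not apply shows up in syslog instead of silently vanishing. It assumes the chain and set names from the post, and root plus ip6tables and ipset on PATH when run with CSFPOST_APPLY=1.

```shell
#!/bin/sh
# Added example, not the original poster's csfpost.sh nor CSF's own code.
# Idempotently adds the ipset match rule to an ip6tables chain and logs
# to syslog (tag "csfpost") when the chain or the set is missing, so a
# rule that failed to apply can be found in the logs.

# Constructed sample `ip6tables -S <chain>` output for offline testing:
# the IN chain already carries the ipset rule, the OUT chain does not.
SAMPLE_IN='-N ALLOWDYNIN
-A ALLOWDYNIN -m set --match-set chain_6_ALLOWDYN src -j ACCEPT'
SAMPLE_OUT='-N ALLOWDYNOUT
-A ALLOWDYNOUT -j RETURN'

# rule_present LISTING SET DIR: exit 0 if LISTING already contains the rule.
rule_present() {
    printf '%s\n' "$1" | grep -q -- "--match-set $2 $3 -j ACCEPT"
}

# missing_rule_cmd CHAIN SET DIR LISTING: print the ip6tables command that
# still needs to run, or print nothing and exit 1 if the rule is there.
missing_rule_cmd() {
    if rule_present "$4" "$2" "$3"; then
        return 1
    fi
    printf 'ip6tables -A %s -m set --match-set %s %s -j ACCEPT\n' "$1" "$2" "$3"
}

# ensure_rule CHAIN SET DIR: read the live chain and append the rule if
# absent. Needs root plus ip6tables and ipset on PATH.
ensure_rule() {
    chain=$1; setname=$2; dir=$3
    ipset list "$setname" >/dev/null 2>&1 \
        || logger -t csfpost "ipset $setname does not exist; rule will fail"
    listing=$(ip6tables -w -S "$chain" 2>/dev/null) \
        || { logger -t csfpost "chain $chain does not exist"; return 1; }
    if ! missing_rule_cmd "$chain" "$setname" "$dir" "$listing" >/dev/null; then
        logger -t csfpost "$chain: ipset rule already present"
        return 0
    fi
    ip6tables -w -A "$chain" -m set --match-set "$setname" "$dir" -j ACCEPT \
        && logger -t csfpost "$chain: added ipset rule for $setname $dir" \
        || { logger -t csfpost "$chain: ip6tables -A failed"; return 1; }
}

# Only touch the live firewall when explicitly asked (CSFPOST_APPLY=1).
if [ "${CSFPOST_APPLY:-0}" = 1 ]; then
    ensure_rule ALLOWDYNOUT chain_6_ALLOWDYN dst
    ensure_rule ALLOWDYNIN  chain_6_ALLOWDYN src
fi
```

After a CSF restart, `grep csfpost /var/log/syslog` (or `journalctl -t csfpost`) shows whether the rule was added, was already there, or failed because the chain or set was absent at the time csfpost.sh ran.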