IPV6 not working on Gentoo?
Hi!
It seems I can ping my own IPV6 address:
$ ping6 2600:3c03::f03c:91ff:fe93:36c2
PING 2600:3c03::f03c:91ff:fe93:36c2(2600:3c03::f03c:91ff:fe93:36c2) 56 data bytes
64 bytes from 2600:3c03::f03c:91ff:fe93:36c2: icmp_seq=1 ttl=64 time=0.047 ms
But not, say, Google's DNS IPV6 address:
$ ping6 -c 1 2001:4860:4860::8888
PING 2001:4860:4860::8888(2001:4860:4860::8888) 56 data bytes
--- 2001:4860:4860::8888 ping statistics ---
1 packets transmitted, 0 received, 100% packet loss, time 0ms
I found this thread that sounded similar, but changing my /etc/dhcpcd.conf to end in:
# Generate SLAAC address using the Hardware Address of the interface
slaac hwaddr
# OR generate Stable Private IPv6 Addresses based from the DUID
#slaac private
And running
$ sudo /etc/init.d/dhcpcd restart
* Stopping DHCP Client Daemon ... [ ok ]
* Starting DHCP Client Daemon ...
cat: /run/dhcpcd/resolv.conf.eth0.ra: No such file or directory
still doesn't make those pings work (or, what I really was trying to do, an emerge that calls wget, which ends up using IPV6 and hanging forever). Is there anything else I need to configure?
Thanks!
4 Replies
Hey @flebron
Along with removing slaac private from your /etc/dhcpcd.conf file, did you also verify if privacy extensions are disabled? I ask this as another Community Questions site post mentions that having privacy extensions enabled could cause an issue with IPv6 address assignment.
Our An Overview of IPv6 on Linode guide includes the following information as well.
If your Linode does not have the correct IPv6 address or any IPv6 address at all, you should verify that you have router advertisements enabled and IPv6 privacy extensions disabled. Your Linode will need to accept router advertisements for SLAAC to function. These settings are properly configured by default in our supported distributions.
I hope this information helps get you pointed in the right direction. Feel free to follow up with more information if this doesn't help in resolving the issue.
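A way to verify the two settings the reply above names on a given interface, added here as an example; it is not part of the original thread or of Linode's guide. It reads the per-interface values under /proc/sys/net/ipv6/conf/ (the paths are the standard kernel ones; eth0 is the interface from the thread) and applies the kernel's documented semantics: accept_ra=1 is only honoured while forwarding is off, so a host that also forwards needs accept_ra=2, and any use_tempaddr value above 0 turns on privacy extensions.

```shell
#!/bin/sh
# Added example, not from the thread or Linode's guide: verify the two sysctls
# the reply above names (router advertisements accepted, privacy extensions
# disabled) for one interface and say why a value is wrong.  The decision
# rules are the kernel's documented accept_ra/use_tempaddr semantics.

# slaac_verdict ACCEPT_RA USE_TEMPADDR FORWARDING
# Pure decision logic, so it can be tried with sample values.  Prints "ok" or
# one problem per line; returns 0 when everything is as SLAAC needs it.
slaac_verdict() {
    accept_ra=$1 use_tempaddr=$2 forwarding=$3
    bad=0
    case "$accept_ra" in
        0)
            echo "accept_ra=0: router advertisements ignored, so no SLAAC address and no default route"
            bad=1 ;;
        1)
            # accept_ra=1 only applies while forwarding=0; a host that also
            # forwards (e.g. runs containers or a VPN) needs accept_ra=2.
            if [ "$forwarding" -ne 0 ]; then
                echo "accept_ra=1 with forwarding=$forwarding: RAs are ignored; set accept_ra=2"
                bad=1
            fi ;;
        2) ;;
        *)
            echo "accept_ra=$accept_ra: unexpected value"
            bad=1 ;;
    esac
    # use_tempaddr > 0 turns on RFC 4941 privacy extensions (temporary,
    # rotating addresses); <= 0 keeps only the stable SLAAC address.
    if [ "$use_tempaddr" -gt 0 ]; then
        echo "use_tempaddr=$use_tempaddr: privacy extensions enabled; set it to 0"
        bad=1
    fi
    [ "$bad" -eq 0 ] && echo ok
    return "$bad"
}

# check_iface IFACE: read the live values from /proc and apply the verdict.
check_iface() {
    d=/proc/sys/net/ipv6/conf/$1
    if [ ! -d "$d" ]; then
        echo "$1: no IPv6 sysctl tree (interface missing or IPv6 disabled in the kernel)"
        return 2
    fi
    slaac_verdict "$(cat "$d/accept_ra")" "$(cat "$d/use_tempaddr")" "$(cat "$d/forwarding")"
}

# Usage: sh slaac-check.sh eth0
if [ "$#" -gt 0 ]; then
    check_iface "$1"
fi
```

Run it as `sh slaac-check.sh eth0`; the exit status follows the verdict, so it can sit in a provisioning check. The values it reads are the per-interface ones, which are what the kernel consults when an RA arrives on that interface, and a persistent fix goes into /etc/sysctl.conf as net.ipv6.conf.eth0.accept_ra and net.ipv6.conf.eth0.use_tempaddr.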
You also need to make sure that your firewall is not blocking IPv6 router advertisements and IPv6 neighbor discovery (the IPv6 replacement for ARP).
-- sw
Hi!
Thanks for the answers :)
@mcivitarese:
$ cat /proc/sys/net/ipv6/conf/eth0/use_tempaddr
0
Does that mean that's well-configured? Anything else I should do/try?
@stevewi:
$ sudo ip6tables -S
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
Does that mean my firewall is well-configured for ipv6? Anything else I should check?
$ ip -6 addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 state UNKNOWN qlen 1000
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
inet6 2600:3c03::4582:ab36:3c29:da41/64 scope global dynamic mngtmpaddr noprefixroute
valid_lft 2591996sec preferred_lft 604796sec
inet6 2600:3c03::f03c:91ff:fe93:36c2/64 scope global dynamic mngtmpaddr noprefixroute
valid_lft 2591996sec preferred_lft 604796sec
inet6 fe80::f03c:91ff:fe93:36c2/64 scope link
valid_lft forever preferred_lft forever
$ ip -6 route
2600:3c03::/64 dev eth0 proto ra metric 202 mtu 1500 pref medium
fe80::/64 dev eth0 proto kernel metric 256 pref medium
default via fe80::1 dev eth0 proto ra metric 202 mtu 1500 pref medium
@flebron writes:
Does that mean my firewall is well-configured for ipv6? Anything else I should check?
It should be… I believe once you enable IPv6 support in the kernel, that firewall support is automatic. What you posted says you don't have any IPv6-specific rules.
Your firewall should always allow these two IPv6 networks to pass:
::ffff:127.0.0.0/104 <-- 127.0.0.0/8 as an IPv6 'compatibility' network
::1/128 <-- 'localhost6'
I use firehol to build my firewall: https://firehol.org I find it to be very useful and much more friendly than ip[6]tables. Having cut my teeth on pf(4) on FreeBSD, you can't imagine what a giant step backward ip[6]tables is…
You should check out firehol(1)…it will save your (maybe remaining) hair. You can install it on Debian/Ubuntu using the following packages:
firehol - easy to use but powerful iptables stateful firewall (program)
firehol-common - easy to use but powerful traffic suite (common library)
firehol-doc - easy to use but powerful iptables stateful firewall (docs)
firehol-tools - easy to use but powerful traffic suite (extra tools)
firehol-tools-doc - easy to use but powerful traffic suite (extra tools docs)
fireqos - easy to use but powerful traffic shaping tool (program)
fireqos-doc - easy to use but powerful traffic shaping tool (docs)
fireqos(1) is a companion traffic shaper. firehol-tools has a lot of GUI junk that is worthless in a VPS environment. You can skip it. Both firehol and fireqos support IPv4 and IPv6 (and interoperability between the two).
Just for grins, here's the section of my firehol.conf file that handles IPv4/IPv6 interoperability & passes IPv6 router advertisement and neighbor discovery:
ipv6 interface any v6interop proto icmpv6
client ipv6neigh accept
server ipv6neigh accept
client ipv6router accept
policy return
Here's what firehol(1) generates (you decide which is easier to maintain):
# IPv4 Rules:
*filter
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A FORWARD -p tcp --tcp-flags ACK,FIN ACK,FIN -m conntrack --ctstate NEW,INVALID -j DROP
-A FORWARD -p tcp --tcp-flags ACK,RST ACK,RST -m conntrack --ctstate NEW,INVALID -j DROP
-A FORWARD -p tcp --tcp-flags ACK ACK -m conntrack --ctstate NEW,INVALID -j DROP
-A FORWARD -p tcp --tcp-flags RST RST -m conntrack --ctstate NEW,INVALID -j DROP
-A FORWARD -p icmp --icmp-type destination-unreachable -m conntrack --ctstate NEW,INVALID -j DROP
-A FORWARD -m conntrack --ctstate INVALID -m limit --limit 1/second --limit-burst 5 -j LOG --log-level warning --log-prefix="DROP INVALID FORWARD:"
-A FORWARD -m conntrack --ctstate INVALID -j DROP
-A INPUT -p tcp --tcp-flags ACK,FIN ACK,FIN -m conntrack --ctstate NEW,INVALID -j DROP
-A INPUT -p tcp --tcp-flags ACK,RST ACK,RST -m conntrack --ctstate NEW,INVALID -j DROP
-A INPUT -p tcp --tcp-flags ACK ACK -m conntrack --ctstate NEW,INVALID -j DROP
-A INPUT -p tcp --tcp-flags RST RST -m conntrack --ctstate NEW,INVALID -j DROP
-A INPUT -p icmp --icmp-type destination-unreachable -m conntrack --ctstate NEW,INVALID -j DROP
-A INPUT -m conntrack --ctstate INVALID -m limit --limit 1/second --limit-burst 5 -j LOG --log-level warning --log-prefix="DROP INVALID INPUT:"
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A OUTPUT -p tcp --tcp-flags ACK,FIN ACK,FIN -m conntrack --ctstate NEW,INVALID -j DROP
-A OUTPUT -p tcp --tcp-flags ACK,RST ACK,RST -m conntrack --ctstate NEW,INVALID -j DROP
-A OUTPUT -p tcp --tcp-flags ACK ACK -m conntrack --ctstate NEW,INVALID -j DROP
-A OUTPUT -p tcp --tcp-flags RST RST -m conntrack --ctstate NEW,INVALID -j DROP
-A OUTPUT -p icmp --icmp-type destination-unreachable -m conntrack --ctstate NEW,INVALID -j DROP
-A OUTPUT -m conntrack --ctstate INVALID -m limit --limit 1/second --limit-burst 5 -j LOG --log-level warning --log-prefix="DROP INVALID OUTPUT:"
-A OUTPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -m conntrack --ctstate RELATED -p icmp -j ACCEPT
-A OUTPUT -m conntrack --ctstate RELATED -p icmp -j ACCEPT
-A FORWARD -m conntrack --ctstate RELATED -p icmp -j ACCEPT
-A OUTPUT -p tcp -m conntrack --ctstate RELATED --tcp-flags ALL ACK,RST -j ACCEPT
-A FORWARD -p tcp -m conntrack --ctstate RELATED --tcp-flags ALL ACK,RST -j ACCEPT
-A INPUT -m limit --limit 1/second --limit-burst 5 -j LOG --log-level warning --log-prefix="DROP UNMATCHED IN-unknown:"
-A INPUT -j DROP
-A OUTPUT -m limit --limit 1/second --limit-burst 5 -j LOG --log-level warning --log-prefix="DROP UNMATCHED OUT-unknown:"
-A OUTPUT -j DROP
-A FORWARD -m limit --limit 1/second --limit-burst 5 -j LOG --log-level warning --log-prefix="DROP UNMATCHED PASS-unknown:"
-A FORWARD -j DROP
COMMIT
*mangle
-I OUTPUT 1 -m conntrack --ctstate ESTABLISHED,RELATED -j CONNMARK --restore-mark --mask 0x00001fff
-I PREROUTING 1 -m conntrack --ctstate ESTABLISHED,RELATED -j CONNMARK --restore-mark --mask 0x00001fff
-A INPUT -m conntrack --ctstate NEW -j CONNMARK --save-mark --mask 0x00001fff
-A POSTROUTING -m conntrack --ctstate NEW -j CONNMARK --save-mark --mask 0x00001fff
COMMIT
# IPv6 Rules:
*filter
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:in_v6interop - [0:0]
:out_v6interop - [0:0]
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A FORWARD -p tcp --tcp-flags ACK,FIN ACK,FIN -m conntrack --ctstate NEW,INVALID -j DROP
-A FORWARD -p tcp --tcp-flags ACK,RST ACK,RST -m conntrack --ctstate NEW,INVALID -j DROP
-A FORWARD -p tcp --tcp-flags ACK ACK -m conntrack --ctstate NEW,INVALID -j DROP
-A FORWARD -p tcp --tcp-flags RST RST -m conntrack --ctstate NEW,INVALID -j DROP
-A FORWARD -m conntrack --ctstate INVALID -m limit --limit 1/second --limit-burst 5 -j LOG --log-level warning --log-prefix="DROP INVALID FORWARD:"
-A FORWARD -m conntrack --ctstate INVALID -j DROP
-A INPUT -p icmpv6 -j in_v6interop
-A OUTPUT -p icmpv6 -j out_v6interop
-A in_v6interop -p icmpv6 -m conntrack --ctstate RELATED -j ACCEPT
-A out_v6interop -p icmpv6 -m conntrack --ctstate RELATED -j ACCEPT
-A out_v6interop -p tcp -m conntrack --ctstate RELATED --tcp-flags ALL ACK,RST -j ACCEPT
-A out_v6interop -p icmpv6 --icmpv6-type neighbour-solicitation -j ACCEPT
-A in_v6interop -p icmpv6 --icmpv6-type neighbour-advertisement -j ACCEPT
-A in_v6interop -p icmpv6 --icmpv6-type neighbour-solicitation -j ACCEPT
-A out_v6interop -p icmpv6 --icmpv6-type neighbour-advertisement -j ACCEPT
-A out_v6interop -p icmpv6 --icmpv6-type router-solicitation -j ACCEPT
-A in_v6interop -p icmpv6 --icmpv6-type router-advertisement -j ACCEPT
-A INPUT -p tcp --tcp-flags ACK,FIN ACK,FIN -m conntrack --ctstate NEW,INVALID -j DROP
-A INPUT -p tcp --tcp-flags ACK,RST ACK,RST -m conntrack --ctstate NEW,INVALID -j DROP
-A INPUT -p tcp --tcp-flags ACK ACK -m conntrack --ctstate NEW,INVALID -j DROP
-A INPUT -p tcp --tcp-flags RST RST -m conntrack --ctstate NEW,INVALID -j DROP
-A INPUT -m conntrack --ctstate INVALID -m limit --limit 1/second --limit-burst 5 -j LOG --log-level warning --log-prefix="DROP INVALID INPUT:"
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A OUTPUT -p tcp --tcp-flags ACK,FIN ACK,FIN -m conntrack --ctstate NEW,INVALID -j DROP
-A OUTPUT -p tcp --tcp-flags ACK,RST ACK,RST -m conntrack --ctstate NEW,INVALID -j DROP
-A OUTPUT -p tcp --tcp-flags ACK ACK -m conntrack --ctstate NEW,INVALID -j DROP
-A OUTPUT -p tcp --tcp-flags RST RST -m conntrack --ctstate NEW,INVALID -j DROP
-A OUTPUT -m conntrack --ctstate INVALID -m limit --limit 1/second --limit-burst 5 -j LOG --log-level warning --log-prefix="DROP INVALID OUTPUT:"
-A OUTPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -m conntrack --ctstate RELATED -p icmpv6 -j ACCEPT
-A OUTPUT -m conntrack --ctstate RELATED -p icmpv6 -j ACCEPT
-A FORWARD -m conntrack --ctstate RELATED -p icmpv6 -j ACCEPT
-A OUTPUT -p tcp -m conntrack --ctstate RELATED --tcp-flags ALL ACK,RST -j ACCEPT
-A FORWARD -p tcp -m conntrack --ctstate RELATED --tcp-flags ALL ACK,RST -j ACCEPT
-A INPUT -m limit --limit 1/second --limit-burst 5 -j LOG --log-level warning --log-prefix="DROP UNMATCHED IN-unknown:"
-A INPUT -j DROP
-A OUTPUT -m limit --limit 1/second --limit-burst 5 -j LOG --log-level warning --log-prefix="DROP UNMATCHED OUT-unknown:"
-A OUTPUT -j DROP
-A FORWARD -m limit --limit 1/second --limit-burst 5 -j LOG --log-level warning --log-prefix="DROP UNMATCHED PASS-unknown:"
-A FORWARD -j DROP
COMMIT
*mangle
-I OUTPUT 1 -m conntrack --ctstate ESTABLISHED,RELATED -j CONNMARK --restore-mark --mask 0x00001fff
-I PREROUTING 1 -m conntrack --ctstate ESTABLISHED,RELATED -j CONNMARK --restore-mark --mask 0x00001fff
-A INPUT -m conntrack --ctstate NEW -j CONNMARK --save-mark --mask 0x00001fff
-A POSTROUTING -m conntrack --ctstate NEW -j CONNMARK --save-mark --mask 0x00001fff
COMMIT
-- sw
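Both of sw's replies come down to the same requirement: ICMPv6 router and neighbour discovery has to get through the firewall, and the `ip -6 route` output posted earlier shows why it matters here (the default route points at the link-local gateway fe80::1, which can only be resolved by neighbour discovery). The script below is an added example, not part of the thread and not firehol's code: it pulls the RA-learned default gateway out of `ip -6 route`, reads the gateway's neighbour-cache state from `ip -6 neigh`, and scans `ip6tables -S` for whether RA, NS and NA (ICMPv6 types 134, 135, 136) can be accepted on INPUT. The ip6tables scan is a heuristic that ignores rule order and does not follow jumps into user chains; the chain name in_v6interop and the sample rules it is meant to handle are the ones posted above.

```shell
#!/bin/sh
# Added example, not from the thread or from firehol: check that the
# RA-learned gateway is reachable and that ip6tables can pass ICMPv6
# router/neighbour discovery.  The parsers read command output on stdin, so
# they can be run against pasted text; "live" mode runs the real commands.

# ra_default_gw: from `ip -6 route` output, print "GATEWAY DEV" for the first
# default route learned from router advertisements (proto ra), else nothing.
ra_default_gw() {
    sed -n 's/^default via \([^ ]*\) dev \([^ ]*\) .*proto ra.*/\1 \2/p' | head -n 1
}

# neigh_state ADDR: from `ip -6 neigh` output, print ADDR's NUD state
# (REACHABLE, STALE, DELAY, PROBE, FAILED, INCOMPLETE, ...) or "none".
# A gateway stuck in FAILED/INCOMPLETE means neighbour solicitation gets no
# answer, which is exactly what a firewall dropping ND looks like.
neigh_state() {
    awk -v a="$1" '$1 == a { st = $NF } END { print (st == "" ? "none" : st) }'
}

# nd_rules_ok: from `ip6tables -S` output, report for each of RA (134),
# NS (135) and NA (136) whether inbound packets of that type can be accepted.
# Heuristic: rule order and jumps into user chains are not modelled, so
# "blocked" means "look here", not proof.  Accepts both the type names and
# the numeric types that ip6tables-save prints.  Returns 0 if all three pass.
nd_rules_ok() {
    rules=$(cat)
    # INPUT ends in DROP/REJECT, by policy or by a final unconditional rule.
    if printf '%s\n' "$rules" | grep -Eq '^-P INPUT (DROP|REJECT)$|^-A INPUT -j (DROP|REJECT)$'; then
        closed=1
    else
        closed=0
    fi
    # A rule accepting all ICMPv6 with no other match, e.g.
    # "-A INPUT -p ipv6-icmp -j ACCEPT".
    if printf '%s\n' "$rules" | grep -Eq '^-A [^ ]+ -p (icmpv6|ipv6-icmp) -j ACCEPT$'; then
        blanket=1
    else
        blanket=0
    fi
    bad=0
    for pair in 'RA 134:router-advertisement|134' \
                'NS 135:neighbou?r-solicitation|135' \
                'NA 136:neighbou?r-advertisement|136'; do
        name=${pair%%:*}
        typ="--icmpv6-type (${pair#*:})( |$)"
        if printf '%s\n' "$rules" | grep -Eq -- "$typ.*-j (DROP|REJECT)$"; then
            echo "$name: blocked (explicit DROP/REJECT)"; bad=1
        elif [ "$closed" -eq 0 ] || [ "$blanket" -eq 1 ] ||
             printf '%s\n' "$rules" | grep -Eq -- "$typ.*-j ACCEPT$"; then
            echo "$name: allowed"
        else
            echo "$name: blocked (INPUT ends in DROP/REJECT, no ACCEPT for this type)"; bad=1
        fi
    done
    [ "$bad" -eq 0 ] && echo ok
    return "$bad"
}

# diagnose: run the live checks on this host (ip6tables needs root).
diagnose() {
    gw=$(ip -6 route | ra_default_gw)
    if [ -z "$gw" ]; then
        echo "no RA-learned default route: RAs are not arriving or not accepted"
        return 1
    fi
    set -- $gw   # $1 = gateway, $2 = interface
    echo "default gateway $1 on $2 (learned via RA)"
    # A link-local gateway needs the zone suffix; ping6 is the thread's tool.
    if ping6 -c 1 -W 2 "$1%$2" >/dev/null 2>&1; then
        echo "gateway answers ping"
    else
        echo "gateway does not answer ping"
    fi
    echo "neighbour entry for $1: $(ip -6 neigh show dev "$2" | neigh_state "$1")"
    ip6tables -S | nd_rules_ok
}

# Usage: sh nd-check.sh live      (the parsers can also be fed saved output)
if [ "${1:-}" = live ]; then
    diagnose
fi
```

Run `sh nd-check.sh live` on the host (the ip6tables call needs root), or pipe saved output into the functions to try them offline, e.g. `ip6tables -S | nd_rules_ok`. On the empty ACCEPT-policy ruleset flebron posted it reports all three types as allowed, on the firehol ruleset above it reports them allowed because of the explicit ACCEPTs in in_v6interop even though INPUT ends in DROP, and on a ruleset that ends in DROP without those ACCEPTs it reports them blocked and exits 1.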