Iptables: icmpv6 filtering doesn't work with the state module.

Bug #479105 reported by archange
Affects: iptables (Ubuntu)
Status: Fix Released
Importance: Undecided
Assigned to: Unassigned
Milestone:

Bug Description

Binary package hint: iptables

Ip6tables: icmpv6 filtering doesn't work with the state module.

My ip6tables configuration accepts all RELATED,ESTABLISHED incoming packets, and then I filter with the state module on "NEW" connections.
However, all icmpv6 packets are blocked.
Trying to solve the problem, I put the following line in my ip6tables configuration:
-A INPUT -p ipv6-icmp -m state --state INVALID,NEW,RELATED,ESTABLISHED -j ACCEPT
These four states are the four ones available, my source is "man ip6tables".
And even with this line, I still have my icmpv6 packets blocked.
Of course, when I remove "-m state --state INVALID,NEW,RELATED,ESTABLISHED", everything works.

Here is my ip6tables-save:

root@jade:~ $ ip6tables-save
# Generated by ip6tables-save v1.4.4 on Mon Nov 9 12:38:53 2009
*filter
:INPUT ACCEPT [134:49059]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [37988:6724645]
:LOGDROP - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p ipv6-icmp -m state --state INVALID,NEW,RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j LOGDROP
-A LOGDROP -j LOG --log-prefix "[IP6TABLES_DROP]:" --log-level 7
-A LOGDROP -j REJECT --reject-with icmp6-adm-prohibited
COMMIT
# Completed on Mon Nov 9 12:38:53 2009

Here are my logs:

Nov 9 12:51:04 jade kernel: [140114.830896] [IP6TABLES_DROP]:IN=wlan0 OUT= MAC=XXXX SRC=fe80:0000:0000:0000:0207:XXXXXX DST=XXXXX LEN=72 TC=0 HOPLIMIT=255 FLOWLBL=0 PROTO=ICMPv6 TYPE=135 CODE=0
Nov 9 12:51:04 jade kernel: [140114.834235] [IP6TABLES_DROP]:IN=wlan0 OUT= MAC=XXX SRC=fe80:0000:0000:0000:0207:XXXX DST=2a01:XXXXX LEN=72 TC=0 HOPLIMIT=255 FLOWLBL=0 PROTO=ICMPv6 TYPE=136 CODE=0
Nov 9 12:51:05 jade kernel: [140115.878427] [IP6TABLES_DROP]:IN=wlan0 OUT= MAC=XXXX SRC=fe80:0000:0000:0000:XXXX DST=2a01:0e35:2421:XXXX LEN=72 TC=0 HOPLIMIT=255 FLOWLBL=0 PROTO=ICMPv6 TYPE=135 CODE=0
Nov 9 12:51:05 jade kernel: [140115.879731] [IP6TABLES_DROP]:IN=wlan0 OUT= MAC=XXXX SRC=fe80:0000:0000:0000:XXX1 DST=2a01:0e35:2421:XXXXX LEN=72 TC=0 HOPLIMIT=255 FLOWLBL=0 PROTO=ICMPv6 TYPE=136 CODE=0
Nov 9 12:51:06 jade kernel: [140116.831000] [IP6TABLES_DROP]:IN=wlan0 OUT= MAC=00:21:6b:9d:38:e2:00:XXXX SRC=fe80:0000:0000:0000:0207:XXXX DST=2a01:XXX LEN=72 TC=0 HOPLIMIT=255 FLOWLBL=0 PROTO=ICMPv6 TYPE=135 CODE=0
Nov 9 12:51:06 jade kernel: [140116.834329] [IP6TABLES_DROP]:IN=wlan0 OUT= MAC=00:21:6b:9d:38:XXXX SRC=fe80:0000:0000:0000:XXXX DST=2a01:0e35:XXXX:XXXX LEN=72 TC=0 HOPLIMIT=255 FLOWLBL=0 PROTO=ICMPv6 TYPE=136 CODE=0
Nov 9 12:51:07 jade kernel: [140117.832041] icmpv6_send: no reply to icmp error
Nov 9 12:51:07 jade kernel: [140117.832049] icmpv6_send: no reply to icmp error
Nov 9 12:51:07 jade kernel: [140117.832054] icmpv6_send: no reply to icmp error
Nov 9 12:53:30 jade kernel: [140260.939973] [IP6TABLES_DROP]:IN=wlan0 OUT= MAC=XXXX SRC=fe80:0000:0000:0000:020e:XXX DST=ff02:0000:0000:0000:0000:0001:XXX LEN=72 TC=0 HOPLIMIT=255 FLOWLBL=0 PROTO=ICMPv6 TYPE=135 CODE=0
Nov 9 12:53:30 jade kernel: [140260.998637] [IP6TABLES_DROP]:IN=wlan0 OUT= MAC=XXX SRC=fe80:0000:0000:0000:XXX DST=ff02:0000:0000:0000:0000:XXX LEN=144 TC=0 HOPLIMIT=255 FLOWLBL=0 PROTO=ICMPv6 TYPE=134 CODE=0

Here is my uname:
Linux jade 2.6.31-14-generic #48-Ubuntu SMP Fri Oct 16 14:04:26 UTC 2009 i686 GNU/Linux
dante@jade:~ % lsb_release -rd # Its Karmic
Description: Ubuntu 9.10
Release: 9.10

And ip6tables version:
root@jade:~ $ ip6tables --version
ip6tables v1.4.4
dante@jade:~ % aptitude show iptables
Paquet : iptables
État: installé
Automatiquement installé: non
Version : 1.4.4-1ubuntu1
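
As an added example (not part of the original report), a small POSIX shell script that scans kernel log lines in the [IP6TABLES_DROP] format shown above, counts the dropped ICMPv6 types, and flags the Neighbor Discovery types 133-137 (RFC 4861), since dropping those breaks link-local address resolution regardless of what the state match does. The log lines embedded in it are constructed samples with placeholder addresses, and the log prefix is assumed to be the one used in the report.

```shell
#!/bin/sh
# Constructed sample in the [IP6TABLES_DROP] log format from the report
# (addresses are placeholders, not captured data).
SAMPLE_LOG='Nov  9 12:51:04 jade kernel: [140114.830896] [IP6TABLES_DROP]:IN=wlan0 OUT= MAC=XX SRC=fe80::1 DST=fe80::2 LEN=72 TC=0 HOPLIMIT=255 FLOWLBL=0 PROTO=ICMPv6 TYPE=135 CODE=0
Nov  9 12:51:04 jade kernel: [140114.834235] [IP6TABLES_DROP]:IN=wlan0 OUT= MAC=XX SRC=fe80::1 DST=2001:db8::2 LEN=72 TC=0 HOPLIMIT=255 FLOWLBL=0 PROTO=ICMPv6 TYPE=136 CODE=0
Nov  9 12:53:30 jade kernel: [140260.998637] [IP6TABLES_DROP]:IN=wlan0 OUT= MAC=XX SRC=fe80::1 DST=ff02::1 LEN=144 TC=0 HOPLIMIT=255 FLOWLBL=0 PROTO=ICMPv6 TYPE=134 CODE=0
Nov  9 12:53:31 jade kernel: [140261.000000] [IP6TABLES_DROP]:IN=wlan0 OUT= MAC=XX SRC=2001:db8::9 DST=2001:db8::2 LEN=64 TC=0 HOPLIMIT=64 FLOWLBL=0 PROTO=ICMPv6 TYPE=128 CODE=0
Nov  9 12:51:07 jade kernel: [140117.832041] icmpv6_send: no reply to icmp error'

# Names for the Neighbor Discovery types (RFC 4861); anything else is reported by number.
nd_name() {
    case "$1" in
        133) echo "router-solicitation" ;;
        134) echo "router-advertisement" ;;
        135) echo "neighbor-solicitation" ;;
        136) echo "neighbor-advertisement" ;;
        137) echo "redirect" ;;
        *)   echo "type-$1" ;;
    esac
}

# Read log lines on stdin; print "<count> <type> <name>" for each dropped ICMPv6 type, ordered by type.
dropped_icmpv6_types() {
    grep 'IP6TABLES_DROP' | grep 'PROTO=ICMPv6' \
    | sed -n 's/.*TYPE=\([0-9]*\).*/\1/p' | sort -n | uniq -c \
    | while read -r count type; do
        printf '%s %s %s\n' "$count" "$type" "$(nd_name "$type")"
    done
}

# Return 0 (and print a finding) if any Neighbor Discovery type 133-137 was dropped, else return 1.
nd_blocked() {
    found=$(dropped_icmpv6_types | awk '$2 >= 133 && $2 <= 137 { n++ } END { print n+0 }')
    if [ "$found" -gt 0 ]; then
        echo "Neighbor Discovery traffic is being dropped; link-local address resolution will fail."
        return 0
    fi
    return 1
}

printf '%s\n' "$SAMPLE_LOG" | dropped_icmpv6_types
printf '%s\n' "$SAMPLE_LOG" | nd_blocked
```

Because Neighbor Discovery is link-local and stateless, IPv6 firewalls commonly accept these types explicitly ahead of any state match rather than relying on connection tracking to classify them.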

Jamie Strandboge (jdstrand) wrote:

Thank you for using Ubuntu and reporting a bug. This seems to be fixed now:

$ sudo ip6tables -I INPUT -p ipv6-icmp -m state --state INVALID,NEW,RELATED,ESTABLISHED -j DROP

$ ping6 -c 1 ipv6.google.com
PING ipv6.google.com(dfw06s07-in-x10.1e100.net) 56 data bytes

--- ipv6.google.com ping statistics ---
1 packets transmitted, 0 received, 100% packet loss, time 0ms

$ sudo ip6tables -I INPUT -p ipv6-icmp -m state --state INVALID,NEW,RELATED,ESTABLISHED -j ACCEPT

$ ping6 -c 1 ipv6.google.com
PING ipv6.google.com(dfw06s07-in-x14.1e100.net) 56 data bytes
64 bytes from dfw06s07-in-x14.1e100.net: icmp_seq=1 ttl=53 time=158 ms

--- ipv6.google.com ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 158.871/158.871/158.871/0.000 ms

As such, I am marking it as Fixed Released. If this is still not working for you, I suggest you bring it up on askubuntu.com. If there is indeed still a bug, please file a new bug. Thanks!

Changed in iptables (Ubuntu):
status: New → Fix Released