US sites unable to access my UK IPv6 space
Shadow Hawkins on Thursday, 17 March 2016 16:40:42
My PoP is gblon02 - Goscomb Technologies.
I have set up my domain (saitan.eu) and everything seems OK:
DNS Report
However, when people from the US try to access my mail server it is stopped at gw-547.lon-02.gb.sixxs.net :
traceroute6 to 2a01:348:1e5:cafe::25 (2a01:348:1e5:cafe::25) from 2001:470:c27d:18::11, 64 hops max, 12 byte packets
1 ipv6router.sscorp.com 1.014 ms 0.729 ms 0.713 ms
2 servicespring-1.tunnel.tserv9.chi1.ipv6.he.net 33.313 ms 27.833 ms 27.725 ms
3 ge3-4.core1.chi1.he.net 23.892 ms 27.881 ms 24.920 ms
4 100ge5-2.core1.nyc4.he.net 45.579 ms 40.182 ms 46.639 ms
5 10ge4-1.core1.nyc5.he.net 46.868 ms 43.634 ms 46.803 ms
6 2001:504:17:115::227 40.335 ms 63.033 ms 41.015 ms
7 ge-1-1-11-0.edge00.thn.uk.hso-group.net 122.601 ms 114.687 ms 114.157 ms
8 xe-8-3.core00.thn.uk.hso-group.net 122.647 ms 112.839 ms 118.600 ms
9 xe-4-1.core00.thw.uk.hso-group.net 130.524 ms 121.278 ms 157.215 ms
10 gblon02.sixxs.net 117.406 ms 112.898 ms 112.826 ms
11 gw-547.lon-02.gb.sixxs.net 114.533 ms 119.657 ms 115.030 ms
Anyone knows why?
Thanks
Renato
US sites unable to access my UK IPv6 space
Jeroen Massar on Thursday, 17 March 2016 16:46:31
> gw-547.lon-02.gb.sixxs.net
that is the PoP side of the tunnel, thus the packets reach the tunnel. The next hop would be your end of the tunnel. Hence, check tcpdump/firewall rules / routing etc etc etc.
See the big yellow/orange warning when posting which points to the Contact page and asks to provide a lot more details.
Most very likely this is not a "US" issue, but simply a configuration issue on your side.
Reverse traceroute (from you to the remote site) is also a great idea...
US sites unable to access my UK IPv6 space
Shadow Hawkins on Thursday, 17 March 2016 16:52:51
Renato Strazzeri de Araujo wrote: (quotes the opening post in full)
US sites unable to access my UK IPv6 space
Shadow Hawkins on Thursday, 17 March 2016 17:08:09
Thanks Jeroen for your prompt reply.
I mentioned the US because some UK/European web-based IPv6 tools seem to reach all my hosts.
I know it looks like a firewall issue, but I don't have any logs, and while tcpdumping live on my sixxs interfaces there are no packets coming from the alleged sites.
I can traceroute6 fine back:
traceroute to servicespring-1.tunnel.tserv9.chi1.ipv6.he.net (2001:470:1f10:2aa::1), 30 hops max, 80 byte packets
1 gw-547.lon-02.gb.sixxs.net (2a01:348:6:222::1) 9.057 ms 9.691 ms 10.587 ms
2 gblon02.sixxs.net (2a01:348:0:4:0:3:1:1) 11.237 ms 12.242 ms 12.714 ms
3 ge-0-0-5-20.cs0.thw.uk.goscomb.net (2a01:348:0:4:0:3:0:1) 25.694 ms 25.525 ms 25.494 ms
4 xe-3-1.core00.the.uk.hso-group.net (2a01:348::65:0:1) 21.776 ms 21.873 ms 21.709 ms
5 ae-1.core00.thn.uk.hso-group.net (2a01:348::80:0:1) 20.136 ms 21.093 ms 23.239 ms
6 lonap.he.net (2001:7f8:17::1b1b:1) 23.213 ms 12.005 ms 10.235 ms
7 10ge2-9.core1.lon2.he.net (2001:470:0:2cd::1) 17.223 ms 16.903 ms 16.755 ms
8 100ge1-1.core1.nyc4.he.net (2001:470:0:2cf::2) 92.500 ms 91.625 ms 90.216 ms
9 100ge7-2.core1.chi1.he.net (2001:470:0:298::1) 132.205 ms 132.644 ms 132.468 ms
10 servicespring-1.tunnel.tserv9.chi1.ipv6.he.net (2001:470:1f10:2aa::1) 103.303 ms 105.287 ms 98.549 ms
These are my iptables rules:
# Generated by ip6tables-save v1.4.14 on Wed Feb 10 18:21:14 2016
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:AllowICMPs - [0:0]
-A INPUT -m rt --rt-type 0 --rt-segsleft 0 -j DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -i sixxs -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i br0 -j ACCEPT
-A INPUT -s fe80::/10 -j ACCEPT
-A INPUT -s 2a01:348:1e5:cafe::/64 -j ACCEPT
-A INPUT -d ff00::/8 -j ACCEPT
-A INPUT -p ipv6-icmp -j AllowICMPs
-A INPUT -d 2a01:348:1e5:cafe::1:53/128 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -d 2a01:348:1e5:cafe::1:53/128 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -d 2a01:348:1e5:cafe::53/128 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -d 2a01:348:1e5:cafe::53/128 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -d 2a01:348:1e5:cafe::2:53/128 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -d 2a01:348:1e5:cafe::2:53/128 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -d 2a01:348:1e5:cafe::80/128 -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -d 2a01:348:1e5:cafe::80/128 -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -d 2a01:348:1e5:cafe::25/128 -p tcp -m tcp --dport 25 -j ACCEPT
-A INPUT -d 2a01:348:1e5:cafe::2:25/128 -p tcp -m tcp --dport 25 -j ACCEPT
-A INPUT -j LOG --log-prefix "INPUT-v6:"
-A FORWARD -m rt --rt-type 0 --rt-segsleft 0 -j DROP
-A FORWARD -s 2a01:348:1e5::/48 -i br0 -o sixxs -m state --state NEW -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -d 2a01:348:1e5::/48 -i sixxs -p tcp -m tcp --dport 33600:33604 -j ACCEPT
-A FORWARD -p ipv6-icmp -j AllowICMPs
-A FORWARD -d 2a01:348:1e5:cafe::1:53/128 -i sixxs -p tcp -m tcp --dport 53 -j ACCEPT
-A FORWARD -d 2a01:348:1e5:cafe::1:53/128 -i sixxs -p udp -m udp --dport 53 -j ACCEPT
-A FORWARD -d 2a01:348:1e5:cafe::53/128 -i sixxs -p tcp -m tcp --dport 53 -j ACCEPT
-A FORWARD -d 2a01:348:1e5:cafe::53/128 -i sixxs -p udp -m udp --dport 53 -j ACCEPT
-A FORWARD -d 2a01:348:1e5:cafe::2:53/128 -i sixxs -p tcp -m tcp --dport 53 -j ACCEPT
-A FORWARD -d 2a01:348:1e5:cafe::2:53/128 -i sixxs -p udp -m udp --dport 53 -j ACCEPT
-A FORWARD -d 2a01:348:1e5:cafe::80/128 -i sixxs -p tcp -m tcp --dport 80 -j ACCEPT
-A FORWARD -d 2a01:348:1e5:cafe::80/128 -i sixxs -p tcp -m tcp --dport 443 -j ACCEPT
-A FORWARD -d 2a01:348:1e5:cafe::25/128 -i sixxs -p tcp -m tcp --dport 25 -j ACCEPT
-A FORWARD -d 2a01:348:1e5:cafe::2:25/128 -i sixxs -p tcp -m tcp --dport 25 -j ACCEPT
-A FORWARD -j LOG --log-prefix "FORWARD-v6:"
-A OUTPUT -m rt --rt-type 0 --rt-segsleft 0 -j DROP
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -o sixxs -j ACCEPT
-A OUTPUT -o br0 -j ACCEPT
-A OUTPUT -s 2a01:348:1e5:cafe::/64 -j ACCEPT
-A OUTPUT -s fe80::/10 -j ACCEPT
-A OUTPUT -d ff00::/8 -j ACCEPT
-A OUTPUT -j LOG --log-prefix "OUTPUT-v6:"
-A AllowICMPs -p ipv6-icmp -m icmp6 --icmpv6-type 1 -j ACCEPT
-A AllowICMPs -p ipv6-icmp -m icmp6 --icmpv6-type 2 -j ACCEPT
-A AllowICMPs -p ipv6-icmp -m icmp6 --icmpv6-type 3 -j ACCEPT
-A AllowICMPs -p ipv6-icmp -m icmp6 --icmpv6-type 4 -j ACCEPT
-A AllowICMPs -p ipv6-icmp -m icmp6 --icmpv6-type 128 -m limit --limit 5/sec --limit-burst 10 -j ACCEPT
-A AllowICMPs -p ipv6-icmp -m icmp6 --icmpv6-type 129 -j ACCEPT
COMMIT
# Completed on Wed Feb 10 18:21:14 2016
I will keep on looking
Thanks again
US sites unable to access my UK IPv6 space
Jeroen Massar on Thursday, 17 March 2016 17:43:33
> I can traceroute6 fine back:
What is the source address of your traceroute?
> These are my iptables rules:
That is a dump, you need to check what is actually running.
While doing that, check the counters.
You are trying traceroutes, but do you properly allow traceroutes with your rules?
Also, connection tracking is typically not a smart idea... but it all depends on what you are "protecting".
> -A AllowICMPs -p ipv6-icmp -m icmp6 --icmpv6-type 1 -j ACCEPT
Why are you only allowing certain types of ICMP? What is wrong with the others?
Are you aware what ICMP is for?
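To make "do you properly allow traceroutes with your rules?" concrete, here is an added example (my code, not from the thread, SixXS or its authors): a small offline evaluator for the subset of ip6tables-save syntax used in the ruleset posted above. It walks the FORWARD chain with synthetic probes from the HE tunnel endpoint seen in the traceroutes (the DNS/HTTP rules and the second MX rule are left out because they cannot match these probes). The UDP port range 33434:33534 in the extra rule is my assumption of what classic UDP traceroute needs; the ruleset's own TCP 33600:33604 rule only covers a TCP-mode traceroute, and ICMP echo is admitted via AllowICMPs.

```python
"""Added example (not from the SixXS thread or its authors): a small offline
evaluator for the subset of ip6tables-save syntax used in the ruleset posted
above, walked with synthetic traceroute and SMTP probes to answer Jeroen's
question of whether the rules allow traceroute at all."""
import ipaddress
import shlex

# Constructed input: the posted FORWARD and AllowICMPs chains with the DNS/HTTP
# rules and the second MX rule left out (they cannot match these probes).
RULESET = """
*filter
:FORWARD DROP [0:0]
:AllowICMPs - [0:0]
-A FORWARD -m rt --rt-type 0 --rt-segsleft 0 -j DROP
-A FORWARD -s 2a01:348:1e5::/48 -i br0 -o sixxs -m state --state NEW -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -d 2a01:348:1e5::/48 -i sixxs -p tcp -m tcp --dport 33600:33604 -j ACCEPT
-A FORWARD -p ipv6-icmp -j AllowICMPs
-A FORWARD -d 2a01:348:1e5:cafe::25/128 -i sixxs -p tcp -m tcp --dport 25 -j ACCEPT
-A FORWARD -j LOG --log-prefix "FORWARD-v6:"
-A AllowICMPs -p ipv6-icmp -m icmp6 --icmpv6-type 1 -j ACCEPT
-A AllowICMPs -p ipv6-icmp -m icmp6 --icmpv6-type 2 -j ACCEPT
-A AllowICMPs -p ipv6-icmp -m icmp6 --icmpv6-type 3 -j ACCEPT
-A AllowICMPs -p ipv6-icmp -m icmp6 --icmpv6-type 4 -j ACCEPT
-A AllowICMPs -p ipv6-icmp -m icmp6 --icmpv6-type 128 -m limit --limit 5/sec --limit-burst 10 -j ACCEPT
-A AllowICMPs -p ipv6-icmp -m icmp6 --icmpv6-type 129 -j ACCEPT
COMMIT
"""

# Assumed fix (my addition, not from the thread): classic traceroute sends UDP
# to destination ports 33434 and up, one port per probe, so admit that range.
UDP_PROBE_RULE = ("-A FORWARD -d 2a01:348:1e5::/48 -i sixxs -p udp -m udp "
                  "--dport 33434:33534 -j ACCEPT")
FIXED = RULESET.replace("-A FORWARD -p ipv6-icmp -j AllowICMPs",
                        UDP_PROBE_RULE + "\n-A FORWARD -p ipv6-icmp -j AllowICMPs")


def parse(text):
    """Return (policies, chains). Every option in this dialect is 'flag value';
    '-m module' only loads a match extension, so it is skipped."""
    policies, chains = {}, {}
    for line in text.splitlines():
        if line.startswith(":"):                     # ":NAME POLICY [pkts:bytes]"
            name, policy = line[1:].split()[:2]
            policies[name] = None if policy == "-" else policy
            chains[name] = []
        elif line.startswith("-A "):
            argv = shlex.split(line)[1:]             # shlex keeps the quoted log prefix whole
            rule = {argv[i]: argv[i + 1]
                    for i in range(1, len(argv), 2) if argv[i] != "-m"}
            chains[argv[0]].append(rule)
    return policies, chains


def matches(rule, pkt):
    """Match a rule against a synthetic packet. Probes carry no routing header,
    so '-m rt' rules never match; '-m limit' is treated as always matching."""
    if "--rt-type" in rule:
        return False
    if "--state" in rule and pkt["state"] not in rule["--state"].split(","):
        return False
    for flag, key in (("-i", "in"), ("-o", "out"), ("-p", "proto")):
        if flag in rule and rule[flag] != pkt[key]:
            return False
    for flag, key in (("-s", "src"), ("-d", "dst")):
        if flag in rule and ipaddress.ip_address(pkt[key]) not in ipaddress.ip_network(rule[flag]):
            return False
    if "--dport" in rule:
        lo, _, hi = rule["--dport"].partition(":")
        if pkt["dport"] is None or not int(lo) <= pkt["dport"] <= int(hi or lo):
            return False
    return "--icmpv6-type" not in rule or int(rule["--icmpv6-type"]) == pkt["icmp_type"]


def verdict(policies, chains, chain, pkt):
    """First terminating target wins; LOG falls through; a user chain that
    reaches its end returns None so the caller continues, as netfilter does."""
    for rule in chains[chain]:
        if not matches(rule, pkt):
            continue
        target = rule["-j"]
        if target in ("ACCEPT", "DROP", "REJECT"):
            return target
        if target in chains:
            result = verdict(policies, chains, target, pkt)
            if result is not None:
                return result
    return policies.get(chain)


def probe(proto, dport=None, icmp_type=None):
    """Inbound packet from the HE tunnel endpoint seen in the traceroutes,
    entering on sixxs, to be forwarded to the MX on br0; 'NEW' because no
    conntrack entry exists for a fresh probe."""
    return {"in": "sixxs", "out": "br0", "src": "2001:470:1f10:2aa::1",
            "dst": "2a01:348:1e5:cafe::25", "proto": proto, "dport": dport,
            "icmp_type": icmp_type, "state": "NEW"}


def forward_verdicts(text):
    """FORWARD-chain verdict for SMTP and for the three traceroute flavours."""
    policies, chains = parse(text)
    probes = {"smtp": probe("tcp", dport=25),
              "tcp-traceroute": probe("tcp", dport=33600),
              "icmp-traceroute": probe("ipv6-icmp", icmp_type=128),
              "udp-traceroute": probe("udp", dport=33434)}
    return {name: verdict(policies, chains, "FORWARD", p) for name, p in probes.items()}


if __name__ == "__main__":
    print("posted ruleset:", forward_verdicts(RULESET))    # udp-traceroute -> DROP
    print("with UDP probe rule:", forward_verdicts(FIXED))  # udp-traceroute -> ACCEPT
```

With the posted rules, SMTP, a TCP-mode traceroute to port 33600 and an ICMPv6 echo probe are all accepted, but a default UDP traceroute probe falls through to the LOG rule and the chain's DROP policy, which is exactly the split between "TCP/ICMP works, UDP does not" that a remote traceroute would show. The evaluator ignores negated matches and anything outside the options this ruleset uses, so use it to reason about a dump, not as a substitute for reading the live counters from the running ruleset.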
US sites unable to access my UK IPv6 space
Shadow Hawkins on Friday, 18 March 2016 15:13:24
Jeroen Massar wrote:
> > I can traceroute6 fine back:
> What is the source address of your traceroute?
I tried tracerouting from all my internal hosts (about 15).
> > These are my iptables rules:
> That is a dump, you need to check what is actually running. While doing that, check the counters.
Thanks, it helped me with more info.
> You are trying traceroutes, but do you properly allow traceroutes with your rules?
It worked for TCP/ICMP traceroute but not UDP. I fixed it now, thanks!!!
> Also, connection tracking is typically not a smart idea... but it all depends on what you are "protecting".
> > -A AllowICMPs -p ipv6-icmp -m icmp6 --icmpv6-type 1 -j ACCEPT
> Why are you only allowing certain types of ICMP? What is wrong with the others?
Got the suggestion from here:
https://www.sixxs.net/wiki/IPv6_Firewalling
Seems reasonable.
The issue was the UDP traceroute and it is now sorted.
Many thanks again