<h2>IPv6 connectivity of security.debian.org</h2>
<p>Posted 2016-11-26 (last modified 2016-11-27) at <a href="https://tollana.d-tor.org/notes-to-self/?p=271">https://tollana.d-tor.org/notes-to-self/?p=271</a>. Categories: linux, network. Tags: debian, iptables, ipv6, sysctl.</p>
<h3>The Problem</h3>
<p>I have been hunting this down for quite some time now: several virtual hosts weren't able to connect to security.debian.org. First I thought it was me, even though I had all the ingredients for IPv6 forwarding to work (this is the ip6tables filter table on the host):</p>
<pre>*filter
:FORWARD DROP [0:0]
-A FORWARD -p ipv6-icmp -j ACCEPT
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT</pre>
<p>Of course, net.ipv6.conf.*.forwarding was set on the host. That should be enough to forward all outgoing connections and drop incoming ones, right? And it does, for pretty much any host, <i>except</i> security.debian.org (AKA lobos.debian.org and villa.debian.org). There may be more, but that one caught my attention because apt update hung right there (ftp.de.debian.org worked, by the way). Note that, as quoted, the chain accepts no NEW connections from the VM side at all, so the listing must be abbreviated; a rule to that effect is implied by every other host working.</p>
<p>First I thought it was the MTU, but that was a red herring. After a while I realized that it worked when the FORWARD policy was ACCEPT, but of course that wasn't a viable solution. So I dug deeper. Strangely enough, with the policy back to DROP and this rule:</p>
<pre>-A FORWARD -d &lt;VM-IPv6&gt; -p tcp -m multiport \
   --sports 80,443 -j ACCEPT</pre>
<p>it also worked, but this wasn't enough:</p>
<pre>-A FORWARD -s &lt;VM-IPv6&gt; -j ACCEPT</pre>
<p>WTF? Fortunately I had a working virtual machine (also Debian 8.6, same kernel), so I ended up comparing the IPv6 sysctl values of the two (sysctl -a | grep ipv6).</p>
<h3>The solution</h3>
<p>As it turned out, the only difference was that the working virtual machine had net.ipv6.conf.*.forwarding enabled. So I added</p>
<pre>net.ipv6.conf.all.forwarding=1
net.ipv6.conf.default.forwarding=1</pre>
<p>to /etc/sysctl.conf of the failing <strong>virtual machine</strong>, rebooted, and then it finally worked™! I don't have the slightest clue why this is necessary, though. The VM is the final receiver, the end of the chain, but certainly not a router! Maybe it's a kernel bug, I don't know... I'm just glad it works 🙂</p>
<p>Just calling sysctl -w doesn't do it, by the way. You have to take the interface down and up again for it to take effect, hence the reboot...</p>
<p>Two side effects of forwarding=1 are worth knowing before copying this fix onto other guests. First, with the default accept_ra=1 the kernel stops processing Router Advertisements as soon as forwarding is enabled, so an address or default route learned via SLAAC/RA is no longer renewed; a guest that depends on RAs needs accept_ra=2 as well. If the root cause is ever chased down, that switch from IPv6 host behaviour to router behaviour (which addresses the guest configures and which routes it uses) is the place to start. Second, the guest will now genuinely forward packets between its interfaces, so its own FORWARD chain should default to DROP, exactly like the host's.</p>
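The host ruleset quoted under "The Problem" shows only the ICMPv6 and RELATED,ESTABLISHED rules. As an added example, not the post's own configuration, here is a complete FORWARD chain for a host that bridges its guests on br0 to the uplink eth0, in the same ip6tables-restore syntax the post uses. The interface names, the guest prefix 2001:db8:1::/64 and the rate-limited LOG rule are assumptions.

```iptables
# Added example: complete FORWARD chain for a host forwarding IPv6 for its guests.
# Assumptions: guests are on br0, uplink is eth0, guest prefix is 2001:db8:1::/64.
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Packets conntrack cannot classify (out-of-window segments, unmatched RST/ACK)
# are dropped explicitly instead of falling through to the policy unnoticed.
-A FORWARD -m conntrack --ctstate INVALID -j DROP
# Replies to connections the guests opened (and related ICMPv6 errors).
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# ICMPv6 is not optional in IPv6 (Path MTU discovery, neighbour discovery);
# accept it in both directions.
-A FORWARD -p ipv6-icmp -j ACCEPT
# The rule the post's excerpt does not show: new connections that originate
# on the guest side, restricted to the guest prefix so a guest cannot spoof
# addresses outside it.
-A FORWARD -i br0 -o eth0 -s 2001:db8:1::/64 -m conntrack --ctstate NEW -j ACCEPT
# Everything else (unsolicited inbound to the guests) is logged, rate-limited,
# and then hits the DROP policy.
-A FORWARD -m limit --limit 5/min -j LOG --log-prefix "ip6 FORWARD drop: "
COMMIT
```

Load it with ip6tables-restore and watch the kernel log while reproducing the hang: with the INVALID drop in place, return packets that conntrack no longer associates with a guest connection show up in the log instead of silently vanishing, which narrows a "works for every host but one" symptom to either the host filter or the guest.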
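Comparing sysctl -a | grep ipv6 output by hand, as the post does, is tedious, and the post's fix has a consequence (RA processing stops once forwarding is on with accept_ra=1) that is easy to miss. The following POSIX shell script, an added example and not the post's own, diffs two sysctl dumps and reports, per interface, whether Router Advertisements will still be processed. The two dumps, the interface name eth0 and their values are constructed for the example; the accept_ra semantics (0 never, 1 only while forwarding is off, 2 always) are the documented kernel behaviour.

```shell
#!/bin/sh
# Added example, not from the original post. Reproduces the author's
# "sysctl -a | grep ipv6" comparison offline and adds the check a
# practitioner wants before flipping forwarding on a VM: whether Router
# Advertisements will still be processed. Both dumps below are constructed
# samples (assumed values for a Debian 8 guest with one interface, eth0),
# not captures from the post.

FAILING_VM='net.ipv6.conf.all.accept_ra = 1
net.ipv6.conf.all.forwarding = 0
net.ipv6.conf.default.accept_ra = 1
net.ipv6.conf.default.forwarding = 0
net.ipv6.conf.eth0.accept_ra = 1
net.ipv6.conf.eth0.forwarding = 0'

WORKING_VM='net.ipv6.conf.all.accept_ra = 1
net.ipv6.conf.all.forwarding = 1
net.ipv6.conf.default.accept_ra = 1
net.ipv6.conf.default.forwarding = 1
net.ipv6.conf.eth0.accept_ra = 1
net.ipv6.conf.eth0.forwarding = 1'

# sysctl_diff OLD NEW: print "key: old -> new" for every key present in both
# dumps whose value differs (keys present in only one dump are ignored).
sysctl_diff() {
    { printf '%s\n' "$1"; echo '---'; printf '%s\n' "$2"; } | awk -F' = ' '
        /^---$/ { second = 1; next }
        !second { a[$1] = $2; next }
        ($1 in a) && a[$1] != $2 { print $1 ": " a[$1] " -> " $2 }'
}

# ra_status FORWARDING ACCEPT_RA: documented accept_ra semantics
# (Documentation/networking/ip-sysctl.txt): 0 = never accept RAs,
# 1 = accept only while forwarding is disabled, 2 = accept even as a router.
ra_status() {
    case "$2" in
        0) echo ignored ;;
        2) echo processed ;;
        1) if [ "$1" -eq 0 ]; then echo processed; else echo ignored; fi ;;
        *) echo unknown ;;
    esac
}

# ra_report DUMP: one line per interface stating whether RAs are processed.
ra_report() {
    printf '%s\n' "$1" | awk -F' = ' '
        $1 ~ /^net\.ipv6\.conf\.[^.]+\.(forwarding|accept_ra)$/ {
            split($1, p, ".")
            v[p[4], p[5]] = $2
            seen[p[4]] = 1
        }
        END { for (i in seen) print i, v[i, "forwarding"] + 0, v[i, "accept_ra"] + 0 }' |
    sort | while read -r iface fwd ra; do
        echo "$iface: forwarding=$fwd accept_ra=$ra -> RAs $(ra_status "$fwd" "$ra")"
    done
}

echo "== sysctl differences (failing -> working) =="
sysctl_diff "$FAILING_VM" "$WORKING_VM"
echo "== RA processing on the working VM =="
ra_report "$WORKING_VM"
```

To use it on real machines, replace the two constructed dumps with the output of sysctl -a 2>/dev/null | grep '^net.ipv6' captured on each guest. A line reading "RAs ignored" for the uplink interface after the fix means the guest now relies entirely on statically configured addresses and routes, which is the state to verify before trusting the fix.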