IPv6/ip6tables: last INPUT rule with icmp6-port-unreachable causes problems

After discovering that my home router (FritzBox 7530) was partially communicating via IPv6, I also set up the ip6tables.service. According to my IPv4 rules, I entered

```
-A INPUT -j REJECT --reject-with icmp6-port-unreachable
```

as the last INPUT rule. However, this resulted in both the ping to the router’s IPv6 address not working and the HTTP GUI presentation being incomplete.

Replacing the line with

```
-A INPUT -j DROP
```

solved the problem.

Can anybody tell me why?

Hi @Acor,

No I can’t tell you why, but here’s a

:bangbang: Tip :bangbang:

When posting terminal output, copy the output and paste it here, wrapped in three (3) backticks, before AND after the pasted text. Like this:

```
pasted text
```

Or three (3) tilde signs, like this:

~~~
pasted text
~~~

This will just cause it to be rendered like this:

Sed
sollicitudin dolor
eget nisl elit id
condimentum
arcu erat varius
cursus sem quis eros.

Instead of like this:

Sed sollicitudin dolor eget nisl elit id condimentum arcu erat varius cursus sem quis eros.

Alternatively, paste the text you wish to format as terminal output, select all pasted text, and click the </> button on the taskbar. This will indent the whole pasted section with one TAB, causing it to render the same way as described above.

Thereby increasing legibility thus making it easier for those trying to provide assistance.

For more information, please see:

As I’m a moderator on the forum, I have taken the liberty of doing this for you, this time.


:bangbang::bangbang: Additionally

If your language isn’t English, please prepend any and all terminal commands with LC_ALL=C. For example:

LC_ALL=C bluetoothctl

This will just cause the terminal output to be in English, making it easier to understand and debug.

Note that the above text is partially pre-prepared as a general introduction for new forum Users. Please take the time to understand how it is done and encourage quality responses.

DROP tells the kernel to silently drop the packet, i.e. to ignore it. REJECT sends a packet back to the sender that the device is unreachable. You are even telling it what error message it must convey.

Also, a ping is not a TCP packet — it’s an ICMP packet — and therefore it is port-agnostic. It operates at the level of the network layer, rather than at the level of the transport layer.

The real cause was that apparently no preceding rule matched the connection. I had entered this as the rule for local addresses:

```
-A INPUT -s fe80::/64 -j ACCEPT
```

But the FritzBox has its own ULA and also provides the local devices in the LAN with a generated corresponding ULA with the identical first half (64 of 128). After adding this additional rule

```
-A INPUT -s *ULA-Half*/64 -j ACCEPT
```

I was able to reinstate the ICMP rejection as the last rule in the INPUT chain.

Addendum (a few days later): In the meantime, I've switched to nftables. Because not all information was displayed smoothly in the FritzBox GUI, I discovered that entries for ICMPv6 were missing. I've added them:

```
icmpv6 type { echo-request, echo-reply, nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert } accept
```

In addition, when accessing fritz.box/, a hint about parental controls appeared, which can be bypassed either by clicking the redirect button or directly by accessing fritz.box/start.

The ping seemed to be acknowledged despite -j DROP.
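A complete nftables input chain in the rule order this thread arrives at, as an added example (not the poster's ruleset or AVM's): ICMPv6, link-local and the LAN ULA are accepted before the final reject, so the port-unreachable rule is only reached by traffic nothing above has matched. The LAN ULA /64 is a constructed placeholder, and the set goes beyond the six types quoted above by also accepting the ICMPv6 error types (destination-unreachable, packet-too-big, time-exceeded, parameter-problem) that path-MTU discovery and error reporting depend on.

```nft
#!/usr/sbin/nft -f
# Added example, not the original poster's ruleset.
# PLACEHOLDER: substitute the /64 ULA prefix the FritzBox hands out to the LAN.
define lan_ula = fd00:0:0:1::/64

flush ruleset

table inet filter {
    chain input {
        type filter hook input priority filter; policy drop;

        iif "lo" accept
        ct state established,related accept
        ct state invalid drop

        # ICMPv6 must be accepted before any reject rule: neighbour discovery and
        # router advertisements are what make IPv6 on the LAN work at all.
        icmpv6 type {
            echo-request, echo-reply,
            nd-router-solicit, nd-router-advert,
            nd-neighbor-solicit, nd-neighbor-advert,
            destination-unreachable, packet-too-big,
            time-exceeded, parameter-problem
        } accept

        # The two source ranges the router and LAN hosts actually use:
        # link-local and the router's own ULA prefix.
        ip6 saddr fe80::/64 accept
        ip6 saddr $lan_ula accept

        # Last rule, the nftables equivalent of
        # "-A INPUT -j REJECT --reject-with icmp6-port-unreachable".
        # Anything reaching this line was not matched by the LAN rules above,
        # which is exactly the situation that broke ping and the FritzBox GUI.
        reject with icmpv6 type port-unreachable
    }
}
```

Load it with `nft -f <file>` and check the counters with `nft list ruleset` while reloading the FritzBox GUI; if hits land on the final reject rule, a source prefix the router uses is still missing above it.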
