OpenVZ Forum


Outbound IPv6 -> Permission Denied [message #43165] Wed, 03 August 2011 03:17
optize
I have an interesting problem.

IPv6 works on the VPS node:

[root@vz01 ~]# telnet ipv6.google.com 80
Trying 2001:4860:4001:803::1010...
Connected to ipv6.l.google.com (2001:4860:4001:803::1010).
Escape character is '^]'.

IPv6 ICMP works on the VPS:

[root@hub3 /]# ping6 ipv6.google.com
PING ipv6.google.com(2001:4860:4001:803::1010) 56 data bytes
64 bytes from 2001:4860:4001:803::1010: icmp_seq=1 ttl=54 time=20.5 ms
64 bytes from 2001:4860:4001:803::1010: icmp_seq=2 ttl=54 time=20.8 ms

IPv6 TCP fails due to permission denied:

[root@hub3 /]# telnet ipv6.google.com 80
Trying 2001:4860:4001:803::1010...
telnet: connect to address 2001:4860:4001:803::1010: Permission denied

Anyone run into this before? iptables is off.

Re: Outbound IPv6 -> Permission Denied [message #43184 is a reply to message #43165] Thu, 04 August 2011 04:03
shaggy63
post the following:
output from iptables --list
sysctl.conf

Re: Outbound IPv6 -> Permission Denied [message #43185 is a reply to message #43165] Thu, 04 August 2011 04:18
shaggy63
/etc/init.d/ip6tables stop

Re: Outbound IPv6 -> Permission Denied [message #43192 is a reply to message #43184] Thu, 04 August 2011 14:41
optize
ip6tables isn't installed:

[root@hub3 /]# ip6tables --list -n
-bash: ip6tables: command not found

[root@hub3 /]# service ip6tables stop
ip6tables: unrecognized service

[root@hub3 /]# iptables --list -n
Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

[root@hub3 /]# cat /etc/sysctl.conf
# Kernel sysctl configuration file for Red Hat Linux
#
# For binary values, 0 is disabled, 1 is enabled. See sysctl(8) and
# sysctl.conf(5) for more details.

# Controls IP packet forwarding
net.ipv4.ip_forward = 0

# Controls source route verification
# net.ipv4.conf.default.rp_filter = 1

# Do not accept source routing
# net.ipv4.conf.default.accept_source_route = 0

# Controls the System Request debugging functionality of the kernel
# kernel.sysrq = 0

# Controls whether core dumps will append the PID to the core filename.
# Useful for debugging multi-threaded applications.
# kernel.core_uses_pid = 1

# Controls the use of TCP syncookies
net.ipv4.tcp_syncookies = 1

# Disable netfilter on bridges.
net.bridge.bridge-nf-call-ip6tables = 0
net.bridge.bridge-nf-call-iptables = 0
net.bridge.bridge-nf-call-arptables = 0
[root@hub3 /]#

This is a brand new VPS off the OpenVZ templates.

[Updated on: Thu, 04 August 2011 14:41]


Re: Outbound IPv6 -> Permission Denied [message #43194 is a reply to message #43185] Thu, 04 August 2011 18:32
optize
shaggy63 wrote on Thu, 04 August 2011 00:18
/etc/init.d/ip6tables stop


That was it... However, on the VPS host node.

Didn't realize having firewall rules on the host node would cause the actual VPS to be firewalled off as well.

Thanks.

Re: Outbound IPv6 -> Permission Denied [message #52301 is a reply to message #43165] Wed, 20 January 2016 10:26
grin
As a side note, the same effect can be observed (IPv6 connect gets EPERM or permission denied) when any firewall on the way rejects the packets with "reject-with icmp6-adm-prohibited".

The icmp6 comes back and the OS gives you "permission denied". Quite a confusing result ["permission denied" usually means local permissions, not external ones] but kind of correct.
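
The situation described in the posts above, as an added example that is not part of the thread: a shell function that scans a host node's ip6tables-save output for filter-table FORWARD entries that block routed container traffic, tagging icmp6-adm-prohibited rejects as the ones a container sees as "Permission denied". The function name, the tags and the sample ruleset are constructed for illustration, and the example assumes container traffic is routed through the host's FORWARD chain.

```shell
#!/bin/sh
# Added example, not from the thread. Run on the host node (not in the container):
#   ip6tables-save | audit_forward_chain

# Constructed sample ruleset in ip6tables-save format: ICMPv6 is forwarded,
# everything else is rejected, matching the ping6-works/TCP-fails symptom.
sample_ruleset() {
    cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p ipv6-icmp -j ACCEPT
-A INPUT -j REJECT --reject-with icmp6-adm-prohibited
-A FORWARD -p ipv6-icmp -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp6-adm-prohibited
COMMIT
EOF
}

# Reads ip6tables-save text on stdin and prints one "tag<TAB>detail" line per
# filter-table FORWARD entry that can block routed (container) traffic.
audit_forward_chain() {
    awk '
        /^\*/ { table = substr($1, 2) }          # "*filter", "*mangle", ...
        table != "filter" { next }
        # Chain policy line, e.g. ":FORWARD DROP [0:0]"
        $1 == ":FORWARD" && $2 != "ACCEPT" {
            printf "policy\tFORWARD default policy is %s\n", $2
        }
        # Appended rule: "-A FORWARD ... -j TARGET [--reject-with TYPE]"
        $1 == "-A" && $2 == "FORWARD" {
            target = ""; how = ""
            for (i = 3; i < NF; i++) {
                if ($i == "-j") target = $(i + 1)
                if ($i == "--reject-with") how = $(i + 1)
            }
            if (target == "DROP")
                printf "drop\t%s\n", $0            # connect() times out
            else if (target == "REJECT" && how == "icmp6-adm-prohibited")
                printf "eacces\t%s\n", $0          # connect() gets Permission denied
            else if (target == "REJECT")
                printf "reject\t%s\n", $0          # some other ICMPv6 error
        }
    '
}

sample_ruleset | audit_forward_chain
```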