Old 09-30-2013, 04:21 AM   #1
HMW
Member
 
Registered: Aug 2013
Location: Sweden
Distribution: Debian, Arch, Red Hat, CentOS
Posts: 773
Blog Entries: 3

Question on ipv6 and ssh


Hi all!

I have just started mucking about with ipv6. Since I don't yet get an ipv6 address from my ISP, I decided to try a tunnel from http://www.tunnelbroker.net.

After struggling a bit I did indeed get it to work, and I can both ping with:
Code:
ping6 -c 2 ipv6.google.com
PING ipv6.google.com(lb-in-x69.1e100.net) 56 data bytes
64 bytes from lb-in-x69.1e100.net: icmp_seq=1 ttl=54 time=65.2 ms
64 bytes from lb-in-x69.1e100.net: icmp_seq=2 ttl=54 time=65.0 ms

--- ipv6.google.com ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms
rtt min/avg/max/mdev = 65.025/65.120/65.216/0.272 ms
I have also verified that I indeed have ipv6 at sites such as http://whatismyv6.com/

Ok, good so far. Now to the actual (stupid?) question:
I thought that after this I should be able to ssh into my machine, using my newly assigned ipv6 address. But all I get is:
Code:
ssh: connect to host 2001:470:27:xxx::2 port 22: Network is unreachable
Now, obviously I checked that I can ssh using ipv4, and it's no problem using my external ipv4 address. I have a feeling I am missing something obvious, but haven't found any good clues using DuckDuckGo.

Oh, I can ssh to my machines using the "local" ipv6 addresses (starting with fe80) on the various machines, but not from the outside.

Pardon my ignorance, but I would be glad if someone could nudge me in the right direction.

Thanks for reading,
HMW
 
Old 09-30-2013, 01:19 PM   #2
baldy3105
Member
 
Registered: Jan 2003
Location: Cambridgeshire, UK
Distribution: Mint (Desktop), Debian (Server)
Posts: 891

Is SSH listening on your Global Unicast Address? i.e. netstat -antp
 
Old 10-01-2013, 01:16 AM   #3
HMW
Quote:
Originally Posted by baldy3105 View Post
Is SSH listening on your Global Unicast Address? i.e. netstat -antp
Thanks for answering. I am quite the newbie here, so honestly - I don't know!

Here is what netstat tells me about port 22 and ipv6 though:
Code:
tcp6       0      0 :::22                   :::*                    LISTEN
So to me it seems as though I am listening on port 22 for incoming ipv6 connections.

As far as my Global Unicast Address is concerned, I wonder if I even have one!?!

The only ipv6 address that I know I have, and that makes sense to me is:
Code:
sudo ifconfig 
ipv6_tunnel Link encap:IPv6-in-IPv4  
          inet6 addr: fe80::c0a8:1a0/128 Scope:Link
          inet6 addr: 2001:470:27:xxx::2/64 Scope:Global
          UP POINTOPOINT RUNNING NOARP  MTU:1480  Metric:1
          RX packets:3 errors:0 dropped:0 overruns:0 frame:0
          TX packets:3 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:312 (312.0 B)  TX bytes:312 (312.0 B)
But after reading up on this, it doesn't look like the other Global Unicast Addresses I have seen examples of.

Like I said, I am indeed a newbie on this, and it feels as though I am missing a crucial point somewhere.

Thanks again for your reply, much appreciated.
HMW

Last edited by HMW; 10-01-2013 at 01:17 AM. Reason: Spelling...
 
Old 10-01-2013, 02:11 AM   #4
SAbhi
Member
 
Registered: Aug 2009
Location: Bangaluru, India
Distribution: CentOS 6.5, SuSE SLED/ SLES 10.2 SP2 /11.2, Fedora 11/16
Posts: 665

What does this give:

Code:
cat /etc/sysctl.conf | grep ipv6

is net.ipv6.conf.all.forwarding=1 ?
 
Old 10-01-2013, 02:27 AM   #5
HMW
Quote:
Originally Posted by SAbhi View Post
What does this give:

Code:
cat /etc/sysctl.conf | grep ipv6

is net.ipv6.conf.all.forwarding=1 ?
Hi!

Yes, I double checked that before, here is the output:
Code:
less /etc/sysctl.conf | grep ipv6
net.ipv6.conf.all.forwarding=1
#net.ipv6.conf.all.accept_redirects = 0
#net.ipv6.conf.all.accept_source_route = 0
As you can see, I haven't changed the other parameters regarding ipv6, as I don't think they are necessary.

Thanks for your reply!
/HMW
 
Old 10-01-2013, 03:29 AM   #6
SAbhi
And you passed sysctl -p after making the changes ?
 
Old 10-01-2013, 03:41 AM   #7
HMW
Quote:
Originally Posted by SAbhi View Post
And you passed sysctl -p after making the changes ?
Yes, I did.

Thanks,
HMW
 
Old 10-01-2013, 04:05 AM   #8
SAbhi
OK share the output from :

iptables -L
 
Old 10-01-2013, 05:37 AM   #9
HMW
Quote:
Originally Posted by SAbhi View Post
OK share the output from :

iptables -L
Um, ok, it's long - but here you go:
Code:
Chain INPUT (policy DROP)
target     prot opt source               destination         
ufw-before-logging-input  all  --  anywhere             anywhere            
ufw-before-input  all  --  anywhere             anywhere            
ufw-after-input  all  --  anywhere             anywhere            
ufw-after-logging-input  all  --  anywhere             anywhere            
ufw-reject-input  all  --  anywhere             anywhere            
ufw-track-input  all  --  anywhere             anywhere            

Chain FORWARD (policy DROP)
target     prot opt source               destination         
ufw-before-logging-forward  all  --  anywhere             anywhere            
ufw-before-forward  all  --  anywhere             anywhere            
ufw-after-forward  all  --  anywhere             anywhere            
ufw-after-logging-forward  all  --  anywhere             anywhere            
ufw-reject-forward  all  --  anywhere             anywhere            

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
ufw-before-logging-output  all  --  anywhere             anywhere            
ufw-before-output  all  --  anywhere             anywhere            
ufw-after-output  all  --  anywhere             anywhere            
ufw-after-logging-output  all  --  anywhere             anywhere            
ufw-reject-output  all  --  anywhere             anywhere            
ufw-track-output  all  --  anywhere             anywhere            

Chain ufw-after-forward (1 references)
target     prot opt source               destination         

Chain ufw-after-input (1 references)
target     prot opt source               destination         
ufw-skip-to-policy-input  udp  --  anywhere             anywhere             udp dpt:netbios-ns
ufw-skip-to-policy-input  udp  --  anywhere             anywhere             udp dpt:netbios-dgm
ufw-skip-to-policy-input  tcp  --  anywhere             anywhere             tcp dpt:netbios-ssn
ufw-skip-to-policy-input  tcp  --  anywhere             anywhere             tcp dpt:microsoft-ds
ufw-skip-to-policy-input  udp  --  anywhere             anywhere             udp dpt:bootps
ufw-skip-to-policy-input  udp  --  anywhere             anywhere             udp dpt:bootpc
ufw-skip-to-policy-input  all  --  anywhere             anywhere             ADDRTYPE match dst-type BROADCAST

Chain ufw-after-logging-forward (1 references)
target     prot opt source               destination         
LOG        all  --  anywhere             anywhere             limit: avg 3/min burst 10 LOG level warning prefix "[UFW BLOCK] "

Chain ufw-after-logging-input (1 references)
target     prot opt source               destination         
LOG        all  --  anywhere             anywhere             limit: avg 3/min burst 10 LOG level warning prefix "[UFW BLOCK] "

Chain ufw-after-logging-output (1 references)
target     prot opt source               destination         
LOG        all  --  anywhere             anywhere             limit: avg 3/min burst 10 LOG level warning prefix "[UFW ALLOW] "

Chain ufw-after-output (1 references)
target     prot opt source               destination         

Chain ufw-before-forward (1 references)
target     prot opt source               destination         
ufw-user-forward  all  --  anywhere             anywhere            

Chain ufw-before-input (1 references)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ufw-logging-deny  all  --  anywhere             anywhere             state INVALID
DROP       all  --  anywhere             anywhere             state INVALID
ACCEPT     icmp --  anywhere             anywhere             icmp destination-unreachable
ACCEPT     icmp --  anywhere             anywhere             icmp source-quench
ACCEPT     icmp --  anywhere             anywhere             icmp time-exceeded
ACCEPT     icmp --  anywhere             anywhere             icmp parameter-problem
ACCEPT     icmp --  anywhere             anywhere             icmp echo-request
ACCEPT     udp  --  anywhere             anywhere             udp spt:bootps dpt:bootpc
ufw-not-local  all  --  anywhere             anywhere            
ACCEPT     udp  --  anywhere             224.0.0.251          udp dpt:mdns
ACCEPT     udp  --  anywhere             239.255.255.250      udp dpt:1900
ufw-user-input  all  --  anywhere             anywhere            

Chain ufw-before-logging-forward (1 references)
target     prot opt source               destination         
LOG        all  --  anywhere             anywhere             state NEW limit: avg 3/min burst 10 LOG level warning prefix "[UFW AUDIT] "

Chain ufw-before-logging-input (1 references)
target     prot opt source               destination         
LOG        all  --  anywhere             anywhere             state NEW limit: avg 3/min burst 10 LOG level warning prefix "[UFW AUDIT] "

Chain ufw-before-logging-output (1 references)
target     prot opt source               destination         
LOG        all  --  anywhere             anywhere             state NEW limit: avg 3/min burst 10 LOG level warning prefix "[UFW AUDIT] "

Chain ufw-before-output (1 references)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ufw-user-output  all  --  anywhere             anywhere            

Chain ufw-logging-allow (0 references)
target     prot opt source               destination         
LOG        all  --  anywhere             anywhere             limit: avg 3/min burst 10 LOG level warning prefix "[UFW ALLOW] "

Chain ufw-logging-deny (2 references)
target     prot opt source               destination         
LOG        all  --  anywhere             anywhere             state INVALID limit: avg 3/min burst 10 LOG level warning prefix "[UFW AUDIT INVALID] "
LOG        all  --  anywhere             anywhere             limit: avg 3/min burst 10 LOG level warning prefix "[UFW BLOCK] "

Chain ufw-not-local (1 references)
target     prot opt source               destination         
RETURN     all  --  anywhere             anywhere             ADDRTYPE match dst-type LOCAL
RETURN     all  --  anywhere             anywhere             ADDRTYPE match dst-type MULTICAST
RETURN     all  --  anywhere             anywhere             ADDRTYPE match dst-type BROADCAST
ufw-logging-deny  all  --  anywhere             anywhere             limit: avg 3/min burst 10
DROP       all  --  anywhere             anywhere            

Chain ufw-reject-forward (1 references)
target     prot opt source               destination         

Chain ufw-reject-input (1 references)
target     prot opt source               destination         

Chain ufw-reject-output (1 references)
target     prot opt source               destination         

Chain ufw-skip-to-policy-forward (0 references)
target     prot opt source               destination         
DROP       all  --  anywhere             anywhere            

Chain ufw-skip-to-policy-input (7 references)
target     prot opt source               destination         
DROP       all  --  anywhere             anywhere            

Chain ufw-skip-to-policy-output (0 references)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere            

Chain ufw-track-input (1 references)
target     prot opt source               destination         

Chain ufw-track-output (1 references)
target     prot opt source               destination         
ACCEPT     tcp  --  anywhere             anywhere             state NEW
ACCEPT     udp  --  anywhere             anywhere             state NEW

Chain ufw-user-forward (1 references)
target     prot opt source               destination         

Chain ufw-user-input (1 references)
target     prot opt source               destination         
           tcp  --  anywhere             anywhere             tcp dpt:ssh state NEW recent: SET name: DEFAULT side: source
ufw-user-limit  tcp  --  anywhere             anywhere             tcp dpt:ssh state NEW recent: UPDATE seconds: 30 hit_count: 6 name: DEFAULT side: source
ufw-user-limit-accept  tcp  --  anywhere             anywhere             tcp dpt:ssh
           udp  --  anywhere             anywhere             udp dpt:ssh state NEW recent: SET name: DEFAULT side: source
ufw-user-limit  udp  --  anywhere             anywhere             udp dpt:ssh state NEW recent: UPDATE seconds: 30 hit_count: 6 name: DEFAULT side: source
ufw-user-limit-accept  udp  --  anywhere             anywhere             udp dpt:ssh
DROP       tcp  --  192.168.1.11         anywhere             tcp dpt:http
DROP       udp  --  192.168.1.11         anywhere             udp dpt:http
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:http
ACCEPT     udp  --  anywhere             anywhere             udp dpt:http
ACCEPT     tcp  --  192.168.1.0/24       anywhere             tcp dpt:nfs
ACCEPT     udp  --  192.168.1.0/24       anywhere             udp dpt:nfs

Chain ufw-user-limit (2 references)
target     prot opt source               destination         
LOG        all  --  anywhere             anywhere             limit: avg 3/min burst 5 LOG level warning prefix "[UFW LIMIT BLOCK] "
REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable

Chain ufw-user-limit-accept (2 references)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere            

Chain ufw-user-logging-forward (0 references)
target     prot opt source               destination         

Chain ufw-user-logging-input (0 references)
target     prot opt source               destination         

Chain ufw-user-logging-output (0 references)
target     prot opt source               destination         

Chain ufw-user-output (1 references)
target     prot opt source               destination
 
Old 10-01-2013, 05:49 AM   #10
SAbhi
Hmm, the firewall is allowing outgoing connections but I can't see rules to allow incoming SSH connections. Can you check and fix that? Because all else seems fine to me.

EDIT: something like this should work:
iptables -A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT

do check the service sshd status.

Last edited by SAbhi; 10-01-2013 at 05:55 AM.
 
Old 10-01-2013, 06:01 AM   #11
HMW
Quote:
Originally Posted by SAbhi View Post
Hmm, the firewall is allowing outgoing connections but I can't see rules to allow incoming SSH connections. Can you check and fix that? Because all else seems fine to me.

EDIT: something like this should work:
iptables -A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT

do check the service sshd status.
I prefer to avoid iptables, the syntax is killing me. Here are my rules for ufw:
Code:
sudo ufw status 
Status: active

To                         Action      From
--                         ------      ----
22                         LIMIT       Anywhere
80                         DENY        192.168.1.11
80                         ALLOW       Anywhere
2049                       ALLOW       192.168.1.0/24
22                         ALLOW       Anywhere (v6)
80                         ALLOW       Anywhere (v6)
And, ssh works using ipv4. It is only when I try to connect using my ipv6 ip it doesn't work.

Thanks for your efforts, appreciated!

PS.
Code:
sudo service ssh status 
[ ok ] sshd is running.
DS.

Last edited by HMW; 10-01-2013 at 06:03 AM. Reason: forgot info
 
Old 10-01-2013, 06:07 AM   #12
HMW
Also, I tried disabling ufw completely, but still the same result:
Code:
port 22: Network is unreachable
 
Old 10-01-2013, 12:53 PM   #13
SAbhi
hmm ok so /etc/sshd/sshd_config should have these lines:
Code:
ListenAddress 0.0.0.0
ListenAddress ::

also try: 

ping6 -I eth0 [hostname]

ssh -6 hostname
EDIT:

If the above ssh command doesn't work:

# ssh -6 [IPV6address%interfaceid]

where ipv6 address is your ipv6 IP and interface-id could be eth0 or eth1, whichever is applicable.
**Don't forget the "%" in between them.

Last edited by SAbhi; 10-01-2013 at 01:00 PM.
 
Old 10-02-2013, 01:14 AM   #14
HMW
Quote:
Originally Posted by SAbhi View Post
hmm ok so /etc/sshd/sshd_config should have these lines:
Code:
ListenAddress 0.0.0.0
ListenAddress ::

also try: 

ping6 -I eth0 [hostname]

ssh -6 hostname
EDIT:

If the above ssh command doesn't work:

# ssh -6 [IPV6address%interfaceid]

where ipv6 address is your ipv6 IP and interface-id could be eth0 or eth1, whichever is applicable.
**Don't forget the "%" in between them.
Hello again!

Yes, sshd_config is correct, those two lines are there and uncommented.

Let's try the commands:
Code:
ping6 -I wlan0 2001:470:27:6d9::2
connect: Network is unreachable

ssh -6 2001:470:27:6d9::2
ssh: connect to host 2001:470:27:6d9::2 port 22: Network is unreachable

ssh -6 2001:470:27:6d9::2%wlan0
ssh: Could not resolve hostname 2001:470:27:6d9::2%wlan0: Name or service not known
As you can see still a no-go.

Thanks for your efforts!
HMW
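
Added example (not part of any post in the thread): a small Python check for the two questions raised in posts #3 and #13, namely which of an interface's IPv6 addresses are link-local versus global unicast and whether the `:::22` listener covers them, and that a `%interface` zone suffix belongs only on link-local addresses. The sample text is constructed in the thread's ifconfig/netstat format, with the documentation prefix 2001:db8::/32 standing in for the poster's address; all function names are illustrative.

```python
import ipaddress
import re

# Constructed sample in the old net-tools ifconfig format shown in the thread.
# 2001:db8::/32 (documentation prefix) stands in for the poster's tunnel address.
IFCONFIG_SAMPLE = """\
ipv6_tunnel Link encap:IPv6-in-IPv4
          inet6 addr: fe80::c0a8:1a0/128 Scope:Link
          inet6 addr: 2001:db8:27:1::2/64 Scope:Global
          UP POINTOPOINT RUNNING NOARP  MTU:1480  Metric:1
"""
# Listener line in `netstat -antp` format, as posted in the thread.
NETSTAT_SAMPLE = "tcp6       0      0 :::22                   :::*                    LISTEN"

_SCOPES = [  # checked in order; first match wins
    ("loopback", ipaddress.ip_network("::1/128")),
    ("link-local", ipaddress.ip_network("fe80::/10")),
    ("unique-local", ipaddress.ip_network("fc00::/7")),
    ("global-unicast", ipaddress.ip_network("2000::/3")),
]

def classify(addr):
    """Name the scope of an IPv6 address by its prefix."""
    ip = ipaddress.IPv6Address(addr)
    for name, net in _SCOPES:
        if ip in net:
            return name
    return "other"

def parse_inet6(ifconfig_text):
    """Return [(interface, address)] for every 'inet6 addr:' line."""
    found, iface = [], None
    for line in ifconfig_text.splitlines():
        if line and not line[0].isspace():
            iface = line.split()[0]  # unindented line starts a new interface
        m = re.search(r"inet6 addr:\s*([0-9a-fA-F:]+)/\d+", line)
        if m and iface:
            found.append((iface, m.group(1)))
    return found

def parse_listener(netstat_line):
    """Return (address, port) from the Local Address column."""
    host, port = netstat_line.split()[3].rsplit(":", 1)
    return ipaddress.ip_address(host), int(port)

def listener_covers(listen_ip, target):
    """A wildcard (::) socket accepts connections to any local IPv6 address."""
    target_ip = ipaddress.ip_address(target)
    return listen_ip.version == target_ip.version and (
        listen_ip.is_unspecified or listen_ip == target_ip)

def ssh_target(iface, addr):
    """Only link-local addresses take a %zone suffix; global ones must not."""
    return f"{addr}%{iface}" if classify(addr) == "link-local" else addr

def report(ifconfig_text, netstat_line):
    """One row per IPv6 address: scope, ssh target string, listener coverage."""
    listen_ip, port = parse_listener(netstat_line)
    return [
        {"scope": classify(a), "ssh": ssh_target(i, a), "port": port,
         "listening": listener_covers(listen_ip, a)}
        for i, a in parse_inet6(ifconfig_text)
    ]

if __name__ == "__main__":
    print(*report(IFCONFIG_SAMPLE, NETSTAT_SAMPLE), sep="\n")
```
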
 
Old 10-02-2013, 09:22 AM   #15
SAbhi
I see a weird ipv6 address assigned to your machine and I don't have anything to comment on it for now. One thing is for sure: if it's not even pinging itself, there is a misconfiguration. Out of options now; will search a bit more, then come to you.

Last edited by SAbhi; 10-02-2013 at 09:24 AM.
 
  

