linux
kizijo, 2018-06-20 20:35:42

Why does iptables drop packets even if it has a DROP policy on all IPv6 connections?

I have the following ip6tables rules:

[email protected]:~# cat /etc/iptables/rules.v6
*filter
:INPUT DROP [10954:4558559]
:FORWARD DROP [0:0]
:OUTPUT DROP [42631:2058968]
COMMIT
*nat
:PREROUTING ACCEPT [10945:4557911]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [365:29228]
:POSTROUTING ACCEPT [0:0]
COMMIT

They block (in theory) INPUT, FORWARD, OUTPUT traffic, i.e. any connections.
But if I write ip6tables -nvL, I will see the following:
[email protected]:~# ip6tables -nvL
Chain INPUT (policy DROP 138K packets, 53M bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy DROP 240K packets, 12M bytes)
 pkts bytes target     prot opt in     out     source               destination

Why, even if I block all IPv6 traffic, do packets still go through?
P.S. If this somehow affects anything, here are my IPv4 rules:
[email protected]:~# cat /etc/iptables/rules.v4
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -d 95.145.23.33/32 -j ACCEPT
-A OUTPUT -o tun0 -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT

iptables 1.6.0, Debian 9

2 answer(s)
Andrey Burov, 2018-06-20
@kizijo

Who said they pass?

Chain INPUT (policy DROP 138K packets, 53M bytes)
Dropped 138k packets, totaling 53M

jcmvbkbc, 2018-06-20
@jcmvbkbc

Why, even if I block all IPv6 traffic, do packets still go through?

And where in the output of ip6tables -nvL can you see that the packets go through? I see packets coming in and being dropped (INPUT) or trying to go out and being dropped (OUTPUT).
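
An added example, not part of the original thread: a shell helper that reads the policy counters from both formats shown in the question (the `ip6tables -nvL` chain headers and the `rules.v6` save file) and lists the chains whose DROP policy has discarded packets. The function names `policy_counters` and `dropped_by_policy` are made up for this illustration.

```shell
#!/bin/sh
# The number beside a chain policy counts packets that matched no rule and
# were handled by the policy, so under "policy DROP" it is a count of drops.

# Print "CHAIN POLICY PACKETS BYTES" for each built-in chain read on stdin.
policy_counters() {
    awk '
    # -L without -x rounds counters to K/M/G suffixes (multiples of 1000).
    function expand(v,   n, s) {
        s = substr(v, length(v), 1); n = v + 0
        if (s == "K") return n * 1000
        if (s == "M") return n * 1000000
        if (s == "G") return n * 1000000000
        return n
    }
    # Listing header: Chain INPUT (policy DROP 138K packets, 53M bytes)
    $1 == "Chain" && $3 == "(policy" {
        printf "%s %s %.0f %.0f\n", $2, $4, expand($5), expand($7); next
    }
    # Save-file line: :INPUT DROP [10954:4558559]  (packets:bytes)
    /^:[^ ]+ [A-Z]+ \[[0-9]+:[0-9]+\]/ {
        split(substr($3, 2, length($3) - 2), c, ":")
        printf "%s %s %.0f %.0f\n", substr($1, 2), $2, c[1], c[2]
    }'
}

# Chains whose DROP policy has actually discarded packets.
dropped_by_policy() {
    policy_counters | awk '$2 == "DROP" && $3 > 0 { print $1 }'
}

# Sample input: chain headers and filter table copied from the question.
SAMPLE_LIST='Chain INPUT (policy DROP 138K packets, 53M bytes)
Chain FORWARD (policy DROP 0 packets, 0 bytes)
Chain OUTPUT (policy DROP 240K packets, 12M bytes)'
SAMPLE_SAVE='*filter
:INPUT DROP [10954:4558559]
:FORWARD DROP [0:0]
:OUTPUT DROP [42631:2058968]
COMMIT'

printf '%s\n' "$SAMPLE_LIST" | policy_counters
printf '%s\n' "$SAMPLE_SAVE" | dropped_by_policy
```

On a live host, pipe `ip6tables -nvxL` into `policy_counters`; the `-x` option prints exact counters instead of the rounded K/M values.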
