Mismatch in Rules-Translation?

Hello

Debian Buster has been in freeze state for a few days now. After I found
the following statement on Debian's web site...

"Current status: NOTE: Debian Buster will use the nftables framework by default."

... I was triggered to do something....

My current system is Debian 9 with nftables from backports. My current
iptables ruleset has been working for a long time without any problems.
But currently the old rules are inactive, because nftables is installed
in addition, as I want to prepare my future migration from iptables to
nftables. Except for one "little thing", everything works as before.

In the past, a dual-stack OpenVPN installation with iptables was
implemented successfully, see below. After the VPN client is connected,
the web site http://ipv6-test.com/ shows my home server's current public
IPs for IPv4 and IPv6.

With nftables and IPv4 it works very well as before, but ipv6-test.com
says "IPv6 not supported". As far as I can see, the rules are similar.

Does anyone know where the problem is... in the new ruleset?

Best regards
Tom


Table filter IPv4:
---------------------------------------------------------------------------
Chain FORWARD (policy DROP 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source          destination
1     1424  590K ACCEPT     all  --  *      *       0.0.0.0/0       0.0.0.0/0   ctstate RELATED,ESTABLISHED
2       94  4800 ACCEPT     all  --  tun+   *       10.10.8.0/24    0.0.0.0/0
4        0     0 ACCEPT     udp  --  eth0   *       0.0.0.0/0       0.0.0.0/0   udp dpt:1194
6        0     0 DROP       all  --  *      *       0.0.0.0/0       0.0.0.0/0

Table nat IPv4:
---------------------------------------------------------------------------
Chain POSTROUTING (policy ACCEPT 1 packets, 242 bytes)
 pkts bytes target     prot opt in     out     source               destination
   52  3120 MASQUERADE  all  --  *      eth0    10.10.8.0/24        0.0.0.0/0

Table filter IPv6:
--------------------------------------------------------------------------------
Chain FORWARD (policy DROP 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source             destination
1       82 13082 ACCEPT     all      *      *       ::/0               ::/0     ctstate RELATED,ESTABLISHED
2        0     0 ACCEPT     icmpv6   *      *       ::/0               ::/0
3       37  3154 ACCEPT     all      tun+   *       fd00:10:10:8::/64  ::/0
5        0     0 ACCEPT     udp      eth0   *       ::/0               ::/0     udp dpt:1194
7        0     0 DROP       all      *      *       ::/0               ::/0

Table nat IPv6:
--------------------------------------------------------------------------------
Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source                  destination
   37  3154 MASQUERADE  all      *      eth0    fd00:10:10:8::/64      ::/0

================================================================================

table ip tfilter {
    chain forward {
        type filter hook forward priority 0; policy accept;
        iifname "lo" accept
        ct state established,related accept
        ip protocol icmp accept
        iifname "tun*" ip saddr 10.10.8.0/24 accept
        iifname "eth0" udp dport 1194 accept
        counter packets 0 bytes 0 drop
    }

    chain postrouting {
        type nat hook postrouting priority 100; policy accept;
        oifname "eth0" ip saddr 10.10.8.0/24 masquerade
    }
}
table ip6 tfilter {

    chain forward {
        type filter hook forward priority 0; policy accept;
        iifname "lo" accept
        ct state established,related accept
        meta l4proto ipv6-icmp accept
        iifname "tun*" ip6 saddr fd00:10:10:8::/64 accept
        iifname "eth0" udp dport 1194 accept
        counter packets 0 bytes 0 drop
    }

    chain postrouting {
        type nat hook postrouting priority 100; policy accept;
        oifname "eth0" ip6 saddr fd00:10:10:8::/64 masquerade
    }
}
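The post's claim that the ip and ip6 chains are "similar" can be checked mechanically rather than by eye. The following script is an added example, not code from the post or from the nftables project: it parses an `nft list ruleset` dump, strips the tokens that legitimately differ between address families (`ip`/`ip6` addresses, `ip protocol` versus `meta l4proto`, counter statistics) and diffs each ip chain against its ip6 twin. The embedded dump is constructed from the two tables above; the `<addr>` placeholder, the folding of `icmp` and `ipv6-icmp` into one token, and the table name `tfilter` are this example's own assumptions.

```python
"""Diff the ip and ip6 chains of an nftables ruleset after removing
address-family-specific tokens, so that a 'translation' gap stands out.
Added example; the dump below is constructed from the post, not captured."""
import re
from difflib import SequenceMatcher

# Constructed input: the two tables from the post, as `nft list ruleset` prints them.
SAMPLE_RULESET = """\
table ip tfilter {
    chain forward {
        type filter hook forward priority 0; policy accept;
        iifname "lo" accept
        ct state established,related accept
        ip protocol icmp accept
        iifname "tun*" ip saddr 10.10.8.0/24 accept
        iifname "eth0" udp dport 1194 accept
        counter packets 0 bytes 0 drop
    }
    chain postrouting {
        type nat hook postrouting priority 100; policy accept;
        oifname "eth0" ip saddr 10.10.8.0/24 masquerade
    }
}
table ip6 tfilter {
    chain forward {
        type filter hook forward priority 0; policy accept;
        iifname "lo" accept
        ct state established,related accept
        meta l4proto ipv6-icmp accept
        iifname "tun*" ip6 saddr fd00:10:10:8::/64 accept
        iifname "eth0" udp dport 1194 accept
        counter packets 0 bytes 0 drop
    }
    chain postrouting {
        type nat hook postrouting priority 100; policy accept;
        oifname "eth0" ip6 saddr fd00:10:10:8::/64 masquerade
    }
}
"""

# Constructed variant: the ICMPv6 accept rule is missing from the ip6 chain.
BROKEN_RULESET = SAMPLE_RULESET.replace("        meta l4proto ipv6-icmp accept\n", "")

TABLE_RE = re.compile(r"^table (\S+) (\S+) \{$")
CHAIN_RE = re.compile(r"^chain (\S+) \{$")


def parse_ruleset(text):
    """Map (family, table, chain) -> list of rule lines from `nft list ruleset` output."""
    chains = {}
    family = table = chain = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = TABLE_RE.match(line)
        if m:
            family, table = m.group(1), m.group(2)
            continue
        m = CHAIN_RE.match(line)
        if m:
            chain = m.group(1)
            chains[(family, table, chain)] = []
            continue
        if line == "}":
            if chain is not None:
                chain = None           # closing a chain
            else:
                family = table = None  # closing a table
            continue
        chains[(family, table, chain)].append(line)
    return chains


def normalize(rule):
    """Rewrite a rule into a family-neutral form so ip and ip6 rules compare equal.
    The `<addr>` placeholder and the icmp/ipv6-icmp folding are this example's choices."""
    r = re.sub(r"\bcounter(?: packets \d+ bytes \d+)?\s*", "", rule)
    r = re.sub(r"\bip6? ([sd]addr) \S+", r"\1 <addr>", r)
    r = re.sub(
        r"\b(?:ip protocol|ip6 nexthdr|meta l4proto) (\S+)",
        lambda m: "l4proto " + ("icmp" if m.group(1) in ("icmp", "ipv6-icmp") else m.group(1)),
        r,
    )
    return " ".join(r.split())


def chain_mismatches(text, table="tfilter"):
    """Return the non-equal diff hunks between each ip chain and its ip6 twin."""
    rs = parse_ruleset(text)
    names = sorted({c for (_, t, c) in rs if t == table})
    out = []
    for name in names:
        v4 = [normalize(r) for r in rs.get(("ip", table, name), [])]
        v6 = [normalize(r) for r in rs.get(("ip6", table, name), [])]
        for op, i1, i2, j1, j2 in SequenceMatcher(a=v4, b=v6).get_opcodes():
            if op != "equal":
                out.append({"chain": name, "op": op, "ip": v4[i1:i2], "ip6": v6[j1:j2]})
    return out


if __name__ == "__main__":
    for label, dump in (("as posted", SAMPLE_RULESET), ("icmpv6 rule removed", BROKEN_RULESET)):
        print(f"{label}: {chain_mismatches(dump) or 'ip and ip6 chains match'}")
```

Run against the ruleset as posted, the script reports no mismatch, which only confirms the post's observation: rule for rule, the ip6 chains are a faithful translation. The next things a practitioner would compare are therefore outside what an `nft list ruleset` dump shows: adding a `counter` statement to each rule of the ip6 forward chain reveals which rule the tunnel's IPv6 packets actually hit (or whether they reach the forward hook at all), and the sysctl `net.ipv6.conf.all.forwarding` has to be checked separately, since IPv6 forwarding is not enabled by `net.ipv4.ip_forward`.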