I've been struggling to get nftables to handle IPv6 traffic on selected ports. First efforts were on Debian 12, with nftables 1.0.6. The setup was quite complex, but included simple rules to open port 25 for SMTP. They worked for IPv4, but about a minute after starting up nftables, IPv6 was blocked. The problem is not specific to port 25; a similar problem applied to 80 and 443. I know that the service provided by Postfix works, as it is possible to send email via IPv6 when nftables is stopped. The complexity was mainly to do with a lot of sets to control different options.

To try to pin things down, I then created a Digital Ocean VPS using Ubuntu 24.04 to get a later version of nftables - 1.0.9. The rules were hacked down to a bare minimum. The ruleset is shown below. The problem continues - without nftables I can submit mail. After "systemctl restart nftables" access remains possible - but only for about a minute. There are messages in syslog about the client when it is able to connect, but none in respect of dropped packets. There are many IPv4 dropped packets - probably just internet noise.

Any thoughts?

table inet firewall {
    chain input {
        type filter hook input priority filter; policy accept;
        ct state { established, related } accept
        iifname "lo" accept
        icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem, echo-request, mld-listener-query, nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert } accept
        ip protocol icmp icmp type echo-request ip saddr 127.0.0.1 accept
        ip6 nexthdr tcp tcp dport 25 accept
        ip protocol tcp tcp dport 25 accept
        tcp dport 22 ip saddr 62.3.121.238 accept
        udp dport 60000-61000 ip saddr 62.3.121.238 accept
        log prefix "nftables input dropped: " flags all counter packets 242 bytes 12885 drop
    }

    chain forward {
        type filter hook forward priority filter; policy drop;
        ct state { established, related } accept
        log prefix "nftables forward dropped: " flags all counter packets 0 bytes 0 drop
    }

    chain output {
        type filter hook output priority filter; policy drop;
        ct state { established, related } accept
        ip protocol icmp icmp type echo-request accept
        ip protocol icmp icmp type echo-request ip daddr 127.0.0.1 accept
        icmpv6 type echo-request accept
        ip protocol { tcp, udp } th dport 53 accept
        tcp dport 123 accept
        tcp dport { 80, 443 } accept
        tcp dport { 25, 465, 587, 993, 995, 4190 } accept
    }

    chain prerouting {
        type nat hook prerouting priority dstnat; policy accept;
    }

    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
    }
}
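
An added example, not part of the original post: the output chain above has policy drop, its only ICMPv6 rule is echo-request, and it has no log rule, so the host's own neighbour solicitations and advertisements are discarded without a syslog entry (conntrack leaves them untracked, so the established/related rule does not match them). The same chain with the added and changed lines marked follows; the output log prefix is an assumed name modelled on the other two chains.

```nftables
# Added example: substitute for the output chain in the ruleset file.
# Lines marked ADDED or CHANGED differ from the posted ruleset.
table inet firewall {
    chain output {
        type filter hook output priority filter; policy drop;

        ct state { established, related } accept

        ip protocol icmp icmp type echo-request accept
        ip protocol icmp icmp type echo-request ip daddr 127.0.0.1 accept
        icmpv6 type echo-request accept

        # ADDED: neighbour discovery, router solicitation and MLD reports
        # sent by this host. Without these the host cannot answer the
        # router's neighbour solicitations once its cache entry ages out.
        icmpv6 type { nd-neighbor-solicit, nd-neighbor-advert, nd-router-solicit, mld-listener-report, mld2-listener-report } accept

        # CHANGED: "ip protocol" matches IPv4 only; "meta l4proto" matches
        # the transport protocol for both families in an inet table.
        meta l4proto { tcp, udp } th dport 53 accept

        tcp dport 123 accept
        tcp dport { 80, 443 } accept
        tcp dport { 25, 465, 587, 993, 995, 4190 } accept

        # ADDED: log what the policy would otherwise drop silently
        # (prefix is an assumed name).
        log prefix "nftables output dropped: " flags all counter drop
    }
}
```

Check the edited ruleset file with `nft -c -f` before loading it. After the restart, `ip -6 neigh show` on the host and the new log prefix in syslog show whether neighbour discovery still fails once the first minute has passed.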