OpenVZ IPv6 venet = Destination unreachable: Administratively prohibited
Hello, we are configuring IPv6 for use inside our containers. On the host node IPv6 runs OK, but we get an error inside the container:
2a03:c7c0:1::1/48 - IPv6 gateway
2a03:c7c0:1::2/48 - IPv6 HostNode
2a03:c7c0:1::1:1/128 - IPv6 assigned to the container
CONFIG IN THE HOST NODE:
[root@ovz1-mad ~]# ifconfig
eth0 Link encap:Ethernet HWaddr 00:25:90:C9:27:5E
inet addr:5.134.116.11 Bcast:5.134.117.255 Mask:255.255.254.0
inet6 addr: 2a03:c7c0:1::2/48 Scope:Global
inet6 addr: fe80::225:90ff:fec9:275e/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:405324 errors:0 dropped:0 overruns:0 frame:0
TX packets:342071 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:51938608 (49.5 MiB) TX bytes:149320728 (142.4 MiB)
Memory:f7180000-f7200000
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:2978 errors:0 dropped:0 overruns:0 frame:0
TX packets:2978 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:544356 (531.5 KiB) TX bytes:544356 (531.5 KiB)
venet0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet6 addr: fe80::1/128 Scope:Link
UP BROADCAST POINTOPOINT RUNNING NOARP MTU:1500 Metric:1
RX packets:162732 errors:0 dropped:0 overruns:0 frame:0
TX packets:150083 errors:0 dropped:8 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:66672828 (63.5 MiB) TX bytes:15845157 (15.1 MiB)
[root@ovz1-mad ~]# cat /etc/sysctl.conf
net.nf_conntrack_max = 500000
net.ipv4.ip_forward = 1
net.ipv4.ip_forward = 1
net.ipv6.conf.default.forwarding = 1
net.ipv6.conf.all.forwarding = 1
net.ipv6.conf.all.proxy_ndp = 1
net.ipv6.bindv6only = 1
net.ipv4.conf.default.proxy_arp = 0
net.ipv4.conf.all.rp_filter = 1
kernel.sysrq = 1
net.ipv4.conf.default.send_redirects = 1
net.ipv4.conf.all.send_redirects = 0
[root@ovz1-mad ~]# ip -6 route show
unreachable ::/96 dev lo metric 1024 error -101 mtu 16436 advmss 16376 hoplimit 4294967295
unreachable ::ffff:0.0.0.0/96 dev lo metric 1024 error -101 mtu 16436 advmss 16376 hoplimit 4294967295
unreachable 2002:a00::/24 dev lo metric 1024 error -101 mtu 16436 advmss 16376 hoplimit 4294967295
unreachable 2002:7f00::/24 dev lo metric 1024 error -101 mtu 16436 advmss 16376 hoplimit 4294967295
unreachable 2002:a9fe::/32 dev lo metric 1024 error -101 mtu 16436 advmss 16376 hoplimit 4294967295
unreachable 2002:ac10::/28 dev lo metric 1024 error -101 mtu 16436 advmss 16376 hoplimit 4294967295
unreachable 2002:c0a8::/32 dev lo metric 1024 error -101 mtu 16436 advmss 16376 hoplimit 4294967295
unreachable 2002:e000::/19 dev lo metric 1024 error -101 mtu 16436 advmss 16376 hoplimit 4294967295
2a03:c7c0:1::1:1 dev venet0 metric 1024 mtu 1500 advmss 1440 hoplimit 4294967295
2a03:c7c0:1::/48 dev eth0 proto kernel metric 256 mtu 1500 advmss 1440 hoplimit 4294967295
unreachable 3ffe:ffff::/32 dev lo metric 1024 error -101 mtu 16436 advmss 16376 hoplimit 4294967295
fe80::1 dev venet0 proto kernel metric 256 mtu 1500 advmss 1440 hoplimit 4294967295
fe80::/64 dev eth0 proto kernel metric 256 mtu 1500 advmss 1440 hoplimit 4294967295
fe80::/64 dev venet0 proto kernel metric 256 mtu 1500 advmss 1440 hoplimit 4294967295
default via 2a03:c7c0:1::1 dev eth0 metric 1 mtu 1500 advmss 1440 hoplimit 4294967295
[root@ovz1-mad ~]# ping6 ipv6.google.com
PING ipv6.google.com(mil01s16-in-x10.1e100.net) 56 data bytes
64 bytes from mil01s16-in-x10.1e100.net: icmp_seq=1 ttl=57 time=24.0 ms
64 bytes from mil01s16-in-x10.1e100.net: icmp_seq=2 ttl=57 time=24.0 ms
64 bytes from mil01s16-in-x10.1e100.net: icmp_seq=3 ttl=57 time=24.1 ms
^C
--- ipv6.google.com ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2234ms
rtt min/avg/max/mdev = 24.022/24.086/24.160/0.187 ms
INSIDE THE CONTAINER:
[root@ovz1-mad ~]# vzctl enter 2009
entered into CT 2009
[root@mad /]#
[root@mad /]#
[root@mad /]# ifconfig
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:24 errors:0 dropped:0 overruns:0 frame:0
TX packets:24 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:2226 (2.1 KiB) TX bytes:2226 (2.1 KiB)
venet0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:127.0.0.1 P-t-P:127.0.0.1 Bcast:0.0.0.0 Mask:255.255.255.255
inet6 addr: 2a03:c7c0:1::1:1/128 Scope:Global
UP BROADCAST POINTOPOINT RUNNING NOARP MTU:1500 Metric:1
RX packets:148 errors:0 dropped:0 overruns:0 frame:0
TX packets:146 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:13239 (12.9 KiB) TX bytes:13162 (12.8 KiB)
venet0:0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:5.134.117.74 P-t-P:5.134.117.74 Bcast:5.134.117.74 Mask:255.255.255.255
UP BROADCAST POINTOPOINT RUNNING NOARP MTU:1500 Metric:1
[root@mad /]# ip -6 route show
unreachable ::/96 dev lo metric 1024 error -101 mtu 16436 advmss 16376 hoplimit 4294967295
unreachable ::ffff:0.0.0.0/96 dev lo metric 1024 error -101 mtu 16436 advmss 16376 hoplimit 4294967295
unreachable 2002:a00::/24 dev lo metric 1024 error -101 mtu 16436 advmss 16376 hoplimit 4294967295
unreachable 2002:7f00::/24 dev lo metric 1024 error -101 mtu 16436 advmss 16376 hoplimit 4294967295
unreachable 2002:a9fe::/32 dev lo metric 1024 error -101 mtu 16436 advmss 16376 hoplimit 4294967295
unreachable 2002:ac10::/28 dev lo metric 1024 error -101 mtu 16436 advmss 16376 hoplimit 4294967295
unreachable 2002:c0a8::/32 dev lo metric 1024 error -101 mtu 16436 advmss 16376 hoplimit 4294967295
unreachable 2002:e000::/19 dev lo metric 1024 error -101 mtu 16436 advmss 16376 hoplimit 4294967295
2a03:c7c0:1::1:1 dev venet0 proto kernel metric 256 mtu 1500 advmss 1440 hoplimit 4294967295
unreachable 3ffe:ffff::/32 dev lo metric 1024 error -101 mtu 16436 advmss 16376 hoplimit 4294967295
fe80::/64 dev venet0 proto kernel metric 256 mtu 1500 advmss 1440 hoplimit 4294967295
default dev venet0 metric 1 mtu 1500 advmss 1440 hoplimit 4294967295
[root@mad /]# ping6 ipv6.google.com
PING ipv6.google.com(mil01s16-in-x10.1e100.net) 56 data bytes
From 2a03:c7c0:1::2 icmp_seq=1 Destination unreachable: Administratively prohibited
From 2a03:c7c0:1::2 icmp_seq=2 Destination unreachable: Administratively prohibited
From 2a03:c7c0:1::2 icmp_seq=3 Destination unreachable: Administratively prohibited
^C
--- ipv6.google.com ping statistics ---
3 packets transmitted, 0 received, +3 errors, 100% packet loss, time 2348ms
THIS IS THE IPV6 CONFIG IN SOLUSVM
Any idea about the problem?
Thanks.
Comments
Check ip6tables on the host node. CentOS has some stupid defaults.
Yep exactly what @rds100 said, turn off ip6tables for a sec to check and it'll most likely be that.
OOOhhhh!!! thanks!! is solved now!
So, IPv6 is ready on GINERNET Madrid location
You don't want to entirely clear the ip6tables on the hostnode; at least set a filter for ssh over ipv6 (INPUT chain), or people will fill the logs on the node with bruteforce ssh attempts.
:S Never heard about this...
Same on IPv4?
What logs?
Any example?
What do you think about this?
Thanks very much!!
If you don't intend to login via ssh to the node over ipv6, you can just add the DROP, without the ACCEPT before it.
Thanks!
Can you provide me more info about the hack? What logs you say?
It's just the standard ssh bruteforcers that try to login with different passwords. They can do it over ipv4 and ipv6. Most people know to put filter on ipv4, but never bother to put filters on ipv6, and think they are secure.
ip6tables is needed for v6 bw accounting, as per Solus.
You just need to remove the two reject-with adm rules in the ip6tables startup file in sysconfig/, and then flush ip6tables and re-init it.
So, I have restored the previous ip6tables files,
removed both reject-with lines,
and added a new line to not permit SSH via IPv6 on the HN,
this is the result:
IPv6 runs OK on containers!
Thanks very much!!!!
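An offline check for the two things this thread turns on, added here as an example and not posted by anyone in the thread: which chains carry a reject-with icmp6-adm-prohibited rule, and what verdict a new SSH connection to the node over IPv6 gets. Both rulesets and all function names are constructed for illustration; the live firewall is never touched.

```shell
# Audit an ip6tables-save style ruleset read from stdin (constructed samples).
before_rules() {  # constructed sample with the two reject-with lines
cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p ipv6-icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp6-adm-prohibited
-A FORWARD -j REJECT --reject-with icmp6-adm-prohibited
COMMIT
EOF
}
after_rules() {   # constructed: reject lines removed, SSH to the node dropped
    before_rules | sed -e '/--reject-with icmp6-adm-prohibited/d' \
                       -e '/--dport 22 /s/-j ACCEPT$/-j DROP/'
}

# Chains that hold a reject-with icmp6-adm-prohibited rule, in file order.
adm_reject_chains() {
    awk '$1 == "-A" && /--reject-with icmp6-adm-prohibited/ && !seen[$2]++ {
             sep = (out == "" ? "" : " "); out = out sep $2 }
         END { print out }'
}

# Target of the first INPUT rule that decides a new TCP/22 connection (a
# --dport 22 rule or a match-less catch-all), else the chain policy.
# Simplification: source, interface and multiport matches are ignored.
ssh_v6_verdict() {
    awk '$1 == ":INPUT" { policy = $2 }
         $1 == "-A" && $2 == "INPUT" && verdict == "" {
             target = ""
             for (i = 3; i < NF; i++) if ($i == "-j") target = $(i + 1)
             if ($3 == "-j" || $0 ~ /--dport 22( |$)/) verdict = target
         }
         END { if (verdict == "") verdict = policy; print verdict }'
}

audit() {  # $1 = name of a function that prints a ruleset
    chains=$("$1" | adm_reject_chains)
    echo "$1: adm-prohibited reject in: ${chains:-none}"
    case " $chains " in *" FORWARD "*)
        echo "  CT traffic crosses FORWARD, so CTs see 'Administratively prohibited'" ;;
    esac
    echo "  new SSH to the node over IPv6: $("$1" | ssh_v6_verdict)"
}
audit before_rules
audit after_rules
```

With both reject lines gone, the sample's INPUT chain has no catch-all left, so anything other than SSH falls through to the chain policy (ACCEPT here).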
I'm having the same exact problem above but changing my tables didn't fix the problem.
I get the following:
Upon restart of the Host Node I get:
IPv6 address: 2607:5300:60:5ad0:0:0:0:4 belongs to the openvz container. I entered it into solusvm and then gave it to the container. I'm using 2607:5300:0060:5eff:00ff:00ff:00ff:00ff as my default gateway for ip address 2607:5300:60:5ad0:: as per OVH.
When I enter the container I get:
Can anyone tell me what I should put in the ip6tables to get this work, or should i check for other things?
Here is my routing table from the Host Node:
@conlustro, what's your /etc/ssyctl.conf for the IPv6? And have you tried to add it to load the sysctl at boot?
/etc/ssyctl.conf file does not exist on my server or my container.
It's not /etc/ssyctl.conf, it is /etc/sysctl.conf
Check /etc/sysctl.conf
I got:
Sorry for the typo
If we use Proxmox VE3, it will have a problem with loading sysctl.conf at boot, so we need to load it in /etc/network/interfaces.
After adding
and running sysctl -p, you should try again for the IPv6 connection
IT WORKS! Thanks everyone!
Did changing the ipv6 gateway have anything to do with it working, or did I need to not mess with the gateway?
When I go to http://[2607:5300:60:5ad0::4]/ it doesn't go to the default apache webpage like the ipv4 address does, how do I get the ipv6 address to resolve?
^
Is Apache configured to listen on IPv4 and IPv6? If not, configure it to do so.
how do I get the ipv6 address to resolve? - add them to your powerdns and add AAAA record
I have:
in the httpd.conf is that enough or what do I need to put in there to make it listen on both ipv6 and ipv4?
Read http://httpd.apache.org/docs/2.2/en/bind.html and http://www.tldp.org/HOWTO/Linux+IPv6-HOWTO/hints-daemons-apache2..html
I added the ip in plesk 12 and it came up fine and then i gave the ip to a domain in plesk and set my AAAA records but it still isn't showing up. I think I might have my ipv6 gateway address wrong.
My VPS is moved to ali1.ovz1 now!
Any IPv6 in that location soon? Port speed also slower!