Hello everyone,
Setup: Jetson Nano 2GB RAM, Linux jetson 4.9.253-tegra, based on the newest available SD card image.
I am trying to use the Jetson Nano 2GB as a home server that I want to reach from outside my home network. When trying to set up the firewall, I ran into some issues that are connected to me using IPv6 (my internet provider only provides DS-Lite, so I have to use IPv6). Could you help me resolve them?
What works:
When the firewall is disabled, I can access the port I want.
Error message I get:
When I try to enable the firewall after setting incoming traffic to denied by default but allowing the port I want for both IPv4/6, I get this message when running sudo ufw enable:
ERROR: problem running ufw-init
ip6tables-restore: line 142 failed
Problem running '/etc/ufw/before6.rules'
Things I checked:
I can run the ufw enable again and it does enable it. The problem, though, is that I cannot access the IP and port I want anymore, even though I allowed it and the rules were set for IPv4/6:
$ sudo ufw status
Status: active
To Action From
-- ------ ----
22/tcp ALLOW 192.168.1.0/24
80/tcp ALLOW Anywhere
443/tcp ALLOW Anywhere
5938/tcp ALLOW Anywhere
5938/udp ALLOW Anywhere
80/tcp (v6) ALLOW Anywhere (v6)
443/tcp (v6) ALLOW Anywhere (v6)
5938/tcp (v6) ALLOW Anywhere (v6)
5938/udp (v6) ALLOW Anywhere (v6)
22/tcp ALLOW 2001:db8:3c4d:1::/64
So I went ahead and tried to do a clean reset of iptables and ufw and set the defaults. Same result when enabling ufw.
When I check the ufw settings with sudo /usr/share/ufw/check-requirements, it tells me:
Has python: pass (binary: python2.7, version: 2.7.17, py2)
Has iptables: pass
Has ip6tables: pass
Has /proc/net/dev: pass
Has /proc/net/if_inet6: pass
This script will now attempt to create various rules using the iptables
and ip6tables commands. This may result in module autoloading (eg, for
IPv6).
Proceed with checks (Y/n)? Y
== IPv4 ==
Creating 'ufw-check-requirements'... done
Inserting RETURN at top of 'ufw-check-requirements'... done
TCP: pass
UDP: pass
destination port: pass
source port: pass
ACCEPT: pass
DROP: pass
REJECT: pass
LOG: pass
hashlimit: pass
limit: pass
ctstate (NEW): pass
ctstate (RELATED): pass
ctstate (ESTABLISHED): pass
ctstate (INVALID): pass
ctstate (new, recent set): pass
ctstate (new, recent update): pass
ctstate (new, limit): pass
interface (input): pass
interface (output): pass
multiport: pass
comment: pass
addrtype (LOCAL): pass
addrtype (MULTICAST): pass
addrtype (BROADCAST): pass
icmp (destination-unreachable): pass
icmp (source-quench): pass
icmp (time-exceeded): pass
icmp (parameter-problem): pass
icmp (echo-request): pass
== IPv6 ==
Creating 'ufw-check-requirements6'... done
Inserting RETURN at top of 'ufw-check-requirements6'... done
TCP: pass
UDP: pass
destination port: pass
source port: pass
ACCEPT: pass
DROP: pass
REJECT: pass
LOG: pass
hashlimit: pass
limit: pass
ctstate (NEW): pass
ctstate (RELATED): pass
ctstate (ESTABLISHED): pass
ctstate (INVALID): pass
ctstate (new, recent set): pass
ctstate (new, recent update): pass
ctstate (new, limit): pass
interface (input): pass
interface (output): pass
multiport: pass
comment: pass
icmpv6 (destination-unreachable): pass
icmpv6 (packet-too-big): pass
icmpv6 (time-exceeded): pass
icmpv6 (parameter-problem): pass
icmpv6 (echo-request): pass
icmpv6 with hl (neighbor-solicitation): pass
icmpv6 with hl (neighbor-advertisement): pass
icmpv6 with hl (router-solicitation): pass
icmpv6 with hl (router-advertisement): pass
ipv6 rt: FAIL
error was: ip6tables: No chain/target/match by that name.
FAIL: check your kernel and that you have iptables >= 1.4.0
So I checked the iptables version, which is v1.6.1.
I was not sure what to check about the kernel (completely new to kernels). So I tried to run the following commands, which I'm not sure make sense. I hope they help track down the issue.
I ran into this forum post, which didn't help me though, since it has been fixed if I understand it correctly:
$ zcat /proc/config.gz | grep IPV6
CONFIG_IPV6=y
CONFIG_IPV6_ROUTER_PREF=y
CONFIG_IPV6_ROUTE_INFO=y
CONFIG_IPV6_OPTIMISTIC_DAD=y
CONFIG_IPV6_MIP6=m
# CONFIG_IPV6_ILA is not set
# CONFIG_IPV6_VTI is not set
CONFIG_IPV6_SIT=m
# CONFIG_IPV6_SIT_6RD is not set
CONFIG_IPV6_NDISC_NODETYPE=y
CONFIG_IPV6_TUNNEL=m
# CONFIG_IPV6_FOU is not set
# CONFIG_IPV6_FOU_TUNNEL is not set
CONFIG_IPV6_MULTIPLE_TABLES=y
# CONFIG_IPV6_SUBTREES is not set
# CONFIG_IPV6_MROUTE is not set
# CONFIG_IP_VS_IPV6 is not set
CONFIG_NF_DEFRAG_IPV6=m
CONFIG_NF_CONNTRACK_IPV6=m
# CONFIG_NF_DUP_IPV6 is not set
CONFIG_NF_REJECT_IPV6=m
CONFIG_NF_LOG_IPV6=m
CONFIG_NF_NAT_IPV6=m
CONFIG_NF_NAT_MASQUERADE_IPV6=m
# CONFIG_IP6_NF_MATCH_IPV6HEADER is not set
# CONFIG_AF_RXRPC_IPV6 is not set
$ modinfo ipv6
modinfo: ERROR: Module ipv6 not found.
$ lsmod | grep ipv6
nf_reject_ipv6 5276 1 ip6t_REJECT
nf_log_ipv6 5942 3
nf_conntrack_ipv6 12594 7
nf_defrag_ipv6 10772 1 nf_conntrack_ipv6
nf_log_common 4809 2 nf_log_ipv6,nf_log_ipv4
nf_conntrack 106659 11 nf_conntrack_ipv6,nf_conntrack_ftp,nf_conntrack_ipv4,nf_conntrack_broadcast,nf_nat_ftp,nf_conntrack_netlink,nf_conntrack_netbios_ns,nf_nat_masquerade_ipv4,xt_conntrack,nf_nat_ipv4,nf_nat
Is this issue related to the kernel? Does someone have an IPv6 setup with a firewall running on the Jetson Nano that works? Do you have an idea what could be causing the issue?
Thanks so much for your help. I'm a bit lost at this point.
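
A diagnostic sketch for the error in the post above, added here and not part of the original post: it prints the rules-file line that ip6tables-restore reported and lists every `-m` match in the file that the kernel config does not provide, checking the `CONFIG_IP6_NF_MATCH_*` and `CONFIG_NETFILTER_XT_MATCH_*` options (neither contains the string `IPV6`). The function names, the rules excerpt and the kernel config lines are constructed for illustration and are not taken from the Jetson image.

```shell
#!/bin/sh
# Added example: cross-check the matches a ufw rules file uses against
# the netfilter match options in a kernel config.

# Print the rules-file line named in "ip6tables-restore: line N failed".
# If that line is COMMIT, the kernel rejected the table as a whole and the
# offending rule can be any rule above it in that table.
failed_line() { sed -n "${2}p" "$1"; }

# Print each distinct match extension (-m NAME) used in rules file $1.
rules_matches() {
    grep -v '^[[:space:]]*#' "$1" \
        | grep -o -e '-m [a-z0-9_][a-z0-9_]*' | awk '{print $2}' | sort -u
}

# Print the matches in rules file $1 that kernel config $2 does not enable.
# Heuristic: match NAME maps to CONFIG_IP6_NF_MATCH_NAME or
# CONFIG_NETFILTER_XT_MATCH_NAME. tcp/udp/icmp6 are skipped because they
# are compiled into x_tables/ip6_tables and have no option of their own.
missing_matches() {
    for m in $(rules_matches "$1"); do
        case "$m" in tcp|udp|icmp6) continue ;; esac
        opt=$(printf '%s' "$m" | tr '[:lower:]' '[:upper:]')
        grep -Eq "^CONFIG_(IP6_NF|NETFILTER_XT)_MATCH_${opt}=[ym]$" "$2" \
            || echo "$m"
    done
}

# --- constructed sample input (not the poster's files) ---
tmp=$(mktemp -d)
RULES="$tmp/before6.rules"; KCONF="$tmp/kconfig"
cat > "$RULES" <<'EOF'
*filter
:ufw6-before-input - [0:0]
# drop packets with RH0 headers
-A ufw6-before-input -m rt --rt-type 0 -j DROP
-A ufw6-before-input -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw6-before-input -p icmpv6 --icmpv6-type neighbor-solicitation -m hl --hl-eq 255 -j ACCEPT
COMMIT
EOF
cat > "$KCONF" <<'EOF'
CONFIG_NETFILTER_XT_MATCH_CONNTRACK=m
CONFIG_NETFILTER_XT_MATCH_HL=m
# CONFIG_IP6_NF_MATCH_RT is not set
EOF

echo "reported line: $(failed_line "$RULES" 7)"
echo "matches without kernel support: $(missing_matches "$RULES" "$KCONF")"
```

On a real system, decompress `/proc/config.gz` to a file first and pass that file together with `/etc/ufw/before6.rules` and the line number from the error message.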