IPV6 firewall issues

Hello everyone,

setup: Jetson Nano 2GB RAM, Linux jetson 4.9.253-tegra, based on newest available SD card image

I am trying to use the Jetson Nano 2GB as a home server that I want to reach from outside my home network. When trying to set up the firewall, I ran into some issues that are connected to me using IPv6 (My internet provider only provides DS lite, so i have to use IPv6). Could you help me resolve them?

What works:
When the firewall is disabled, i can access the Port i want.

Error message i get:
When i try to enable the firewall after setting incoming traffic by default to denied but allowing the port i want both for IPv4/6, i get this message when running sudo ufw enable:

ERROR: problem running ufw-init
ip6tables-restore: line 142 failed

Problem running '/etc/ufw/before6.rules'

Things i checked:
I can run the enable ufw again and it does enable it. The problem is though, that i cannot access the IP and port i want anymore even when i allowed it and the rules were set for IPv4/6:

$ sudo ufw status
Status: active

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW       192.168.1.0/24
80/tcp                     ALLOW       Anywhere
443/tcp                    ALLOW       Anywhere
5938/tcp                   ALLOW       Anywhere
5938/udp                   ALLOW       Anywhere
80/tcp (v6)                ALLOW       Anywhere (v6)
443/tcp (v6)               ALLOW       Anywhere (v6)
5938/tcp (v6)              ALLOW       Anywhere (v6)
5938/udp (v6)              ALLOW       Anywhere (v6)
22/tcp                     ALLOW       2001:db8:3c4d:1::/64

So, i went ahead, tried to do a clean reset of the iptables and ufw and setting the defaults. Same result when enabling ufw.

When I check the ufw settings with sudo /usr/share/ufw/check-requirements it tells me:

Has python: pass (binary: python2.7, version: 2.7.17, py2)
Has iptables: pass
Has ip6tables: pass

Has /proc/net/dev: pass
Has /proc/net/if_inet6: pass

This script will now attempt to create various rules using the iptables
and ip6tables commands. This may result in module autoloading (eg, for
IPv6).
Proceed with checks (Y/n)? Y
== IPv4 ==
Creating 'ufw-check-requirements'... done
Inserting RETURN at top of 'ufw-check-requirements'... done
TCP: pass
UDP: pass
destination port: pass
source port: pass
ACCEPT: pass
DROP: pass
REJECT: pass
LOG: pass
hashlimit: pass
limit: pass
ctstate (NEW): pass
ctstate (RELATED): pass
ctstate (ESTABLISHED): pass
ctstate (INVALID): pass
ctstate (new, recent set): pass
ctstate (new, recent update): pass
ctstate (new, limit): pass
interface (input): pass
interface (output): pass
multiport: pass
comment: pass
addrtype (LOCAL): pass
addrtype (MULTICAST): pass
addrtype (BROADCAST): pass
icmp (destination-unreachable): pass
icmp (source-quench): pass
icmp (time-exceeded): pass
icmp (parameter-problem): pass
icmp (echo-request): pass

== IPv6 ==
Creating 'ufw-check-requirements6'... done
Inserting RETURN at top of 'ufw-check-requirements6'... done
TCP: pass
UDP: pass
destination port: pass
source port: pass
ACCEPT: pass
DROP: pass
REJECT: pass
LOG: pass
hashlimit: pass
limit: pass
ctstate (NEW): pass
ctstate (RELATED): pass
ctstate (ESTABLISHED): pass
ctstate (INVALID): pass
ctstate (new, recent set): pass
ctstate (new, recent update): pass
ctstate (new, limit): pass
interface (input): pass
interface (output): pass
multiport: pass
comment: pass
icmpv6 (destination-unreachable): pass
icmpv6 (packet-too-big): pass
icmpv6 (time-exceeded): pass
icmpv6 (parameter-problem): pass
icmpv6 (echo-request): pass
icmpv6 with hl (neighbor-solicitation): pass
icmpv6 with hl (neighbor-advertisement): pass
icmpv6 with hl (router-solicitation): pass
icmpv6 with hl (router-advertisement): pass
ipv6 rt: FAIL
error was: ip6tables: No chain/target/match by that name.

FAIL: check your kernel and that you have iptables >= 1.4.0

So i checked the iptables version, which is v1.6.1

I was not sure what to check about the kernel (completely new to kernels). So I tried to run the following commands, which i’m not sure make sense. I hope they help tracking down the issue.

I ran into this forum post,which didn’t help me though, since it has been fixed if i understand it correctly:

$ zcat /proc/config.gz | grep IPV6
CONFIG_IPV6=y
CONFIG_IPV6_ROUTER_PREF=y
CONFIG_IPV6_ROUTE_INFO=y
CONFIG_IPV6_OPTIMISTIC_DAD=y
CONFIG_IPV6_MIP6=m
# CONFIG_IPV6_ILA is not set
# CONFIG_IPV6_VTI is not set
CONFIG_IPV6_SIT=m
# CONFIG_IPV6_SIT_6RD is not set
CONFIG_IPV6_NDISC_NODETYPE=y
CONFIG_IPV6_TUNNEL=m
# CONFIG_IPV6_FOU is not set
# CONFIG_IPV6_FOU_TUNNEL is not set
CONFIG_IPV6_MULTIPLE_TABLES=y
# CONFIG_IPV6_SUBTREES is not set
# CONFIG_IPV6_MROUTE is not set
# CONFIG_IP_VS_IPV6 is not set
CONFIG_NF_DEFRAG_IPV6=m
CONFIG_NF_CONNTRACK_IPV6=m
# CONFIG_NF_DUP_IPV6 is not set
CONFIG_NF_REJECT_IPV6=m
CONFIG_NF_LOG_IPV6=m
CONFIG_NF_NAT_IPV6=m
CONFIG_NF_NAT_MASQUERADE_IPV6=m
# CONFIG_IP6_NF_MATCH_IPV6HEADER is not set
# CONFIG_AF_RXRPC_IPV6 is not set
$ modinfo ipv6
modinfo: ERROR: Module ipv6 not found.
$ lsmod | grep ipv6
nf_reject_ipv6          5276  1 ip6t_REJECT
nf_log_ipv6             5942  3
nf_conntrack_ipv6      12594  7
nf_defrag_ipv6         10772  1 nf_conntrack_ipv6
nf_log_common           4809  2 nf_log_ipv6,nf_log_ipv4
nf_conntrack          106659  11 nf_conntrack_ipv6,nf_conntrack_ftp,nf_conntrack_ipv4,nf_conntrack_broadcast,nf_nat_ftp,nf_conntrack_netlink,nf_conntrack_netbios_ns,nf_nat_masquerade_ipv4,xt_conntrack,nf_nat_ipv4,nf_nat

Is this issues related to the kernel? Does someone have an IPv6 setup with firewall running on the jetson nano that works? Do you have an idea what could be causing the issue?

Thanks so much for your help. I’m a bit lost at this point

UPDATE:
I also tried to do the same steps on a fresh install of an Odroid XU4 runnibg Ubuntu Mate 18.04. So, the way i set it up seems to be correct. Any ideas why the firewall on the Jetson Nano blocks ports that i specifically allowed?

I don’t know if the IPV6 firewall have been tested, and don’t know if can work, may other developers help to share experience.