{"id":6806,"date":"2014-04-23T08:07:32","date_gmt":"2014-04-23T08:07:32","guid":{"rendered":"https:\/\/unknownerror.org\/index.php\/2014\/04\/23\/ipv6-connect-b-to-a-works-a-to-b-fails-with-bs-syn-ack-receiving-icmp-destination-unreachable-prohibited-collection-of-common-programming-errors\/"},"modified":"2014-04-23T08:07:32","modified_gmt":"2014-04-23T08:07:32","slug":"ipv6-connect-b-to-a-works-a-to-b-fails-with-bs-syn-ack-receiving-icmp-destination-unreachable-prohibited-collection-of-common-programming-errors","status":"publish","type":"post","link":"https:\/\/unknownerror.org\/index.php\/2014\/04\/23\/ipv6-connect-b-to-a-works-a-to-b-fails-with-bs-syn-ack-receiving-icmp-destination-unreachable-prohibited-collection-of-common-programming-errors\/","title":{"rendered":"IPv6 connect B to A works, A to B fails with B&#39;s SYN-ACK receiving ICMP destination unreachable prohibited-Collection of common programming errors"},"content":{"rendered":"<p>I&#8217;m testing on IPv6. A is a server in a Cogent colo with native IPv6, call it 2001:db8:1111::1. B is a Mac mini behind an Airport Extreme router behind ISP Comcast; the router is set up to use anycast 6to4, and B is let&#8217;s say 2002:c000:202::2.<\/p>\n<p>On B, <code>ssh 2001:db8:1111::1<\/code> works just fine.<\/p>\n<p>On A, <code>ssh 2002:c000:202::2<\/code> times out. (Same for any other TCP connection.) 
Running <code>tcpdump -nnvvvSs0<\/code> on B, I can see that the SYN packet from A reaches B just fine, but the SYN-ACK packet back from B to A is told &#8220;destination unreachable, unreachable prohibited&#8221;:<\/p>\n<pre><code>12:16:42.266203 IP6 (hlim 51, next-header TCP (6) payload length: 40) 2001:db8:1111::1.43263 &gt; 2002:c000:201::2.22: Flags [S], cksum 0x6c79 (correct), seq 102729844, win 5760, options [mss 1440,sackOK,TS val 749393277 ecr 0,nop,wscale 7], length 0\n12:16:42.266330 IP6 (flowlabel 0xb4ac1, hlim 64, next-header TCP (6) payload length: 44) 2002:c000:202::2.22 &gt; 2001:db8:1111::1.43263: Flags [S.], cksum 0xa0e9 (correct), seq 122191294, ack 102729845, win 65535, options [mss 1440,nop,wscale 3,nop,nop,TS val 1053035827 ecr 749393277,sackOK,eol], length 0\n12:16:42.403695 IP6 (hlim 51, next-header ICMPv6 (58) payload length: 92) 2001:db8:1111::1 &gt; 2002:c000:202::2: [icmp6 sum ok] ICMP6, destination unreachable, length 92,  unreachable prohibited 2001:db8:1111::1\n<\/code><\/pre>\n<p>It definitely seems striking that B can send a SYN to A and set up a connection, but B&#8217;s SYN-ACK is rejected. Where should I look next to see why this is happening?<\/p>\n<p><strong>Edit:<\/strong> Here&#8217;s the <code>\/etc\/sysconfig\/ip6tables<\/code> from the server A:<\/p>\n<pre><code>*filter\n:INPUT ACCEPT [0:0]\n:FORWARD ACCEPT [0:0]\n:OUTPUT ACCEPT [0:0]\n:RH-Firewall-1-INPUT - [0:0]\n-A INPUT -j RH-Firewall-1-INPUT\n-A FORWARD -j RH-Firewall-1-INPUT\n-A RH-Firewall-1-INPUT -i lo -j ACCEPT\n-A RH-Firewall-1-INPUT -p icmpv6 -j ACCEPT\n-A RH-Firewall-1-INPUT -p 50 -j ACCEPT\n-A RH-Firewall-1-INPUT -p 51 -j ACCEPT\n-A RH-Firewall-1-INPUT -p udp --dport 5353 -d ff02::fb -j ACCEPT\n#-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT\n#-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT\n#-A RH-Firewall-1-INPUT -p udp -m udp --dport 32768:61000 -j ACCEPT\n#-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 32768:61000 ! 
--syn -j ACCEPT\n-A RH-Firewall-1-INPUT -m tcp -p tcp --dport 22 -j ACCEPT\n-A RH-Firewall-1-INPUT -m tcp -p tcp --dport 25 -j ACCEPT\n-A RH-Firewall-1-INPUT -m tcp -p tcp --dport 80 -j ACCEPT\n-A RH-Firewall-1-INPUT -m tcp -p tcp --dport 443 -j ACCEPT\n-A RH-Firewall-1-INPUT -m tcp -p tcp --dport 53 -j ACCEPT\n-A RH-Firewall-1-INPUT -m udp -p udp --dport 53 -j ACCEPT\n-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp6-adm-prohibited\n-A RH-Firewall-1-INPUT -j DROP\n\nCOMMIT\n<\/code><\/pre>\n","protected":false},"excerpt":{"rendered":"<p>I&#8217;m testing on IPv6. A is a server in a Cogent colo with native IPv6, call it 2001:db8:1111::1. B is a Mac mini behind an Airport Extreme router behind ISP Comcast; the router is set up to use anycast 6to4, and B is let&#8217;s say 2002:c000:202::2. On B, ssh 2001:db8:1111::1 works just fine. On A, [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-6806","post","type-post","status-publish","format-standard","hentry","category-uncategorized"],"_links":{"self":[{"href":"https:\/\/unknownerror.org\/index.php\/wp-json\/wp\/v2\/posts\/6806","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/unknownerror.org\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/unknownerror.org\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/unknownerror.org\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/unknownerror.org\/index.php\/wp-json\/wp\/v2\/comments?post=6806"}],"version-history":[{"count":0,"href":"https:\/\/unknownerror.org\/index.php\/wp-json\/wp\/v2\/posts\/6806\/revisions"}],"wp:attachment":[{"href":"https:\/\/unknownerror.org\/index.php\/wp-json\/wp\/v2\/media?parent=6806"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http
s:\/\/unknownerror.org\/index.php\/wp-json\/wp\/v2\/categories?post=6806"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/unknownerror.org\/index.php\/wp-json\/wp\/v2\/tags?post=6806"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
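Reading the ruleset the question posts for server A, nothing in `RH-Firewall-1-INPUT` accepts a packet merely because it belongs to a connection A itself opened: the stock Red Hat version of that chain carries a `-m state --state ESTABLISHED,RELATED -j ACCEPT` line near the top, and this one does not. A's outbound SYN leaves under the `OUTPUT` policy of ACCEPT, but B's SYN-ACK comes back to A's ephemeral port 43263, matches none of the `--dport` rules, and lands on `-j REJECT --reject-with icmp6-adm-prohibited`, which is exactly the ICMPv6 "unreachable prohibited" the capture shows arriving from A's own address. B's ssh to A works because that SYN hits the `--dport 22` rule. The script below is an added example, not code from the question or its author: a small model of iptables chain traversal that walks three packet types through the posted ruleset, then through the same ruleset with the conntrack rule added, and through a stateless `! --syn` variant in the spirit of the commented-out rule. It assumes an interface named eth0, that A's kernel has IPv6 connection tracking (nf_conntrack_ipv6, in mainline since 2.6.20; `-m state` in ip6tables needs it), and it models only the options the ruleset uses.

```python
# Added example, not from the post: a model of iptables chain traversal that
# knows only the options used below; assumes eth0 and IPv6 conntrack on A.
import shlex
from dataclasses import dataclass

# A's posted /etc/sysconfig/ip6tables, INPUT side only (constructed copy; FORWARD,
# ESP/AH and the service ports other than 22 are left out, none matches below).
ORIGINAL_RULES = """\
*filter
:INPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp6-adm-prohibited
-A RH-Firewall-1-INPUT -j DROP
COMMIT
"""
# The line the stock RH-Firewall-1-INPUT chain carries and the posted one lacks:
# accept packets that belong to connections A opened itself.
STATE_RULE = "-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
# Pre-conntrack workaround in the spirit of the post's commented-out rule.
STATELESS_RULE = "-A RH-Firewall-1-INPUT -p tcp ! --syn -j ACCEPT"

def with_rule(text, rule):
    # Insert `rule` right after the loopback ACCEPT, where Red Hat puts it.
    lines = text.splitlines()
    at = next(n for n, l in enumerate(lines) if l.endswith("-i lo -j ACCEPT")) + 1
    return "\n".join(lines[:at] + [rule] + lines[at:]) + "\n"

@dataclass
class Packet:
    proto: str                      # "tcp", "udp", "icmpv6" or a protocol number
    dport: int = 0
    flags: frozenset = frozenset()  # TCP flag letters as tcpdump prints them
    state: str = "NEW"              # conntrack's classification of the packet
    iface: str = "eth0"             # assumed interface name

# Constructed from the post's capture, as A's INPUT chain sees them.
SSH_SYN_FROM_B = Packet("tcp", 22, frozenset("S"))                     # B connecting to A
SYN_ACK_FROM_B = Packet("tcp", 43263, frozenset("SA"), "ESTABLISHED")  # reply to A's own SYN
ACK_PROBE = Packet("tcp", 43263, frozenset("A"))                       # unsolicited ACK, NEW

MATCHERS = {
    "-i": lambda p, v: p.iface == v,
    "-p": lambda p, v: p.proto == v,
    "--dport": lambda p, v: p.dport == int(v),
    "--state": lambda p, v: p.state in v.split(","),
    "--syn": lambda p, v: p.flags == {"S"},   # SYN set, ACK/RST/FIN clear
}

def parse_rules(text):
    """Parse ip6tables-save format into {chain: [rule]} and {chain: policy}."""
    chains, policies = {}, {}
    for line in text.splitlines():
        if line.startswith(":"):                 # ":NAME POLICY [pkts:bytes]"
            name, policy, _ = line[1:].split()   # policy "-" marks a user chain
            chains[name], policies[name] = [], policy
        elif line.startswith("-A "):             # "-A CHAIN [!] opt val ... -j TARGET"
            toks, rule, i = shlex.split(line), {"negate": set()}, 2
            while i < len(toks):
                if toks[i] == "!":               # "!" negates the option after it
                    rule["negate"].add(toks[i + 1])
                    i += 1
                opt, has_arg = toks[i], toks[i] != "--syn"
                if opt != "-m":                  # "-m tcp" / "-m state" only load a module
                    rule[opt] = toks[i + 1] if has_arg else True
                i += 1 + has_arg
            chains[toks[1]].append(rule)
    return chains, policies

def rule_matches(rule, pkt):
    for opt, want in rule.items():
        assert opt in MATCHERS or opt in ("negate", "-j", "--reject-with"), opt
        if opt in MATCHERS and not (MATCHERS[opt](pkt, want) ^ (opt in rule["negate"])):
            return False
    return True

def walk(chains, policies, chain, pkt):
    """First terminal target wins; a user chain that falls through returns to
    its caller, a built-in chain that falls through ends at its policy."""
    for rule in chains[chain]:
        if not rule_matches(rule, pkt):
            continue
        target = rule["-j"]
        if target in chains:                     # jump into a user chain
            v = walk(chains, policies, target, pkt)
            if v is not None:
                return v
        elif target == "REJECT":
            return "REJECT " + rule.get("--reject-with", "icmp6-port-unreachable")
        else:
            return target                        # ACCEPT or DROP
    return None if policies[chain] == "-" else policies[chain]

def verdict(rules_text, pkt):
    return walk(*parse_rules(rules_text), "INPUT", pkt)

if __name__ == "__main__":
    for label, rules in (("posted", ORIGINAL_RULES), ("+state", with_rule(ORIGINAL_RULES, STATE_RULE)),
                         ("+!--syn", with_rule(ORIGINAL_RULES, STATELESS_RULE))):
        print(label, [verdict(rules, p) for p in (SSH_SYN_FROM_B, SYN_ACK_FROM_B, ACK_PROBE)])
```

On the real host, `ip6tables -L RH-Firewall-1-INPUT -n -v` shows the packet counter on the REJECT line climbing once per connection attempt from A, and `tcpdump -ni eth0 icmp6` on A shows A itself emitting the type 1 code 1 message. The stateless variant is what pre-conntrack setups did and what the commented-out `--dport 32768:61000 ! --syn` line hints at; the model also shows its cost: an unsolicited ACK to port 43263 is accepted and answered by the stack (a RST for a closed port), which is exactly what an ACK scan looks for, whereas the conntrack rule still rejects it.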