● ip6tables.service - IPv6 Packet Filtering Framework
Loaded: loaded (/usr/lib/systemd/system/ip6tables.service; enabled; vendor preset: disabled)
Active: active (exited) since Fri 2022-01-28 19:30:38 UTC; 6s ago
Process: 92643 ExecStart=/usr/bin/ip6tables-restore /etc/iptables/ip6tables.rules (code=exited, status=0/SUCCESS)
Main PID: 92643 (code=exited, status=0/SUCCESS)
CPU: 6ms
Jan 28 19:30:38 nas systemd[1]: Starting IPv6 Packet Filtering Framework...
Jan 28 19:30:38 nas ip6tables-restore[92643]: Warning: never matched protocol: 51. use extension match instead.
Jan 28 19:30:38 nas systemd[1]: Finished IPv6 Packet Filtering Framework.
#iptables
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -i enp4s0 -j ACCEPT
-A RH-Firewall-1-INPUT -i wlp5s0 -j ACCEPT
-A RH-Firewall-1-INPUT -p icmpv6 -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d ff02::fb -j ACCEPT
-A RH-Firewall-1-INPUT -m udp -p udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m tcp -p tcp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m udp -p udp --dport 32768:61000 -j ACCEPT
-A RH-Firewall-1-INPUT -m tcp -p tcp --dport 32768:61000 ! --syn -j ACCEPT
# open port 53
-A RH-Firewall-1-INPUT -m tcp -p tcp --dport 53 -j ACCEPT
-A RH-Firewall-1-INPUT -m udp -p udp --dport 53 -j ACCEPT
# open port 22
-A RH-Firewall-1-INPUT -m tcp -p tcp --dport 22 -j ACCEPT
# open port ftp rtorrent speedtest tcp
-A RH-Firewall-1-INPUT -m tcp -p tcp --dport 111 -j ACCEPT
-A RH-Firewall-1-INPUT -m tcp -p tcp --dport 139 -j ACCEPT
-A RH-Firewall-1-INPUT -m tcp -p tcp --dport 445 -j ACCEPT
-A RH-Firewall-1-INPUT -m tcp -p tcp --dport 2049 -j ACCEPT
-A RH-Firewall-1-INPUT -m tcp -p tcp --dport 20048 -j ACCEPT
-A RH-Firewall-1-INPUT -m tcp -p tcp --dport 34841 -j ACCEPT
-A RH-Firewall-1-INPUT -m tcp -p tcp --dport 42375 -j ACCEPT
#open port http & https
-A RH-Firewall-1-INPUT -m tcp -p tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -m tcp -p tcp --dport 443 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp6-adm-prohibited
COMMIT
# Completed on Sat Oct 30 15:02:35 2021
What does this error mean?
No idea atm, but iptables has separate rules for IPv6 and IPv4 (one of the many reasons to switch to its successor, nft).
Please post ip6tables output.
Last edited by Lone_Wolf (2022-01-29 11:05:36)
ip6tables says: This rule for IP protocol 51 (AH/Authentication header)
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
will never be matched. Use an iptables-extensions module ("ah") match instead.
No idea atm, but iptables has separate rules for IPv6 and IPv4 (one of the many reasons to switch to its successor, nft).
Please post ip6tables output.
This is /etc/iptables/ip6tables.rules.
I know. I have the IPv4 and IPv6 rules separated.
So I'll take a look at nftables, but if someone can help I would appreciate it!
ip6tables says: This rule for IP protocol 51 (AH/Authentication header)
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
will never be matched. Use an iptables-extensions module ("ah") match instead.
Thanks
OK, and what is module ah? Or how should this rule look to be proper?
Last edited by Morta (2022-01-29 11:27:56)
iptables -p ah -j ACCEPT
is the solution Google gives me. I will try at home.
Or, for me:
-A RH-Firewall-1-INPUT -p ah -j ACCEPT
Last edited by Morta (2022-01-29 11:37:15)
Something like
-A RH-Firewall-1-INPUT -m ah --ahspi spi_of_your_ipsec_connection -j ACCEPT
https://ipset.netfilter.org/iptables-ex … s.man.html
https://en.wikipedia.org/wiki/Security_Parameter_Index
I will try at home.
Or, for me: -A RH-Firewall-1-INPUT -p ah -j ACCEPT
This will result in:
Warning: never matched protocol: ah. use extension match instead.
So you will gain nothing.
Why do you have these two rules in your ruleset:
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
What's their purpose?
Last edited by -thc (2022-01-29 14:36:05)
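The reason both `-p 51` and `-p ah` draw the same warning is that in ip6tables `-p` is tested against the upper-layer protocol that remains after the IPv6 extension-header chain has been walked, and AH is one of those extension headers, so the rule can never fire; the header has to be selected with its own match module (`-m ah`, which without `--ahspi` matches any packet carrying an AH header). The following is an added example, not code from this thread or from the iptables project: a small POSIX shell linter that reads an iptables-save style ip6tables rules file, reports every non-negated `-p <proto>` on an extension header, and prints the ruleset with the equivalent `-m <module>` substituted. It generalizes the thread's AH case to the other extension headers ip6tables treats the same way (routing header 43, fragment header 44, destination options 60). The function names and the sample rules written by `write_sample_rules` are the example's own; the sample is modelled on the ruleset posted above but is not the poster's file.

```shell
#!/bin/sh
# Added example for this thread (not from the original post or the iptables
# project): lint an ip6tables-restore rules file for "-p <proto>" on IPv6
# extension headers, which ip6tables reports as "never matched protocol", and
# print the ruleset with the matching "-m <module>" substituted instead.
# The constructed sample in write_sample_rules is NOT the poster's real file.

# Extension-header protocols (number or /etc/protocols name) -> match module.
# 50/esp is deliberately absent: ESP is an upper-layer payload, so "-p esp"
# is matched normally and ip6tables does not warn about it.
ext_match_for() {
    case "$1" in
        43|ipv6-route) echo rt ;;
        44|ipv6-frag)  echo frag ;;
        51|ah)         echo ah ;;
        60|ipv6-opts)  echo dst ;;
        *) return 1 ;;
    esac
}

# Print one rule line with a non-negated "-p <exthdr>" replaced by "-m <module>".
# "! -p ah" is left untouched on purpose: ip6tables does not warn about it, and
# "! -m ah" would mean something else (no AH header present at all).
rewrite_rule() {
    local out='' prev='' pending='' tok match
    set -f                 # no globbing while we split the rule into words
    # shellcheck disable=SC2086  # word splitting of the rule line is intended
    set -- $1
    set +f
    for tok in "$@"; do
        if [ -n "$pending" ]; then
            # previous token was a non-negated -p/--protocol: decide on its argument
            if match=$(ext_match_for "$tok"); then
                out="$out -m $match"
            else
                out="$out $pending $tok"
            fi
            pending=''
        elif { [ "$tok" = "-p" ] || [ "$tok" = "--protocol" ]; } && [ "$prev" != "!" ]; then
            pending="$tok"
        else
            out="$out $tok"
        fi
        prev="$tok"
    done
    if [ -n "$pending" ]; then out="$out $pending"; fi   # dangling -p, keep it
    printf '%s\n' "${out# }"
}

# Rewrite a whole file: -A/-I rule lines are checked, everything else
# (comments, *table, :chain, COMMIT) passes through unchanged.
fix_ip6tables_rules() {
    local line
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            "-A "*|"-I "*) rewrite_rule "$line" ;;
            *) printf '%s\n' "$line" ;;
        esac
    done < "$1"
}

# Count the rule lines ip6tables-restore would warn about (0 means clean).
count_never_matched() {
    local line n=0
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            "-A "*|"-I "*)
                if [ "$(rewrite_rule "$line")" != "$line" ]; then n=$((n+1)); fi ;;
        esac
    done < "$1"
    echo "$n"
}

# Constructed sample modelled on the thread's ruleset (not the original file).
write_sample_rules() {
    cat > "$1" <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -p icmpv6 -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p ipv6-frag -j DROP
-A RH-Firewall-1-INPUT ! -p ah -j RETURN
-A RH-Firewall-1-INPUT -m tcp -p tcp --dport 22 -j ACCEPT
COMMIT
EOF
}

# Demo: count the offending rules in the sample, then print the corrected
# ruleset (which can be checked with "ip6tables-restore --test" before use).
tmp=$(mktemp)
write_sample_rules "$tmp"
echo "rules ip6tables would warn about: $(count_never_matched "$tmp")"
fix_ip6tables_rules "$tmp"
rm -f "$tmp"
```

Run it against a real file with `fix_ip6tables_rules /etc/iptables/ip6tables.rules > fixed.rules` and then `ip6tables-restore --test fixed.rules`; the warning disappears because `-m ah` looks for the AH header in the extension-header chain rather than at the final protocol number. If the AH traffic belongs to one known IPsec SA, add `--ahspi <spi>` to the generated rule to restrict it further, as suggested in the post above. The `-p 50` rule for ESP is left alone because ESP is not an extension header and matches as written (or can be narrowed with `-m esp --espspi`).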
Morta wrote: I will try at home.
Or, for me: -A RH-Firewall-1-INPUT -p ah -j ACCEPT
This will result in:
Warning: never matched protocol: ah. use extension match instead.
So you will gain nothing.
Why do you have these two rules in your ruleset:
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
What's their purpose?
Obviously they are for nothing and I can delete them.
It was a sample of an IPv6 firewall that I misinterpreted.