1 (edited by ThASattler 2020-10-16 23:50:26)

Topic: Mailserver does not answer to a ping request due to nftables.conf

==== REQUIRED BASIC INFO OF YOUR IREDMAIL SERVER ====
- iRedMail version (check /etc/iredmail-release): 1.3.1
- Deployed with iRedMail Easy or the downloadable installer? Downloadable installer
- Linux/BSD distribution name and version: DEBIAN 10
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): MySQL (MariaDB)
- Web server (Apache or Nginx):Nginx
- Manage mail accounts with iRedAdmin-Pro? No
- [IMPORTANT] Related original log or error message is required if you're experiencing an issue.
====

With the nftables.conf delivered there is no answer to a ping request, but when the following line in the input chain:

ip protocol icmp icmp type { destination-unreachable, router-solicitation, router-advertisement, time-exceeded, parameter-problem } accept

is changed to

ip protocol icmp accept comment "accept all ICMP types"

there is an answer.

But is this a good workaround? Which types are missing?

And what about the definition for ipcmpv6?

ip6 nexthdr icmpv6 icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem, mld-listener-query, mld-listener-report, mld-listener-reduction, nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert, ind-neighbor-solicit, ind-neighbor-advert, mld2-listener-report } accept

2

Re: Mailserver does not answer to a ping request due to nftables.conf

ThASattler wrote:

ip protocol icmp icmp type { destination-unreachable, router-solicitation, router-advertisement, time-exceeded, parameter-problem } accept

ping works for me with this rule.

Could you please show me the kernel and nft versions?

uname -r
dpkg -l |grep nft

----

Does my reply help a little? How about buying me a cup of coffee ($5) as an encouragement?

buy me a cup of coffee

3

Re: Mailserver does not answer to a ping request due to nftables.conf

ZhangHuangbin wrote:

ping works for me with this rule.

Could you please show me the kernel and nft versions?

Kernel:

4.19.0-11-amd64

nft:

ii  libnftables0:amd64  0.9.0-2 amd64     Netfilter nftables high level userspace API library
ii  libnftnl11:amd64     1.1.2-2 amd64     Netfilter nftables userspace API library
ii  nftables                  0.9.0-2 amd64     Program to control packet filtering rules by Netfilter project

4

Re: Mailserver does not answer to a ping request due to nftables.conf

When I add the type "echo-request" to the nftables statement for ICMP the mailserver is answering to a PING request from another server or client.
The following rule is working for me:

ip protocol icmp icmp type { destination-unreachable, echo-request, router-advertisement, router-solicitation, time-exceeded, parameter-problem } accept