Sorry for the delay, family obligations and I needed to verify a few things before I reply.
You are right. However, with fw3 stop I get this:
root@magiatiko / > iptables-save -c
# Generated by iptables-save v1.8.4 on Tue Dec 29 17:25:03 2020
*raw
:PREROUTING ACCEPT [643:303654]
:OUTPUT ACCEPT [79:8611]
COMMIT
# Completed on Tue Dec 29 17:25:03 2020
# Generated by iptables-save v1.8.4 on Tue Dec 29 17:25:03 2020
*nat
:PREROUTING ACCEPT [91:9384]
:INPUT ACCEPT [65:7100]
:OUTPUT ACCEPT [3:156]
:POSTROUTING ACCEPT [13:754]
:dnshijack - [0:0]
[14569:2968604] -A dnshijack -j DNAT --to-destination 10.0.2.2
[0:0] -A dnshijack -j DNAT --to-destination 10.0.2.2
COMMIT
# Completed on Tue Dec 29 17:25:03 2020
# Generated by iptables-save v1.8.4 on Tue Dec 29 17:25:03 2020
*mangle
:PREROUTING ACCEPT [645:303866]
:INPUT ACCEPT [116:16343]
:FORWARD ACCEPT [513:285837]
:OUTPUT ACCEPT [80:8755]
:POSTROUTING ACCEPT [593:294592]
COMMIT
# Completed on Tue Dec 29 17:25:03 2020
# Generated by iptables-save v1.8.4 on Tue Dec 29 17:25:03 2020
*filter
:INPUT ACCEPT [2:212]
:FORWARD ACCEPT [2:173]
:OUTPUT ACCEPT [3:276]
:banIP - [0:0]
[0:0] -A banIP -o pppoe-wan -m conntrack --ctstate NEW -m set --match-set whitelist dst -j RETURN
[0:0] -A banIP -o tun2 -m conntrack --ctstate NEW -m set --match-set whitelist dst -j RETURN
[0:0] -A banIP -i pppoe-wan -m conntrack --ctstate NEW -m set --match-set whitelist src -j RETURN
[0:0] -A banIP -i tun2 -m conntrack --ctstate NEW -m set --match-set whitelist src -j RETURN
[0:0] -A banIP -p udp -m udp --sport 67:68 --dport 67:68 -j RETURN
[0:0] -A banIP -i tun2 -m conntrack --ctstate NEW -m set --match-set blacklist src -j DROP
[0:0] -A banIP -i pppoe-wan -m conntrack --ctstate NEW -m set --match-set blacklist src -j DROP
[0:0] -A banIP -o tun2 -m conntrack --ctstate NEW -m set --match-set blacklist dst -j REJECT --reject-with icmp-port-unreachable
[0:0] -A banIP -o pppoe-wan -m conntrack --ctstate NEW -m set --match-set blacklist dst -j REJECT --reject-with icmp-port-unreachable
[0:0] -A banIP -i tun2 -m conntrack --ctstate NEW -m set --match-set tor src -j DROP
[0:0] -A banIP -i pppoe-wan -m conntrack --ctstate NEW -m set --match-set tor src -j DROP
[0:0] -A banIP -i tun2 -m conntrack --ctstate NEW -m set --match-set threat src -j DROP
[33:1452] -A banIP -i pppoe-wan -m conntrack --ctstate NEW -m set --match-set threat src -j DROP
[0:0] -A banIP -i tun2 -m conntrack --ctstate NEW -m set --match-set debl src -j DROP
[0:0] -A banIP -i pppoe-wan -m conntrack --ctstate NEW -m set --match-set debl src -j DROP
[0:0] -A banIP -i tun2 -m conntrack --ctstate NEW -m set --match-set myip src -j DROP
[0:0] -A banIP -i pppoe-wan -m conntrack --ctstate NEW -m set --match-set myip src -j DROP
[0:0] -A banIP -i tun2 -m conntrack --ctstate NEW -m set --match-set yoyo src -j DROP
[0:0] -A banIP -i pppoe-wan -m conntrack --ctstate NEW -m set --match-set yoyo src -j DROP
[0:0] -A banIP -i tun2 -m conntrack --ctstate NEW -m set --match-set sslbl src -j DROP
[0:0] -A banIP -i pppoe-wan -m conntrack --ctstate NEW -m set --match-set sslbl src -j DROP
[0:0] -A banIP -i tun2 -m conntrack --ctstate NEW -m set --match-set feodo src -j DROP
[0:0] -A banIP -i pppoe-wan -m conntrack --ctstate NEW -m set --match-set feodo src -j DROP
[0:0] -A banIP -i tun2 -m conntrack --ctstate NEW -m set --match-set dshield src -j DROP
[0:0] -A banIP -i pppoe-wan -m conntrack --ctstate NEW -m set --match-set dshield src -j DROP
[0:0] -A banIP -i tun2 -m conntrack --ctstate NEW -m set --match-set proxy src -j DROP
[0:0] -A banIP -i pppoe-wan -m conntrack --ctstate NEW -m set --match-set proxy src -j DROP
[0:0] -A banIP -i tun2 -m conntrack --ctstate NEW -m set --match-set iblocklist src -j DROP
[0:0] -A banIP -i pppoe-wan -m conntrack --ctstate NEW -m set --match-set iblocklist src -j DROP
[0:0] -A banIP -i tun2 -m conntrack --ctstate NEW -m set --match-set drop src -j DROP
[0:0] -A banIP -i pppoe-wan -m conntrack --ctstate NEW -m set --match-set drop src -j DROP
[0:0] -A banIP -i tun2 -m conntrack --ctstate NEW -m set --match-set edrop src -j DROP
[0:0] -A banIP -i pppoe-wan -m conntrack --ctstate NEW -m set --match-set edrop src -j DROP
[0:0] -A banIP -i tun2 -m conntrack --ctstate NEW -m set --match-set bogon src -j DROP
[0:0] -A banIP -i pppoe-wan -m conntrack --ctstate NEW -m set --match-set bogon src -j DROP
[0:0] -A banIP -o tun2 -m conntrack --ctstate NEW -m set --match-set bogon dst -j REJECT --reject-with icmp-port-unreachable
[0:0] -A banIP -o pppoe-wan -m conntrack --ctstate NEW -m set --match-set bogon dst -j REJECT --reject-with icmp-port-unreachable
COMMIT
# Completed on Tue Dec 29 17:25:03 2020
which means that the banIP chain should not be used, because it is defined but never called.
The interesting detail I found out is that fw3 stop doesn't have an effect on ip6tables; can someone confirm this too?
I can verify now that the culprit for the dropped packets is the bogon6 ipset. I added this logging line:
ip6tables -I banIP -i pppoe-wan -m conntrack --ctstate NEW -m set --match-set bogon_6 src -j LOG --log-prefix "BOGON6 :"
since that was the only entry in the banIP chain with increasing hits.
Turns out it is indeed dropping:
Tue Dec 29 18:02:58 2020 kern.warn kernel: [586990.009710] BOGON6 :IN=pppoe-wan OUT= MAC= SRC=fe80:0000:0000:0000:0000:0000:0000:010c DST=fe80:0000:0000:0000:4415:b44e:6dea:2350 LEN=161 TC=0 HOPLIMIT=64 FLOWLBL=0 PROTO=UDP SPT=547 DPT=546 LEN=121
Tue Dec 29 18:03:02 2020 kern.warn kernel: [586994.245495] BOGON6 :IN=pppoe-wan OUT= MAC= SRC=fe80:0000:0000:0000:0000:0000:0000:010c DST=ff02:0000:0000:0000:0000:0000:0000:0001 LEN=187 TC=0 HOPLIMIT=1 FLOWLBL=0 PROTO=UDP SPT=5678 DPT=5678 LEN=147
Tue Dec 29 18:04:02 2020 kern.warn kernel: [587054.231104] BOGON6 :IN=pppoe-wan OUT= MAC= SRC=fe80:0000:0000:0000:0000:0000:0000:010c DST=ff02:0000:0000:0000:0000:0000:0000:0001 LEN=187 TC=0 HOPLIMIT=1 FLOWLBL=0 PROTO=UDP SPT=5678 DPT=5678 LEN=147
Tue Dec 29 18:04:57 2020 kern.warn kernel: [587108.795173] BOGON6 :IN=pppoe-wan OUT= MAC= SRC=fe80:0000:0000:0000:0000:0000:0000:010c DST=fe80:0000:0000:0000:4415:b44e:6dea:2350 LEN=161 TC=0 HOPLIMIT=64 FLOWLBL=0 PROTO=UDP SPT=547 DPT=546 LEN=121
The only hits I can see are for 8000::/1, which includes the link-local addresses.
This is a bad aggregate, as it won't let through the DHCP replies from the link-local address.
As a workaround I have added fc00::/6 to the whitelist. Maybe something you could consider, @dibdot, to avoid any future problems and be in line with the default firewall rule, which allows the same for dhcp6 purposes.
Still, I don't understand why it worked sometimes and sometimes it didn't...
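An added check, not code from the post or from banIP, that tests whether a bogon aggregate overlaps the prefixes DHCPv6 on a WAN link needs, and replays the logged packets against the banIP rule order with and without the fc00::/6 whitelist. The 8000::/1 entry and the first two log lines are taken from the post; the rest of the bogon list and the third log line are constructed.

```python
import ipaddress
import re

# Bogon aggregate under test: 8000::/1 is the entry the post identified as matching.
# This is a constructed stand-in, not banIP's real bogon_6 set.
BOGON6 = [ipaddress.ip_network("8000::/1")]

# Prefixes DHCPv6 legitimately uses on the WAN (RFC 8415): link-local sources
# and the All_DHCP_Relay_Agents_and_Servers multicast group.
DHCPV6_NEEDS = [ipaddress.ip_network("fe80::/10"), ipaddress.ip_network("ff02::1:2/128")]

# The post's workaround: fc00::/6 also covers fe80::/10 and ff00::/8.
WHITELIST = [ipaddress.ip_network("fc00::/6")]

LOG_RE = re.compile(r"SRC=([0-9a-f:]+) DST=([0-9a-f:]+) .*?PROTO=(\w+) SPT=(\d+) DPT=(\d+)")

# Lines 1-2 copied from the post's kernel log; line 3 is a constructed global-unicast packet.
SAMPLE_LOG = [
    "Tue Dec 29 18:02:58 2020 kern.warn kernel: [586990.009710] BOGON6 :IN=pppoe-wan OUT= MAC= "
    "SRC=fe80:0000:0000:0000:0000:0000:0000:010c DST=fe80:0000:0000:0000:4415:b44e:6dea:2350 "
    "LEN=161 TC=0 HOPLIMIT=64 FLOWLBL=0 PROTO=UDP SPT=547 DPT=546 LEN=121",
    "Tue Dec 29 18:03:02 2020 kern.warn kernel: [586994.245495] BOGON6 :IN=pppoe-wan OUT= MAC= "
    "SRC=fe80:0000:0000:0000:0000:0000:0000:010c DST=ff02:0000:0000:0000:0000:0000:0000:0001 "
    "LEN=187 TC=0 HOPLIMIT=1 FLOWLBL=0 PROTO=UDP SPT=5678 DPT=5678 LEN=147",
    "Tue Dec 29 18:05:00 2020 kern.warn kernel: [587111.000000] BOGON6 :IN=pppoe-wan OUT= MAC= "
    "SRC=2001:0db8:0000:0000:0000:0000:0000:0001 DST=2001:0db8:0000:0000:0000:0000:0000:0002 "
    "LEN=80 TC=0 HOPLIMIT=64 FLOWLBL=0 PROTO=UDP SPT=1234 DPT=53 LEN=40",
]

def overlapping_prefixes(bogons, needed):
    """Return (bogon, needed) pairs where a bogon entry would also match legitimate traffic."""
    return [(b, n) for b in bogons for n in needed if b.overlaps(n)]

def parse_log(line):
    """Pull src/dst/proto/ports out of a netfilter LOG line; None if it does not match."""
    m = LOG_RE.search(line)
    if not m:
        return None
    src, dst, proto, spt, dpt = m.groups()
    return {"src": ipaddress.ip_address(src), "dst": ipaddress.ip_address(dst),
            "proto": proto, "spt": int(spt), "dpt": int(dpt)}

def would_drop(pkt, bogons, whitelist=()):
    """Mimic the banIP chain order: whitelist RETURN rules first, then bogon DROP on src."""
    if any(pkt["src"] in w for w in whitelist):
        return False
    return any(pkt["src"] in b for b in bogons)

def is_dhcpv6_reply(pkt):
    """Server-to-client DHCPv6 is UDP from port 547 to port 546."""
    return pkt["proto"] == "UDP" and pkt["spt"] == 547 and pkt["dpt"] == 546
```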