Why is iptables rejecting the second and subsequent fragments of an allowed packet?

linux iptables ipv6 ip-fragmentation

Solution 1:

The netfilter code only reassembles fragments for you prior to packet filtering if your firewall rules use connection tracking (i.e. the firewall rule is stateful and uses -m conntrack or the deprecated -m state) or NAT. Otherwise all the fragments are processed separately and you get issues like this one.

This makes resolving the issue easy and obvious (in retrospect, anyway). Just add connection tracking to the firewall rules in question.

-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate NEW -m udp -p udp --dport 500 -j ACCEPT
-A INPUT -m conntrack --ctstate NEW -m udp -p udp --dport 4500 -j ACCEPT

Or for older Linux systems (e.g. RHEL 5 and earlier):

-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 500 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 4500 -j ACCEPT

Related

How can I resolve "(Service check did not exit properly)" and "(null)" results with my services?
How to send 0x80 byte to a tcp port using netcat or similar tool?
How to setup client for squid transparent proxy?
Redirect all incoming traffic from a secondary public IP to an internal IP address using iptables
How to change Postgresql database from Read-only to Writable
Different Python versions under the same uwsgi Emperor?
Simulate slow connection between two ubuntu server machines
Configure SSH credentials per environment
Cloudformation fails with "AMI cannot be described"
Nested virtualization - is it possible? [closed]
Can you connect a SAN directly to a HBA with Fibre Channel?
sysctl: cannot stat /proc/sys/net/ipv4/netfilter/ip_conntrack_max: No such file or directory