February 21, 2016
HE & DigitalOcean - Blocked IPv6 ports
I recently created several Virtual Machines on my new Hetzner server as part of my migration efforts from DigitalOcean to my self-hosted ESXi hypervisor. I don’t migrate my VMs and services away from DigitalOcean because I am not satisfied with their service, quite the contrary in fact. I am doing it because my own self-hosted hypervisor allows more flexibility for my learning and testing efforts.
While double-checking the VMs for running services and open ports, I noticed that my Hurricane Electric IPv6 address has some filtered ports that I did not notice before:
I looked at the Hurricane Electric FAQ and it explains why these ports are filtered and how to get these ports un-blocked:
Why can I not connect to IRC?
Due to a high and persistent amount of abuse, we’ve had to filter IRC access by default. If you need IRC access, complete the Sage level of the free IPv6 certification and then please send an email to email@example.com explaining your situation. Approvals will be handled on a case-by-case basis.I can’t send email via IPv6. What’s wrong?
Due to a high and persistent amount of abuse, we had to filter SMTP (tcp/25) connections by default. If you’re not providing email service yourself, you should be able to use port 587 instead to your provider’s email server. If you are providing email services over your tunnel and need port 25 opened, please send an email to firstname.lastname@example.org explaining your situation. NOTE: this filtering does not affect the SMTP-related tests on the IPv6 certification program.
Pretty straight-forward and well-explained. Knowing that these ports are blocked, I wanted to use one of my IPv6-enabled DigitalOcean droplets as this should not filter anything and give me an unaltered list of open ports:
Man, I was so wrong! It looks like DigitalOcean is blocking ports as well, though their blocking made much less sense to me. I could not find anything in the help section on their homepage, but was able to find an article in their ‘Support Center’ that is accessible once you log in:
How to send emails with IPv6 enabled
We currently do not allow SMTP traffic over IPv6 as a side effect of how email black lists treat IPv6 addresses.You can give priority to IPv4 addresses over IPv6 so that you can continue to send out email without disabling IPv6. You would do that by editing the Droplet’s /etc/gai.conf file and removing the comment (#) from the following line:Default Configuration: #precedence ::ffff:0:0/96 100
Configuration with Priority to IPv4: precedence ::ffff:0:0/96 100
As mentioned in a comment on their “How To Enable IPv6 for DigitalOcean Droplets” site, there seems to be no way of getting rid of these restrictions. Even when you contact their support on this specific issue.
Lesson learned: Always use additional external tools — like MXTools — to verify your VM’s open ports, if your source IPv6 address is from DigitalOcean or Hurricane Electric!