# SolusVM Block Ports



## VPSSoldiers (Sep 3, 2015)

So I block port 25 by default on my node(s) and when in doing so for IPv6 (I issue /64 for each VPS) I can still telnet my mail server even when it is supposedly closed on the node. granted I don't think most spammers will be using IPv6 right now but I always try to plan ahead, plus I wrote a script that I run a few times an hour that will automatically create abuse tickets for accounts suspected of spamming and if they haven't resolved it within 24 hours it blocks the ports automatically and I would like to use it on IPv6 as well. I figured something like below would work but haven't had any luck.


```
ip6tables -A FORWARD -p tcp --dport 25 -j DROP
```


----------



## MannDude (Sep 4, 2015)

I do apologize but I don't understand the question fully.

Are you saying that despite blocking port 25 using ip6tables you're still able to access port 25 via telnet? Is that correct?

I'm sure someone will come along shortly and assist .


----------



## wlanboy (Sep 4, 2015)

It depends how you setup the IPV6. Any tunnel service?

INPUT, FORWARD and OUTPUT are separate chains. A packet will only hit one of the three.
If the destination is to this server, it hits the INPUT chain. If its source is from this server, it hits OUTPUT.
But if the source and destination are both other servers - it is routed through the server it hits the FORWARD chain.

I would allow my host and drop everthing else:


```
ip6tables -A INPUT -p tcp --dport 25 -s IP-OF-HOST -j ACCEPT
ip6tables -A INPUT -p tcp --dport 25 -j DROP
ip6tables -A FORWARD -p tcp --dport 25 -j DROP
```


----------



## VPSSoldiers (Sep 5, 2015)

> I do apologize but I don't understand the question fully.
> 
> Are you saying that despite blocking port 25 using ip6tables you're still able to access port 25 via telnet? Is that correct?
> 
> I'm sure someone will come along shortly and assist .



Yes I assign users /64s but want to block the whole /48 by default then unblock each /64 upon request. Yes even with the port blocked I can still telnet a ipv6 mail server.



> It  depends how you setup the IPV6. Any tunnel service?
> 
> INPUT, FORWARD and OUTPUT are separate chains. A packet will only hit one of the three.
> If the destination is to this server, it hits the INPUT chain. If its source is from this server, it hits OUTPUT.
> ...



With IPv4 I use the forward chain so I would assume it would work the same with IPv6.

Sorry for the delay in replying been trying to get a new job and I don't tend to keep up with my forum accounts when I'm as busy as I have been.


----------



## norival1992 (Feb 9, 2016)

DId you try CSF ???


----------

