I usually have some default rules in place on all nodes which look about like this:
-A INPUT --in-interface lo -j ACCEPT
-A OUTPUT --out-interface lo -j ACCEPT
-A INPUT -m state --state UNTRACKED -j DROP
-A FORWARD -m state --state UNTRACKED -j DROP
-A OUTPUT -m state --state UNTRACKED -j DROP
-A INPUT -m state --state INVALID -j DROP
-A FORWARD -m state --state INVALID -j DROP
-A OUTPUT -m state --state INVALID -j DROP
#handle IPsec only sources/destinations
#allow incoming packets for all established and all related connections
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
#allow incoming ICMP packets
-A INPUT --protocol icmpv6 -j ACCEPT
And the same for IPv4.
The idea with dropping the UNTRACKED/INVALID was that such packages are probably not good fellows and should stay out...
Okay... now with IPv4 everything works as expected...
But with v6 nothing works at all and I get Destination unreachable (even on pings)... I can't even reach the gateway.
When I disable dropping the untracked packets... it starts working,..even when afterwards I enable it again.
Seems that there is some connection between the host an the gateway shown then by conntrack.
Now... question is why?