ip6tables conntrack module does not work

I am trying to set up my device so that only it can initiate network connections to other hosts. That is, other hosts should not be able to initiate connections to the device.

I have IPv4 working:

root@kp2:/proc/net# iptables -L 
Chain INPUT (policy DROP)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
root@kp2:/proc/net# 

root@kp2:/proc/net# ping 192.168.21.4
PING 192.168.21.4 (192.168.21.4) 56(84) bytes of data.
64 bytes from 192.168.21.4: icmp_seq=1 ttl=64 time=0.119 ms
^C

As you can see, I get ping replies. However, I cannot get the same behaviour with IPv6:

root@kp2:/proc/net# ip6tables -L 
Chain INPUT (policy DROP)
target     prot opt source               destination         
ACCEPT     all      anywhere             anywhere             ctstate RELATED,ESTABLISHED

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
root@kp2:/proc/net# ping6 2010::232
PING 2010::232(2010::232) 56 data bytes
^C
--- 2010::232 ping statistics ---
2 packets transmitted, 0 received, 100% packet loss, time 1006ms

Just to show you that the host on the other end really exists: as soon as I allow all packets on the INPUT chain, I get ping replies:

root@kp2:/proc/net# ip6tables -P INPUT ACCEPT
root@kp2:/proc/net# ip6tables -L 
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all      anywhere             anywhere             ctstate RELATED,ESTABLISHED

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
root@kp2:/proc/net# ping6 2010::232
PING 2010::232(2010::232) 56 data bytes
64 bytes from 2010::232: icmp_seq=1 ttl=64 time=0.214 ms
^C
--- 2010::232 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.214/0.214/0.214/0.000 ms

Why can I ping over the IPv4 network but not over the IPv6 network?

Answer 1

This rule does not seem to work for me.

ip6tables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

However, I can get similar functionality with the following three rules, which seem to do the trick:

ip6tables -A INPUT -p ipv6-icmp -j ACCEPT
ip6tables -A INPUT -p udp -m state --state RELATED,ESTABLISHED -j ACCEPT
ip6tables -A INPUT -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT

Note, however, that this accepts all ICMP traffic, not just related traffic.
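An added example, not part of the original answer: a tighter INPUT ruleset that keeps the conntrack rule and, instead of accepting all ipv6-icmp, admits only the ICMPv6 types IPv6 cannot operate without. Neighbour discovery (ICMPv6 types 133-136) is what an INPUT policy of DROP cuts off: without it the device cannot learn its neighbour's link-layer address (and the neighbour cannot learn the device's), so an outgoing ping6 never makes it onto the wire and there is no reply for the RELATED,ESTABLISHED rule to match. The script prints the ip6tables commands by default; the IP6T variable and the dry-run behaviour are this example's own conventions. Run it as root with IP6T=ip6tables to apply the rules.

```shell
#!/bin/sh
# Added example (not from the original post). Prints the ip6tables commands
# by default; set IP6T=ip6tables (as root) to actually apply them.
# The IP6T variable is an assumption of this example, not an ip6tables feature.
IP6T="${IP6T:-echo ip6tables}"

# ICMPv6 types that must be accepted even with INPUT policy DROP:
#   133 router-solicitation   134 router-advertisement
#   135 neighbour-solicitation 136 neighbour-advertisement
ND_TYPES="133 134 135 136"
# Error messages a host needs for path MTU discovery and sane failure:
#   1 destination-unreachable  2 packet-too-big
#   3 time-exceeded            4 parameter-problem
ERR_TYPES="1 2 3 4"

ip6_input_rules() {
    $IP6T -P INPUT DROP
    $IP6T -F INPUT
    $IP6T -A INPUT -i lo -j ACCEPT
    # Replies to connections this host started (TCP, UDP and ICMPv6 echo
    # are all tracked by conntrack).
    $IP6T -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    # Neighbour/router discovery: RFC 4861 requires hop limit 255, so
    # requiring it here drops ND packets that were forwarded from off-link.
    for t in $ND_TYPES; do
        $IP6T -A INPUT -p ipv6-icmp --icmpv6-type "$t" -m hl --hl-eq 255 -j ACCEPT
    done
    # ICMPv6 error messages, accepted regardless of connection state.
    for t in $ERR_TYPES; do
        $IP6T -A INPUT -p ipv6-icmp --icmpv6-type "$t" -j ACCEPT
    done
}

ip6_input_rules
```

After applying this, `ip -6 neigh` should list the peer as REACHABLE once ping6 succeeds, and the echo flow shows up in /proc/net/nf_conntrack as the entry that the RELATED,ESTABLISHED rule matches. Unsolicited echo-request from other hosts is still dropped by the policy, which is the behaviour the question asks for.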
